Techie Feeds

The smart, alert, strong, kind, and brave way to internet awesome

Malwarebytes - Tue, 06/27/2017 - 15:00

Mom and Dad, do you know when to start talking to your kids about internet safety? Google’s new Be Internet Awesome program might just be the perfect topic to start off that conversation.

Launched this National Internet Safety Month, Be Internet Awesome aims to teach kids to explore the internet safely, smartly, and confidently. This campaign is a collaborative effort of Google with online safety experts from the Family Online Safety Institute (FOSI), the Internet Keep Safe Coalition (or iKeepSafe), ConnectSafely, and several YouTube vloggers—who happen to include The Fault in Our Stars author, John Green—for an ongoing video series.

Be Internet Awesome has resources for parents and teachers and an educational video game for kids called Interland. This program is also compliant with the standards set by the International Society for Technology in Education (ISTE).

Be Internet Awesome drives home these five key lessons for kids to learn and practice while online:

  • Be Internet SMART: Share with care. And this goes beyond privacy. This means thinking thrice before saying something while also considering whom we’re going to say it to, just like in a face-to-face conversation. We don’t spill the beans to people we just met or hardly know, right? If one thinks something isn’t right to say, then it isn’t right to post either.
  • Be Internet ALERT: Don’t fall for fake. Oftentimes, we remind ourselves that not everything we see online is real; and this is something we must teach our kids, too. Being able to tell which is which is a learned skill. Awareness is key.
  • Be Internet STRONG: Secure your secrets. Personal journals of old were not only hidden under false drawers; they were also sealed with a little lock and key. With this picture of security in mind, kids should treat their most prized possession—their personal information and credentials—the same way as these journals.
  • Be Internet KIND: It’s cool to be kind. Online bullying is one of the many challenges that kids may come across every day. It’s high time that they are reminded to treat people online the way they want to be treated. The internet can be a place for positivity to grow, too!
  • Be Internet BRAVE: When in doubt, talk it out. Children must be encouraged to raise questions regarding content or behavior they see online. In response, adults must support their children’s curiosity by listening and understanding without judgment. This does not only foster open communication between adult and child but also builds trust toward the adult and confidence in the child.

Although Be Internet Awesome primarily targets young children between the ages of 8 and 11, anyone can use the program’s materials to learn to make smart decisions online. Even Mom and Dad.

Talks about internet safety don’t have to be technical and boring. It can be creative and enjoyable, too. Regardless of how it is presented to the next generation, what’s really important is to get them involved in internet security and privacy by starting that conversation, and we continue to talk about these with them.

Safe surfing, everyone!

The Malwarebytes Labs Team

The post The smart, alert, strong, kind, and brave way to internet awesome appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (June 19 – June 25)

Malwarebytes - Mon, 06/26/2017 - 15:27

Last week, we expanded on all the different technologies that Malwarebytes uses to break the attack chain and our Incident Response solution.

We also warned you about a Roblox Robux generator scam and a phish targeting customers of Barclays Bank.

Below are notable news stories and security-related happenings from last week:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (June 19 – June 25) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Fake WannaCry Scanner

Malwarebytes - Mon, 06/26/2017 - 15:00

With all the buzz around the PC ransomware WannaCry, it’s no surprise that a fake antivirus (FakeAV) has emerged on Google Play.  Entitled WannaCry Ransomware Protector for Android, the bold claim it makes is right in its name.  So how do we know this claim is false? Simple, there is no WannaCry Ransomware for mobile — at least not at the time of this writing. Furthermore, the fact that Google Play has already pulled it from the store supports our case.

To see this FakeAV in action, click through the slideshow below:

Click to view slideshow.

As you can see, there isn’t much to it. After running a fake scan, it gains revenue through advertisements and through installs of more apps. Note that the apps shown to install are legitimate and found on Google Play. Other than making a false claim about protecting against the WannaCry ransomware, the app is harmless.

What’s In a Name

Currently (at the time of this writing), there are two other apps on Google Play from the same developers that do exactly the same thing as WannaCry Ransomware Protector for Android, Mobile Security Antivirus 2017, and AMDF Anti-Virus 2017. Because these apps are not blatantly misrepresenting what they can do, we do not feel the need to classify these two — nor do other vendors. As for WannaCry Ransomware Protector for Android, we found the claim just too bold to not classify — so we as Android/PUP.Riskware.FakeAV.wacry. What can we say, sometimes it’s all in a name.

The post Mobile Menace Monday: Fake WannaCry Scanner appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Something’s phishy: How to detect phishing attempts

Malwarebytes - Mon, 06/26/2017 - 14:00

Dear you,

 It appears you need to update your information. Click here to tell us all your secrets.

 No really, it’s totally safe. We’re not going to steal your identity, we swear.

If only phishing attempts were that obvious.

Instead, these days it’s hard to tell a phish apart from a foul, if you catch my drift. Modern-day phishing campaigns use stealthy techniques to target folks online and trick them into believing their messages are legit. Yet for all its sophistication, phishing relies on one of the basest of human foibles: trust. Detecting a phish, in its various forms, then requires you to hone a healthy level of skepticism when receiving any kind of digital communication, be it email, text, or even social media message. In order to understand how we got here, let’s go back to the first instance of phishing.

The Nigerian prince and early phishing

Back in the early days of the Internet, you could marvel at your “You’ve Got Mail” message and freely open any email that came your way. You’d get one email a day, tops, from your new best friend you met in the “grunge 4EVA” chat room. There was no such thing as junk email. The only promotions you received were CD copies of AOL in the snail mail. It didn’t cross your mind that going online could bring about danger.

Then came the Nigerian prince.

Unfortunately, where innovation and progress lead, corruption and crime will inevitably follow. One of the nation’s longest-running scams, the Nigerian prince phish came from a person claiming to be a government official or member of a royal family who needed help transferring millions of dollars out of Nigeria. The email was marked as “urgent” or “private,” and its sender asked the recipient to provide a bank account number for safekeeping the funds. Gone were the innocent days of trusting your inbox.

Over the years, the Nigerian prince scam has fooled millions, raking in hundreds of billions of dollars. Why has this scam been so successful? Simple. It uses a time-honored criminal technique—the ole bait and switch—to fool folks into believing that they are being contacted by a legitimate organization with a legitimate concern. Threat actors use this social engineering method to trick unwilling participants into clicking on malicious links and handing over personal information. The end goal, as with most cybercrime, is financial gain.

Phishing attacks aim to collect personal data—including login credentials, credit card numbers, social security numbers, and bank account numbers—for fraudulent purposes. The attack is most commonly delivered as an email communication that spoofs a known enterprise, such as a bank or online shopping site, but it can also appear to come from an individual of authority or of personal acquaintance. These emails always contain a link that sends users to a decent facsimile of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.

“Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective,” says Adam Kujawa, Director of Malware Intelligence. “That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”

The evolution of phishing

While the Nigerian prince attack vector remains in use today, most savvy Internet users can now spot this scam a mile away (hence the multitude of memes that have popped up over the years). The campaign has lost its edge and fooled way fewer users. Plus, email technology has progressed so that spam filters readily pick up on this phish and block it. And this is why cybercriminals have had to advance their tactics.

“Phishers had no other choice but to evolve and improve on where they fell short,” says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes. “Nowadays, most sophisticated modern-day phishing emails are so polished and well-designed that one cannot easily differentiate them from legitimate ones.”

Case in point: Recent phishing campaigns have had great success impersonating big-name companies and fooling big-name recipients. In May 2017, a phishing email targeted one million Gmail users by purporting to be from a contact sharing Google Docs. In Minnesota alone, state employees were scammed out of $90,000 due to the Google Docs fiasco. Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, famously had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

So how can we learn from these lessons? Let’s start by identifying the different types of phishing in use today.

Types of phishing

The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.

Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.

Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, senator, or someone who has access to financial assets. CFO fraud is an example of whaling.

Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.

Pharming, also known as DNS-based phishing, is a type of phishing that involves the modification or tampering of a system’s host files or domain name system to redirect requests for URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.

Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.

Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as a social networking sites or online banks, to extract information as it’s being entered. This type of phishing is more difficult to detect because attackers continue to pass on users’ information (after collecting it) so as not to disrupt any transactions.

And finally, search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.

There truly are a lot of phish in the sea.

So, if your head isn’t completely swimming in fish puns, it’s time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks. I asked Labs researchers to tell me their top indications that an email, text, or other form of communication is a phish and compiled a list of their, and my, recommendations.

Something’s phishy if:
  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of wannabe writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English? Take a closer look.
  • Speaking of content, a phishing email almost always sounds desperate. “Whether they’re claiming that your account with be closed, an urgent request is needed, or your account has been compromised, think twice before double-clicking that link or downloading that attachment,” says Umawing.
  • The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
  • The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

If you suspect or can verify that you’ve been phished, it’s best to report the attempt directly to the person or organization being spoofed. You can also contact the Federal Trade Commission (FTC) to lodge a complaint. Once completed, delete the email, then empty your trash. (Same goes for texts.)

Now the next time someone attempts to scam you with fraudulent emails, you won’t have to wonder if the message is for real. You’ll scope out a phish hook, line, and sinker.

The post Something’s phishy: How to detect phishing attempts appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Solution Corner: Malwarebytes Incident Response

Malwarebytes - Thu, 06/22/2017 - 19:40

Unless you’ve been stuck at a fiery music festival, I don’t need to tell you the threat landscape is constantly evolving and that threats have become increasingly sophisticated at evading detection. Recent Malwarebytes Labs reports, including the 2017 State of Malware shine a light on just how fast these threats continue to spread around the globe impacting businesses of all sizes.

In fact, according to eWeek the latest Ponemon Institute 2017 Cost of Data Breach report came out this week and shows dwell times for malicious attacks now average 214 days. The report also highlights that 1 out of 4 businesses will experience a breach. The cost to businesses and the complexity involved in responding to these types of incidents, including remediating the threats from endpoints, continues to increase as well. Osterman Research uncovered that more than 60 percent of attacks take organizations more than nine hours to remediate.

 

 

We recently announced Malwarebytes Incident Response, a centralized threat detection and remediation platform that helps businesses accelerate their response workflows for these types of threats while reducing attack dwell times. Malwarebytes Incident Response scans networked endpoints for advanced threats including malware, PUPs, and adware, and removes them.

Our threat detection and remediation technologies are powered by the world’s best-informed telemetry. More than 500,000 consumers and businesses download Malwarebytes every day when their existing solutions fail. Driven by our big data analytics systems and expert research analysis, we process more than 3 million endpoint remediations each day. This valuable telemetry on zero-day malware makes our technology more responsive to emerging threats, and helps us anticipate tomorrow’s malware.

By scheduling and automating scans with Malwarebytes Incident Response, the prolonged downtime that typically accompanies incident response and re-imaging processes can be significantly reduced, along with management complexity. All of this helps optimize efficiency and effectiveness for admins and incident responders.

 

Flexibility and extensibility

Malwarebytes Incident Response integrates with and minimizes impacts to your existing security stack. With flexible deployment options, businesses can choose to run scans and remediate endpoints using the cloud-managed persistent endpoint agent or the included non-persistent agents (aka “agentless”). The non-persistent agent makes it simple to deploy and integrate with your existing third-party tools, including endpoint management platforms and SIEMs.

 

Thorough remediation

Malwarebytes is viewed as the gold standard in remediation, and that’s thanks in part to our Linking Engine technology. This signature-less technology works in concert with our main remediation engine to identify and remove dynamic and related threat artifacts which are linked with the primary threat payload. Additionally, our Linking Engine applies associated sequencing to ensure malware persistence mechanisms are eradicated in such a way that disinfection is permanent.

 

Threat hunting

Unfortunately for many businesses, it’s likely threats already exist in their environment. When an endpoint is successfully infected, attackers often initiate lateral movement to infect other endpoints. Malwarebytes Incident Response empowers organizations to proactively hunt for malware and thoroughly remediate endpoints leveraging on-demand, scheduled, and automated scans—reducing the complexity of the whole remediation process. This solution makes it easy to adopt a proactive, assume-the-compromise approach that greatly improves your security posture. Businesses can use the included non-persistent agent to scan, or hunt, for threats using recently reported indicators of compromise (IOCs) for instances of that threat elsewhere in their environment. For example, Malwarebytes can conduct an automated threat response based on an alert from your existing Splunk or ForeScout solutions.

Click to view slideshow. Static forensics

Malwarebytes Incident Response also includes a static forensic tool for more in-depth forensic investigations. Forensic Timeliner quickly tracks forensic events so your security team can uncover attacker actions, or address security gaps and unsafe user behavior. It gathers system events prior to, during, and following an infection from more than 20 Windows log repositories and presents the data in a convenient chronological timeline view for comprehensive analysis of vector and attack chain. Events covered include file and registry modifications, file execution, and websites visited.

 

Introducing Malwarebytes cloud platform

Malwarebytes Incident Response includes a single unified endpoint agent which is built on our cloud-based management platform. This new cloud platform makes deployment and ongoing management of Malwarebytes Incident Response and other Malwarebytes solutions easy. Administrators benefit from simplified deployments onto their endpoints along with effortless scalability.

The cloud management console provides easy, direct, centralized management of security policies, deployments, and threat visibility across all geographically distributed endpoints.

Asset Management is another built-in feature of the cloud platform that delivers dozens of actionable endpoint system details to a security or system admins’ fingertips. This allows them to quickly glean info that might ordinarily require them to log into different, separate consoles or applications. See detailed information including OS, network interfaces, storages devices, memory objects, installed software, software updates, startup programs, and more.

 

Time happens, act now

Built for Windows and Macs, Malwarebytes Incident Response provides the most complete and thorough remediation possible, improves threat detection for businesses of all sizes, and minimizes the time it takes to respond to an attack.

I encourage you to check out this new solution for your business today.

The post Solution Corner: Malwarebytes Incident Response appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Barclays Bank customers targeted by phishers

Malwarebytes - Thu, 06/22/2017 - 15:00

Today we have a phish targeting customers of Barclays Bank, located at:

bank(dot)barclay(dot)co(dot)uk(dot)olb(dot)auth(dot)loginlink(dot)action(dot)p1242557947640(dot)chofcg(dot)com/bd/

The phish opens up with an initial lunge for personal details:

The first page asks for a surname, then offers the potential victim a variety of petards to hoist themselves from – do you want to enter your membership number, card number, or sort code and account number? Please, step right this way.

The second page continues the deep dive with a move into the realm of PIN sentry codes:

Barclays use a device called a PIN Sentry for certain online (and offline) activities. Step 2 of this phish asks for the last five digits of your card, the eight digit code that appears on the device, and “your four digits ATM code”. After that:

A 5 digit telephone banking passcode and a mother’s maiden name, you say?

It would appear the phishers are trying to get enough bits of information to try some social engineering on someone in a call center, though they’re not going to get very far with a 4 digit PIN given the person on the other end of the line wouldn’t know it. Only today, a friend of mine told me their husband nearly lost his business account cash (held with another bank) because someone phoned him up and asked for his personal details. He only realized something was wrong when they asked for his PIN number – but he nearly didn’t phone the bank because he thought they’d “tell him off”.

Don’t be like him. Should you ever run into a scenario such as the above, the very first thing you should do is call your bank for help. They’ll give you the best course of action from there, and with any luck, your hard-earned money won’t be going elsewhere.

 

Christopher Boyd

The post Barclays Bank customers targeted by phishers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Roblox Robux generator is too good to be true

Malwarebytes - Wed, 06/21/2017 - 15:00

Roblox is an enormously popular MMORPG title for kids available on both PC and console, and it suffers no end of scammers trying to fleece its players as a result. While the game tries to block and filter text/URLs and comes with additional security features, potentially dubious sites also bounce around outside of the Roblox environment. Here’s one we had sent our way, located at:

robloxrobux(dot)gamehack(dot)co

The site claims to walk that well-worn path of free coin/item/whatever generation, in return for entering your username and a few other values such as desired coin (“Robux”) amount. There’s also a chat box in the bottom right corner which repeats the same text every time you visit the page, mostly to the tune of “Yes, this definitely worked 100% for me, honest”. Once all info is submitted and the magic “Do things now” button is pressed, it delivers the well-worn trick of popping a fake box claiming things are happening behind the scenes. Secret, hacker-style things working their magic on Roblox servers.

Unfortunately for the person using it, it’s all complete nonsense and leads gamers to the usual assortment of survey links.

We don’t have much to add here besides “Don’t bother”. All you’ll get for your troubles is your personal information added to marketing databases via the survey links. If you have young relatives playing Roblox, please consider informing them about sites such as the above.

 

Christopher Boyd

The post The Roblox Robux generator is too good to be true appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Jun 12 – Jun 18)

Malwarebytes - Tue, 06/20/2017 - 15:56

Last week was very busy for the Labs, with a look at so-called numeric tech support scams, a visit to the huge Infosec Europe conference, an exploration of Mac Malware as a Service, and a walk through the myths of online bullying.

Elsewhere:

Stay safe!

The Malwarebytes Labs Team

 

The post A week in security (Jun 12 – Jun 18) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Breaking the attack chain

Malwarebytes - Mon, 06/19/2017 - 15:52

The attack chain. It’s a term used often in infosecurity. Also known as the kill chain, it was originally used as a military concept to describe the structure of an attack. It serves the same function in cybersecurity, where various methods of malware infiltration, deployment, and execution are outlined. To break the attack chain, then, means to preempt the attack.

This is of obvious significance to business owners, who’d much rather avoid expensive and time-sucking breach cleanups with programs that prevent attacks altogether. But breaking the attack chain is not as simple as it used to be.

Cybercriminals are constantly changing methodologies and deployment vectors to fool endpoint defenses. The attack chain is evolving and multiplying, out-thinking traditional, signature-based endpoint security. In fact, nearly 80 percent of businesses have suffered a security-related breach in the last year.

That’s why businesses need to evolve their endpoint protection strategy, using a multi-layered approach to stop malware deployment and execution in multiple attack chains. In the following infographic, we’ve outline how Malwarebytes does just this, using seven different, complementary technologies.

Click here for the full PDF version.

 

The post Breaking the attack chain appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tackling the myths surrounding cyberbullying

Malwarebytes - Fri, 06/16/2017 - 15:00

Cyberbullying is an act most of us are familiar with. Knowing what it is, who’re involved, and its harmful effects to targets are easy enough to identify; but do you know that cyberbullying is surrounded by misconceptions, too? In this post, we have identified six of these myths, explained why they’re worth discrediting, and lastly, provided ways to nip cyberbullying in the bud.

Myth #1: Bullying, whether done face-to-face or online, only negatively affects the target.

This may seem like an obvious and accepted truth; however, several medical studies have shown otherwise. Both the offended and the offender experience emotional, physical, and social issues as a direct result of bullying and such effects have been consistently observed across youths in different countries, which includes headaches, recurrent stomach pains, feeling unsafe whether inside or outside the home, and difficulty sleeping at night.

Perhaps the most harmful consequence of being targeted, especially in the case of teens, is “internalizing problems”—negative self-perception, anxiety, depression, and insomnia. Left untreated, these will grow worse and increase the likelihood of them developing mental health issues.

Furthermore, cyberbullying has ill effects on bystanders as well.

Myth #2: Only kids and teens experience cyberbullying.

According to a survey conducted by the Pew Research Center, 40% of adults in the United States have experienced some form of bullying online. Forms of harassment range from name-calling, deliberate embarrassment, physical threats, to stalking.

In the past, we used to hear about teachers picking on students, but now we’re as likely to read about students bullying teachers.

Myth #3: The best way to beat the cyberbully is to fight back.

And by “fight back”, they mean “bullying the bully”. This may seem like sound advice from well-meaning friends or family members, but more often than not, hitting back with words may make matters worse. Those who are unable to fight back due to feelings of fear, anxiety, or powerlessness may begin blaming themselves for the bullying. It also sends the wrong message to kids and teens that out-bullying each other is the only way to stop the harassment.

Myth #4: Bullying is a part of life. Get over it.

Although bullying happens both in the digital and real domains, it shouldn’t be considered normal, okay, or acceptable, and telling those being harassed to “get over it” doesn’t help the already mentally and emotionally vulnerable. Bullying, regardless of where it takes place, is a societal problem that needs to be seriously addressed, not brushed aside.

Myth #5: Once the bullying stops, the life of the affected child/person goes back to normal.

This is far from reality. According to a joint US/UK study, people involved in bullying continue to feel and experience the effects of the act until adulthood. The severity of these effects also depends on the person’s resilience and the positive relationships he/she has with other people. Some of the problems that can carry over to adulthood are depression, panic attacks, and difficulties socializing.

Scientists also stress the long-term effects of cyberbullying, even if it happens only once.

Myth #6: There are no laws against bullying and/or cyberbullying.

On the contrary, the Cyberbullying Research Center has a dedicated page showcasing US states and their bullying laws.

Prevention is always better than cure’

What most of us may not realize is that a number of incidents of cyberbullying can be prevented. Here’s a few ways to tackle them:

  • Never share your online credentials with anyone, not even with family members (except your parents if they asked for them), or friends. Most kids and teens these days allow their friends to access their social profiles, believing that doing so is cool. However, friends may begin posting images and messages without their consent, and may cause more headache to the innocent child or teen who owned the profile.
  • Never share private or intimate photos of yourself to anyone. Not only will teen girls gain Likes from peers, they may also grab the unwanted attention of strangers, which may further lead to stalking and other forms of online harassment. Additionally, revenge porn also happens among kids and teens.
  • Consider limiting the number of people seeing what you post online. Sadly, most users of social networking sites don’t bother setting up the privacy level of their profiles and posts. As most (if not all) social sites show posts publicly by default, those who express their views on, say, politics usually invite ire from strangers who don’t share similar views. If not mitigated from the get-go, the banter may quickly escalate to bullying. If you wish to remain posting publicly, then at the very least…
  • Mind what you disclose online. Kids and teens share quite a lot about themselves—their thoughts, opinions, feelings, activities at the home or with friends. Although these are likely innocent, they can be used to fuel the bullying.
  • Create strong passwords for all online accounts. Some cyberbullies may attempt to infiltrate a target’s account by hacking. Although this act is not considered cyberbullying, online bullies can use accounts they control to humiliate a target or harass other targets by posing as someone else. Make sure that you can efficiently manage the passwords you create.
    • A word on personally identifiable information (PII): Revealing information you use to access or create accounts, such as your dog’s name and your date of birth, is highly discouraged. Not only will this contribute towards impersonation, but it may also lead to the compromise of your online account.
  • When using public or shared computers, make sure to log out of your social media accounts before leaving. If possible, delete the browser history cache and cookies or you may give someone else the opportunity to be you online.

The internet is what we make of it. On the one hand, it can be a great place to learn, meet new friends, reconnect with old ones, and discover the world without leaving the comfort of your sofa. On the other hand, it can also be a destructive and hurtful place. With the guidance of parents, teachers, law enforcement, and groups that deal with online harassment, children will be steered in a direction where future generations can still experience the internet as a safe place to be.

For additional resources, take a look at our 2016 blogs from Anti-Bullying Week:

The Malwarebytes Labs Team

The post Tackling the myths surrounding cyberbullying appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Announcing Malwarebytes Endpoint Protection, a next-generation antivirus replacement for businesses

Malwarebytes - Thu, 06/15/2017 - 15:00

Six months ago, we announced Malwarebytes 3.0, a next-generation antivirus replacement for home users. Today, I am happy to announce Malwarebytes Endpoint Protection, its equivalent for businesses.

Malwarebytes Endpoint Protection includes an easy to deploy, scalable cloud platform that allows you to rapidly install, configure, and manage our solutions on any Windows endpoint. Businesses get Web Protection, Application Hardening, Exploit Mitigation, Application Behavior, Payload Analysis, and ransomware prevention technologies all delivered through a single agent in the cloud! In addition, I’m pleased to introduce our first ever signature-less Anomaly Detection Engine powered by machine learning. This now adds a seventh layer to our protection stack, making your defense-in-depth strategy even stronger.

We’ve added Asset Management so you can see what software your endpoints have installed, what updates they have or need, and generally, monitor the health of your environment.

Key features of our new platform:

  • Cloud based: no need to provision a server, just create an account and go!
  • Scalable: enterprise-grade security for small offices or large enterprises
  • Single agent: all of our protection technologies delivered through a unified agent
Click to view slideshow.

But that’s not all! We’re also announcing Malwarebytes Incident Response, our threat detection and remediation tool which is also built on our new Malwarebytes cloud platform. Powered by our Linking Engine technology, this solution provides the most complete and thorough remediation possible for Windows and Mac endpoints.

Malwarebytes Endpoint Protection and Malwarebytes Incident Response are available globally June 28th, so stay tuned for more information. In the meantime, you can contact our awesome sales team and authorized resellers to learn more.

 

FREQUENTLY ASKED QUESTIONS

What is Malwarebytes Endpoint Protection?

Malwarebytes Endpoint Protection is an advanced threat prevention solution for Windows endpoints featuring a cloud-based management console, delivered through a unified endpoint agent.

The solution delivers real-time threat prevention using multiple layers of matching and signature-less technologies including Web Protection, Application Hardening, Exploit Mitigation, Application Behavior, Payload Analysis, ransomware prevention, and now our newest signature-less Anomaly Detection Engine, powered by machine learning. These seven technologies work together providing a more effective and efficient replacement for antivirus. Includes email and 9am-5pm phone technical support.

 

What is Malwarebytes Incident Response?

Malwarebytes Incident Response is a centralized threat detection and remediation solution for Windows and Mac endpoints featuring a cloud-based management console, delivered through a unified endpoint agent.

Malwarebytes Incident Response empowers organizations to proactively hunt for malware and thoroughly remediate any endpoint leveraging our in-depth, on-demand, and scheduled scans. Powered by the best threat remediation and signature-less Linking Engine technologies, organizations can now quickly recover from cyberattacks without the prolonged downtime that typically accompany incident response and re-imaging processes.

Malwarebytes Incident Response includes the capability to scan and remediate endpoints with non-persistent agent (aka “agentless”) CLI options. Also, includes a static forensic tool for more in-depth forensic investigations. Includes email and 9am-5pm phone technical support.

 

Can I replace my traditional antivirus with Malwarebytes Endpoint Protection?

Yes! Malwarebytes Endpoint Protection is designed to replace your antivirus solution. We believe in layered defense and built Malwarebytes Endpoint Protection to provide the right mix of proactive and signature-less technologies to combat modern threats and zero-day malware.

Malwarebytes is now a validated, next-generation replacement for traditional antivirus (AV) solutions. Coalfire Systems, a leading provider of cybersecurity, risk management, and compliance services, certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA), conducted an independent assessment of Malwarebytes.

 

Can we still run Malwarebytes Endpoint Protection and Malwarebytes Incident Response alongside our existing antivirus solutions?

Absolutely! We built Malwarebytes Endpoint Protection and Malwarebytes Incident Response to be compatible with all major antivirus software. Malwarebytes defaults to side-by-side operation mode, but also has the Policy-configurable capability to register in the Windows Action Center (WAC), allowing customers of Malwarebytes to run alongside third-party antivirus applications and/or the built-in Windows Defender, or as primary, thereby deactivating Defender.

 

We currently have a Malwarebytes subscription for our business. How much do we have to pay to upgrade to Malwarebytes Endpoint Protection or Malwarebytes Incident Response?

Pricing for Malwarebytes Endpoint Protection and Malwarebytes Incident Response is dependent on the number of endpoints and length of subscription. Contact your sales representative or Malwarebytes authorized reseller for more information on pricing and how to upgrade to the new Malwarebytes cloud platform.

 

How can we get an evaluation copy of Malwarebytes Endpoint Protection or Malwarebytes Incident Response?

Contact your sales representatives to learn more about our new cloud-delivered solutions and get a free evaluation of Malwarebytes Endpoint Protection and Malwarebytes Incident Response.

The post Announcing Malwarebytes Endpoint Protection, a next-generation antivirus replacement for businesses appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Mac Malware-as-a-Service offerings

Malwarebytes - Wed, 06/14/2017 - 15:00

A couple weeks ago, two new Malware-as-a-Service (MaaS) offerings for the Mac became available. These two offerings – a backdoor named MacSpy and a ransomware app named MacRansom – were discovered by Catalin Cimpanu of Bleeping Computer on May 25.

Cimpanu evidently had some trouble getting hold of samples, but on Friday analysis of MacRansom was posted by Fortinet and analysis of MacSpy was posted by AlienVault.

Both of these malware programs were advertised through Tor websites, claiming them to be “The most sophisticated Mac spyware/ransomware ever, for free.” Neither programs were directly available, but could only be obtained by emailing the authors at protonmail[dot]com email addresses.

Behavior

Despite the claims of sophistication, these malware programs are not particularly advanced. The programs provided to both Fortinet and AlienSpy were simple command-line executable files that, when run, copy themselves into the user’s Library folder.

MacSpy:

~/Library/.DS_Stores/updated

MacRansom:

~/Library/.FS_Store

Because the .DS_Stores folder and the .FS_Store file both have names starting with a period, they are hidden from view unless the user has done something to show invisible files.

As part of the installation, these programs also create LaunchAgent files for persistence – a not at all original method.

MacSpy:

~/Library/LaunchAgents/com.apple.webkit.plist

MacRansom:

~/Library/LaunchAgents/com.apple.finder.plist

Some recent malware has had the capability to customize the install locations and names, but there’s no indication in the reports from Fortinet and AlienVault that such a feature is available in MacSpy or MacRansom, making these quite easy to detect.

MacRansom is created with a custom “trigger date,” after which time the malware detonates and encrypts the files in the user’s home folder, as well as on any connected volumes, such as external hard drives. As happened with KeRanger, which had a 3-day delay before encrypting, this delay will likely mean that few people who are using security software will actually be affected, as the malware will probably be detected before it encrypts anything.

Further, the encryption uses a symmetric key – meaning that the same key is used both to encrypt and to decrypt – that is only 8 bytes in length, making it rather weak and relatively easy to decrypt. However, the key creation process involves a random number and the resulting key is apparently not saved to the hard drive or communicated back to the authors in any way, making it impossible to decrypt the files except via brute force.

After encryption, the malware will display a pop-up alert informing the user of what must be done to decrypt the files, and will continue to reappear even if the user clicks the “Destroy [sic] My Mac” button. The malware does not save any copies of that information to files on the hard drive, as is typical of most ransomware.

MacSpy is fairly simple spyware, which gathers data into temporary files and sends those files periodically back to a Tor command & control (C&C) server via unencrypted http. It will exfiltrate the following data:

  • Screenshots (taken every 30 seconds)
  • Audio captured via microphone
  • Keystrokes*
  • Clipboard contents
  • iCloud photos
  • Browser data

In the case of keylogging, the malware requires an admin password, which can be provided in the email requesting a copy of the malware. This requires that the attacker knows the password for the target Mac in advance.

If the attacker pays for the malware, they will get additional capabilities, such as more general file exfiltration, access to social media, help with packaging the executable into a Trojan form (such as a fake image file), and code signing.

Analysis avoidance

Although neither of these programs is particularly sophisticated, they both do include some reasonably effective analysis avoidance features. Both include three methods for determining whether they are being analyzed by a researcher, in which case they shut down and do not display their malicious behaviors.

First, they will check to see if they are being run by a debugger, using a call to ptrace.

They will also parse the output from the shell command sysctl hw.model for the word “Mac”, terminating if that is not found. In a virtual machine, this command will not return the model identifier for the hardware, but will instead return a value specific to the virtualization software being used. Thus, if the output does not contain “Mac,” it is most likely being run in a virtual machine, and the most likely reason for that is that it’s being analyzed by a security researcher.

Another virtual machine check that is performed is a check for the number of logical and physical CPUs. Since the number of CPUs is simulated in a virtual machine, this is another fairly reliable indicator that the malware is under analysis.

If any of these checks fail, the malware terminates.

Fortunately, because the malware isn’t signed, it’s possible to hack the executables to bypass these anti-analysis checks and then analyze it in a virtual machine.

About the authors

The websites for the malware include an “About Us” section, in which the authors provide some information about their motivations:

We are engineers at Yahoo and Facebook. During our years as security researchers we found that there lacks sophisticated malware for Mac users. As Apple products gain popularity in recent years, according to our survey data, more people are switching to MacOS than ever before. We believed people were in need of such programs on MacOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance. You can depend on our software as billions of users world-wide rely on our clearnet products.

I suspect that a lot of this is probably not accurate. I seriously doubt that they would really give away information about their former employers, which would provide a clue that could be used to help track them down and could be used as evidence in a trial. Further, as a security professional myself, it’s rather laughable that the best a security researcher could do for persistence is a launch agent.

Also, the lack of any way to decrypt files in a ransomware app is extremely amateurish. This means that 2/3 of the Mac ransomware that has ever existed has had no means for decrypting files so that users who pay will get none of their data back in return. Hopefully, this will make victims of future Mac ransomware reluctant to pay, which will, in turn, make it unprofitable to develop such malware in the future.

All these factors mean that these hackers undoubtedly do not have the qualifications they claim to have and are actually amateur developers with a tendency towards crime.

Disinfection

The presence of any of the following items is an indicator of infection:

~/Library/LaunchAgents/com.apple.webkit.plist ~/Library/LaunchAgents/com.apple.finder.plist ~/Library/.DS_Stores/ ~/Library/.FS_Store

Malwarebytes for Mac will detect these as OSX.MacSpy and OSX.MacRansom.

If you were infected with MacSpy, after removing it, you should be sure to change all your passwords, as they might have been compromised by the keylogging, screen captures and/or clipboard exfiltration. If your work computer has been compromised, contact your IT department to alert them to the issue; otherwise, your accounts or other information leaked could potentially give a criminal inside access to your company’s servers.

If you had a MacRansom infection and didn’t get your data encrypted, consider yourself very lucky. Start backing up your computer regularly if you didn’t already and avoid leaving the backup drive connected all the time.

If you did have data encrypted by the ransomware, it’s possible that it could be decrypted by an expert in cryptography. Although we don’t currently have information about decrypting such files, we will update this article in the future if a method for doing so is identified.

The post New Mac Malware-as-a-Service offerings appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cheers to a successful time at Infosec Europe 2017

Malwarebytes - Wed, 06/14/2017 - 09:00

With over 350 exhibitors, well over 10,000 visitors, and many widely respected speakers, Infosec Europe is one of Europe’s biggest security events. The Malwarebytes stand attracted a lot of interested people, even without our robot Zero, who had obligations elsewhere.

The new EMEA Channel Programme, hourly presentations, and visitors that were interested in using or integrating one of our products made sure that our team at the booth never got bored. Especially the sales engineers doing the product demo’s barely had time to take a break.

Our CEO Marcin Kleczynski got a lot of press requests but found the time to do one panel discussion together with yours truly and our amazing presenter Helge Husemann.

We would like to thank everyone that stopped by at our booth to attend our presentations, inquire about the channel programme, join our panel discussion, ask for product information, or even just stopped to tell us how happy they are with our software. We’ll love to see you again next year!

Click to view slideshow.

Pictures courtesy of Fieldhouse Associates. Thank you, Aislinn.

 

The post Cheers to a successful time at Infosec Europe 2017 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The numeric Tech Support Scam campaign

Malwarebytes - Tue, 06/13/2017 - 14:00

There are many different tech support scam (TSS) campaigns active at any given moment, the majority of them are fueled by malicious adverts (the browser lockers), or bundled software (the screen lockers).

Something interesting happened recently, where legitimate – but hacked – websites would redirect to a tech support scam page, not only via malvertising but also from hacked websites bearing the mark of a popular website infection.

What was particularly striking was the fact that visitors from the US (and some other locations), running Internet Explorer, were being targeted and redirected to the scam page instead of what we would normally expect: an exploit kit landing page.

In this blog, we will focus on the US campaign that is pushed both via malvertising and compromised sites and recognizable by its use of numeric domain names.

Numeric TSS

This latest tech support scam scheme can be identified by the use of only digits within its domain name. While they may look odd at first, numeric domains – as they are known – work just like any other domain names.

They can be quite expensive if kept short as they can represent a brand or have special meanings (i.e. containing the number 8, popular in Chinese culture), but are otherwise a cheap commodity.

In fact, each domain we encountered as part of this attack was registered for a mere $0.88 and came with free WhoisGuard protection for anonymity:

The numeric TSS has been around since at least early April based on this urlQuery report, with some of those domains registered at the end of March.

Domain name Creation date 6473819564947657419.win 2017-03-31 7598437654236982.win 2017-03-31 Browser lockers

Almost all browsers fail to mitigate the fake alert used by the numeric TSS, by not allowing you to normally close the page and instead of leaving little choice other than resorting to using the Task Manager to kill the offending process.

Internet Explorer

For Internet Explorer, the crooks are using mouse events to load the dialog message. Each time the mouse moves over a certain area, the same popup will reappear. You can close the page using keyboard shortcuts only (provided you do not move your cursor) but this is not something most users would be aware of.

Code:

Google Chrome

The Google Chrome version of this campaign still uses the history.pushState() trick we reported back in Nov. 2016 to freeze the browser by maxing out the CPU. This affects Chrome on Windows and Mac and is by far the most disruptive experience across various browsers.

Code:

Firefox

Firefox visitors are prompted with a username and password when the page is shown, which abuses HTTP basic access authentication to lock the browser by reloading that authentication dialog repeatedly.

Code:

Edge

Edge is actually the only browser that lets you close the page ‘cleanly’ without resorting to Task Manager or other quick shortcut combinations.

Code:

Distribution part 1: Malvertising

We caught a few malvertising chains involved in the numeric TSS but the most notable one was served from the AdsTerra ad network. One interesting thing is that we expected to see a different TSS campaign here (one that is hosted on Amazon S3).

Distribution part 2: Compromised websites

EITest is one of several campaigns that leverages compromised sites to monetize traffic via malicious redirections, typically to exploit kits such as RIG EK. It is also one of the few that is not only longstanding but has diversified itself with social engineering schemes already, such as the fake font trick.

In late May, @nao_sec blogged about some cloaking with EITest, in particular for certain geolocations. It quickly became clear that the multi-purpose EITest had yet another trick up its sleeve which was observed by others, such as Brad Duncan.

A large blurb is injected into compromised sites right before the </body> tag with a URL to the numeric TSS page. What is quite noteworthy is that the URL could have been for an ad network or even one of the gates we mentioned earlier. But instead, EITest generates the right URL directly, suggesting some kind of access to the same API used in the malvertising campaigns.

There are times when the API fails (perhaps because of takedowns) and we caught this happening:

Brad Duncan also captured a similar case via EITest, where the injected coded had a blank numeric domain but also a link to a RIG EK landing page (bug, A/B testing?).

Tech support scam

This campaign seems to fuel various call centers in India, with phone numbers generated on-the-fly and based on geolocation. While the fake alerts are an easy lead-in to scam unsuspected users for hundreds of dollars, we noticed some differences in how the scam goes down. Some call centers are outright fraudulent and go straight for the money, but others still take the time to walk you through a ‘diagnostic’.

Regardless, Microsoft would never use such ways to contact people that may be infected so you can rest assured that any phone number that appears out of the blue on your machine is not to be trusted.

Mitigation

The easiest way to get rid of a browser locker (AKA browlock) is to terminate (‘End task’) the associated browser process using the Task Manager. There are various ways to launch it depending on your operating system, but typically you can type it in the search bar (bottom left near Windows logo in Windows 10, or inside the Start Menu in Windows 7).

This does not damage your computer but you will lose websites you had opened. Having said that, the browser lock doesn’t give you much chance either to recover those anyway. After forcefully killing the browser process, you may be asked if you want to recover the pages from the ‘crash’. You are better off saying ‘no’, or else you will be back to square one dealing with the locker once again.

Conclusion

The delivery of tech support scams via compromised websites is worrisome because ad-blockers will be ineffective here, since there is no middle man (advertiser) involved to be blocked. This is why browsers play such a big role, but also where they fall short. Maintaining a blacklist of such sites is almost counter productive as the rogue domains rotate so quickly. There could be improvements on how to defeat browser lockers to give users a way out, but also perhaps to flag such pages as potentially malicious, simply based on their behaviour.

The growing number of social engineering schemes from malware campaigns is a sign that exploit kits are failing to generate enough victims these days, mainly due to their reliance on older vulnerabilities that have long been patched. Another factor is Google Chrome’s market share (close to 60%) while most current exploits are still very much Internet Explorer-centric.

Until attackers can get their hands on newer exploits, they will continue to design creative lures and adapt them to specific targets for the most impact.

Tech Support Scams – Help & Resource Page

Some examples of numeric TSS domain names:

6473819564947657419.win 7598437654236982.win 75894326984785657.win 089808456012319849851.win 28769437645567160.review 1367465423548945466.win 36546876516465456.win 15467448788975.win 1652546334798534.win 42165448125463151.win 544789942631624685.win 1317587423345278789.win 462781647864529375896239.win 547566458877948786467.win 14567996453586879.review 1894063121084890231894080.win 212655432897895349795160.win 45610897897984561087802.site 0789085614050105453286405572454.win 1987561230989456165016547084564189075132104897789415128287129.win 236846723674238468.site 712653651726438762364523546823.site 068923772895474564121755216.review

Text message:

Windows Defender Alert : Zeus Virus Detected In Your Computer !! Please Do Not Shut Down or Reset Your Computer. The following data will be compromised if you continue: 1. Passwords 2. Browser History 3. Credit Card Information 4.Local Hard Disk Files. This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks. </br></br>Call Microsoft Technical Department: (888)

The post The numeric Tech Support Scam campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Jun 05 – Jun 11)

Malwarebytes - Mon, 06/12/2017 - 16:58

Last week, we interviewed our very own Pieter Arntz to get to know him a little better. We also touched on the importance of HTTPS and focused on a new social engineering scheme that triggers on mouse movement.

We also took a deeper look at LatentBot, a Trojan that is being distributed by the RIG exploit kit; profiled Fireball, a browser hijacker that is capable of downloading and executing other malware, advised blog readers to stop sharing photos of their X-rays to social media; and named the other groups and/or individuals who are also fighting the good fight against tech support scams.

Below are notable news stories and security-related happenings:

  • Apple Test Hints That iOS 11 Will Be The End-of-life For Outdated, 32-bit Applications. “Ahead of Apple’s Worldwide Developer Conference today, and the expected announcement of iOS 11, the company briefly removed older, 32-bit iOS applications from appearing in the App Store’s search results. The change, which appears to have been a short test on Sunday, could have impacted a sizable portion of the App Store’s long tail.” (Source: TechCrunch)
  • Tech Firms: We’re Trying To Make Our Sites Hostile To Terrorists. “In the aftermath of the London attack, Facebook, Google, and Twitter have insisted that they already work closely with the UK government to flush out the sharing of extremist content—as fresh calls to crack down on the Internet and end-to-end crypto once again surfaced following a terror atrocity.” (Source: Ars Technica)
  • Hack Back Law Would Create Cyber Vigilantes. “Tom Graves (R-GA) released an update to the initial Active Cyber Defense Certainty Act (ACDC) that intends to exempt victims of cyber attacks from being prosecuted for attempting to hack back at their attackers under the Computer Fraud and Abuse Act (CFAA). If enacted, the law allows organizations that are the victims of hacks to conduct their own hacks to identify the assailants, stop the attacks or retrieve stolen files. At a high level, it makes sense. In practice, it is ridiculous.” (Source: CSO)
  • Stealthy DDoS Attacks Distract From More Destructive Security Threats. “Despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98%) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume. In addition, almost three-quarters (71%) of the attacks mitigated by Corero lasted 10 minutes or less.” (Source: Help Net Security)
  • WannaCry Exploit Could Infect Windows 10. “WannaCry targeted a Server Message Block (SMB) critical vulnerability that Microsoft patched with MS17-010 on March 14, 2017. While WannaCry damage was mostly limited to machines running Windows 7, a different version of EternalBlue could infect Windows 10.” (Source: Dark Reading)
  • Why Two Factors Are Better Than One. “In fact, a recent study conducted by the Pew Research Center illustrates why reliance on the single factor of ID and password may not provide sufficient protection. The study found that 39% of online adults have shared their password to one of their online accounts with a friend or family member. In addition, 25% admit that they often use passwords that are less secure because simpler passwords are easier to remember.” (Source: InfoSecurity Magazine)
  • Singapore, Australia Forge Cyber Security Ties. “In a two-year memorandum of understanding (MoU) inked by the two countries on 2 June 2017, the Cyber Security Agency of Singapore and the Australian government will conduct regular information exchanges on cyber threats, share best practices to promote innovation in cyber security and build cyber security capabilities.” (Source: Computer Weekly)
  • The End Of Net Neutrality Could Shackle The Internet Of Things. “Net Neutrality isn’t the simplest concept to grasp. Explaining it works best via example: Net neutrality means, say, that internet providers like AT&T, Comcast, and Verizon, which also have their own television and streaming video services, can’t create ‘slow lanes’ for competing services. They can’t gum up traffic from sites such as Netflix and Dish’s SlingTV in favor of their own.” (Source: Wired)
  • Russian Hackers Control Malware Via Britney Spears Instagram Posts. “A group of Russian-speaking hackers has been attacking multiple governments for years now. Not only that, but they also experimented with different methods of conducting those attacks with the help of the social media websites. Their approach was pretty clever, and they used those sites for concealment of the espionage malware.” (Source: HackRead)
  • Slack, Telegram, Other Chat Apps Being Used As Malware Control Channels. “Researchers at Trend Micro took a closer look at platforms including chat programs, self-hosted chat clients, and social networks to see whether their application programming interfaces (APIs) could be turned into C&C infrastructure. API refers to definitions, protocols, and tools that a program uses to interact and perform specific tasks.” (Source: Dark Reading)
  • Google Ads For Tech Support Scams – Would You Spot One? “According to Bleeping Computer, the dodgy campaign was spotted on Friday by a US user who posted his observations to a StackExchange thread. The user said that a coworker had searched for ‘Target’, clicked the top result – which was an ad – and was redirected to a phishing page that was rigged up to look like a Microsoft tech support page that wanted him to call a ‘tech support number’.” (Source: Sophos’s Naked Security Blog)
  • This Russian Vending Machine Will Sell You Fake Instagram Likes. “For years, those hungry for online validation have bought fake likes, faves, or followers for every social media site imaginable. In exchange for a small sum, dozens of sketchy websites promise anywhere from a couple dozen likes on a single Instagram photo, to a million Twitter followers.” (Source: Motherboard)
  • Worried About Election Hacking? There’s A Fix For That. “Revelations regarding top-level inquiries into a cyberattack launched by Russian military intelligence agents on an American voting-systems manufacturer, and of an apparently related attempt to hack the e-mail accounts of local election officials around the United States shortly before the 2016 presidential election, should turn the attention of Congress toward the need to secure this country’s extraordinarily vulnerable electoral processes.” (Source: The Nation)
  • 14-year-old Japanese Student Caught For Creating Ransomware. “The cyber criminal community is quite active is developing nasty ransomware to infect unsuspecting users and demand a large amount of money in return. But who could expect a 14-year-old to develop a ransomware malware on his own?” (Source: HackRead)
  • Al-Jazeera Reportedly Hit By Systematic Hacking Attempts. “Al-Jazeera, the Doha-based broadcaster owned by the ruling family of Qatar, says the websites and digital platforms of Al-Jazeera Media Network, its parent company, ‘are undergoing systematic and continual hacking attempts.'” (Source: Help Net Security)
  • Sleeping Giant, Botnets Pose Threat As Ransomware Attacks Decline. “Botnet operators are capable of using their malicious networks to execute virtually any task with a success rate of close to 100 percent, according to a June 7 ESET security blog post. These task could be anything from sending spam, distributing ransomware, carrying out DDoS attacks, or cheating advertising networks, or mining Bitcoin, all of which could change on a whim.” (Source: SC Magazine)
  • Internet Cameras Have Hard-coded Password That Can’t Be Changed. “Security cameras manufactured by China-based Foscam are vulnerable to remote take-over hacks that allow attackers to view video feeds, download stored files, and possibly compromise other devices connected to a local network. That’s according to a 12-page report released Wednesday by security firm F-Secure.” (Source: Ars Technica)
  • Malicious Android App Installs ‘Impossible To remove’ Adware. “The IT Security researchers have discovered a new malware that is essentially an Android Package or APK masked as a cleaner app called Ks cleaner and tricks the users into downloading a security update. Once the update is installed, the malware cannot be removed.” (Source: HackRead)
  • I Admit It, I’m A Cyber Security Professional And I Fell For A Phishing Email. “Both emails lacked any attachments that could have aroused suspicions. On both emails there was a call to action – a ‘Renew your Business Name’ link was in the ASIC email, and a ‘View Your Bill’ link was in the Origin email.” (Source: CRN)
  • Don’t Like Mondays? Neither Do Attackers. “Monday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say. Timing is everything. Attackers pay as close attention to when they send out their booby-trapped emails as they do in crafting how these emails look.” (Source: CSO)
  • Keeping Threat Intelligence Ahead Of The Bad Guys. “Over the course of my recent series on establishing a cybersecurity portfolio, I’ve recommended five steps for businesses to engage in as they determine the security investments that are right for them: 1) Determine Needs; 2) Allocate Spending According to Risk; 3) Design Your Portfolio; 4) Choose the Right Products; and 5) Rebalance as Needed. These steps are akin to the process you would go through with your broker when creating a strong financial portfolio, with a diversified spread of investments and an adaptable strategy that can change along with your needs at a given time.” (Source: Forbes)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Jun 05 – Jun 11) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Please stop posting your X-rays to social media

Malwarebytes - Fri, 06/09/2017 - 14:00

Social media is fun. Posting pictures and sharing them with friends is a great technology. But please, we beg you, stop posting your medical imaging results to Instagram, Twitter, and Facebook. Why? What if you get a gnarly fracture from a really awesome snowboarding stunt and you want to share your battle wounds? Let’s start small and see where an X-ray or MRI can take us.

 

Personally Identifiable Information Click to view slideshow.

Depending on the facility, your X-ray or MRI might have your full name, date of birth, social security number, name, and the name of the facility in question. This much information is good when your doctor needs to know with 100% certainty that you are you and are tied to your medical records. It’s bad when it’s on Twitter.

 

Doxxing Click to view slideshow.

Disclosure of one piece of personal information feels inconsequential. But multiple, low-value pieces of information disclosed on multiple platforms can yield an analytic chain that can uncover more serious data. For an X-ray, your name, and the name of a hospital seem fairly trivial and non-threatening. But the hospital name provides your probable city of residence, which in conjunction with your name, often provide property, tax, and voting records. Public data brokers often organize their best guess matching name and phone number by the city.

Meaning: a bad guy holding his target’s X-ray can have hard validation on the city of residence, which in turn allows him to validate anything else of yours he steals to exclude other people with the same name. It’s a neat trick, with the only real defense being to not post personal information online if its something you can’t change easily. (Your fingerprint, city of residence, name, etc.)

Endangering your hospital/doctor’s entire network

And sometimes the machines taking the pictures can be networked. (Yes, there is an absolute landslide of issues surrounding why and how an X-ray machine should be connected to a network, but that is a series of blogs for another time.) Take a look at this X-ray:

Public facing server redacted

This person has wisely cropped out their own name, but if you check out the bottom right corner, you’ll see the active user account in the program. Not extremely alarming, but further is “Server: [redacted].” Very, very alarming! Perhaps the server receiving the image is a local machine that’s aair-gapped from the Internet but needs to receive images from multiple machines in an office or hospital. (If you are a security professional reading this, we know that this is extremely unlikely.) So, taking the server name and plugging it into a public metadata search tool, we find:

  • The image was taken in 2014, but the server is still active as of writing
  • The server is web facing
  • The WHOIS on the web server is public
  • All of the server’s subdomains are enumerated
  • Traversing the subnet reveals what is most likely a medical record server

Yikes. Medical infrastructure security has problems. A lot of problems. But while the responsibility for an insecure network lies with the organization running it, posting photos that have exploitable information is also not a great thing. Given that vulnerabilities in the medical space can have catastrophic consequences, we should take extra care before exposing any data from inside a hospital or doctor’s office.

But I really, really want to post pics!

Use a crop tool. On a Mac, Command+Shift+4 brings up a resizable frame that can be used to crop out data that is none of the Internet’s business. On a PC, Select the Start button, type snipping tool in the search box on the taskbar, and then select Snipping Tool from the list of results. Remember that you are not only cropping out your information, but also the medical facility’s.

Click to view slideshow.

On Instagram, you can follow the instructions here to crop your photo. On Twitter, maybe you just shouldn’t, unless your account is private.

A good question to ask before you post is “Do I want people I don’t know to have this information, and do whatever they want with it, for as long as they want?” If the answer is no, take a pause before hitting submit and check out our post here on securing your social media profile.

The post Please stop posting your X-rays to social media appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New social engineering scheme triggers on mouse movement

Malwarebytes - Thu, 06/08/2017 - 18:49

One of threat actors’ favorite malware delivery schemes is social engineering as it remains highly effective against a variety of targets. Malicious spam, in particular, is one of the biggest threats enterprises are facing today in the form of daily deliveries of fake invoices, contract, and other receipts.

Those attachments can be scripts, PDFs, or Microsoft Office documents, the latter often containing macros designed to retrieve a malicious payload as soon as users activate them. Today we take a look at a sightly different delivery mechanism that does not rely on macros or exploits, but rather a built-in functionality in PowerPoint to run external programs.

This attack abuses the hyperlink feature to launch a Powershell command as soon as the user moves their mouse cursor over that link. The typical attack scenario is described in the diagram below.

Malwarebytes users were already protected against this threat thanks to our Application Behavior Protection:

Time will tell whether this new infection vector gains popularity among the criminal element. The fact that it does not need a macro is novel and triggers on mouse activity is a clever move. There is no doubt threat actors will keep on coming up with various twists to abuse the human element.

The post New social engineering scheme triggers on mouse movement appeared first on Malwarebytes Labs.

Categories: Techie Feeds

LatentBot piece by piece

Malwarebytes - Thu, 06/08/2017 - 15:00

LatentBot is a multi-modular Trojan written in Delphi and known to have been around since 2013. Recently, we captured and dissected a sample distributed by RIG Exploit Kit.

The main executable is a persistent botnet agent which downloads additional modules and reports about the performed activities to its Command and Control server. Depending on the modules that have been installed, LatentBot has various capabilities, including:

  • Act as a keylogger and form grabber
  • Steal cookies
  • Run a Socks Proxy from the victim system
  • Give remote access to the attacker (VNC / Remote Desktop)

In this post we will describe those modules by taking apart several layers of obfuscation and encryption in order to reveal their true nature.

Analyzed samples

Downloaded modules, injected into svchost:

Behavioral analysis

After being deployed. the original sample installs itself and deletes the sample from the original location. It injects into svchost the initial module (60c3232b90c773ed9c4990da7cc3bbdb). That module performs another injection (of module: b622a0b443f36d99d5595acd0f95ea0e)  – into Internet Explorer (iexplore.exe):

The module injected in the iexplore.exe process is responsible for establishing connection with the CnC and downloading submodules.

At this stage, LatentBot creates two groups of registry keys:

...\Software\Google\Update\network\secure

In the key named “0” the initial PE file is stored:

Another, encrypted key is added under:

...\Software\Adobe\Adobe Acrobat

The data under the key “in” is encrypted by a custom algorithm, typical for the LatentBot, that will be described further (it can be decoded by a dedicated application). After decoding, it gives the path where the malware installed itself, i.e.:

C:\Users\tester\AppData\Local\Microsoft\Windows\shfdnoh.exe

If the CnC is active and the bot managed to download sub-modules, they are run injected into new instances of svchost:

The main module is deployed with a parameter: -l MxN4ViazcD

This parameter specifies a group id where the bot belongs (also encrypted by Latent Bot’s custom crypto).

MxN4ViazcD -> Group 1

Also, the registry keys related to the new modules are added under:

...\Software\Google\Update\network\secure

Decrypted names of the modules are very descriptive:

FtUFJu5xP3C -> formgrab hdtWD3zyxMpSQB -> Bot_Engine l551X+rNDh3B4A -> Found_Core QdG8eO0qHI8/Y1G -> send_report QdW/DoI2F9J -> security RRrIibQs+WzRVv5B+9iIys+17huxID -> remote_desktop_service VRWVBM6UtH6F+7UcwkBKPB -> vnc_hide_desktop w97grmO -> Socks

Some of the modules are collecting data on the victim machine, and saving them in the %TEMP% directory in encrypted form:

Further, they are being uploaded to the CnC.

Persistence

The basic persistence of Latent Bot is simple. The initial sample is copied into:

C\[current user]\AppData\Local\Microsoft\Windows\<random_name>.exe

It is executed on each system startup thanks to a simple Run key:

Once the main module is run, it is responsible for decrypting all the submodules from the registry and loading them.

Network communication

The bot starts communication with CnC by sending a beacon. If the beaconing went successfully, it starts to download additional modules in encrypted form. They are pretending to be .zip files:

The beacon is encoded by two algorithms: Latent’s custom encryption and then Base64:

QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY0pOR3VkWlNtc3Q1VzduWlJ2SHZ6QjJhNEtuTFo3RUNobVlOKzJMbDE0TWxBUXR2NXdxelBtSk1aeDNaNVRlaVdzdFVhZG5IK0JwcEp3NkFXVTlVc3JJYWpKa3VzTnlSbUE=

Base64 decoded:

Adl7k+v9qQGCaZti0LS9vq+scJNGudZSmst5W7nZRvHvzB2a4KnLZ7EChmYN+2Ll14MlAQtv5wqzPmJMZx3Z5TeiWstUadnH+BppJw6AWU9UsrIajJkusNyRmA

Latent custom decoded:

forum?datael=US-70-789548274695&ver=5015&os=5&acs=1&x64=0&gr=Group 1&random=mxmgkuusrfqdotm

As we can see, it contains data about the infected machine, as well as the group name and a random token.

However, not all the communication is encrypted. Some of the further requests are very verbose. Name of each action is identified by a string, in capital letters. Examples:

Client beacons to the server by a HELLO command. In return, the CnC gives it a cookie that is further used as an ID. The content posted between the client and the server is encrypted:

Analyzing the traffic, we can find that the bot sends to the CnC some stolen data, packed as Cabinet format. The content inside is encrypted by a custom encryption algorithm, typical  to LatentBot, that will be described later. The file is uploaded using HTTP PUT method:

Inside

The original sample of Latent Bot, that is distributes in campaigns, comes packed with a crypter. After removing this first layer, we get a loader with the following structure of sections:

All the used strings are obfuscated – particular chunks of the string are being moved to consecutive variables:

The basic role of the main element is to to make injection into svchost.exe. In the memory of svchost.exe, another PE file is unpacked and loaded:

If we dump this file, we find another stage. Starting from this element, all further pieces of Latent Bot have some common patterns. They are written in Delphi, and their strings are obfuscated by the same set of functions. Example:

In order to defeat this obfuscation I prepared a dedicated IDA script (latent_dec.py). Not much of the other obfuscation techniques has been used, so after applying it, the code looks much more understandable:

Another thing, typical for LatentBot’s pieces are the resources following similar schema. The current sample comes with 2 resources: CFG and R. Both of them are encrypted:

This element unpacks another module (b622a0b443f36d99d5595acd0f95ea0e), that is injected this time into iexplore. The new module has resources with a structure similar to the previous one. It’s CFG file contains strings encrypted by an algorithm typical for this bot:

The configuration of this element contains the bot group ID and the CnC address:

MxN4ViazcD -> Group 1 j5kmNVnZPcAt18wWBH3kfMOzGQ6ENA -> http://104.232.32.101/ Modules

The main element of the LatentBot  is an engine downloading and managing the modules. Each module of LatentBot have some different task to do. Overall, it has capabilities of a typical RAT and stealer. Downloaded submodules are various for various samples. In the analyzed one, elements with the following names has been fetched:

  • formgrab-128521-2
  • Bot_Engine-641712-8
  • Found_Core-147200-2
  • send_report-325310-77
  • security-945874-2
  • remote_desktop_service-828255-2
  • vnc_hide_desktop-590642-47
  • Socks-400578-2

Let’s have a look inside some of them…

Bot_Engine Module

As the name states, this is the main module of the bot. It is responsible for the communication with the C&C and loading the plugins.

It fingerprints the environment and send the collected data in the beacon to the CnC.

'tkNFKRA' -> '&ver=' 'tA8OqC' -> '&os=' 't4M5zB' -> '&av="' 't4c85aF' -> '&acs=' 'tct4rwD' -> '&x64=' 'tgszOD' -> '&gr=' 'tMc36A' -> '&li=W4' 't89KWAf3QyCh' -> '&plugins=' 'to8KKL6mYGs8' -> '&errcode=' 't08rKTC' -> '&bk=1' 't08rKXC' -> '&bk=0' 'tEMeVgHimC' -> '&note=1' 'tEMeVgHinC' -> '&note=0' 'tsMSYj/L' -> '&dom=1' 'tsMSYjvL' -> '&dom=0' 'tw9sex5WXDzsMB' -> '&sockslog=' 'tk9H0psjw5Wv' -> '&vncpass=' 'tkNGWE8KNC+N' -> '&vidtype='

Example – checking installed AV products:

The dedicated function contains a long list of the directories that are checked,i.e.

This module gives to the attacker remote control on the victim’s environment by executing various commands, such as:

'/tKvXgFBlB' -> 'testapi' 'slx6nfFi' -> 'get_id' '5J5eN0Wp9A' -> 'restart' '4FEa7FfTRCI' -> 'shutdown' 'nxRY+d/E' -> 'logoff' 'slx6nLVh9Et/qqi2eUpf9D' -> 'get_label_engine' 'slx6nLVh9Et/qOCYBWP' -> 'get_label_load' 'slx6n7kxqMcKNsq0UkmG' -> 'get_plugin_list' '7hfCrPhOfgfTX28h8TZS' -> 'plugin_stop_all' '7hfCrPhOfkfbTM6EplCNCN1d' -> 'plugin_restart_all' '7hfCrPhOfg+PtNcXVAc8JLsPUA' -> 'plugin_clear_storage' '41l3p17Xus/kRtagq7ObrZEM/WucXWH' -> 'stop_engine_and_plugins' '+FJV1v6mXl5SW7r8cB' -> 'uninstall_all' 'slx6njktomFaQ0F' -> 'get_version' '7hfCrPhOfgfTX2M' -> 'plugin_stop' '7hfCrPhOfkfbTM6EplC' -> 'plugin_restart' '7hfCrPhOfgfTX28h8bppqx+bZm/CQDXSnB' -> 'plugin_stop_and_uninstall' '7hfCrPhOf4vfz5NHktwwJB' -> 'plugin_uninstall' '7hfCrPhOfgfTZiCd' -> 'plugin_start' '7hfCrPhOfgfTZiCdhJwYvUM' -> 'plugin_start_auto' '7hfCrPhOfgfTX28h83I9CD' -> 'plugin_stop_autox' 'slx6n7kxqMcKNsazBUKWvC' -> 'get_plugin_start' 'o5SQ6EkjlBwmdJhahA' -> 'clear_cookies'

Example – fragment of the function stealing and clearing the cookies:

After completing a task, it also sends a report about the operation status:

Security Module

This module performs extended environment check against various security products. Looking at the resources, we can find three elements: DFX, VBL, FDL containing lists of strings encrypted in the typical way:

Decrypting them gives an extensive list of the checked paths: DFX , VBL, and modules (exe, dll, sys): FLD

Formgrab Module

In comparison to other modules, this one does not contain string or API obfuscation.

We can find it grabbing the content of fields of the windows:

…and tapping the typed keys:

Foud_Core Module

This is the only module that has been written in C++ instead of Delphi. It comes with a default icon added to Windows projects by Visual Studio.

It’s original name is installer.exe and it exports various functions, that can be used to make injections into 64 bit applications:

It has various features that are different from other modules, i.e. lack of string obfuscation. Performed actions are reported by debug strings, that are stored inside the binary as open text, i.e.

The compilation timestamp of this executable points at the February of 2017: 2017:02:28 18:21:01+01:00. This element was not observed in previous years, so probably indeed it is added this year, to expand injection capabilities of the LatentBot to 64 bit processes.

Conclusion

LatentBot has been around for several years, however, looking at the modules we can find out that it is still being actively maintained. The distributed package is a mixture of old and new modules.

The authors of this bot are not very advanced in malware development. They program in Delphi and use some ready-made templates. Also, the obfuscation they use can be easily defeated. However, they delivered a bot that is very rich in features and easily expandable, thus, it still poses a serious threat.

Appendix

https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ – Polish CERT on LatentBot (December 2016)

https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html – FireEye on LatentBot (2015)

https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access – CyS Cenrtum report (2015)

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post LatentBot piece by piece appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 5

Malwarebytes - Thu, 06/08/2017 - 14:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

In this part of the series, we will be focusing on cases where the process we found as the one that was showing the advertisement was not the actual culprit. We will demonstrate how to use Process Explorer to see which handles, DLL’s and parent processes are involved. Which is a relatively easy way to figure out what a process is doing.

Process Explorer

As mentioned before the tool we will be using for this episode is Sysinternal’s Process Explorer. At the moment I was writing this post the current version of Process Explorer was v16.21. To view DLLs and handles you will need to enable the Lower Pane view and set it to DLLs or Handles respectively.

To enable the Lower Pane View, click View > and put a check-mark in front of Lower Pane View. Then if you hover over the Lower Pane View option you can either select DLLs or Handles.

Parent process

But let’s have a look at the parent process first. When you toggle the header of the Process column you will notice one configuration (like in the screenshot above), where the processes are shown in a tree-like fashion. The other configurations are alphabetical and reversed alphabetical. The tree-like representation allows you to see which process started the one(s) listed under it. Example: the processes listed under “explorer.exe” have explorer.exe as the parent process. Which in the case of explorer.exe often means that the user double-clicked the executable or a shortcut to that executable. But in cases where a browser window is showing you an advertisement, it can be interesting to see which process is the parent process of the browser process, because that could be the one you are after.

DLLs

Dynamic Load Libraries (DLLs) are files that can be used by other executable files. They often contain functions or other pieces of code, that can be called by name or entry point. In this way, the code in the library can be executed as part of the running process. To see all the DLLs that are in use by one process, you can look at the Lower Pane. Tip: if you want to present this list to someone to get a second opinion, you can select the process in the top window, then click

Tip: if you want to present this list to someone to get a second opinion, you can select the process in the top window, then click File > Save As and save the resulting text file.

Tip: sort the Lower Pane by Company Name so you can easily skip all the Microsoft Corporation files. This will usually limit the number of DLLs you need to look at to a few.

Handles

Handles are a good way of looking whether a process is using certain resources like ports, sockets, and files. And the beauty of Process Explorer is, that if you know which handle you are looking for, you can search for that handle. For example, if you want to look at which processes have a handle on the counters.dat file, which is often shared among many internet connected processes, you can click Find > Find Handle or DLL… and then type the name of the resource in the prompt to get a list of processes that have a handle on it.

When in doubt, you can enable the Virustotal lookup of handles by clicking Options > VirusTotal.com > Check VirusTotal.com. This will send the hashes to Virustotal, a free service that analyzes suspicious files and URLs. With a bit of luck, you will notice a detection in the list that you would have missed if you had only checked the list of processes against Virustotal.

When you right-click a Handle, you will see the option to Close Handle. Releasing these handles can sometimes help when you encounter files that are undeletable because they are in use. By closing all the handles these files will become deletable as they will be no longer in use.

Example

Let’s use some adware, as an example, that uses your default browser to open advertisements. On this system, Firefox is the default browser. Every time I open Firefox I will get a new tab with a different advertisement (all redirects in this case).

It is obvious that the process is firefox.exe and a quick examination tells me there are no extensions at play and no active proxy is present. A little deeper investigation showed no LSP or DNS hijacks.

So I looked at my list of installed programs and saw something unknown, which was also suspicious because it has no Publisher and no Version, and the install date happens to match the date the advertisements started.

So I performed a search for DLLs and Handles with Process Explorer and found the QIPApp in quite a lot of processes and it even has a process with the same name.

In this case, the uninstall worked and the adware was gone after a reboot, so we didn’t have to remove it manually. We also could have used Malwarebytes to remove it, but I used it as an example to demonstrate the method of investigation.

See you next time when we will tackle the ones that are a lot harder to find and remove.

Index

Part 1

  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2

  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3

  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Part 4

  • Scheduled tasks
  • Services

Part 5

  • DLL’s
  • Handles
  • Parent process

Up next, part 6

  • ADS
  • Rootkits
  • Fileless infections

 

The post Adware the series, part 5 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fireball Chinese malware and you

Malwarebytes - Wed, 06/07/2017 - 22:54

By now, you might have heard about an adware infection operation that has allegedly spread to 250 million systems called Fireball.  The threat intelligence and research teams at Check Point wrote a blog post last week describing the operation, what the threat does, the system, and the alarming potential the malware has for doing some serious damage.

Fireball the malware:

Fireball is currently being used as a browser-hijacker being frequently installed through bundling (the same infection method that brings you most of the PUPs we detect) modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine (the company that created Fireball).  Also, it utilizes tracking pixels to collect private information about the user and their browsing habits.

The best case

As mentioned before, Fireball is most frequently classified as adware or malware that exists solely to push users to specific web pages and serve them loads of advertisements, getting paid on the back end through all the clicks the ads get by unwilling users. With this in mind, the best scenario is that Fireball continues just to be adware, being annoying and disruptive but not overly dangerous.

The worst case

Fireball also happens to have some additional features that make many security researchers very nervous; this includes the ability to download and execute additional malware.

When you think about 250 million endpoints being infected with this adware and any day it could just decide to drop and execute any malware on the system, it will make you nervous too.  Here is what could potentially happen in the worst-case scenario:

  • Fireball drops a botnet malware family on all the endpoints, turning it into the most powerful Distributed Denial Of Service weapon ever created, which could be used for taking down the web servers of critical infrastructure, competitor websites, game servers, social media and even our unfortunately designed internet backbone (registrars and top level DNS servers) which could prevent many people from accessing their favorite websites.
  • Fireball drops ransomware on the systems and then waits to get paid, disrupting millions of systems and the users and organizations that rely on them
  • Fireball drops any other malware (or a combination of malware) and can steal credentials, spy on users, hijack social media and communication accounts or just use the whole thing as a massive spam spreading operation.

Why this might not happen

Education is key when it comes to dealing with new cyber threats, Check Point did a fantastic job bringing this infection to the eyes of users at large and the media, it has had a lot of coverage over the last few days and hopefully folks are scanning their systems and removing unwanted plugins to help reduce the power this adware operation has to do anything worse.

In addition to that, while Rafotech (who created Fireball) is using the infection to spread advertisements, they are sitting in a legal gray area and shutting them down would be a bit difficult without some serious international cooperation.  However, if Fireball started spreading additional malware, like ransomware or bots, then you’ve got an international crisis on your hands, and law enforcement for every country affected knows who the culprit is, safe to say it would be a bad move.

The worst, worst case

In a nightmare universe, the backend command and control systems that decide what Fireball does is compromised by malicious actors who then drop all kinds of nasty malware on the systems.  If that were to happen, you would still have the international crisis but no attribution.

You can guarantee though, that even if the attackers cannot be stopped, Rafotech would take a lot of heat and face serious charges for their involvement in creating this threat, not securing it correctly and handing a nuke to whatever cybercriminal wanted it.

Removing yourself from the problem

Obviously, if your system is infected with Fireball then not only is your safety an issue but also the safety of every other system on the internet. It is easy to weaponize an infected system to be used for direct DDOS attacks, act as a proxy for traffic (hiding the bad guys) to spread malware itself in the case of some spambots.

So, how can you remove your system from being used in this way? It’s pretty easy actually.

  • Check your browser

Are you being redirected to the Rafotech search engine or feel like you’ve seen an immense amount of advertisements being pushed to you without provocation recently? If either of those is true, it’s likely you are infected with Fireball.

  • Run a scan

Your first step is to download, install, update and scan with Malwarebytes 3.0.  This will identify any artifacts on the system belonging to the threat; we detect Fireball as “Adware.Elex.”  We know exactly what Malwarebytes can detect concerning this threat, so we are only discussing remediation using our tool.

  • Find any strange browser add-ons

Fireball utilizes browser extensions and add-ons to help it complete its goal of drowning you in ads. So, you want to make sure there aren’t any that you didn’t install yourself, if you find one that looks strange, go ahead and remove them.  You can check out this resource that Facebook put together to help folks clean up the add-ons and extensions they have in their browser which may be causing problems.

  • Reset your defaults

After a Fireball infection, your default homepage and the search engine would have been modified; you can go into your browser settings to change them back to what you want or just restore the whole browser to its default state.

Conclusion

We want to thank Check Point for their fantastic analysis of this threat and bringing it to the attention of the world. We hope that those infected with this adware can find articles like this and learn how to clean up their systems before one of the worst-case scenarios listed above actually become a reality.

In the meantime, it’s best not to consider any malicious threat less dangerous than others, PUPs, adware, spyware, and others are still software installed on a system with the limitations (or lack thereof) of any other piece of software. Just because something is being used for one purpose today doesn’t mean it won’t be repurposed for something far more damaging next week.

Thanks for reading, stay alert, stay safe and we’ll catch you next time.

The post Fireball Chinese malware and you appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds