Techie Feeds

Explained: security certificates

Malwarebytes - Tue, 08/08/2017 - 18:17

As a result of my PowerShell series [1],[2],[3], where I used the handling of certificates as an example, mainly because I wanted a method to keep track easier of which certificates were being added by malware, I’ve have received some questions about how security certificates work and how they stopped our software from working.

First, it helps to take a look at your own certificates. Go ahead and open the Microsoft Certificates Management Console. You can do this by typing certmgr.msc in the search field of your start button. You will have to do this as an administrator of the system.

You should see an overview of your certificates divided up into categories. The most used and usually the most important categories are Trusted Root Certification Authorities and Untrusted Certificates.

What are these certificates?

Root certificates are a method to prove that a communication you are receiving (from a website, by mail, or otherwise) comes from the source that it claims to be. This is done by public key encryption to establish a trust between the holders of the public and the private keys. But since it would be impossible to store certificates for every site we’ve ever visited or wish to visit, the system of certificate authorities (CA) was set up. To establish trust that a certificate is genuine, it is digitally signed by a root certificate belonging to a trusted certificate authority. Operating systems and browsers maintain lists of trusted CA root certificates so they can easily verify that they have been issued and signed.

You may have seen prompts warning you about a website’s security certificate, or as in the example below, a mismatch between the certificate and the name of the site:

The image shows which checks have been made before allowing a free exchange of information:

  • Can we trust the source of the certificate?
  • Is the certificate still valid? They all have a starting and an expiration date.
  • Is the name valid, and does the name on the certificate match the name on the site’s certificate?
  • Is the signature strong enough?

Another important check needs to be done, however. Has the certificate been revoked? Sometimes the CA revoke certificates, mainly because the certificate, or the private key, has been stolen or compromised. This check is made against the Certificate Revocation List (CRL), which is a system that unfortunately has some flaws, meaning sometimes the check is not completed.

Untrusted certificates

As we have seen in the past, certain types of malware place certificates in the Untrusted category, which basically disables users from downloading and using security software to remove the malware. Below you can see that the Malwarebytes certificate was placed in the Untrusted category by the Wdfload malware.

 

This certificate, however, has nothing to do with our website. Instead, it’s associated with our software. With the certificate above in the Untrusted category, this is what you will see if you try to run our software.

Even though the CA (DigiCert) did not revoke our certificate and can still be found under our Trusted Root Certification Authorities, the Malwarebytes certificate was listed as revoked by the malware. We have to remove the certificate shown above from the Untrusted category before we can use the software again.

So there you have it: a brief explanation of how security certificates work and how malware can abuse the certificates system to block you from downloading and/or running your favorite software.

The post Explained: security certificates appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 31 – August 6)

Malwarebytes - Mon, 08/07/2017 - 19:19

Last week we explored some basic PowerShell commands, dived into the new methods used by TrickBot, and wrote at length about the Magnitude exploit kit redirection chain. Our teams were busy at both BlackHat and DefCon, and outside of those famous hallways, we also took time to fire up some basic PowerShell programs.

Naturally the two big security events have consumed most of the column inches this past week, but even so there’s still a couple of notable security stories floating around.

Latest updates for Consumers

WannaCrypt victims paid out over $140k in Bitcoin to get files unscrambled: Victims of Ransomware continue to pay the price (source: The Register)

Web Developer for Chrome compromised: A timeline of how a Chrome extension was taken over by bad actors (source: Blog on Chris Pederick)

iOS users beware: You’re the biggest target for mobile phishing attacks: Keep a close eye on your trusty Apple devices (source: TechRepublic)

Nigerian man charged in US phishing scam: Contrary to popular belief, sometimes the phishers do get brought to justice (source: VOA News)

Divorce, wiretapping, and email: This domestic fallout has it all (source: The Register)

Stay safe, everyone!

Malwarebytes Lab Team

The post A week in security (July 31 – August 6) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Apple phish: Summary report statement

Malwarebytes - Mon, 08/07/2017 - 15:30

If the following message lands in your mailbox, you may wish to throw on your “This is highly suspicious” cap before proceeding further:

 

The email is titled

RE: [ Summary Report ] Statement login and update account 08/05/2017

Note the old spammer trick of placing “RE:” at the start to make you think there’s some sort of correspondence taking place.

Spoiler: there isn’t.

The message reads as follows:

Apple ID
Account Information Page

We need your help resolving an issue with your account. Thus, we have temporarily lock your account.

We understant it may be frustating not to have full access to your account.

We want to work with you to get your account back to normal as quickly as possible.

How can you help?

It’s usually quite straight forward to take care of these things. Most of time, we just need some more information about your account.

Please complete your account informations by clicking in the link below.

Confirm My Account
We will permanently lock your account if we don’t receive your verification within 24 hours.

Regards,

Apple Support

The URL used is a Goo(dot)gl shortener (now deactivated), which was bouncing users to the final destination below located at

online-appleidsupport-accountimportant(dot)net/Login(dot)php?

Entering an Apple ID and password results in the following (fake) message that the account has been locked:

We’ve noticed significant changes in your account activity. For your protection, we’ve disable [SIC] your account.

Unlock account

The next page asks for a lot of personal information, including: name, address, DOB, phone number, full card information, security question information, and even 3D secure details.

This is not something you want to hand your details over to. This site joins the ranks of phishing pages making use of HTTPs to appear more authentic – here’s the real Apple sign in page:

You’ll notice it mentions the company name. This is called an Extended Validation certificate. The one being used on the phish page claims to be from a service offering free certs to those possessing a web domain.

A good example of why you shouldn’t just believe the site in front of you is legit, purely because there’s HTTPs going on in the background. Emails directing you to pages asking for payment info via embedded links should set off all the warning alarms – and this particular email and website combo should be forever banished to your “ignore forever” folder.

Christopher Boyd

The post Apple phish: Summary report statement appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Learning PowerShell: basic programs

Malwarebytes - Fri, 08/04/2017 - 18:00

In the previous posts we have looked at some elementary PowerShell concepts and we have constructed some basic commands to export and compare data.

We did this by using an example of certificates being dumped in the “Untrusted” category by some malware. This time we will try to write a program that can undo these changes.

Remember when running PowerShell scripts, unlike single commands, that you will have to remove any execution restrictions that are in place. This command will allow everything for the current session:

Set-ExecutionPolicy Unrestricted

Objectives

One of the basic skills in each scripting language is text manipulation. I will need a few of those manipulations, before I’m able to use the html export we created last time, as a source for the list of registry keys that I need to remove. But we know they are all present in that export, so let’s get to it.

To read how we created the comparison.html file have a look at the previous post in this mini-series. First we need to get rid of some unnecessary text that was added during the process of making tables and converting to HTML.

One of the lines we want to get rid off is the header. We could take the easy route and simply delete it, but I want to build in some extra safety, so I will try to remove all the lines that do NOT contain @{Thumbprint= since those are the entries we are interested in anyways.

So how do we do that?

Get-Content c:\users\public\desktop\comparison.html | Select-String -pattern "@{Thumbprint=" | Out-File C:\certain\ceficates1.txt

That command filters out all the lines that do not contain the @{Thumbprint= string and brings the html back to a text file, because txt files are a bit easier to work with.

Now we will need a step to get rid of the table make-up.

click to enlarge

(Get-Content C:\certain\ceficates1.txt) -replace "\<.*?\>","" | Out-File C:\certain\ceficates2.txt

This one looks a bit more complicated because of the regular expression. Regular expressions (regex) are worthy of a topic all by themselves, because of their complexity and usefulness. Maybe another day. This one looks for a “<” and deletes that and everything up to and including the closing “>”.  That got rid of all the <tr>, <td>, </td>, and </tr> bits that were previously needed for the table. The Get-Content call needs to be in parentheses or PowerShell would regard – replace as an argument for that call and throw an error, as -replace is not defined as an argument for that cmdlet.

Now, just for good measure I want to delete all the SideIndicator arrows as well. Note that in the text file they look like this: =&gt; where “&gt;” is the html code for “>”.

(Get-Content C:\certain\certificates2.txt) -replace "=&gt;","" | Out-File C:\certain\certificates3.txt

Now that we have cleaned up the file we can use the next loop to delete the registry keys. And with those keys we effectively delete the certificates.

$List = Get-Content certificates.txt
foreach ($Line in $List) {
$First, $Second, $Third = $Line -split ';'
$Thumbprint= $First -replace("@{Thumbprint=","HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\")
If ($Thumbprint.length -eq 108) {
$path = $Thumbprint
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $path
Remove-Item –Path $path
Write-Host ($path,"removed")
}
}

Explanation of what this loop does:

  • It reads the text file line by line and splits each line up using the “;” as a delimiter.
  • The first part of each line contains the Thumbprint, so we can ignore the rest and use only the first part.
  • We replace the text added by the Get-ChildItem ( which is “@{Thumbprint=”) by the path to the registry key that we need (“HKCR:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\”)
  • As an extra security measure we check if the length of the string equals 108 (the length of the key including the Thumbprint. We do not want to delete random registry keys because of some fluke in the text-files. As an exercise: think what could happen if someone used the “<” in the Subject part of the certificate.
  • Then we give ourselves full control over that same registry key and remove it.
  • Then the program writes to the PowerShell terminal which keys were removed.
Aftermath

When putting the program together I found out that it worked better to move the command that filters out the lines without the @{Thumbprint= string further down, because it caught some lines that were created by some unexpected word-wrap issue. So the final version of my program looks like this:

Get-ChildItem -Path cert:\currentuser\disallowed -Recurse | select Thumbprint, FriendlyName, Subject| Set-Content c:\users\public\desktop\certificatesafter.txt
compare-object (get-content c:\users\public\desktop\certificatesbefore.txt) (get-content c:\users\public\desktop\certificatesafter.txt)| ConvertTo-Html | Set-Content c:\users\public\desktop\comparison.html
Get-Content c:\users\public\desktop\comparison.html | Select-String -pattern "@{Thumbprint=" | Out-File C:\certain\certificates1.txt
(Get-Content C:\certain\certificates1.txt) -replace "\<.*?\>","" | Out-File C:\certain\certificates2.txt
(Get-Content C:\certain\certificates2.txt) -replace "=&gt;","" | Out-File C:\certain\certificates3.txt
Get-Content C:\certain\certificates3.txt | Select-String -pattern "@{Thumbprint=" | Out-File C:\certain\certificates.txt
$List = Get-Content certificates.txt
foreach ($Line in $List) {
$First, $Second, $Third = $Line -split ';'
$Thumbprint= $First -replace("@{Thumbprint=","HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\")
If ($Thumbprint.length -eq 108) {
$path = $Thumbprint
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $path
Remove-Item –Path $path
Write-Host ($path,"removed")
}
}
del C:\certain\certificates1.txt
del C:\certain\certificates2.txt
del C:\certain\certificates3.txt
del C:\certain\certificates.txt

Using it

In case you are interested how to use this.

In theory we would have created a folder C:\certain that holds the script (the one directly above) which is then also in use as a temporary storage for all the different text files.

On the public desktop there is the text file that holds the “Before” set of certificates. On a VM that could be a part of the snapshot.

So, all we have to do to get an overview in html off the added certificates and remove them at the same time:

  • Run Powershell as Administrator
  • Command: Set-ExecutionPolicy Unrestricted
  • Confirm with a Y
  • Command: cd c:\certain to change the directory
  • Command: .\certsfinal.ps1 to run the script

And behold, we will have c:\users\public\desktop\comparison.html with our list of added certificates and the list in the terminal to confirm that they were removed.

 

A word of warning for those who want to repeat this on their own VM: make sure to kill the certsdropper process as it will re-add the certificates if it’s still active. And make sure only to try it on a VM as the certificates are not the only changes it makes.

I hope you found this useful. I am well aware there are more efficient ways to do this, but all your possible improvements are welcome in the comments

Links:

Strings in PowerShell – Replace, compare, concatenate, split, substring

Regex

Pieter Arntz

The post Learning PowerShell: basic programs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

DEFCON 25

Malwarebytes - Fri, 08/04/2017 - 16:11

After a few days in Las Vegas and after BlackHat, DEFCON 25 is finally over! It was an amazing time around awesome people.

I didn’t attend all the talks, but most of the ones I saw were interesting:

This talk presented several ways to bypass protections against DNS rebinding, and ways to access data from an internal network using these techniques. Several mitigations were also presented, one of them being, to not use strong authentication only for external resources, but to enforce them for internal resources as well. He released Jaqen, a tool used to reliably execute DNS rebinding attacks using different methods.

This talk presented the weird behavior of URL parsers and how to get a RCE in Github Enterprise using a chain of four vulnerabilities exploiting SSRF.

Tor developers have been working on a new generation of Onion Services to make them stronger to resist censorship and to provide several interesting features that the current generation doesn’t have. This talk also explained that {Dark, Deep}Web is not really a thing and is most of the time used as a marketing nonsense term: the biggest website using Tor Onion Services is actually… Facebook.

This talk presented the impressive research and results from Google and CWI which led them to get a way to get SHA1-collisions after several years of work and intense computations. Some unexpected consequences have also been presented, like the Webkit repository corruption. Counter crypt-analysis mechanisms used to detect these collisions implemented in Gmail and Github have also been explained.

  • Breaking Wind: Adventures in Hacking Wind Farm Control Networks, by Jason Staggs.

This talk presented internals of wind turbine control networks, and how security is totally absent from their design: unauthenticated APIs, flat network, false security claims from vendors…

This talk presented a very cheap (but efficient) way to leverage DDoS and bruteforce attacks against websites and OTP systems, using several Microservices providers.

This talk presented interesting ways to use webhooks and Github as a broker C&C to exfiltrate data in a constrained environment. Github issues and comments were used as a communication channel. A proposed mitigation: to restrict outbound access to required Github repositories only.

This nice and technical presentation explaining the process to get Ring0 exploits primitives using GDI, and analyzing security issues MS16-098 + MS17-017 with the first standpoint.

This talk presented the new features and developments related to Windows Defender galaxy…. and how to get around the new defense mechanisms introduced in latest Windows 10 versions.

Apart from these talks, villages and panels were very exciting places to attend. SE-Village, Recon-Village, Crypto and Privacy Village, Voting Machine Hacking Village and Packet Hacking village were particularly great! Also, the EFF panel on Friday night was nice to get updates and discussions from EFF directors and attorneys.

Recorded presentations and workshops are available on media.defcon.org .

This was a nice (but very crowded!) edition, looking forward to next year!

The post DEFCON 25 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Black Hat USA 2017 Recap

Malwarebytes - Wed, 08/02/2017 - 21:54

What do you get when you put hackers, gambling, and dogs together? Black Hat USA 2017  …and a random zoo conference happening next door. Last week, we wrapped up another successful trip to Las Vegas for Black Hat. For those of you who couldn’t make it or had too much Vegas fun and need a reminder of what happened, here’s a little recap for you.

Background

Every year Black Hat, the world’s leading information security event series in the world, hosts a six-day conference in Las Vegas. The conference and technical training sessions focus on the latest research, development, and trends in the cybersecurity space. This year Black Hat hit a major milestone by celebrating its 20th year in hosting these events.

Hot topics

In the last couple of years, we’ve noticed a lot of conversation about AI machine learning  – specifically this year focused on AI Machine Learning Neutral Networks in the security industry. The general belief is that AI alone will help defeat all malware and move us into the new age. That’s not going to happen – in our opinion. All these AI talks seem to forget one important thing. How exploitable and manipulative a machine learning database and algorithm can be. They are extremely prone to be poisoned and easy to bypass when you know what you’re doing.

There were a million talks this year and last about AI machine learning and how you can use it to detect malware and defeat exploits and so on and so forth, however it will never be practical in the way the talks are pushing. AI will do amazing things in the background of security companies and in unison with other security functions though.

Booth action

The Malwarebytes booth was as hot as the hippest DJ playing at the “it” club in Vegas. ZERO the robot was a crowd favorite per usual. Our product marketing team (Dana & Helge) broke down the current threat landscape, went into detail about Jaff ransomware, and talked about our latest business products – Endpoint Protection and Incident Response.

Click to view slideshow.

 

Conclusion

Black Hat always seems to bring around a talented group of professionals. We’re happy we can participate in this event each year and spend some time meeting everyone. It seems like AI will continue to be a hot topic, it will be interesting to see what updates are to come in the next year.

Thank you to all those that stopped by the Malwarebytes booth. See you next year!

The post Black Hat USA 2017 Recap appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain

Malwarebytes - Wed, 08/02/2017 - 15:00

Over the last few months, we have been keeping an eye on the Magnitude exploit kit which is mainly used to deliver the Cerber ransomware to specific countries in Asia. Our telemetry shows that South Korea is most impacted via ongoing malvertising campaigns.

When a visitor goes to a website that monetizes its traffic via adverts he may be exposed to malicious advertising. Tailored ads shown in the browser are initiated on-the-fly via a process known as Real-time Bidding (RTB). Unfortunately, crooks will take advantage of this process by deceiving and abusing ad agencies, trying to win the online auction to serve their malicious content.

Figure 1: Typical redirection flow via Magnigate to Magnitude EK

In addition to traffic filtering performed by various ad networks, users are inspected at a ‘gate’ that decides whether or not they should be allowed to proceed to Magnitude EK. This gate, which has been nicknamed ‘Magnigate’ by Proofpoint [1], performs additional checks on the visitor’s IP address and user-agent to determine their geolocation, Internet Service Provider, Operating System and browser information.

Double purpose

Magnigate serves two goals: to be a decoy site for non-intended targets or to be a redirection mechanism to Magnitude EK (or a social engineering scheme [1]) for the visitors that meet its requirements. In other words, seeing the content of the bogus site means the redirection to Magnitude EK has failed. During our tests, we also noticed that the gate can send a 404 or 502 HTTP status code.

Figure 2: Magnigate leads to e-cig decoy site (avoidance) or Magnitude EK (real target)

Beginnings: 2013-2014

Using publicly available packet captures as well as our own honeypots, we go back in time and explore the history and evolution of this gate. Note: this post does not intend to be completely exhaustive and the reader should know that there are other redirection chains than the ones solely presented here.

Early packet captures are hard to find publicly but PCAPs from mid-2013 and 2014 show various techniques used to redirect users to Magnitude EK.

302 redirect

This one shows a 302 redirect from a possibly compromised site in August 2013 although malvertising was also an infection source at the time (MalwareDontNeedCoffee [2]). The PCAP comes from Malware-Traffic-Analysis.net.

Figure 3: A site performing a redirection to Magnitude EK in the summer of 2013

iframes

In January 2014, we can see iframe insertions on compromised sites to redirect to a second stage server that performs the 302 redirect to the EK. The PCAP comes from Malware-Traffic-Analysis.net.

Figure 4: iframe injections resulting in 302 redirect to Magnitude EK

top.location.href

Yet another redirection technique is seen in this March 2014 capture. (Side note: the website pictured below remains hacked, even 3 years later). The PCAP comes from Malware-Traffic-Analysis.net.

Figure 5: A compromised site leading to Magnitude EK in the winter of 2014

JS injection to iframe

In this September 2014 snapshot, we see a compromised website with a malicious JS injected into it. The PCAP comes from Malware-Traffic-Analysis.net.

Figure 6: This external JavaScript calls a Magnitude EK landing page

Steganography

In October 2014, we see an interesting redirection technique involving steganography which was not obvious at first. The malicious redirect URL is stored in an image file hosted on the hacked site (data.png). It’s a poor name choice for a file designed to conceal… data, considering the effort that was put into the JavaScript function that decodes it.

The PCAP comes from Malware-Traffic-Analysis.net.

Figure 7: An interesting and covert way to redirect traffic from a hacked site via steganography

A more ‘predictable’ gate: late 2014-2015

In November 2014, there is an interesting change with the redirecting infrastructure. A compromised site is injected with a hex encoded script that performs the first redirection to a .eu domain. It is the next domain called filesnews.ws, which performs the final call to the Magnitude EK landing page. It’s noteworthy that the ‘.ws’ domain and the Magnitude EK landing are in the same IP space and both running Apache 2.2.15 and PHP 5.3.3. In the following month, we also witnessed the gate sharing the same server software specs (although in different IP spaces).

The PCAP comes from ThreatGlass.

Figure 8: Overlapping infrastructure specs between gate and EK in this Fall 2014 capture

The use of decoy sites in Magnitude EK campaigns may have started in late 2014 or early 2015. Below is an example of such a site (paypalinvest.info) where traffic originated from malvertising. The fake sites are designed to confuse analysts and have used various themes over time such as finance, gaming, e-cigs, etc.

Figure 9: The use of decoy sites has been a popular trend

Fingerprinting: 2016

A new twist to the gate happened around March 14, 2016. So far, the redirections we had observed had been via one single web request but over the course of a few days, we witnessed the emergence of an added step which also contained ‘fingerprinting’ code. (Side note: According to MalwareDontNeedCoffee the fingerprinting code was already in Magnitude’s main landing page before).

Figure 10: Fingerprinting the user via the browser is shown here in the gate to Magnitude EK

A little over a month later and the fingerprinting gate is gone, replaced by a simple 302 redirect.

Figure 11: A ‘simple’ redirection flow

Sometime later, the first part of the gate changes slightly and reveals the detection of the Kaspersky virtual keyboard:

Figure 12: Detecting (and avoiding) users that have Kaspersky software installed

It was only a matter of time before things changed again. The Kaspersky check gets switched to the second part of the gate.

Figure 13: A switch around for the Kaspersky keyboard detection

Obfuscation: Fall 2016

In the Fall of 2016, an important change happened with Magnitude EK as it was no longer rented as a toolkit, but instead became the sole use of one actor who decided to focus on targeting Asia, and in particular, South Korea, delivering the Cerber ransomware [1].

During the months that followed, the gate which by now was publicly known as ‘Magnigate’, went through some code obfuscation on top of the server side checks to filter traffic by user-agent and geolocation [1]. This meant that capturing Magnitude EK in the wild became more difficult without a proper set-up.

Figure 14: Various encodings in use by Magnigate over the course of a few months

More encoding: July 2017

The latest version of Magnigate has yet different encoding. Here’s a quick look at it.

Figure 15: Magnigate seen in July 2017

Figure 16: Step 1 in the Magnigate redirection flow

Figure 17: Step 2 in the Magnigate redirection flow

Step 0 in the gate?

We spotted an instance where there was a redirect loop within the gate itself before finally carrying on with the usual path. This ‘extra’ check did not happen all the time though, suggesting it is either something still in development or being selectively tested.

The server infrastructure is also quite puzzling, with for example Microsoft IIS instead of the standard Apache we normally see, and residing on an IP address (210.117.120.42) located in South Korea.

Figure 18: An interesting detour before the normal Magnigate flow

A closer look at the code used in this pre-step 1 stage reveals various types of fingerprinting, for example checking the local IP address and detecting the video driver installed.

Figure 19: Getting the current user’s local IP address via the RTCPeerConnection trick

Figure 20: Canvas fingerprinting used to identify the user’s video driver

Whatever the exact purpose of this pre-gate is, it is performing some in-depth checks on the current visitor and passing those as parameters within the URL. Only time will tell if this becomes integrated as a de facto check, or whether this was some kind of temporary trap for honeypots.

Gates and exploit kits

A gate is not required in order to perform a successful drive-by infection so long as there is an existing redirection mechanism in place (via compromised sites or malvertising). However, gates provide an efficient way to do final traffic filtering before wasting resources on non-intended targets. It’s also a very effective means of preventing honeypots and security researchers from poking their nose into your business or perhaps tracking and logging their activity. Some exploit kits like Astrum EK do some heavy filtering throughout the infection chain to be as stealthy as possible, resulting in little information known about their malvertising campaigns or the exploit code they use.

It’s quite likely that Magnigate will continue to evolve but the question is whether these will be slight cosmetic changes (different obfuscation techniques) or more substantial (new detection or evasion techniques).

Malwarebytes users are protected against Magnitude EK thanks to our signature-less anti-exploit module.

References

[1] Cerber, not the only payload: https://www.proofpoint.com/us/threat-insight/post/magnitude-actor-social-engineering-scheme-windows-10

[2] http://malware.dontneedcoffee.com/2013/10/Magnitude.html

Acknowledgements

I would like to thank David Ledbetter and Manuel Caballero for their help in this research.

Indicators of compromise

Magnigate Regex

\/(([0-9]{5,8}|0)(\$|%[0-9][A-Z]|&)){13,14}$

Magnigate domains (step 1)

paypalinvest[.]info bestmoneyinvest[.]net roundgames[.]biz aroundgamez[.]org arcencielfoundation[.]org planetofsgames[.]com lebhaile[.]com sextizer[.]net pyfxmoney[.]com blowyourmindvape[.]com letsvapes[.]com letsdovape[.]com letsovape[.]com

Magnigate fully qualified domains (step 2)

cdi3e82hac4p.boxaims[.]com f344709fpep0ue412r.dieowed[.]com 4lfcfq6a7g94.rarekid[.]com 0adci9j7d7l46e.asmight[.]com d88o9cd59.endsits[.]com c00x28g6c54fax0br.ordrink[.]com 28cdw96cl1do5.givesup[.]com 2a2l2xfcffcb66v.hesoff[.]com 38ffa328261.isleave[.]com 6d82p5d2v0e4ft105s.owesdo[.]com 175c2a53f64lbr64w.milered[.]com e4cua85j8w06crek833x.helpfix[.]stream 70i4o34b724q.bestbusy[.]site 7a48s4eu85kaeu4p3.doebulk[.]com 906q2u4567021q.usfixes[.]com 93c452ci0.deskif[.]com

IP addresses

217.172.189.199 31.3.242.108 78.46.29.251 148.251.205.122 185.130.226.117 185.82.216.199 185.104.11.201 89.163.129.151 91.134.161.63 188.138.102.127 95.215.63.225 95.215.62.214 188.138.68.153 188.138.68.163 94.228.223.242 94.228.223.245 188.165.85.28 51.255.154.6 149.202.232.201 46.105.95.113 151.80.179.144 46.105.95.114 37.59.140.124 145.239.190.17 210.117.120.42

The post Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain appeared first on Malwarebytes Labs.

Categories: Techie Feeds

TrickBot comes with new tricks – attacking Outlook and browsing data

Malwarebytes - Tue, 08/01/2017 - 19:10

Last year we reported about a new modular malware using a network protocol similar to Dyreza – you can read about it here. The malware was not very stealthy and some parts were looking to be under development, but we noticed its potential and capability to be easily extended. Indeed, authors of TrickBot are persistent not only in spreading their product but also in developing new features.

Some of the novel changes have been noted in the report of Security Art Work (available here).

In addition, it has been found, that developers added to the bot a worm module – probably inspired by the success of worm-equipped ransomware (WannaCry, EternalPetya).

But authors of the malware didn’t stop on this – recently we captured some additions – for example, the one called Outlook.dll. While most of the modules are written in C++, this one is written in Delphi. It may indicate that the team of developers gained some new members that are more comfortable with this particular language.

Analyzed samples

Downloaded modules (32 bit):

Behavioral analysis

As before, after being deployed TrickBot installs itself in a new directory created in %APPDATA%. It runs a new instance from the installation directory.

Inside, it creates another directory – Modules, where it drops downloaded modules and their configuration files in encrypted form:

The way in which the modules and configuration files are encrypted didn’t change – still, we can use the same scripts to recover them.

After decrypting config.conf we got some more details about the current campaign – the version of the analyzed configuration is 1000030 and the given group tag is tt0002. Fragment:

As before, the persistence is achieved with the help of Scheduled Task:

The task deploys the main bot, that after being run, decrypts and loads other modules. Each module is injected into a new instance of svchost:

Inside

As before, all the TrickBot modules follow a predefined API. They export four functions:

  • Control
  • FreeBuffer
  • Release
  • Start

As mentioned in the section “behavioral analysis”, in the current run we observed 5 modules. SystemInfo.dll and loader.dll (injectDll32) are present in the TrickBot since the very beginning. The module mailsearcher.dll has been introduced in December 2016 (according to the F5 DevCentral’s article). But there are some modules in the set, that we haven’t seen described before: module.dll and Outlook.dll.

module.dll/importDll32 Overview

This bulky module is written in C++, compiled with Qt5, OpenSSL and also incorporates SQLite. Inside the binary we can find the strings indicating particular versions of the libraries:

  • Qt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)
  • OpenSSL 1.0.2k 26 Jan 2017
  • 2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2 (SQLite)

We can also find references in the code – in the given example QAbstractSocket class from Qt library is used:

DLL’s compilation timestamp indicates that it is pretty fresh, written in May of this year:

2017:05:27 14:27:06+01:00

Functionality-wise, this module is focused on stealing data from the browsers, such as:

  • Cookies
  • HTML5 Local Storage
  • Browsing History
  • Flash LSO (Local Shared Objects)
  • URL hits

…and more.

Authors didn’t put any effort to hide their intentions. Debug strings informing about every action taken are being printed. Examples:

Grabbing URL hits:

In contrary to loader.dll/injectDll (referenced here) which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more:

Browser fingerprinting

During its run the module creates a hidden desktop:

This desktop is used as a workspace, where the malicious module can open and fingerprint browsers in a way that is not noticed by the user.

Inside the malware’s code we can find some hardcoded HTML files with javascripts that are used for gathering information about the browser’s configuration. For example:

You can see the full content here.

This script, while being executed fills the text area with the data gathered about the environment, and passes this data to the malware:

Another script is used for gathering information on the plugins installed in InternetExplorer (compare with this script):

You can see the full content here.

The scripts send the collected data in the POST request in the variable called marker_:

The data is received by the handler inside the TrickBot module:

Interestingly, the malicious plugin contains also 4 base64 encoded pictures in PNG format:

Decoded pictures:

The SQL part

Among the data hardcoded within the module.dll we can find a string referencing an SQLite release:

2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2

The incorporated SQLite is used to retrieve and steal from locally stored databases, for example cookies (similarly to Terdot Zbot, described here, that also incorporated SQLite for this purpose):

Sample strings and queries to the cookies database:

We can see also queries used for stealing the stored browsing history:

outlook.dll

This is the module written in Delphi. It contains a hardcoded configuration that follows a pattern typical for TrickBot modules:

<moduleconfig> <autostart>no</autostart> </moduleconfig>

Its purpose it to steal data saved by Microsoft Outlook.

The module opens relevant registry keys, and tries to retrieve saved credentials:

Conclusion

TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll. Those changes may indicate some changes in the development team – either they gained new members that has been delegated to the new tasks or some of the previous members resigned and has been substituted by lower quality programmers. It may also be possible, that they are doing some prototyping and experiments for the further development.

Anyways, as we can see, TrickBot is still actively maintained and it is not going to leave the landscape any soon.

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post TrickBot comes with new tricks – attacking Outlook and browsing data appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Learning PowerShell: some basic commands

Malwarebytes - Tue, 08/01/2017 - 15:00
My first Powershell script

The first PowerShell script I wrote (see below) was a quick fix to remove certificates from the “Untrusted” registry key after a Vonteera infection. After some initial commands, this script basically loops back for every certificate that doesn’t belong under a certain key.

$path = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\C1437F2BC6F11..."
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $Path
Remove-Item –Path $path

What it does is:

  • Define the path to the key
  • Set the permissions for that key
  • Remove the key
Current challenge

The problem I have been faced with is finding the hexadecimal values that were the registry keys of the certificates. I have had to take registry snapshots before and after the infection to find out which ones were added. Getting an overview of the certificates that are present before the infection is not that difficult. Deciding what information to keep and how to store it is less trivial.

I ended up with this command, which I will explain in detail as this is a learning experience:

Get-ChildItem -Path cert:\currentuser\disallowed -Recurse | select Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content c:\users\public\desktop\certificates.html

The cert: drive is provided by the Windows PowerShell Certificate Provider, and using the Get-ChildItem cmdlet lets you get certificate store locations, certificate stores, and certificates from it.

They have chosen the “disallowed” path as that is where some malware samples have been known to block the download and operation of certain security programs. But of course, you can change that to any of the other possibilities you might be interested in.

The “Recurse” parameter allows me to search subdirectories of the “path”.

I want to see these properties of each certificate:

  • Thumbprint, because that is the name of the registry key
  • FriendlyName, because that shows the reason for the certificate not to be trusted (which is sometimes helpful)
  • Subject, because that is the one that holds the humanly readable information we can see in the certmgr

The last two bits of the command are necessary to prepare the output for export and to define the export location. I choose the public desktop so everybody can copy the command without having to change it to fit their own circumstances. And I have decided on HTML because that gives me a nice table.

So, taking a snapshot is one thing. Now, we have to compare the sets of certificates before and after infection. Luckily, there is an obvious choice, which is the compare-object cmdlet.

click to enlarge

To compare the new set of certificates with an older snapshot, I have changed the previous command a little bit, for practical reasons. Below is the command to export it to a text file:

Get-ChildItem -Path cert:\currentuser\disallowed -Recurse | select Thumbprint, FriendlyName, Subject| Set-Content c:\users\public\desktop\certificates.txt

I have made the change to avoid getting tables within tables when I do this comparison on text files. To have something to compare with, in this case, I have used the certificate dropper section of a malware file we detect as Trojan.Wdfload. Wdfload is an infection that combines a bitcoinminer with a module that disables the download and use of antimalware software by altering the hosts file and dropping certificates in the Untrusted category. After running the command above, before and after the infection, I also renamed the corresponding files to add before and after to the filenames. And used this command to get yet another easy to read output file.

compare-object (get-content c:\users\public\desktop\certificatesbefore.txt) (get-content c:\users\public\desktop\certificatesafter.txt)| ConvertTo-Html | Set-Content c:\users\public\desktop\comparison.html

Let’s look at the above image again. The SideIndicator column is added by the compare-object cmdlet. It shows on which side of the comparison the line was an extra compared to the other. In this case the arrows indicate whether a certificate was added ( => ) or whether it was removed ( <= ).

The certs dropper I used does not add any FriendlyName items, which is why that column shows up empty in the screenshot above.

So far we have concentrated on creating some useful PowerShell commands. Next time I will attempt to write a Powershell script that uses my output (or a smaller version of it) to remove the certificates that were added by the certsdropper without me having to hardcode all the registry key names manually.

Earlier in this series:

Your comments and constructive criticism are welcome.

The post Learning PowerShell: some basic commands appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 24 – July 30)

Malwarebytes - Mon, 07/31/2017 - 19:21

Last week, we recognized one of the unsung heroes of our times, explained what the Dark Web is, revealed challenges one of our experienced when putting together his conference presentation for SteelCon, revealed the potential dangers of smart toys to kids, and made a prediction following the arrests made against those involved in Fireball.

We also talked about encryption and law enforcement, Petya’s decryption key, and talked about the real problem with ransomware with accompanying statistics, which you can find from the respective links below:

The real problem with ransomware

The state of ransomware among SMBs

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Top Ten Lessons Learned From WannaCry. “…the WannaCry ransomware variant changed the view of ransomware globally, mainly due to its ability to capture multiple major businesses and critical infrastructure. The cyber-attack that hit the NHS and businesses around the world made headline news globally, bringing awareness about ransomware – and indeed cybersecurity – to the masses.” (Source: InfoSecurity Magazine)
  • Mysterious Mac Malware Has Infected Victims for Years. “The second version of FruitFly is even more puzzling, according to Patrick Wardle, the former spy agency hacker who now develops free security tools for Apple computers and researchers Mac security for the firm Synack. Wardle told Motherboard in a phone call that when he first discovered FruitFly 2, no antivirus software detected it. More surprisingly, it looks like it has been lurking around for five or 10 years and infected several hundred users.” (Source: Motherboard)
  • The Stantinko Botnet Is Back After Years Under The Radar. “ESET researchers alert that Stantinko – a huge botnet which hasn’t been detected for the past five years – is now not only back but it also managed to infect half a million systems and allow its developers to ‘execute anything’ on the infected machine. The botnet was used for a massive adware campaign in 2012 that was primarily targeting Ukraine and Russia. However, thanks to its ability to adapt really quickly and avoid detection as well as the code encryption, Stantinko managed to stay under the radar all this time.” (Source: Virus Guides)
  • Your Old Phone Number Can Be Used To Hack Facebook Account. “We all know that in most cases, Facebook users are required to submit their phone number while registering with the social network. This is how they can link their phone with the profile so that when a user forgets the password, they can prove his authenticity and receive a new password on their smartphone. However, in case the user stops using the phone number linked to their Facebook profile and changes it to another one, there are chances that the previous number can be assigned to someone else. This is where the problem begins.” (Source: HackRead)
  • Segway MiniPro Patched To Stop Hackers Hijacking Remote Control From Hoverboard Riders. “Critical security vulnerabilities have been discovered in the Segway/Ninebot MiniPro Hoverboard, but don’t panic – firmware patches have already been issued to prevent malicious hackers from attacking the devices. Which is a relief – as successful exploitation of the security holes could have seen attackers seize remote control of a hoverboard and potentially injure riders by suddenly disabling the motor.” (Source: Tripwire’s State of Security)
  • AI Cyber Wars: Coming Soon To A Bank Near You. “The battle between cyber criminals and banks is an intensifying arms race. Cyber criminals are racing to develop new offensive weapons while the banks and insurers they are targeting are scrambling to keep pace.Financial institutions are increasingly deploying Robotic Process Automation (RPA) and other early-stage AI technologies to the front lines, identifying the behavior of trustworthy users and detecting emerging threats. However, much cutting-edge software in areas such as machine learning and AI is open-sourced, meaning that it is readily available to the wrong side.” (Source: Forbes)
  • Discover Launches Social Security Number Alert Feature. “There’s a corner of the internet, inaccessible by traditional search engines, where stolen personal information can be sold anonymously. A new feature announced this week from Discover aims to shed a little more light into that corner. Discover says the new service alerts cardholders when their Social Security number appears on certain websites on the so-called ‘dark web.'” (Source: NerdWallet)
  • Letting Cyberattack Victims Hack Back Is A Very Unwise Idea. “As the rate of cybercrime increases, so too does the intensity of those attacks. Now, companies like the UK’s Pervade Software are exploring new digital weapons with the goal of better protecting themselves and recovering stolen data. These include turnkey denial-of-service attacks and actions that damage the accused hackers’ computers and data. But taking advantage of tools more appropriate for a vigilante climate will have serious consequences for the health of the internet.” (Source: Wired)
  • New Form of Cyber-Attack Targets Energy Sector. “In the attacks so far picked up by Israel-based cybersecurity company CyberInt, a ‘lure’ document masquerades as a curriculum vitae accompanying a harmless email. What makes this latest type of spear-phishing attack hard for the energy companies to identify is that the lure email and attached Word document are totally clean and contain no malicious code whatsoever. They are therefore undetectable to incoming email monitoring defenses.” (Source: InfoSecurity Magazine)
  • Bots Make Lousy Dates, But Not Cheap Ones. “Bill installed the dating app on his smartphone. To his surprise, he was quickly matched up with several women he found attractive. Better yet, they immediately showed their interest by sending him text messages. ‘One’s a flight attendant and three are models!’ he told his friends over coffee. ‘Why didn’t I jump into online dating years ago?'” (Source: Dark Reading)
  • Officials Arrest Suspect In $4 Billion Bitcoin Money Laundering Scheme. “Police in Greece have arrested a man wanted in the United States for allegedly running a massive Bitcoin-based money laundering operation, according to the Associated Press. Authorities say the 38-year-old Russian man was responsible for converting $4 billion in illicit, conventional cash into virtual currency.” (Source: Ars Technica)
  • Malware Creators Increasingly Run Their Business Like Legitimate Software Companies. “The continuing increase in ransomware attacks is, partly, due to how easy the malware can be built and used by attackers that have limited technical skills. Take for example the Philadelphia Ransomware-as-a-Service (RaaS) offering. Offered for sale by a group (or individual?) that calls itself The Rainmakers Labs, it is just a part of the overall arsenal of ‘anti-security solutions’ on offer.” (Source: Help Net Security)
  • Google Discovers New Lipizzan Android Spyware. “Google’s Android Security team announced today the discovery of a new powerful Android spyware — named Lipizzan — which Google claims to be linked to Equus Technologies, an Israeli company that describes itself on its LinkedIn page as being specialized ‘in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations.'” (Source: Bleeping Computer)
  • Gas Pump Skimmer Sends Card Data Via Text. “Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in the New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.” (Source: KrebsOnSecurity)
  • Hackers Are Targeting People Using Free Wi-Fi At Hotels Around The World. “Travellers are being warned about an evil new form of malware that is targeting people who use free Wi-Fi at hotels around the world. Notorious hackers the DarkHotel group, which have been targeting the IT systems of hotels for years are back with a new campaign which targets free Wi-Fi connections in hotels across the globe.” (Source: Thai Visa)
Latest updates for Businesses
  • As GDPR Approaches, Retail Data Breaches Remain Unacceptably High. “Two in five retailers across the globe have experienced a data breach in the past year, according to Thales and 451 Research. The report reveals that 43 percent of retailers had experienced a data breach in the last year, with a third claiming more than one. With 60% claiming that they had been breached in the past, it’s perhaps unsurprising to learn that 88% of retailers consider themselves to be ‘vulnerable’ to data threats, with 37% stating they are ‘very’ or ‘extremely’ vulnerable. As a result, three quarters of retailers expect their spending on IT security to increase.” (Source: Help Net Security)
  • Configuration Errors Blamed For Sensitive Data Exposed Via Google Groups. “Researchers at RedLock, working within the Cloud Security Intelligence team, say they’ve discovered hundreds of organizations exposing sensitive data via Google Groups, pinning the cause on basic configuration issues. ‘A customer-controlled configuration error in the Google Groups sharing settings has led to the exposure of sensitive data such as personally identifiable information (PII), including employee salary compensation details, sales pipeline data, customer passwords, names, email addresses and home addresses at hundreds of companies,’ an advisory shared with Salted Hash explains.” (Source: CSO)
  • Compliance And Employee Behavior Bother Data Security. “A survey of 304 IT professionals by HANDD found that 21% of respondents felt regulation, legislation and compliance will be one of the greatest business challenges to impact data security, while 21% believe that the behavior of employees and their reactions to social engineering attacks also pose a big challenge.” (Source: InfoSecurity Magazine)
  • Don’t Click On These New Fake Replies From ‘Customer Service Departments’. “Phishing is not a new crime, but the criminals who send phishing emails continue to refine their craft. One form of phishing email that seems to be gaining momentum is the ‘fake reply.’ According to a recent report by the Comodo Threat Intelligence Lab, Internet users now face ‘a new series of phishing emails that purport to be replies to previously asked requests for information from well-known brands and likely legitimate contacts.'” (Source: Inc)
  • Employees Working While On Holiday Open Orgs To Security Risks. “Many workers will feel the need to check-up on work emails while they are away from the office and enjoying a well-earned vacation. Unfortunately, by doing that, they can open organizations to many security risks. T-Systems, the corporate IT and cyber-security arm of Deutsche Telekom, has asked 2,050 full-time workers UK about their cyber security practices while on holiday…” (Source: Help Net Security)
  • Downtime from Ransomware More Lethal to Small Businesses Than the Ransom. “Of more than half of all small-to mid-sized businesses (SMBs) infected with ransomware in the past year, attackers demanded ransom of $1,000 or less – a drop in the bucket in comparison to the downtime these attacks cause, a new report shows.” (Source: Dark Reading)
  • The Right to Be Forgotten & the New Era of Personal Data Rights. “On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect in Europe to help harmonize personal privacy rights across all 28 EU member states. Although individual countries can maintain their own privacy laws and impose additional penalties, GDPR establishes a common baseline of protections for citizens and residents of the EU and for collectors and processors of personal data — a set of common obligations and potential fines (up to 4% of global revenue per company per country).” (Source: Dark Reading)

Safe surfing, everyone!

The Malwarebytes Labs Team

 

 

 

The post A week in security (July 24 – July 30) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Malicious clicker with extra maliciousness included

Malwarebytes - Mon, 07/31/2017 - 14:00

A new malicious clicker has emerged onto third-party app stores. Chinese in origin, the malicious app uses heavy obfuscation and poses as a battery optimizer app. We classify is as Android/Trojan.Clicker.hyj.

Click to view slideshow. Hide what’s inside

To obfuscate its code, Clicker.hyj uses an APK inside another APK that hooks into the malicious code — allow me to explain. Let’s call the original APK that gets installed from a third-party app store onto the Android device the shell APK. After installation, the shell APK hooks into another APK, which is held in the shell APK’s data folder — let’s call this the executing APK. The executing APK holds all the malicious code while the shell APK contains simple code that runs some libraries which does the hooking of the executing APK. Looking at the shell APK code, there isn’t much to it. Because of its simplicity, it could easily be overlooked by malware researchers and/or scanners.

It’s important to note that the executing APK cannot be installed on an Android device alone — it must be run via the shell APK.

The meaty badness

The executing APK holds all the meaty badness. Within the executing APK’s assets folder are several JavaScript files. These JavaScript files have base64 encryption along with other encryption to further obfuscate. The JavaScript files are used to perform various actions when URLs are piped to them via code within the executing APK.

Although the code within the JavaScript files uses obfuscation, the file names are pretty telling of their actions:

  • findbutton20161226.js – Find button on webpage
  • getcaptcha4numberl.js -Get Captcha on webpage
  • processurl.js – Process URL
  • setcaptcha4numberl.js – Set Captcha on webpage
  • simulationClickYes.js – Click “Yes” on button in webpage

With each URL “clicked”, the malware authors are paid a small amount as a result. Therefore, running the actions from the JavaScript files over and over again on a small list of URLs can accumulate revenue quickly.

Shortcut to maliciousness

Another trait of Clicker.hyj is creating a shortcut that opens up the default Web browser to a URL that is no longer active — who knows what malicious content it once contained!

Even more money scams

To gain even more revenue, Clicker.hyj sends SMS messages to the affected device’s contact list. These SMS messages attempt to trick the user into subscribing to a pay-for-service via SMS:

This application has Asia's largest video library, is now to super preferential price of the massive broadcasting, constantly surprises. Just sms registration can receive various hot video. You want to hear our act in pettish, you want to take a look at the beauty of the hot body, Only INR30.00. immediately at the click of a button, fast join us! Wonderful content is absolutely not to be missed!

Subscribe to the “service” and as a result, an extra charge will appear on your phone bill each month.

All about the $$$

Crooks know there is real money in mobile malware — consequently, we will continue to see the rise of malware like Clicker.hyj.

In conclusion, be wary of installing third-party apps from untrusted app stores. It is also a good idea to always have a scanner installed on your phone like Malwarebytes anti-malware mobile — which, for the record, is FREE.

Stay safe out there!

Nathan Collier

The post Mobile Menace Monday: Malicious clicker with extra maliciousness included appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Today is System Administrator Appreciation Day

Malwarebytes - Fri, 07/28/2017 - 18:56

And we are enormously grateful. What started off as a tongue-and-cheek offshoot of Administrative Professionals Day has now become a special holiday that people around the world recognize and practice.

Dear reader, today is System Administrator Appreciation Day.

Let’s be honest, maintaining the security and integrity of a business network, ensuring that all computers connected to it are religiously patched, and that the printer is forever jam-free when you need it the most are no small feats. So, if you can, drop what you’re doing right now, head over to the IT wing, and treat your Sysadmins to coffee. Cake and ice cream aren’t bad either.

With the number of tasks Sysadmins usually have on their plate—all of them urgent more often than not—time is a precious commodity. So why not free them from sweating over the small stuff so they can have more time to relax and enjoy this day? Here are a number of ways you can do just that:

  • Schedule password changes. Yes, it may be high time to start reminding yourself (and not let your Sysadmin constantly do this for you) to change your password regularly after you’ve been using the same one for several months now. Circle a fixed date on your wall or table calendar, or set yourself a reminder to do this on your phone.There is a genuine need for password changes on a regular basis, and this is to keep both the enterprise and your personal accounts safe. Your Sysadmin will thank you for your diligence.
  • Use the ticketing system. We know the temptation to walk over to IT and ask for a solution is strong, but there’s a system in place for a reason. Ticketing systems are how IT and Sysadmins track how much work they are doing and how well they’re performing (and justify their staffing levels).Using them also guarantees your problems won’t slip through the cracks. Just remember to be as detailed as possible in describing your issues and be realistic on setting the urgency for them.
  • Eat and drink at your station at your own risk. Finishing a presentation for a meeting in half an hour with an empty stomach is an all-too familiar scenario most of us can relate to. This is also why, at times, we work and eat at our computers. It’s practical, after all.However, coffee and juice spill, and they almost always do over your (desktop or laptop) keyboard. Crumbs and other bits of food may find themselves wedged between keys and along the sides, too. Think about that today. Despite popular opinion, it’s not your Sysadmin’s job to clean your keyboard for you.
  • Start learning how to fix common technical issues by yourself. Does your computer seem slow? Maybe it’s not really your computer but your Internet connection. Say the program you’re using stopped responding and your screen appears frozen. Terminate the program via Task Manager or, if you like, do a hard reset. What if the printer won’t print? There are a number of ways you can address this, beginning with making sure your drivers are up-to-date and that the printer has paper and ink/toner.There will always be issues you wouldn’t be comfortable dealing with yourself. And once you reach that point, escalate to your Sysadmin accordingly.
  • When offered, attend and pay attention to security trainings. Nowadays, more companies are beginning to incorporate this into the work culture after realizing that basic security is becoming less of an option and more of a need. Don’t feel as though a sanctioned phishing training is meant to victimize you, the user. Sysadmins are trying to patch the end user and ingrain security reflexes to make everyone safer.Remember that falling for a sanctioned phishing email isn’t the end of the world. In fact, this a lot better than being phished for real! Having mandatory security awareness training isn’t that bad. Recognizing phishing attempts is hard, especially if they’re well crafted. Techniques change, and periodic training refreshes security awareness.

System Administrator Appreciation Day doesn’t have to start and end today. If we commit to doing at least one of the above from here on, every day would be Sysadmin Appreciation Day!

 

The post Today is System Administrator Appreciation Day appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fireball arrests made

Malwarebytes - Fri, 07/28/2017 - 15:30

Following some arrests in China, we may see a decrease in the amount of adware and adfraud hailing from the Rafotech labs.

According to some reports 250 million machines may have been infected with one variant or another of Rafotechs’ products. We have shared some information about the potential risks associated with their malware before. But according to this article in The Register the organization may have been beheaded by the eleven arrests the Chinese police made.

This graph shows how many detections Malwarebytes (versions 2 & 3) reported back for the month of July so far. The numbers of detections shown in the graph are only for Adware.Elex and associated detections.

click to enlarge

As you can see we have hit the 30,000 detections per day on occasion. Keep in mind, there are other families attributed to Fireball, but these have different vendor names. Anyway, we hope this curve will take a dive very soon.

On the surface Fireball infections may seem like just another browser hijacker, that simply changes your start-page, and the default search engine, but a closer look reveals capabilities of ad fraud, data gathering, and to download and install other malware. Also the methods in use by Elex covered almost the entire range of methods, including rootkits.

Reports about the arrests vary, but all sources agree that some of the most important managers of Rafotech were included. Rafotech is a digital marketing agency that earns money by combining the adware and browser hijackers in bundlers.

Remind me to have another look at the graph next month, so we can see if the arrests have had the effect we hoped for.

Pieter Arntz

The post Fireball arrests made appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The state of ransomware among SMBs

Malwarebytes - Thu, 07/27/2017 - 16:00

In a report conducted by Osterman Research and sponsored by Malwarebytes, more than 1,000 small and medium-sized businesses were surveyed in June 2017 about ransomware and other critical security issues. What we discovered was surprising—ransomware authors aren’t only targeting enterprise businesses for big payouts. They’ve got their greedy gaze on businesses of all sizes. In fact, 35 percent of SMB organizations surveyed were victims of a ransomware attack. And while the ransom demands weren’t always large, the impact on productivity made a sizable dent in revenue.

To learn more about the results of the report, take a look at the infographic we’ve compiled below.

Click here for the full version.

 

The post The state of ransomware among SMBs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The real problem with ransomware

Malwarebytes - Thu, 07/27/2017 - 14:00

Ransomware – a specialized form of malware that encrypts files and renders them inaccessible until the victim pays a ransom – is an extremely serious problem and it’s quickly getting worse. The FBI estimated that ransomware payments were $1 billion in 2016, up from “just” $24 million a year earlier. 2017 will likely see another dramatic increase in extortion payments with tens of thousands of ransomware victims paying several hundred dollars each to recover their encrypted files. In some instances, the ransom is larger, such as South Korean web hosting company Nayana, which paid 397.6 Bitcoin (about $1 million) in June 2017 and Hollywood Presbyterian Medical Center, which paid $17,000 in Bitcoin in February 2016.

Despite the significant payments to the cybercriminals behind ransomware, Osterman Research found that most ransomware victims don’t pay the sums that cybercriminals attempt to extort from them. For example, in a six-country survey of 1,054 small to medium-sized businesses conducted in June 2017 for Malwarebytes by Osterman Research, we found that only 28 percent of ransomware victims actually paid the ransom demands.

Since most organizations choose not to pay the ransom, the primary challenge stemming from a ransomware attack is not actually the ransom. Instead, Osterman Research discovered that the largest cost of ransomware is the downtime that results when endpoints become infected and the files they contain are no longer accessible. We found that the average amount of downtime that results from a ransomware infection is 21.4 hours, meaning that potentially critical files and systems are unavailable to an organization for nearly a day (or much longer in some cases). For example:

  • Desktop or laptop PCs infected with ransomware prevent users from accessing corporate email or databases, meaning users may not be able to communicate with key clients or respond to inquiries in a timely manner. At a minimum, employee productivity can be seriously impacted by ransomware-induced downtime. For example, on June 27, 2017, Washington, D.C.-based law firm DLA Piper instructed its employees not to turn on their computers and to remove all laptops from their docking stations and FedEx employees received a text message in May 2017 to turn off their computers as a precaution against a fast-moving ransomware attack.
  • Servers or other endpoints involved in processing retail transactions that are infected with ransomware can no longer do so, resulting in delayed or lost sales. One example is the KimcilWare ransomware that targets the Magento eCommerce platform.
  • Hospitals whose systems become inaccessible for hours or days because of ransomware can see lives put at risk, such as NHS patients whose cancer treatments were delayed as a result of a May 2017 attack.
  • Manufacturing operations can be temporarily shut down due to a ransomware attack, as were Renault factories in France and Slovenia in May 2017.

In short, while ransomware payments will likely cost businesses several billion dollars in 2017, the cost of downtime will be much higher.

To understand the full impact of downtime from an attack, Osterman Research has developed a cost calculator that aims to quantify the cost of downtime resulting from a ransomware attack. Using data from the June 2017 survey mentioned above, as well as secondary data, we made the following assumptions for an organization of 500 users that suffer just two downtime incidents per year:

  • Mean employee hourly wage: $28.00
  • Employee productivity loss during downtime: 50 percent
  • Corporate revenue generation per hour: $24,000
  • 21 hours of downtime until full recovery
  • Impacts of ransomware:
    • 50 percent chance of employees suffering productivity loss
    • 30 percent chance that the business will shut down temporarily
    • 20 percent chance of corporate revenue loss

Based on these assumptions, we found that for a 500-employee business, the total annual impact of downtime resulting from just two ransomware infections will be $219,634, or $220 per employee. That means that just two ransomware attacks per year are costing organizations the equivalent of nearly one day’s productivity per employee, not to mention the hard-to-quantify impacts of lost future revenue, damage to corporate reputation, missed deadlines, etc.

What this also means is that if a company could deploy a technology that would prevent just one of these ransomware infections each year, and if the total cost of that solution was $50 per user per year, the organization would save $170 per user per year in downtime costs or nearly $110,000 per year.

In short, the primary impact of downtime for your company is not the ransom that is being demanded of you, but instead, the real cost of ransomware is the downtime it will cause – a cost that is much greater than the ransom that will be demanded.

Read the full “Second Annual State of Ransomware” report here.

 

About the Author

Michael Osterman is the principal of Osterman Research, Inc., founded in 2001. Since that time, the company has become one of the leading analyst firms in the messaging and collaboration space, providing research, analysis, white papers and other services to companies like Hewlett Packard, IBM, Google, EMC, Symantec, Proofpoint, Dell and many others.

The post The real problem with ransomware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: the Dark Web

Malwarebytes - Wed, 07/26/2017 - 17:00

You may have seen the Dark Web referenced in popular TV shows and have gotten the wrong idea, or if you already knew about it, you may have snorted in derision. It’s also sometimes called the Deep Web, when in fact the Dark Web is only a part of the Deep Web.

Terminology
  • Surface Web is what we would call the regular World Wide Web that is indexed and where websites are easy to find.
  • The Deep Web is the unindexed part of the Web. Actually, anything that a search engine can’t find.
  • The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web for those that are not in the know. That should tell you a lot about what it really is.

The Dark Web is a separate part of the World Wide Web

Well, it’s not as much separate, but sites on the Deep Web are harder to find as the Deep Web is an unindexed part of the internet. Actually, the indexed part of the Web, which is the part that can be found by robots, is only a small fraction of the entire web. Estimates say that only 5% of the Web is easily accessible to the general public. Many other sites can only be visited if you have a direct URL.

Only criminals use the Dark Web

Even though most of the traffic on the Dark Web is used up by criminal activities, such as—

  • Drug trafficking
  • Selling weapons to countries where they are forbidden or selling types of weapons that are prohibited
  • Child (and other illegal) porn
  • Malware (as a Service), think of this as programmers selling their malware for a fee or part of the profit
  • Sites where victims can pay the ransom for some ransomware they have been hit with
  • Buying and selling stolen data
  • Fraud related services
  • Fake ID’s

—there are also groups of users that need the Dark Web for reasons that are only considered illegal in a few places, such as:

  • Journalists working in “difficult” countries
  • People resisting a totalistic regime
  • Whistleblowers
  • Places where crimes can be reported anonymously
  • Bitcoin services
  • Forums on various subjects that do not wish to be public

As you can see there are some grey areas, depending on where you stand in a certain situation.

You need a special browser to visit the Dark Web

There are several methods of restricting access to many of the resources on the Dark Web, but you can certainly expect you will have to login when you arrive at the site that you want to access. But in most cases, you will also need to be using some kind of service like a VPN, proxy, or an anonymized network.

For sites with an Onion (hence the symbol) domain, you will need a Tor browser to access them. This browser protects your privacy and anonymity by encrypting your traffic to and from the websites you are visiting, and by using a proxy. But if you are a Firefox user, you may see a big resemblance with the Tor Browser, so the browser is not that special. It’s the way how it connects that is different. You can also use Tor on the surface Web. People often do this for privacy reasons.

Surfing the Dark Web is dangerous

If you take the necessary precautions, surfing the Dark Web will not get you hurt, robbed, and mugged. But, like on the surface Web, you have to be vigilant and be protected. Keep in mind, for example, that torrents often bypass your proxy settings and might, therefore, expose your real location. And, needles to say, when you’re actively dealing with criminals, you can actually expect to get deceived and even robbed. So, stay away from those guys.

But as we recently learned, even the bad guys are not always safe on the Dark Web. People do get careless after a while and in these cases, it got the bad guys busted. Keep that in mind if you make it a habit to visit the darker corners of the Web. Curiosity killed many a cat.

Summary

We have tried to shed some light on the Dark Web by discussing some of the most common misconceptions about it.

Additional information

The post Explained: the Dark Web appeared first on Malwarebytes Labs.

Categories: Techie Feeds

FBI: Smart toys could harm children’s privacy and physical safety

Malwarebytes - Tue, 07/25/2017 - 16:30

The Federal Bureau of Investigation has recently issued a Public Service Announcement (PSA), encouraging consumers—parents, in particular—to think twice before purchasing internet-connected toys. Smart toys and entertainment devices for kids are part of the Internet of Things, and as such, they have built-in Wi-Fi capabilities. This enables them to communicate with the cloud and with each other. Other than that, these are also equipped with sensors, cameras, microphones, and other bits that allow them to not just respond to their child owners but also store data and tag a child’s location for parents/guardians to keep track of them in real time.

CloudPets, Hello Barbie, My Friend Cayla, i-Que Robot, and hereO are just some of the smart toys and devices that security researchers have scrutinized for their lack of security and privacy measures.

The FBI has highlighted in the PSA what type of information these toys may be able to gather. As most of these are normally “always on”, they can act as silent observers inside a home, being able to listen in on chatter from whoever is within its microphone’s range from young children or adults alike.

More from the PSA: “In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs. The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”

The PSA also includes an overview of what makes internet-connected toys vulnerable, what the existing laws that protect children are, and a rundown of recommendations consumers or parents can do before they buy a smart toy or device for their kids.

Parents are also encouraged to file a complaint to the Internet Crime Complain Center if they think that the toy or device may have been compromised by hackers.

The post FBI: Smart toys could harm children’s privacy and physical safety appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Going dark: encryption and law enforcement

Malwarebytes - Tue, 07/25/2017 - 15:00

We’re hearing it a lot lately: encryption is an insurmountable roadblock between law enforcement and keeping us safe. They can’t gather intelligence on terrorists because they use encryption. They can’t convict criminals because they won’t hand over encryption keys. They can’t stop bad things from happening because bad guys won’t unlock their phones. Therefore—strictly to keep us safe—the tech industry must provide them with means to weaken, circumvent, or otherwise subvert encryption, all for the public good. No “backdoors”, mind you; they simply want a way for encryption to work for good people, but not bad. This is dangerous nonsense, for a lot of reasons.

1. It’s technically incorrect

Encryption sustains its value by providing an end to end protection of data, as well as what we call “data at rest.” Governments have asked for both means of observing data in transit, as well as retrieving data at rest on devices of interest. They also insist that they have no interest in weakening encryption as a whole, but just in retrieving the information they need for an investigation. From a technical perspective, this is contradictory gibberish. An encryption algorithm either encodes sensitive data or it doesn’t—the only method for allowing a third-party to gain access to plain-text data would be to either provide them with the private keys of the communicants in question or maintain an exploitable flaw in the algorithm that a third-party could take advantage of. Despite government protestations to the contrary, this makes intuitive sense: how could you possibly generate encryption secure against one party (hackers) but not another (government)? Algorithms cannot discern good intentions, so they must be secure against everyone.

2. They have a myriad of other options to get what they need

Let’s assume for a moment that a government entity has a reasonable suspicion that a crime has been committed, a reasonable certainty that a certain person did it, and a reasonable suspicion that evidence leading to a conviction lies on an encrypted device. Historically, government entities have not checked all these boxes before attempting to subvert decryption, but let’s give them the benefit of the doubt for the moment. Options available to various levels of law enforcement and/or intelligence include, but are not limited to:

  • Eavesdropping on unencrypted or misconfigured comms of a suspect’s contact
  • Collecting unencrypted metadata to characterize the encrypted data
  • Detaining the suspect indefinitely until they “voluntarily” decrypt the device
  • Geolocation to place the suspect in proximity to the crime
  • Link analysis to place the suspect in social contact with confirmed criminals
  • Grabbing unencrypted data at rest from compliant third party providers
  • Eavesdropping on other channels where the suspect describes the encrypted data
  • Wrench decryption

Given the panoply of tools available to the authorities, why would they need to start an investigation by breaking the one tool available to the average user that keeps their data safe from hackers?

3. They’re not really “going dark”

In 1993, a cryptographic device called the “clipper chip” was proposed by the government to encrypt data while holding private keys in a “key escrow” controlled by law enforcement. Rather than breaking the encryption, law enforcement would have simply had a decryption key available. For everyone. An academic analysis of why this was a stunningly bad idea can be found here.

Given that this program was shuttered in response to an overwhelmingly negative public opinion, has law enforcement and intelligence agencies been unable to collect data for the past 24 years? Or have they turned to other investigatory tools available to them as appropriate?

4. If we do give them a backdoor, what would they do with it?

1984-style heavy handed tactics are unlikely at present time, but a government breach that results in loss of control of the backdoor? Much more likely. The breach at OPM most likely endangered the information of up to a third of adult Americans, depending on who and how you count. (We don’t know for sure because the government didn’t say how they counted.) That breach involved data of sensitive, valuable, government employees. Would they do any better with a backdoor that impacts technology used by pretty much everyone?

No, they wouldn’t.

Let’s take a look at how they secure their own networks, post OPM. Oh dear….

If the most powerful and richest government in the world cannot secure their own classified data, why should we trust them with ours? The former head of the FBI once called for an “adult conversation” on encryption. We agree. So here’s a modest counter-proposal:

  • Stop over-classifying cyberthreat intelligence. The security community cannot fix what it does not know. Threat intelligence over a year old is effectively worthless.
  • Send subject matter experts to participate in ISACs, not “liaisons.”
  • Collaborate in the ISACs in good faith: shared intelligence should have context and collaboration should extend beyond lists of IOCs.
  • Exchange analytic tradecraft: analysts in the government often use techniques that while obscure, are not classified. This will improve tradecraft on both sides.
  • Meet the DHS standard for securing your own machines, classified or otherwise. No one would trust someone with a key escrow if those keys are held in a leaky colander.

We think these are reasonable requests that can help keep people safe, without breaking the encryption the world relies on daily to do business, conduct private conversations, and on occasion, express thoughts without fear of reprisal. We hope you agree.

The post Going dark: encryption and law enforcement appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 17 – July 23)

Malwarebytes - Mon, 07/24/2017 - 16:41

Over the last week, we have covered Play Protect, android’s new security system and how the Dutch police ran Hansa Market after the take down of Alpha Bay, both major players on the Dark Web. We also provided some tips on how to stay cyber safe this summer. We also saw how the Terror exploit kit started dabbling in ad fraud, more specifically URL shortener fraud. And last but not least, we saw the adware series come to an end with a tools section.

Other security related news:

General Consumer Business

 

Good to know:

Malwarebytes can be found at BlackHat USA Boot 547 and at the RSA Conference Singapore Booth G11. Visit our stands if you are around!

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (July 17 – July 23) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Play Protect: Android’s new security system is now available

Malwarebytes - Fri, 07/21/2017 - 18:04

Play Protect, a security suite for Android devices, was originally introduced in mid-May of this year during the Google I/O conference.

And in just a couple of months, the tech giant has made it available for all their mobile users.

Play Protect is the amalgamation of Google’s Android security features, such as Verify Apps and Bouncer, and it’s integrated into the Google Play Store app. As such, users don’t need to look up, download, and install a separate app.

Here’s how Play Protect works:

  • It scans and verifies all apps in the Google Play Store before users can download them. It also periodically scans for all apps already installed on the Android device.
  • For apps downloaded from third-party stores, Play Protect scans and monitors them around the clock for any change in behavior. This is handy for those apps that appear normal at first but then starts misbehaving, like inconspicuously downloading malicious components. If a potentially harmful app is detected, Play Protect does two things: (1) disables it or (2) issues a warning to users about it.
  • It implements an anti-theft feature called Find My Device (formerly Android Device Manager). If the device—phone, tablet, or smartwatch—cannot be claimed back, this also allows the owner to lock it or wipe data stored in it.
  • Its Safe Browsing feature stops users from landing into dubious destinations when browsing the Web via Chrome.
  • It constantly auto-updates so users don’t have to do it manually.

The system behind Play Protect uses machine learning to enable itself to continuously improve in protecting Android users.

Users can access and customize the settings of Play Protect by going to Settings>Google>Security>Verify Apps.

Stay safe, everyone!

The Malwarebytes Labs

 

 

The post Play Protect: Android’s new security system is now available appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds