Techie Feeds

Fireball Chinese malware and you

Malwarebytes - Wed, 06/07/2017 - 22:54

By now, you might have heard about an adware infection operation that has allegedly spread to 250 million systems called Fireball.  The threat intelligence and research teams at Check Point wrote a blog post last week describing the operation, what the threat does, the system, and the alarming potential the malware has for doing some serious damage.

Fireball the malware:

Fireball is currently being used as a browser-hijacker being frequently installed through bundling (the same infection method that brings you most of the PUPs we detect) modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine (the company that created Fireball).  Also, it utilizes tracking pixels to collect private information about the user and their browsing habits.

The best case

As mentioned before, Fireball is most frequently classified as adware or malware that exists solely to push users to specific web pages and serve them loads of advertisements, getting paid on the back end through all the clicks the ads get by unwilling users. With this in mind, the best scenario is that Fireball continues just to be adware, being annoying and disruptive but not overly dangerous.

The worst case

Fireball also happens to have some additional features that make many security researchers very nervous; this includes the ability to download and execute additional malware.

When you think about 250 million endpoints being infected with this adware and any day it could just decide to drop and execute any malware on the system, it will make you nervous too.  Here is what could potentially happen in the worst-case scenario:

  • Fireball drops a botnet malware family on all the endpoints, turning it into the most powerful Distributed Denial Of Service weapon ever created, which could be used for taking down the web servers of critical infrastructure, competitor websites, game servers, social media and even our unfortunately designed internet backbone (registrars and top level DNS servers) which could prevent many people from accessing their favorite websites.
  • Fireball drops ransomware on the systems and then waits to get paid, disrupting millions of systems and the users and organizations that rely on them
  • Fireball drops any other malware (or a combination of malware) and can steal credentials, spy on users, hijack social media and communication accounts or just use the whole thing as a massive spam spreading operation.

Why this might not happen

Education is key when it comes to dealing with new cyber threats, Check Point did a fantastic job bringing this infection to the eyes of users at large and the media, it has had a lot of coverage over the last few days and hopefully folks are scanning their systems and removing unwanted plugins to help reduce the power this adware operation has to do anything worse.

In addition to that, while Rafotech (who created Fireball) is using the infection to spread advertisements, they are sitting in a legal gray area and shutting them down would be a bit difficult without some serious international cooperation.  However, if Fireball started spreading additional malware, like ransomware or bots, then you’ve got an international crisis on your hands, and law enforcement for every country affected knows who the culprit is, safe to say it would be a bad move.

The worst, worst case

In a nightmare universe, the backend command and control systems that decide what Fireball does is compromised by malicious actors who then drop all kinds of nasty malware on the systems.  If that were to happen, you would still have the international crisis but no attribution.

You can guarantee though, that even if the attackers cannot be stopped, Rafotech would take a lot of heat and face serious charges for their involvement in creating this threat, not securing it correctly and handing a nuke to whatever cybercriminal wanted it.

Removing yourself from the problem

Obviously, if your system is infected with Fireball then not only is your safety an issue but also the safety of every other system on the internet. It is easy to weaponize an infected system to be used for direct DDOS attacks, act as a proxy for traffic (hiding the bad guys) to spread malware itself in the case of some spambots.

So, how can you remove your system from being used in this way? It’s pretty easy actually.

  • Check your browser

Are you being redirected to the Rafotech search engine or feel like you’ve seen an immense amount of advertisements being pushed to you without provocation recently? If either of those is true, it’s likely you are infected with Fireball.

  • Run a scan

Your first step is to download, install, update and scan with Malwarebytes 3.0.  This will identify any artifacts on the system belonging to the threat; we detect Fireball as “Adware.Elex.”  We know exactly what Malwarebytes can detect concerning this threat, so we are only discussing remediation using our tool.

  • Find any strange browser add-ons

Fireball utilizes browser extensions and add-ons to help it complete its goal of drowning you in ads. So, you want to make sure there aren’t any that you didn’t install yourself, if you find one that looks strange, go ahead and remove them.  You can check out this resource that Facebook put together to help folks clean up the add-ons and extensions they have in their browser which may be causing problems.

  • Reset your defaults

After a Fireball infection, your default homepage and the search engine would have been modified; you can go into your browser settings to change them back to what you want or just restore the whole browser to its default state.

Conclusion

We want to thank Check Point for their fantastic analysis of this threat and bringing it to the attention of the world. We hope that those infected with this adware can find articles like this and learn how to clean up their systems before one of the worst-case scenarios listed above actually become a reality.

In the meantime, it’s best not to consider any malicious threat less dangerous than others, PUPs, adware, spyware, and others are still software installed on a system with the limitations (or lack thereof) of any other piece of software. Just because something is being used for one purpose today doesn’t mean it won’t be repurposed for something far more damaging next week.

Thanks for reading, stay alert, stay safe and we’ll catch you next time.

The post Fireball Chinese malware and you appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tech support scams: what are other people doing?

Malwarebytes - Wed, 06/07/2017 - 14:00

We’ve talked a lot about tech support scams over the past few years, typically focused on what we see ourselves, and the scammers who like to pose as Malwarebytes. But tech support scams are much bigger than that, targeting every tech company under the sun. So what are other people doing about it? Let’s take a look at some of the other players working to keep you safe.

IT Advocate

Independent researchers will occasionally conduct sting calls based on a combination of victim complaints and their own research. IT Advocate presents some of the most thorough research and professional videos in this genre, providing context to each company before they make the call.

Others who refer to themselves as “scam baiters” will present calls on Youtube, typically designed to waste the scammer’s time, or execute a practical joke. These are amusing, but also frustrating because they aren’t useful; most videos don’t disclose where they got the number, what their specific setup is, or any specific details on the company. IT Advocate, in contrast, focuses on collecting hard, actionable evidence that can be used in takedown requests to keep users safe. They publish fairly frequently and you can find their YouTube channel here.

 

Fatsecurity.com

An occasional problem defenders run into is how to effectively execute a takedown, in particular, an advertisement takedown for a fraudulent company. Scammers will register a corporate presence in the United States, set up several money mule accounts here as “payment processors”, and use US dollars to buy ads. As a result, it can be tough for an advertising company like Google to distinguish these ads from those of a legitimate tech support company. Fat Security is attacking this issue from an interesting angle, as you can see here. Rather than crowdsourcing victim reports, which can be vague or incomplete, they are crowdsourcing reporting – users who sign up will be informed of identified scams and how to report them to the proper authorities. The idea being one researcher’s report can be ignored; ten thousand users reporting the same scam demands a response. It’s a novel idea and we look forward to seeing how it turns out.

The Big’uns

Microsoft is arguably one of the most abused companies in a tech support scammer’s pitch. So how are they fighting back? They have extensive coverage of tech support scams in their blog, as well as a consumer education sheet with useful info here. (Here’s ours, by the way.)

What a lot of folks don’t realize is that they also have a reporting tool for victims and researchers to report a scam directly to them: www.microsoft.com/en-us/reportascam. When conducting threat analysis, more data tends to make for better judgments, so these types of reporting tools tend to yield good intelligence.

Symantec provides a public resource page here, as well as a reporting tool, although it appears to be a catch-all for abuse of their intellectual property.

Teamviewer is the tool of choice for scammers to gain access to your computer. Their resource page for victims here offers some good tips on how to secure your account if you have one and provides an email address to report fraudulent use of their product.

In short, there’s a wide range of researchers working hard to keep you safe from tech support scams, from the biggest names in the industry, down to single individuals working as an avocation. The more of us who pitch in makes it more likely that you won’t have to deal with a scammer. And if you’ve ever thought you were talking to Malwarebytes and gotten someone unsavory instead, please post to the comments below.

Some resources mentioned above:

The post Tech support scams: what are other people doing? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HTTPS… Everywhere!

Malwarebytes - Tue, 06/06/2017 - 14:00

We recently updated our redirections rule in HTTPS-Everywhere, a browser extension that automatically redirects you to the HTTPS version of the website you are trying to visit. Now is a good time for us to give a short overview of how important HTTPS is. We’ll also talk about a few major HTTPS-related events that happened lately.

When we browse the web, several third-parties are able to snoop on the connection between the user and the website, including the user’s ISP, law enforcement, the website’s ISP, and other people in between.

Who can snoop on your connection without HTTPS, and what can they see? (by The TorProject)

These intermediaries are able to obtain and modify on the fly most of the information sent through the connection: the website reached, the web page name and content, the potential username and password, the user’s IP address, and more. It obviously poses a lot of problems, which is why HTTPS is now mandatory for more and more websites (public sector, banks, etc.). Using HTTP with SSL/TLS (HTTPS) hides much of information compared to the picture above:

Who can still snoop on your connection with HTTPS, and what can they see? (by The TorProject)

Now, the intermediaries only get access to the website reached and the user’s IP address. The web page name, its content, the logins are no longer exposed to whoever snoops between the user and the website. It’s also no longer possible to modify this data on the fly.

The security gain is then huge, as it’s possible to transmit sensitive data in an authenticated way without being modified. This is possible thanks to a chain of trust established between the user software (a web browser, for instance) and a third-party who authenticated the service (a website, for instance).

This third party is called a Certificate Authority (CA). There currently are a lot of different CAs and all of them need to strictly follow the guidelines in order to stay trusted by web browsers, operating systems, and other software.

Once a service requests a certificate to be authenticated, the Certification Authority proceeds to a multiple-step process in order to verify the owner identity. If it’s successful, the service will be authenticated.

A widespread adoption

However, despite the huge benefit of using SSL/TLS, anyone who requests a trusted certificate for a specific domain needs to regularly pay an expensive fee, which slows down the adoption rate.

In 2014, a new non-profit Certificate Authority was created by the ISRG with the idea to provide trusted certificates for free for everyone. The adoption was huge: Let’s Encrypt has been publicly launched in 2016 and has already delivered more than 33M certificate since then, for more than 40M domains.

Let’s Encrypt Certificates Issued Per Day

For the first time, more than 50% of total web page requests have been served over HTTPS in early 2017 and it’s still climbing.

Percentage of pages loaded over HTTPS – Google Transparency Report

This widespread adoption is definitely good news for security. However, the landscape evolves very quickly, with involved parties trying to fix the remaining problems—and introduce new ones.

Web browsers pushing harder

In order to push the adoption much further, web browsers are also taking active actions.

Recently, Google and Mozilla announced a new feature in their browsers (Chrome and Firefox, respectively): websites served over HTTP will be labeled as non-secure (whereas before HTTP websites used to be the norm and only websites served over HTTPS had a specific label):

They also announced the end of support for the SHA1 algorithm, which is still used by some Certificate Authorities despite several flaws it suffers.

Another step is the introduction of Certificate Transparency, the support of which will be mandatory for all Certificate Authorities from October 2017 in order to very quickly detect wrongly issued certificates and malicious Authorities, thus, revoking them as quickly as possible.

Last but not least, they are taking strong positions against Certificate Authorities that don’t follow the rules and best practices: Google and Mozilla announced their intention to distrust the “Class 3 Public Primary CA” Symantec certificate due to several failures to comply with the industry rules and other more recent security problems. This will revoke the trusted chain and will trigger a warning for users visiting a service authenticated with this certificate and may even block them to visit the website depending on their configuration unless Symantec changes their practices or agree to comply with Google and Mozilla requests which may be the case.

Security software playing nasty Despite all these actions to push more and more  SSL/TLS implementation best practices, a major issue still persists. Several antivirus software, middleboxes, or corporate appliances analyze web or mail connections to scan for malicious content. While it’s easy to achieve for clear-text traffic (like HTTP), it’s much more difficult to do so for SSL/TLS traffic. As pointed by the recent study “The Security Impact of HTTPS Interception”, these solutions tend to behave like spyware and play nasty with SSL/TLS while they try to decrypt it “for security reasons”. As expected, it usually puts the user at risk while breaking the security chain, reducing the connection security, and reintroducing old security flaws. Malware is seen to maliciously modify the system certificate root store (which stores the list of trusted certificates from known Certificate Authorities). They add a non-trusted certificate and set it as trusted, or remove known and legit certificate in order to break the connection to known services. The latter has been seen very recently on our forum:

List of certificates maliciously marked as untrusted by the system

But as explained, several security software programs proceed in a very similar manner. The study has used browsers legit SSL/TLS handshakes with some being knowingly intercepted by security software (and middlebox, corporate appliances) to be able to draw a comparison based on the relationship between the user agent and Client Hello messages. They used portions of Cloudflare, Firefox update servers, and several popular e-commerces websites traffic in order to get a sufficient amount of data. The results are particularly explicit by themselves: 90% of connections to Firefox servers, 32% of connections to e-commerce’s websites, and 54% of Cloudflare connections have been observed to be less secure while being intercepted.
  • On 12 famous and widely used corporate middleboxes tested:
    • 11 weaken connection security (compared to an up-to-date web browser).
    • 5  introduce several MiTM flaws
    • 10 support RC4 ciphers (broken)
    • 2 support export-grade ciphers
    • 3 do not properly validate the certificates
  • On the various security software solutions and malware tested:
    • 10 introduce several flaws (CRIME, anonymous ciphers, no certificate validation, RC2, too short DH length)
    • Some RCE vulnerabilities (triggered by malformed certificates) are regularly found in some of them
Conclusion In short, even if only a few security software have seemed to properly handle SSL/TLS interception without introducing several vulnerabilities, all of them decreased the overall security compared to an up-to-date web browser or email client. Even worse, most of the time-critical vulnerabilities otherwise fixed years ago have also been reintroduced. The updated HTTPS Everywhere rule we spoke about in the introduction is another step to help our users to stay secure while browsing our websites, as all our services are available with HTTPS. We try to stay up-to-date with the best SSL/TLS deployment practices.

The post HTTPS… Everywhere! appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Interview with a malware hunter: Pieter Arntz

Malwarebytes - Mon, 06/05/2017 - 14:00

Welcome to our new series: interview with a malware hunter. In these Q&A sessions, we’ll take you behind the scenes to get to know our malware intelligence crew. Without further ado, we present our first victim, researcher, and blogger Pieter Arntz.

Where are you from? Are you still there now?

I’m from the Netherlands. I’m there now, yes.

You speak four languages. What are they? How did you learn them?

I speak Dutch, German, English, and French. We got the basics at school and I lived in London for a time and a place near Hamburg, Germany, as well. France was a favorite vacation spot for me, so that’s how I kept up to level.

How did you get into cybersecurity?

I started participating in the forums a long time ago, helping people who had computer problems. Because of the people I met in the forums—Marcin, Doug, Bruce, Mieke [Malwarebytes company founders]—I got interested in malware, specifically adware and spyware. They were looking for someone to write removal guides on the forums. I volunteered, so that’s how I ended up in cybersecurity, working for Malwarebytes.

Did you major in computer science? How did you know how to help people with malware problems?

I studied it a long time ago at University, so I had to have some basic knowledge of code. I actually got my bachelor’s in geodesy, so we had to use a lot of computer programs of our own making to put in all the data.

How long have you been a cybersecurity researcher?

Professionally, seven and a half years. I started doing it as a hobby 18 years ago.

When did you join the Malwarebytes team? What made you join?

November 2009 is when I joined. I watched this company grow enormously, and I liked the people that worked here. It gave me a lot of freedom, and it made my hobby into my work, so what else can you want?

What makes you stay? What do you like about this line of work?

I keep on learning. It doesn’t get boring, there’s always something new. That’s what keeps me going. The people I work with, like Adam [Kujawa, Director of Malware Intelligence] and Jérôme [Segura, Malware Intelligence Analyst], know so much that I don’t know, so I’m always trying to pick their minds.

What area of cybersecurity research do you focus on? Why this area?

I specialize in adware. It’s the easiest to understand for me. It’s like a puzzle I can work out. When I started, there were people who were spreading viruses just to make a name for themselves. Now we have to deal with hardened criminals. With the money angle in mind, there is a motive to what they do. And adware is what the majority of people have to deal with nowadays.

What’s the most interesting/impactful discovery you’ve made as a researcher?

I think it was Vonteera, an adware that marked certificates for security programs as untrustworthy. Because of that, people who were infected couldn’t download security programs. I was the first person to find out how they did that. I posted the results on the blog and wrote a fix for it. After that, the adware disappeared a few days later.

What’s the biggest cybersecurity “fail” you’ve witnessed?

My previous employer had a synchronized backup to back up the system every hour. When they got a virus infection, they didn’t notice for a week, so all the infected files got written to the backup. So they lost a week’s worth of work. I was very glad I didn’t work in IT there!

Talk to me about a day in the life of a researcher. How do you conduct your research?

I start with looking at forums and see if there are any new things that people are complaining about or having problems removing. I try finding an installer for it using programs such as Cosmos and VirusTotal. If I can’t find it anywhere, I reach out to the users who are complaining and get the infected file from them. Then I look to see if I should write about it—especially if it requires additional user interaction or if it is hard to recognize the infection. Then I check Twitter and Facebook to see if there are any other new trends I need to write about. If I find something that Malwarebytes does not tackle, I let the research team know.

What tips you off that something might be malicious?

I usually can guess if something is malicious is by the way it acts and the way it’s presented. If it talks like a duck and walks like a duck, it’s probably a duck. You always can tell if a program has something to hide.

When an outbreak like the recent WannaCry ransomware attack occurs, how does that impact your work?

I was tipped off about WannaCry when I noticed on Twitter that a lot of companies were complaining. People in England were being sent home from the hospital. Alarm bells started to ring. By the time I found out what was really going on, the other researchers in America were online and together we came up with a plan. When we found the sample, everything else stopped, especially since we knew our premium products already protected our customers. Zammis [one of our researchers] started working on reverse-engineering right away. We had to get that information out there so other people could be safe.

What kind of skills does a person need to be a malware intelligence researcher?

You have to be able to follow tracks. Finding the sources of the malware is the biggest part, really. You need logical thinking and enough understanding of coding to be able to decipher the raw elements. A big part of tracking malicious programs down is understanding the money flow, the business model. If they offer something for free that promises everything you ever wanted, and there is no catch, no improved version to purchase later on, how do they make their money?

What advice do you have for people who want to break into the field?

If you really want to make a difference, then try to learn reverse engineering or hacking. If you’re a good reverse engineer, you can work for any company you like.

The post Interview with a malware hunter: Pieter Arntz appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 29 – Jun 04)

Malwarebytes - Mon, 06/05/2017 - 13:59

Last week, we looked at a ransomware strain that appears to be a fake version of DMA Locker. We also focused on adware that use scheduled tasks in part 4 of a series. Lastly, we talked about fake reviews and how to spot them.

Below are notable news stories and security-related happenings:

  • Healthcare Industry Continues To Struggle With Software Security. “According to the results of a recent survey, roughly one third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.” (Source: Help Net Security)
  • The Need For Internet Security On Your Devices. “Cyber crime seems to be making headlines every other day. Cyber crime continues to be a growing problem for kiwi’s, costing us over $257 million per year.  This means that it’s important now more than ever to ensure that you are protected against the plethora of threats that seek to compromise your devices.” (Source: Future Five)
  • Don’t Wanna Cry After Meeting Judy? How To Secure Your Mobile From Malware. “Security firm Checkpoint on Thursday revealed that around 36.5 million Android devices were likely infected by a malware, dubbed as ‘Judy’, after downloading apps developed by South Korea-based Kiniwini and published under the name of ENISTUDIO Corp. The Korean firm developed 41 such malicious apps and was able to bypass Google’s security protocols on the Play Store, thereby making the app available for download.” (Source: Money Control)
  • China’s Tough Cybersecurity Law To Come Into Force This Week. “China, battling increased threats from cyber-terrorism and hacking, will adopt from Thursday a controversial law that mandates strict data surveillance and storage for firms working in the country, the state-run Xinhua news agency said. The law, passed in November by the country’s largely rubber-stamp parliament, bans online service providers from collecting and selling users’ personal information and gives users the right to have their information deleted, in cases of abuse.” (Source: South China Morning Post)
  • What Will It Take To Keep Smart Cities Safe? “‘Smart cities’ use smart technologies in their critical infrastructure sectors: energy, transportation, environment, communications, and government. This includes smart systems for energy management, parking management systems, public transportation information coordination, transportation sharing, traffic management, air quality monitoring, waste management, e-government, connectivity, and so on.” (Source: Help Net Security)
  • IT and Biz Leaders: Boards Don’t Take Security Seriously. “Nearly half of IT and business decision makers globally don’t think their boards are capable of effectively managing cybersecurity threats, despite the vast majority (77%) believing it is now the C-level’s responsibility, according to new research from Control Risks.” (Source: InfoSecurity Magazine)
  • Bitcoin Has Come Roaring BackBut So Have The Risks. “The big question is whether a crash is coming or whether cryptocurrencies have hit their stride. Should investors cash out now while the getting is good, or buy more now before the price climbs even higher? So far, when it comes to bitcoin, the only real rule is volatility.” (Source: Wired)
  • OneLogin Suffers Breach—Customer Data Said To Be Exposed, Decrypted. “OneLogin told fretful customers in an internal notification that they would need to work through a number of steps to secure their accounts, including generation of new API credentials and OAuth tokens. Any users served by the firm’s US data centre have been hit by the breach, OneLogin said.” (Source: Ars Technica)
  • A Recently Discovered Linux Flaw Could Be Exploited By Sudo Users To Gain Root Privileges. “Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems. The high severity flaw, tracked as CVE-2017-1000367, resides in the Sudo’s get_process_ttyname() for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem.” (Source: Security Affairs)
  • Kmart Point of Sale Hacked With ‘Undetectable’ Malware. “Kmart is not saying how many of its 750 stores in the US were affected by the point-of-sale (PoS) malware, but it stressed that no personal data, including names, addresses, Social Security Numbers or email addresses, was stolen. It also talked up its EMV reader implementation.” (Source: InfoSecurity Magazine)
  • Inside Google’s Global Campaign To Shut Down Phishing. “At the beginning of May, a phishing scam flooded the web, disguised as a typical Google Docs request. Some of the emails even appeared to come from acquaintances. If victims clicked through and granted seemingly innocuous permissions, they exposed their entire Gmail account to whoever was behind the scam. It was an explosive scheme. And Google responded in kind.” (Source: Wired)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (May 29 – Jun 04) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spotting fake reviews – have healthy online skepticism

Malwarebytes - Thu, 06/01/2017 - 14:00

One of the most often pieces of advice I give when speaking to friends and relatives regarding online threats is to research it.

Performing a simple Google search on a product, a strange phone number, or a business, can reveal a wealth of data that can then be used to make an informed decision about what actions to take. And here is where we get to the crux of it all. Just as we now have to contend with “fake news,” some of the information unearthed by web research will be wrong, contain mistakes, or even attempt to deliberately mislead you.

Let’s take an example we often hear about:

  • A user has a computer problem.
  • They perform a Google search in an attempt to find a solution.
  • The results point them to the apparent official technical support for the product they are having issues with.

*Attentive readers will notice that we have touched on this subject in the past.

This is where a careful user should do a little bit of research

A simple Google search of “company name + scam” will often turn up some valuable information. A company that has pages upon pages of customer complaints should raise some red flags.

Some examples of the websites that Google displays when you perform such a search are repositories of customer experiences, such as the online presence of the Better Business Bureau, Pissedconsumer.com, and even the official Facebook page of said business to name a few. Perusing these complaints will help give you an idea of the trustworthiness of a business. Going the extra mile and doing this research also gives you the time to think about the service you are looking at purchasing. This mitigates being rushed in your decisions.

Sometimes, legitimate users catch on!

Shills, sockpuppets, and personas

This research phase is also where we sometimes see a strange trend. A search on some of the websites that aggregate consumer complaints might show the first page of results filled with glowing reviews exhorting the awesome customer service they received.

Let’s stop and think about this. Why are random users taking the time to go register an account and fill a glowing review on a site that predominantly focuses on negative experiences? Only a small number of customers will go to the effort of filling out a review, much less a positive one.

This is an effort to artificially bury the negative reviews on these sites, as users rarely visit anything beyond the first page of results. These reviews are created by shills, either employed by the company affected by the negative reviews or by an online reputation management firm.

These are companies that specialize in online reputation management and have been hired to clean up negative comments that would otherwise be prominently be shown as the top search result. As an aside, any company that uses these techniques should fall victim to the “Streisand Effect” and immediately be viewed with extreme suspicion.

Spot the fakes

Some review sites will let you gather a little intel on the authors of reviews. Here are a few pointers for spotting fake ones:

  • Are all the positive reviews created on the same date? Organic reviews would be created at different times, fake ones might be done manually or programmatically in a short time frame.
  • Look for the age of the accounts with positive reviews. Real accounts would be created at different times, on different dates. Again, fake ones might be done manually or programmatically in a short time frame.
  • How many reviews do the accounts have? A real user might make reviews for several sites and services. A shill will almost only ever do the one. Maintaining a myriad of sockpuppet accounts is difficult.
  • Do they use a boilerplate? Are there multiple reviews with identical text from supposedly different authors? Boilerplates are a dead giveaway that there’s some reputation management going on.
  • Try pasting the review, or a portion of the text used in the review, in Google and searching for it. If the results turn up in multiple different reviews on different review sites, you have found a boilerplate!
  • If the first page of reviews is filled with positive comments, buck the trend and check the 2nd and 3rd pages. Reputation management outfits know almost no one checks past the first page. Valuable true negative comments often appear there.
  • Read the positive reviews carefully. Are they super polished? Perfect grammar? Real humans write in a way that is difficult to emulate. A boilerplate, or a professional shill, would have proofread the review and removed typos.
  • Beware of some review sites. They might be an advertisement for a specific product cleverly disguised as a review site!
  • Some reviews are solicited by the technician, only when there is a positive interaction, effectively drowning the review site with genuine positive interaction reviews. This becomes apparent when there’s an unusually large amount of reviews for the website/service.

There are no hard rules in detecting fake reviews and some real ones might exhibit the symptoms of fake reviews and vice versa. A good indicator is critical mass. If there are multiple dubious examples on the review site, you should take all the reviews on the site with a grain of salt.

Attempting to manage negative reviews by having a brigade of sockpuppets bury them with fictitious positive ones is in itself a good indicator of malfeasance.

Identical text across multiple reviews, with different users, review creation date, and geographical location.

Identical text across multiple reviews, with different users, review creation date, and geographical location.

1140 positive reviews! An example of flooding.

On the honesty of review sites

As if the waters were not murky enough, the review sites themselves sometimes have a financial stake in either showing negative reviews or conveniently hiding them. Some review sites have been repeatedly accused of providing preferential treatment to businesses that subscribe to their services. Others have been compared to a shakedown or strong-arm techniques based enterprise.

Subscribe to our service, buy advertising space on our site, pay for a membership… Do this and the negative reviews will be buried several pages in, away from view.

This subject alone could fill a separate article.

Reviews, complaint boards, and Google searches are powerful tools at your disposal to help in the decision process when evaluating a service. Having robust online skepticism will help preserve this skill, despite less than reputable online presence management shenanigans.

As always, stay safe, and if you have ever encountered shill reviews, please share them in our comments!

Jean Taggart

The post Spotting fake reviews – have healthy online skepticism appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 4

Malwarebytes - Wed, 05/31/2017 - 14:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Scheduled Tasks and Services

Two popular methods to deliver advertisements to your computer at regular intervals are Scheduled Tasks and Services. Both can easily be used to set a timer and show you a new advertisement at a set interval. The interval can be hours or mere minutes. For the advertiser, an interval in the range of hours has the advantage of being more inconspicuous as the user may close the advertisement and think nothing more of it. But a short interval brings in more money if you get paid by the impression (or by the number of unique views).

Scheduled Tasks

The Windows Task Scheduler is like an alarm clock that you can set, to start a procedure under specified circumstances. You can set them to start at a certain time, and repeat at a set interval, or you can set them to start at a certain occasion, most commonly when the computer boots up. Scheduled Tasks are the containers, that hold the information about what has to happen and when. Since the introduction of Task Scheduler 2.0, Scheduled Tasks have the format of XML files and the job extension.

Once you are aware of the fact that a Scheduled Task is responsible, it is pretty easy to remove them. Be aware that they tend to come in small groups (2 or 3 tasks is what we’re used to seeing in most cases).

How to open the Task Scheduler Windows XP and Windows 7

To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.

Windows 8 and Windows 10

Use the Search option to search for “Schedule” and choose “Schedule Task” to open the Task Scheduler.

Identify and delete a Scheduled Task

In the list of Scheduled Tasks find the ones that trigger the process associated with the advertisements. You can find the process name under the Action tab. Note that there may be switches set behind the filename like in the example below (GoogleUpdate.exe is the file name).

Select the Scheduled Task in the overview window and use the Delete option to remove it.

That’s all there is to it. As you can tell from the above, identifying the culprit as a Scheduled Task is the hardest part here. Removing Scheduled Tasks is easy enough once you are sure what to get rid of.

Services

Windows services are programs that work in the background and many of them are crucial for the operation of the system, so be careful when you start disabling them. Also, make note of the following order since you may have to re-enable them in the reverse order. Many services depend on others and are unable to run without the ones they depend on.

How to open the Services console

To see the list of services run services.msc in your Run prompt or from your search box.

Identify and disable a Service

If you right-click a line in the list of services and click Properties, you can see the path to the executable on the General tab.

When you have found the service that is responsible for the advertisement, you can Stop the service on that same tab and set the Startup type to Disabled.

That should stop the advertisements and prevent the service from starting again. If it does start again, there are other processes involved and you may be dealing with a rootkit. More about those later.

Index Part 1
  • Identify the process
  • Clear browser caches
  • Remove browser extensions
Part 2
  • Proxies
  • Winsock hijackers
  • DNS hijackers
Part 3
  • Type of software
  • Uninstall
  • Remove file
  • Replace file
 Part 4
  • Scheduled tasks
  • Services
Up next, part 5
  • DLL’s
  • Handles
  • Parent process

 

Pieter Arntz

The post Adware the series, part 4 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 22 – May 28)

Malwarebytes - Mon, 05/29/2017 - 17:48

Last week we informed you about several new threats, including the android ransomware that targets Tencent users. This SLocker.fh masquerades as various legitimate apps to fool users into accepting escalated rights.

Or how about the potential danger of spilling Windows credentials for Chrome users. All they need you to do is to visit their site.

Some of these threats are so unsettling they even frighten us. We listed 5 cyberthreats to keep an eye on.

Also we brought you up to speed about RoughTed, a malvertising campaign that is is unique for its considerable scope ranging from scams to exploit kits, targeting a wide array of users via their operating system, browser, and geolocation to deliver the appropriate payload.

Other noteworthy news in cybersecurity:

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (May 22 – May 28) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A stolen version of DMA Locker is making the rounds

Malwarebytes - Mon, 05/29/2017 - 14:21

Ransomware has become a popular criminal business with a relatively easy entrance. Even the people with little technical knowledge can build their own ransomware based on open source code, that has been published on the internet some time ago. Nevertheless, cybercriminals keep stealing, not only from victims, but also from each other. Some time ago we heard about PetrWrap – a ransomware build upon a binary of the infamous Petya. But that is not  the only case. For some time, we have been observing a threat actor who distributes patched DMA Locker binaries.

Real or stolen DMA Locker – why would you care?

The observed samples of the stolen version of DMA Locker have been built based on one and the same instance of DMA Locker – so, they carry inside the same public key. This implies, that all the victims of this version can get their data back with the help of the same private key. And now comes the best part: we have this key and we distribute it for free to all affected persons.

If you are a victim of the fake DMA Locker, you can send e-mail with samples of you encrypted files to: hasherezade-at-gmail.com

How to recognize the stolen versions?

Since the fake DMA Locker is based on the binary of the original DMA Locker 3.0, they have exactly the same GUI – only the keywords referring to DMA Locker has been removed:

The main difference between the original and stolen DMA Locker is a different marker at the beginning of the encrypted file. While the real DMA Locker prefixes content with: !DMALOCK, the stolen version have many different prefix patterns. Some we have observed are:

  • !XPTLOCK5.0
  • !Locked#2.0
  • !Locked!###
  • !Encrypt!##

However, the threat actor changes them periodically – so, anything that is different from the standard pattern may suggest that we are dealing with the “pirated”, decryptable version.

Example of file encrypted by the fake DMA Locker:

What are the chances to get the data back?

Up to now we managed to help 100% of the known victims of the fake DMA Locker. So far, the threat actor responsible for distributing it, has not changed the key – so, the prospects of getting data back are still big. However, the chance to get help drastically shrink in case you were attacked with the legitimate DMA Locker, which may look the same at first sight.

How to prevent the attack?

Distributors of the fake (as well as the original) DMA Locker enter the victim machine via hacked Remote Desktop. Thus, we recommend paying attention if you have Remote Desktop open and if so, if it is properly secured.

Analyzed sample

https://www.reverse.it/sample/38527d20338fb35717b349176b976610465d368123c083fb88115e982b367918?environmentId=100 – fake DMA Locker, adding “!Encrypt!##” prefix.

Appendix

Currently in distribution is version 3.0 of DMALocker, since the development of 4.0 was abandoned. Read more about our research:

DMA Locker 4.0: Known ransomware preparing for a massive distribution

The post A stolen version of DMA Locker is making the rounds appeared first on Malwarebytes Labs.

Categories: Techie Feeds

RoughTed: The anti ad-blocker malvertiser

Malwarebytes - Thu, 05/25/2017 - 14:00

RoughTed is a large malvertising operation that peaked in March 2017 but has been going on for at least well over a year. It is unique for its considerable scope ranging from scams to exploit kits, targeting a wide array of users via their operating system, browser, and geolocation to deliver the appropriate payload.

We estimate that the traffic via RoughTed related domains accumulated to over half a billion hits and was responsible for many successful compromises due to effective techniques that triage visitors and bypass ad-blockers.

The threat actors behind RoughTed have been leveraging the Amazon cloud infrastructure, in particular, its Content Delivery Network (CDN), while also blending in the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity.

Highlights
  • Traffic comes from thousands of publishers, some ranked in Alexa’s top 500 websites.
  • RoughTed domains accumulated over half a billion visits in the past 3 months alone.
  • Threat actors are leveraging fingerprinting and ad-blocker bypassing techniques upstream.
  • RoughTed can deliver a variety of payloads for each platform: scams, exploit kits, and malware.
Campaign identification

While studying the Magnitude exploit kit, we came across an interesting redirection chain from a domain name called roughted[.]com, hence the nickname ‘RoughTed’ we gave to this threat actor and campaign.

roughted.com/?&tid=645131&red=1&abt=0&v=1.10.59.18

This domain was calling out to an XML feed to serve ads, but because of our geolocation at the time (South Korea), we were redirected to the Magnitude exploit kit via its pre-filtering gate, also known as ‘Magnigate’.

Over the course of a few days, we noticed a similar referer as roughted[.]com, with the same URL structure redirecting to the RIG exploit kit this time. Upon mining our data set, we started seeing that pattern for over a hundred other domains and mapped out some of the most prolific ones.

Numbers above added up from SimilarWeb.com analytics.

The majority of the domains were created via the EvoPlus registrar in small batches with a new .ru or .ua email address each time. Another thing in common that these domains have is that they are being used as a gateway meant to bypass ad-blockers (we will expand on that aspect later).

The visualization below shows clusters representing domain names assigned to a unique registrant email.

Within each cluster, we can see that the domain naming convention follows a certain pattern, with one or two strings being used in various positions. For example, below we have the strings ‘get‘ and ‘fun‘ used to build the domain name.

This is in itself is not shocking (it could simply be a lack of imagination) but it becomes interesting when two separate clusters are semantically related (different registrant email but similar domain names). This allows us to connect the campaigns together in yet another way (besides the URI patterns).

For instance, let’s zoom in on two clusters that show different email addresses. We see that the common string here is ‘parser‘ used in both and it is not just a ‘coincidence’.

Publishers

The term ‘publisher’ is commonly used in the advertising industry to refer to websites that display adverts to generate online revenues. Publishers are typically providers of content (news, media files, etc.) which drive people to visit them regularly. The cost of advertising is not only dependent on how popular a website is, but also on other variables which revolve around the kind of audience a publisher captures.

The bulk of the traffic for the RoughTed campaign comes from streaming video or file sharing sites closely intertwined with URL shorteners. These are areas where malicious actors love to lurk because of the sheer volume of traffic but also subpar standards for quality and safety of online advertising.

Below are some domains we spotted in our telemetry, ranking within Alexa’s top 1000. Visitors to these sites are targeted with ads and in some cases, some that belong to the RoughTed campaign. We will detail later to what kind of content users were exposed.

During our research, we spoke with Denis Sinegubko from website security company Sucuri who shared similar findings with how ‘personal’ websites were involved in this malvertising campaign. Webmasters knowingly integrated an ad code script from advertising company Ad-Maven into their pages in order to monetize their website.

The obfuscated script above contains an algorithm to generate future Amazon S3 URLs, but the buckets are only created for the next 3-5 days.

Each bucket contains a base64 encoded blurb which decodes to the current cloudfront.net subdomain:

We have many examples of these cloudfront.net subdomains (leveraging the Amazon’s Content Delivery System, Amazon CloudFront CDN) seen as a referrer to RoughTed domains in our telemetry as well:

Refer: dh0uktvqfaomb.cloudfront.net/br?tid=651488 -> trandsey.info/?&pid=6&tid=651488&status=4&subid=0&info={redacted}.&v=1.1.0.1&_=1490387450476 Fingerprinting and ad-blocking evasion techniques

There’s more within this code and it has been raising eyebrows for its invasive nature, in particular for its use of fingerprinting techniques, in that case, ‘canvas fingerprinting’.

We can see it below again in a slightly different format (admvn.js) used by the URL shortener site adf.ly and redirecting users to a RoughTed domain (somethodox.info):

The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation.

Typically the User-Agent string can determine a visitor’s OS and browser but it’s trivial to fake the UA and lie to the server. One clever alternative is to look for installed fonts since they are specific to certain operating systems, i.e. a Mac user will have different fonts than a Windows user (thank you Manuel ‘The Magician’ Caballero for pointing out this trick).

Another interesting aspect is that redirections to RoughTed domains seem to happen even to those running ad-blockers and that was reported by users of Adblock PlusuBlock origin or AdGuard.

The animation below shows a redirection to one of the RoughTed gates that bypass the ad blocker in Google Chrome (ABP is shown installed and activated at the top right) and ultimately pushes a bogus Chrome extension. All a user has to do is click anywhere on the first page they visited and their browser will become hijacked.

Something for everyone

This malvertising campaign is quite diverse and no matter what your operating system or browser are, you will receive a payload of some kind. Perhaps this should be something for publishers to have a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts.

Adware for Mac

This is a fake Flash Player update that targets Mac users and tricks them into believing that the file comes from Apple. As a rule of thumb, you should really only download software updates from the original manufacturer, not some third-party. Unfortunately, crooks can easily create deceiving pages or scare users into installing a fraudulent piece of software.

Traffic view

PUPs for Windows

There are countless fake updates for Flash, Java, not to mention all those ‘special’ codecs for Windows. The following page urges users to install a Java update which is laced with adware. When it comes to Java, it’s usually better not having it in the first place, let alone installing some shady updates.

Traffic view

Rogue Chrome extensions

There is no question that Chrome is one of the safest browsers but unfortunately, malware purveyors and other ill-intent advertising companies are aggressively pushing rogue extensions that can collect or even modify the data on the sites you visit. Malvertising is a prime distribution method for bogus Chrome extensions which are pushed in a forceful way, leaving users little choice but to install them, in some cases.

Traffic view

Undesired redirections to iTunes/app store

There is a large quantity of ‘free’ apps out there, both for iOS and Android and their business model is either via in-app adverts or add-ons you can purchase. Some apps go one step too far by making the game too hard to beat without buying a certain item (this is also known as ‘pay-to-play’). But after all, it is up to users to make that choice to download those apps and opt for such purchases.

However, malvertising murks the waters by doing some automated redirections to some ‘random’ apps and generating commissions for each install.

Traffic view

Tech support scams

Tech support scams have long been feeding off malvertising and targeting many different countries. Therefore it’s not surprising to see cases here via RoughTed as well.

Traffic view

Security researcher Malekal tweeted about a Tech Support Scam (TSS) campaign targeting French people. He points at the heavily obfuscated code and we can spot a RoughTed domain (suspecial.info) in his screenshot within the HTTP traffic.

Surveys and other scams

Fake surveys or lottery pages are also common place via malvertising. In this particular sequence, we ran into NoTrove (a campaign first reported by RiskIQ).

Traffic view

Exploit kits

According to our telemetry records, the majority of victims impacted by exploit kits via the RoughTed malvertising campaign were in the US and Canada, followed by the U.K., Italy, Spain, and Brazil.

RIG EK

One very active malware campaign as of late is known as “Seamless” and has pushed a lot of the Ramnit banking Trojan, especially to Canadian users. It is easily recognizable by its use of IP-Literal hostnames that redirect to the RIG EK infrastructure.

Much of the upstream traffic comes from adult portals and popunder ad networks. Here you can see RoughTed involved in the ad call and chain via interesting multi-step hops leading to the Seamless campaign.

If you want to check the full redirection flow, please click here.

Magnitude EK

Magnitude EK has long been faithful to the Cerber ransomware as its dropped payload of choice. The bulk of infections are happening in South Korea, some in Taiwan and Hong Kong, and curiously, a few in Italy. The screenshot below is an example of a Cerber infection on a Korean user via the Magnitude exploit kit.

Traffic view

Same old, same old

Malvertising may look easy on the surface but is actually a much more complex and deep-rooted issue. We all know that it’s there and whenever a big case is uncovered, ad networks (and publishers) are blamed and it somewhat taints their brand for a little while.

But for the most part, malvertising continues unabated, especially with certain providers. The response from end users has traditionally been to gravitate towards ad-blockers as a means to avoid getting infected or bothered by obnoxious adverts.

Naturally, this has caused a similar knee-jerk reaction by some publishers and ad companies to fight back in various ways to protect their business. The rationale behind it is that people shouldn’t be getting free content that costs them money to come up with and host.

The use of dynamically created scripts to perform redirections that bypass ad-blockers are clever in many ways. For one, when a publisher includes the code on their site, it is unique to them as it is generated in their own dashboard, and by the same token, it is less likely to be detected. The script itself pulls data from a new URL every day which means blocking new domains is truly a cat and mouse game that guarantees a sufficient enough up time to serve up ads.

It becomes a real issue when this ad-supported content pushes scams or malware, even to those running an ad-blocker. At this point, one should ask themselves who really is responsible: ad networks (which are fending for themselves) or publishers (and site owners) that knowingly expose their visitors to nefarious code for the sake of ad revenues.

Thanks to Denis from Sucuri for sharing his insights into injected adverts in personal websites.

Indicators Of Compromise (IOCs)

Regex to detect RoughTed campaign

&tid=6[0-9]{5}&(status|red)=[0-9]{1,2}&(info|ref|subid|abt|v)

Top RoughTed domains (by traffic)

histock.info charmstroy.info greatwork.info yoursinfo.info leversions.info modescrips.info beershavartb.com budgement.info octagonize.com contentpap.info

A longer list can be found here.

Mac PUP (FLVPlayer.dmg)

5170de1236854a73fa4c964044347142788a1d89adfa7f99704fc661620a9bd1

Windows PUP (VideoPlayerSetup.exe)

4ac4e1ebb3b51406a10f3826e048e639b1b473d53e42877bc3fef4455cb99bdc

Chrome extension (ABP bypass)

chrome.google.com/webstore/inlineinstall/detail/oihncglcaajcdibgcmdeioodpkpnnafn

Chrome extension (SearchApp)

chrome.google.com/webstore/detail/cjdnjcibbanenpflghdngkcdphpnenaf

iTunes redirection

itunes.apple.com/app/apple-store/id1095254858?mt=8

Tech support scam

windows-micro-soft-cure.com 3095web.xyz/gunzaofr/index.html

RIG EK

Method,IP address,Domain name,Comments 52.84.133.139,roughted.com,RoughTed 198.134.116.30,xml.ad-maven.com,Redirection 52.86.58.112,emj38.voluumtrk.com,Malvertising 52.28.7.230,nbfb6.redirectvoluum.com,Malvertising POST,193.124.18.68,193.124.18.68,Seamless_Campaign_URL 52.58.225.210,nbfb6.voluumtrk.com,Malvertising 193.124.200.212,193.124.200.212,Seamless_Campaign_URL 193.124.18.68,193.124.18.68,Seamless_Campaign_URL 109.234.36.58,top.onlineboatinsurancesanantonio.com,RIG_EK_URL (Flash Exploit) 109.234.36.58,top.onlineboatinsurancesanantonio.com,RIG_EK_URL (Landing Page) 109.234.36.58,top.onlineboatinsurancesanantonio.com,RIG_EK_URL (Malware Payload) Ramnit: cc4c5eabb76ebca1bc3af1d8e8a6629e72164f9ae0fc61287592548288937220

Magnitude EK

Method,IP address,Domain name,Comments 54.230.249.46,roughted.com,RoughTed 174.137.155.139,xml.pdn-1.com,Malvertising 94.228.223.243,besttovapez.com,Magnigate 94.228.223.245,43dcp5wceag93.doebulk.com,Magnigate 37.59.186.134,19fd6r50gemdb491z.wireits.loan,Magnitude_EK_Code (Landing Page) 37.59.186.134,19fd6r50gemdb491z.wireits.loan,Magnitude_EK_URL (Flash Exploit) 37.59.186.134,37.59.186.134,Magnitude_EK_URL (Kernel32 call) 37.59.186.134,37.59.186.134,Magnitude_EK_URL (Malware Payload) Cerber: d9411664ad6f1451b7cbd2a9453e5824d566535bae480dfe533cda7e0bef0ae7

The post RoughTed: The anti ad-blocker malvertiser appeared first on Malwarebytes Labs.

Categories: Techie Feeds

5 Unsettling cyberthreats

Malwarebytes - Wed, 05/24/2017 - 18:39

Cyberthreats are typically boring, repetitive, and require a reasonably predictable remediation process. A SQL injection is a SQL injection, no matter who’s trying it.  But what about the outliers? What about threats that impact you, but you can’t remediate, or establish a policy to cover?

Here are 5 cyberthreats that if you’re not frightened by, you should be.

  1. VNC roulette. This was a website that scanned for computers that allowed for remote sessions, but were unsecured by passwords or encryption. A fair amount of screenshots the site collected were from average users who simply failed to set up proper security settings. But there were also machines for which that failure was much more serious, like SCADA systems, CCTVs, and water treatment plants.

 

  1. A public drone feed? Last week a security blogger discovered what appeared to be a publically accessible Predator drone feed. As it turned out, the video was actually an unclassified demo page created by a defense contractor using a misconfigured web server. While not exactly the OPSEC blunder viewers thought, the amount of critical infrastructure exposed to the internet and managed via unaccountable third parties is food for thought.

 

  1. Mirai botnet. Used in some of the largest DDoS attacks ever, including one to silence Brian Krebs, Mirai scans the internet for Internet of Things devices using factory default credentials and infects them. What’s the scope of a Mirai attack? Ars technica reported a Mirai DDoS on French web host OVH of 1.7 terabytes.  That’s not the scary part. The scary part is that the IoT market is booming, they have one of the most abysmal records of security engineering and poor judgment ever seen. And as of 2016, the most conservative estimation for IoT devices on the market was 6.4 billion.

 

  1. RATs. Some of us are familiar with remote access tools used to spy on the unwitting and sometimes take compromising pictures. But what happens when a RAT is embedded in a SaaS tool? Tech Support scammers have been hit by third-party business services who sold their service with an extra addition of DarkComet. Given how tough it can be to vet a SaaS offering, the potential to impact legitimate businesses is very large.

 

  1. The Computer Fraud and Abuse Act. Nobody likes fraud and abuse, so what’s the big deal an act designed to keep them off of computers? Well, the act was written in 1986, prompted by a White House screening of the movie WarGames (no, really) and criminalized those who

“having knowingly accessed a computer without authorization or exceeding authorized access”

That bold part has proved problematic in recent years, as the automated scraping of content, saving public data that the owner didn’t intend to make public, and landing on unexpected pages due to a web sites misconfiguration have all been interpreted as violations of the law at one point or another. This is absolutely scary, as the act and its capricious enforcement have led to a chilling effect over vulnerability disclosure and introduced a risk to researchers who might otherwise work with law enforcement.

These are all scary cyberthreats not because of their technical sophistication, but more because they are failures of organizations and institutions that manage technology. Your security team can patch a zero-day vulnerability, but not the executive that insists his password be set to ‘1234’ for ‘convenience.’ When you have strong organizations, the cyberthreats you face suddenly get much less scary.

The post 5 Unsettling cyberthreats appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stealing Windows credentials using Google Chrome

Malwarebytes - Tue, 05/23/2017 - 14:00

Security researcher Bosko Stankovic recently published an article explaining how an attacker could use Chrome, the SMB file sharing protocol, and Windows Explorer Shell Command File to steal victims credentials.

The basic elements Chrome

Similar attacks have been demonstrated using Internet Explorer and Edge, but being able to do this with a (very popular) third party browser increases the chances of this being used in the wild by a lot. Chrome uses a technique called MIME-sniffing for files with a text or text-like content and downloads files that contain a non-printable character. It downloads these files to the default download folder as specified in the Advanced Settings section of the Chrome Settings.

SMB protocol

This file sharing protocol recently gained a lot of fame by being exploited to spread the WanaCrypt ransomware worm. This protocol is what Windows uses to share files, printers, serial ports, and communicate this information between computers. By intention clients make SMB requests and servers make the resources available after successful authentication. But as it turns out, this feature can be (ab)used for a lot more.

SCF files

Windows Explorer Shell Command File are basically shortcuts with a run command. A very noteworthy feature is that this extension is invisible even if you have your extensions set to show.

So you will have to take a really close look at a file that has a double extension like example.txt.scf to see the difference with an actual txt file.

 

Another thing that makes SCF files dangerous is that they are triggered as soon as the folder they are in is opened. Windows will send a request for the resource the very moment the file is showing in Windows explorer.

The possible attack

The attacker plants an SCF file containing a non-printable character on a website that he knows his victim(s) frequents (watering hole attack). Or if the threat actor is after a bigger audience he can rig a malvertising campaign or use social media.

Chrome users will get the SCF file downloaded to their default downloads folder and the next time they want to look at or move a file from that folder, the SCF file will be triggered as soon as the downloads folder is opened in Windows Explorer.

As explained, SCF files can be configured to contact a server with a request for resources (i.e. a file). There are no restrictions so this can be a remote server under control by the attacker. In order to make the resource request, it will need to send an authentication request via SMB, which can be captured on the server. The request would include the victims’ username, his domain, and the NTLMv2 password hash. This information can be extremely useful for an attacker who wants to expand his foothold on a network.

The consequences

Once the attacker has the hashed password it depends on the strength of the hash for how long it takes to find out the password. This can vary from mere seconds to a few days. In targeted attacks, you can be sure the username and hash will be checked against lists published after breaches to see whether a password has been re-used and can be matched with the hash even faster.

If the Windows 8/10 user is using Microsoft Authentication (MSA) to use Microsoft services like Office 365, OneDrive, Skype, and many others, the impact on the victims can be even bigger.

Mitigation

You probably heard this before this week, but if you don’t need SMB, disable it. This is the only part of the attack chain the end-user can easily manipulate by executing a simple Powershell command. Other options are:

  • To always use the “Save as… ” option when you are knowingly downloading something, so you’d never have to open the default downloads folder.
  • Alter the file association for SCF files, which you would have to do in the registry. Changing the default value under the key HKEY_CLASSES_ROOT\.scf “ txtfile” makes the files visible and opens it in notepad.

But disabling SMB is more likely to be successful and it helps protect you against other malware like the WannaCry ransom worm and the Adylkuzz cryptocurrency miner.

Summary

This article explains how Chrome users are at risk of spilling their Microsoft Authentication credentials by simply visiting the wrong site.

 

Pieter Arntz

The post Stealing Windows credentials using Google Chrome appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Ransomware targets Tencent users

Malwarebytes - Mon, 05/22/2017 - 14:00

Early this April, an increase of infection rates by a variant of ransomware known as Android/Ransom.SLocker.fh was seen.

Ransomware targets Tencent users

An especially relevant trait of SLocker.fh is its use of Tenpay to send payment to the criminals. Tenpay is an integrated payment platform by Tencent — China’s largest Internet service portals. Thus, it is no surprise that SLocker.fh originates from China.

In order to pay, users must have a QQ ID to send payment; which is provided.  Since Tencent’s most popular platform is QQ Instant Messenger, the criminals are probably targeting these users the most.

Various iterations to fool users

Like many Android ransomware apps, SLocker.fh masquerades as various legitimate apps to fool users into accepting escalated rights. Users who accept the escalated rights will have their device forced to reboot.  After reboot, users will have their device locked with overlaying screen with instructions to pay.

Click to view slideshow. Click to view slideshow. Stay protected

Because Android ransomware is on the rise, users should be extra cautious. You can protect yourself by being cautious of giving superuser and/or device administrator rights to any app that asks for it. If the app looks shady like the two example above, this is especially true.

So you’re infected with ransomware

A good anti-malware scanner like Malwarebytes Anti-Malware Mobile can remove the ransomware, but only BEFORE escalated rights are granted. Afterward, it becomes a bit harder. For how to remove such infections, refer to blog post “Difficulty removing Koler Trojan or other ransomware on Android?

As always, stay safe out there.

The post Mobile Menace Monday: Ransomware targets Tencent users appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 15 – May 21)

Malwarebytes - Mon, 05/22/2017 - 13:59

Last week was dominated by the WannaCry ransomware and the discussions ensuing it. We published:

Others discussed:

In other news we celebrated Privacy Awareness Week, highlighting the two main themes:

  1. Share with care.
  2. Trust and transparency.

And we gave out some pointers on what to consider and how to act when you have reason to believe that your personal information was stolen.

Other important security news:

  • Researchers from Carnegie Mellon University, Seagate, and the Swiss Federal Institute of Zurich published a paper entitled “Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques.” Our friends at Bleeping computer explained the found vulnerability of SSD drives.
  • A Croatian security investigator has discovered a new network worm that uses 7 tools and exploits from the US intelligence service NSA. The worm is called EternalRocks, but its original name is “MicroBotMassiveNet“.
  • Wikileaks has brought out information about other CIA tools called Athena and Hera, spyware designed to take full, remote control over infected Windows PCs.

In non-security news, we were amazed by this jewel telling us that scientists at UCLA and the University of Connecticut managed to create a protein-based battery-like device that extracts energy from the human body which could potentially be used to power implants like pacemakers.

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (May 15 – May 21) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

WannaDecrypt your files? The WannaCry solution, for some

Malwarebytes - Fri, 05/19/2017 - 20:11

We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry/WannaCrypt/wCrypt. There is a catch though, it only works for the following operating systems:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows 7

So if you’ve got a WannaCry infection on one of the above operating systems, there is hope!

IMPORTANT:

The decryptor is only going to work if you haven’t restarted the infected system and you haven’t killed the ransomware process (should be wnry.exe or wcry.exe) so please don’t restart or kill the process if you want to get those files back!

Usage

In order to use this tool, you first need to download it from here.

This tool essentially searches the system’s memory for prime numbers and pieces together the encryption key used. However, it relies on current running memory so once you reboot it will be gone and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it’s been overwritten by data from other applications using the same memory space).

To run it, download the linked file (above) and extract the .zip to a folder on your desktop, (if you can download the file from a clean system and then transfer it via USB, you run less risk of overwriting the key in memory).

Next, you can either double click it (boring) or open the command prompt (Start + CMD) and run it through there (fun!).

The tool will automatically identify the WannaCrypt applications running on the system if they are called wnry.exe or wcry.exe, but if for some reason they can’t find them, maybe check out the running applications on your system (Task Manager/Process Explorer) and find the offender (it’s pretty obvious), then identify the Process Identification Number (PID) and you can just plug that into the command prompt after wanakiwi.exe.

It might take a few minutes for the tool to find the key (or many minutes in some cases), but once it’s found the tool is going to start searching your system for encrypted files and decrypt them automatically.

Fallout

After the tool finishes decrypting your files, you are going to be left with a ransom note as a background and lots of encrypted files next to your unencrypted files.

Here are some possible next steps:

  • Download Malwarebytes 3.0 (or whatever scanning tool you prefer that can clean up WannaCry) and run a scan on the system to identify all artifacts related to WannaCry. This will help you get the malware off the system in case it tries to encrypt again.
  • Restart the computer to finish clean-up.
  • Find all the most important files you want to keep and move them to some form of backup.
  • Wipe the system and reinstall Windows.
  • OR you can just go through your system looking for all files with the .WNCRY extension and getting rid of them.
Background

The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi). These guys are incredibly talented and deserve a round of applause!

We found out about the tool thanks to the very extensive blog post by Matt Suiche (@msuiche), which you should check out to get more information about how these tools work. You might remember Matt from his assistance in stopping a variant of the WannaCry released last week by registering the killswitch domain.

Effectiveness

We didn’t want to write about this tool until we tested it in some capacity. A lot of other security researchers have given it a go and it seems that the tool works well in lab environments (sometimes). I personally tested it on a Windows 7 system using the following sample (with mixed results):

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

  • My first test worked like a charm.
  • My second test with a new profile (for taking screenshots for this post) couldn’t actually launch the malware.
  • My third test launched the malware, but the decryptor took forever and eventually never found the key.
  • My fourth test worked like a charm again (original profile).
  • Some of our other researchers tried it and were unable to get the tool to find the key.
Conclusion

This tool was put together very quickly and it’s meant to help those that it can help and that is likely not everybody. I wouldn’t recommend putting all your eggs in the basket that if you get hit, you couldn’t decrypt using this tool because either:

  • You are likely going to be unable to recover the key OR
  • The malware will modify to clean up the running memory or force a reboot after install to make the tool ineffective

But if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the operating systems listed at the beginning of this post, running the tool is not going to break anything that isn’t already broken so it’s worth a shot just to see if you can get those files back.

That being said, once again big thanks to @adriengnt, @gentilkiwi & @msuiche for their hard work, information spreading and ingenious development skills.

Let us know in the comments if this tool worked for you (and your configuration too!)

The post WannaDecrypt your files? The WannaCry solution, for some appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How did the WannaCry Ransomworm spread?

Malwarebytes - Fri, 05/19/2017 - 14:00

Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.

News organizations and other publications were inundating security companies for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend pouring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.

Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. We recently wrote about the Jaff ransomware family and the spam campaign that was delivering it.

Some may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.

But here at Malwarebytes we try not to do that. And now after a thorough review of the collected information, on behalf of the entire Malwarebytes Threat Intelligence team, we feel confident in saying those speculations were incorrect.

Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.

We will present information to support this claim by analyzing the available packet captures, binary files, and content from within the information contained in the ShadowBrokers dump, and correlating what we know thus far regarding the malware infection vector.

Here’s what we know EternalBlue

EternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 & 2008. The exploit technique is known as HeapSpraying and is used to inject shellcode into vulnerable systems allowing for the exploitation of the system. The code is capable of targeting vulnerable machine by IP address and attempting exploitation via SMB port 445. The EternalBlue code is closely tied with the DoublePulsar backdoor and even checks for the existence of the malware during the installation routine.

EternalBlue checks for DoublePulsar

EternalBlue strings

Bits of information obtained by reviewing the EternalBlue-2.2.0.exe file help demonstrate the expected behavior of the software. The screenshot above shows that the malware:

  • Sends an SMB Echo request to the targeted machine
  • Sets up the exploit for the target architecture
  • Performs SMB fingerprinting
  • Attempts exploit
  • If successful exploitation occurs, WIN
  • Pings the backdoor to get an SMB reply
  • And if the backdoor is not installed, it’s game on!

The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.

DoublePulsar

DoublePulsar is the backdoor malware that EternalBlue checks to determine the existence and they are closely tied together.

This particular malware uses an APC (Asynchronous Procedure Call) to inject a DLL into the user mode process of lsass.exe. Once injected, exploit shellcode is installed to help maintain persistence on the target machine. After verifying a successful installation, the backdoor code can be removed from the system.

DoublePulsar Parameters

The purpose of the DoublePulsar malware is to establish a connection allowing the attacker to exfiltrate information and/or install additional malware (such as WannaCry) to the system. These connections allow an attacker to establish a Ring 0 level connection via SMB (TCP port 445) and or RDP (TCP port 3389) protocols.

DoublePulsar Ring0 Connections

Network analysis

Taking a look at the wannacry.pcap file shared to VirusTotal by @benkow_ helps us attribute the previously discussed code as the infection vector via the initial calls of the attack cycle.

A high-level view of a compromised machine in Argentina (186.61.18.6) that attacked the honeypot:

The widely publicized kill-switch domain is present in the pcap file. As was reported, the malware made a DNS request to this site. Until @MalwareTech inadvertently shut down the campaign by registering the domain, the malware would use this as a mechanism to determine if it should run.

DNS lookup to Sinkhole

The SMB traffic is also clearly visible in the capture. These SMB requests are checking for vulnerable machines using the exploit code above.

SMB Requests

The exploit sends an SMB ‘trans2 SESSION_SETUP’ request to the infected machine. According to SANS, this is short for Transaction 2 Subcommand Extension and is a function of the exploit. This request can determine if a system is already compromised and will issue different response codes to the attacker indicating ‘normal’ or ‘infected’ machines.

Diving into the .pcap a bit more, we can indeed see this SMB Trans2 command and the subsequent response code of 81 which indicates an infected system. If the attacker receives this code in response, then the SMB exploits can be used as a means to covertly exfiltrate data or install software such as WannaCry.

Trans2 Multiplex ID

Putting it all together

The information we have gathered by studying the DoublePulsar backdoor capabilities allows us to link this SMB exploit to the EternalBlue SMB exploit. It’s really not hard to do so as both were patched as part of the MS17-017 Security Bulletin prior to this event, and as previously mentioned, were both released in the well-publicized ShadowBrokers-NSA dumps.

Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks.

Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.

So what did we learn?

Don’t jump to conclusions. Malware analysis is difficult and it can take some time to determine attribution to a specific group, and/or to assess the functionality of a particular campaign – especially late on a Friday (which BTW, can all you hackers quit making releases on Fridays!!). First, comes stopping the attack, second comes analyzing the attack. Remember, patience is a virtue.

Update, update, UPDATE! Microsoft released patches for these exploits prior to their weaponization. Granted, patches weren’t available for all Operating Systems, but the patch was available for the vast majority of machines. This event even forced Microsoft to release a patch for the long-ago EOL Windows XP – which gets back to the first thing that was said. UPDATE! Why are there still machines on XP!? These machines are vulnerable (beyond this attack) to the ransomware functionality of this attack and they need to be updated.

Disable unnecessary protocols. SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. Disable SMB and other communications protocols if not in use.

Network Segmentation is also a valuable suggestion as such precautions can prevent such outbreaks from spreading to other systems and networks, thus reducing exposure of important systems.

And finally, don’t horde exploits. Microsoft president Brad Smith used this event to call out the ‘nations of the world’ to not stockpile flaws in computer code that could be used to craft digital weapons.

That reminds me of an article I wrote a few years ago (and which was substantially cut for length) about Hacking Team and the government sanctioned use of exploits.

Hack Me: A Geopolitical Analysis of the Government Use of Surveillance Software

I guess things haven’t changed…

The post How did the WannaCry Ransomworm spread? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Information stolen? What now?

Malwarebytes - Thu, 05/18/2017 - 15:00

There are several different types of malware that look for interesting information on an infected computer and transmit that information to the threat actor.

Identifying and removing the malware is our job, but what do you need to do yourself to control the aftermath? To answer that question it’s important to know what information the malware was after and sometimes how long it has been active.

Information

What types of information are the malware authors after? Most of the time they are after anything that they can turn into cash. In rare cases of targeted attacks, they could be after other confidential information. Consider for example a keylogger installed by a close relative who is curious about some aspects of your private life.

But usually we can divide the sought after information in these categories:

  • Banking details
  • Shopping website credentials
  • Other website credentials
  • Gaming credentials
  • Bitcoin and other eMoney wallets
  • Email credentials
Time period

When is the infection period important and why? It is important in cases of malware that tracks the user’s activities like keyloggers and malware that intercepts internet traffic. It should be clear that knowing when this tracking started can be very helpful in determining which important information could have been stolen.

Tip: do not rely on your memory too much. If you are not sure, change that password of which you are unsure whether you have used it recently.

How do I recognize malware that has stolen information?

Sometimes you can tell by our naming convention that a particular malware was after your information. But not all of them are called Spyware.PasswordStealer. For starters look up information about the detection on your machine. Alarm bells should be ringing if the detections are spyware, keyloggers, and backdoors. Although, other Trojans are capable of stealing information as well.

In our threat library you can find information of this kind under the header Remediation, so look for your detection there if this applies to you.

Dangers

In most cases, this is easy to guess. The stolen information could be used in ways that will cost you money. What could be the threat actors goals?

  • Withdrawing money from your accounts
  • Shopping at your expense
  • Impersonating you for other reasons
  • Extortion with personal information (doxing, sextortion, etc.)
Countermeasures

What can you do to limit the dangers as much as possible?

  • Change the passwords that might have been stolen for every website you can remember logging into.
  • If your email account has been compromised, change that password first as other credentials may be sent to you by mail and still end up in the wrong hands. Some webshops even send you a password in plain-text (shudders).
  • Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
  • Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.
Extra precautions Related article

Info stealers

Stay safe out there and get protected.

 

Pieter Arntz

The post Information stolen? What now? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Privacy Awareness Week: A primer

Malwarebytes - Wed, 05/17/2017 - 15:00

The Asia Pacific Privacy Authorities (APPA) began an initiative called Privacy Awareness Week, or PAW, with the purpose of educating users about current privacy issues and promoting the importance of keeping their personal information safe.

This remains the core of why it exists for more than a decade now.

For those who may not be familiar with what this campaign is all about, this post aims to answer the questions you may have in mind about PAW.

When is Privacy Awareness Week?

APPA typically celebrates Privacy Awareness Week in May every year. Since the organization has a number of member countries, they each decide on when they want to hold the event locally.

In the first week of May, Singapore held its PAW locally. Hong Kong, New Zealand, and the United States held their own campaigns in the second week of May.

Australia is celebrating Privacy Awareness Week this week.

Are there other countries that will hold this event?

There are a total of 11 member countries comprising APPA. Aside from those already mentioned, Canada, Colombia, Korea, Macao, Mexico, and Peru are or will also be celebrating this campaign.

What’s the theme of this year’s Privacy Awareness Week?

There are two themes that APPA members are using: “Share with care” and “Trust and transparency”.

Share with care. This stresses on the importance of caring for your privacy, given that our current technological landscape is heavily data-driven. It also reminds users to think about what may or may not happen to their personal information once they have been shared.

Trust and transparency: Both trust and transparency are vital to each another, as people normally expect one to exist with the other. Case in point, it is important for businesses to gain the trust of their clients and it’s important for clients to know that the businesses they trust are clear about what they do, how they store, and how they use what they give them, which in this case is their personal information.

Can we celebrate Privacy Awareness Week even if our country is not a member of APPA?

Privacy Awareness Week is about educating users concerning privacy. There are ways individuals and organizations can celebrate PAW. One example is to use social media to raise awareness to your followers. Another is to do a refresher of your organization’s privacy policy. If they don’t have one, why not encourage your organization to make one?

Privacy and security go hand in hand. Practicing solid cybersecurity hygiene coupled with a fair familiarity of how personal data changes hands can bring about positive experiences to our digital lives. As such, we encourage you, dear Reader, to check out some of our previous posts and reacquaint yourselves on how you can keep your data safe and your computing devices secure:

Happy Privacy Security Week, everyone, wherever you are, and remember to share your personal info with care!

 

The Malwarebytes Labs Team

The post Privacy Awareness Week: A primer appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Wanna Cry some more? Ransomware roundup special edition

Malwarebytes - Mon, 05/15/2017 - 21:25

Whether you call it WannaCry, WannaCrypt, WCrypt, Wanacrypt0r, WCry, or one of the other names currently vying for the “call me this” crown, the ubiquitous ransomware which brought portions of the UK’s NHS to its knees over the weekend along with everything from train stations to ATM machines is still with us, and causing mayhem Worldwide. As a result, our regular roundup has been replaced with what will hopefully serve as a useful place to collect links related to the attack.

First thing’s first: this was a big enough incident that Microsoft created a special patch for Windows XP users, some three years after it had the plug pulled on support. Regardless of Windows OS, go get your update.

Now that we have that out of the way, here’s some handy links for you to get a good overview of what’s been going on:

This is a rapidly changing story, with a lot of valuable follow-up data being posted to haunts favored by security researchers such as Twitter, and we’ll likely add more links as the days pass. Update your security tools, patch your version of Windows and stay safe!

 

The Malwarebytes Labs Team

The post Wanna Cry some more? Ransomware roundup special edition appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The worm that spreads WanaCrypt0r

Malwarebytes - Fri, 05/12/2017 - 22:02

Something that many security researchers have feared has indeed come true. Threat actors have integrated a critical exploit taking advantage of a popular communication protocol used by Windows systems, crippling thousands of computers worldwide with ransomware.

Within hours of being leveraged, a flaw that had been recently patched by Microsoft has been used to distribute the WanaCrypt0r ransomware and wreak havoc worldwide.

In this blog post, we will describe the worm responsible for spreading this ransomware by looking at its capabilities and what has made this threat so successful.

Main functionality

WanaCrypt0r has been most effective—not only does the ransomware loop through every open RDP session on a system and run the ransomware as that user, but the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that runs the executable. This only applies to the binary with the hash listed above; there may well be new versions released in the future.

After this check passes, the first thing the worm does is check the number of arguments it was launched with. If it was run with less than two arguments passed, it installs a service called mssecsvc2.0 with display name Microsoft Security Center (2.0) Service (where the binary ran is itself with two arguments), starts that service, drops the ransomware binary located in the resources of the worm, and runs it.

If it was run with two arguments or more—in other words, if it was run as a service—execution eventually falls through to the worm function.

The initialization function called first calls WSAStartup() to initialize networking, then CryptAcquireContext() to initialize the crypto API so it can use a cryptographically-secure pseudo-random number generator. It then calls a function that initializes two buffers used for storing the worm payload DLLs, one x86 and one x64. It copies the payload DLLs from the .data section of the worm and then copies the entire worm binary after it.

The code of each payload DLL is very small, just getting the resource content (i.e. the worm binary), dropping to disk as C:\WINDOWS\mssecsvc.exe (this path is actually hardcoded) and executing it.

SMB vulnerability leveraged to spread ransomware worldwide

After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. The second thread gets created 128 times and scans hosts on the wider Internet.

The first thread (in charge of scanning LAN) uses GetAdaptersInfo() to get a list of IP ranges on the local network, then creates an array of every IP in those ranges to scan.

The LAN scanning is multithreaded itself, and there is code to prevent scanning more than 10 IP addresses on the LAN at a time.

The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue. If the exploitation attempts take over 10 minutes, then the exploitation thread is stopped.

The threads that scan the Internet generate a random IP address, using either the OS’s cryptographically secure pseudo-random number generator initialized earlier, or a weaker pseudo-random number generator if the CSPRNG failed to initialize. If connection to port 445 on that random IP address succeeds, the entire /24 range is scanned, and if port 445 is open, exploit attempts are made. This time, exploitation timeout for each IP happens not after 10 minutes but after one hour.


The exploitation thread tries several times to exploit, with two different sets of buffers used (perhaps one for x86 and one for x64). If it detects the presence of DOUBLEPULSAR after any exploitation attempt, it uses DOUBLEPULSAR to load the relevant payload DLL.

Protection

It is critical that you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks. If your systems have been affected, DOUBLEPULSAR will have also been installed, so this will need to also be removed. A script is available that can remotely detect and remove the DOUBLEPULSAR backdoor. Consumer and business customers of Malwarebytes are protected from this ransomware by the premium version of Malwarebytes and Malwarebytes Endpoint Security, respectively.

The post The worm that spreads WanaCrypt0r appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds