The Security Blog From Malwarebytes

Exploit kits: summer 2018 review

Tue, 08/07/2018 - 15:00

The uptick in cybercriminals’ use of exploit kits that we first noticed in our spring 2018 report has continued into the summer. Not only have new kits been found, but older ones are still showing signs of life. This has made the summer quarter one of the busiest we’ve seen for exploits in a while.

One caveat: apart from the RIG and GrandSoft exploit kits, most of the EK activity we observe is confined to Asia, probably because vulnerable systems are more common in that region. Malware distributors have complained that “loads” for the North American or European markets are too low via exploit kit, but other regions remain worthwhile targets.

In addition, we have witnessed many smaller and unsophisticated attackers using one or two exploits bluntly embedded in compromised websites. In this era of widely-shared exploit proof-of-concepts (PoCs), we are starting to see an increase in what we call “pseudo-exploit kits.” These are drive-by downloads that lack proper infrastructure and are typically the work of a lone author.

In this post, we will review the following exploit kits:

  • RIG
  • GrandSoft
  • Magnitude
  • GreenFlash Sundown
  • KaiXin
  • Underminer

Two vulnerabilities disclosed in 2018, Internet Explorer’s CVE-2018-8174 (a use-after-free in the VBScript engine, exploited as a zero-day before it was patched) and Flash Player’s CVE-2018-4878 (also a use-after-free, also exploited as a zero-day), have been widely adopted and represent the only attack surface that really matters. Nevertheless, some kits still carry older exploits for technologies that are being retired, most likely with little efficacy.

RIG EK

RIG EK remains quite active in malvertising campaigns and compromised websites, and is one of the few exploit kits with a wider geographic presence. It is pictured below in what we call the HookAds campaign, delivering the AZORult stealer.

GrandSoft EK

GrandSoft is probably the second most active exploit kit with a backend infrastructure that is fairly static in comparison to RIG. Interestingly, both EKs can sometimes be seen sharing the same distribution campaigns, as pictured below:

Magnitude EK

Magnitude, the South Korean–focused EK, keeps delivering its own strain of ransomware (Magniber). We documented changes in Magniber in recent weeks with some code improvements, as well as a wider casting net among several Asian countries.

GreenFlash Sundown EK

A sophisticated but more elusive EK focusing on Flash’s CVE-2018-4878, GreenFlash Sundown is still active in parts of Asia thanks to a network of compromised OpenX ad servers. We haven’t seen any major changes since the last time we profiled it, and it is still distributing the Hermes ransomware.

KaiXin EK

KaiXin EK (also known as CK VIP) is an older exploit kit of Chinese origin that has maintained its activity over the years. It is unusual in that it mixes old (Java) and new vulnerabilities. When we captured it, we noted that it pushed the Gh0st RAT (Remote Access Trojan).

Underminer EK

Although this exploit kit was only identified and named recently, it has been around since at least November 2017 (perhaps with only limited distribution to the Chinese market). It is an interesting EK from a technical perspective: for example, it encrypts the package carrying its exploit so that the attack cannot be replayed offline from a traffic capture.

Another out-of-the-ordinary aspect of Underminer is its payload, which isn’t a packaged binary like others, but rather a set of libraries that install a bootkit on the compromised system. By altering the device’s Master Boot Record, this threat can launch a cryptominer every time the machine reboots.
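A worked check, added here and not part of the original post: because a bootkit of this kind has to rewrite the boot code in sector 0, the cheapest detection is to baseline the MBR’s boot-code hash on a known-good system and compare it on a schedule. The Python below parses a 512-byte MBR, hashes the 440 bytes of boot code, decodes the partition table and reports differences against a stored baseline. The MBR it works on is constructed inline for the demo (the boot-code bytes and partition layout are stand-ins, not taken from Underminer), and `simulate_bootkit` writes a placeholder jump rather than any real payload.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR layout: boot code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Decode a raw 512-byte MBR: boot-code hash, disk signature,
    the non-empty partition entries and whether 0x55AA is present."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_boot_signature": mbr[510:512] == BOOT_SIG,
    }


def check_mbr(mbr: bytes, baseline: dict) -> dict:
    """Compare a freshly read MBR with a baseline captured from a known-good state.
    A changed boot-code hash is the bootkit signal; partition-table changes are
    reported separately because legitimate tools rewrite those as well."""
    now = parse_mbr(mbr)
    findings = []
    if not now["valid_boot_signature"]:
        findings.append("boot signature 0x55AA missing")
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code hash changed")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    now["findings"] = findings
    now["tampered"] = ("boot code hash changed" in findings
                       or not now["valid_boot_signature"])
    return now


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR for the demo (not read from any real disk): the given
    boot-code bytes zero-padded to 440, a disk signature, one active NTFS
    partition at LBA 2048, three empty entries and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                       2048, 204800)
    table = ntfs + b"\x00" * 48
    return code + disk_sig + table + BOOT_SIG


def simulate_bootkit(mbr: bytes) -> bytes:
    """Overwrite the first bytes of the boot code with a jump, the way a bootkit
    diverts the BIOS boot path into its own loader (demo patch, not malware)."""
    patched = bytearray(mbr)
    patched[0:3] = b"\xe9\x00\x01"   # placeholder 'jmp' to code stashed elsewhere on disk
    return bytes(patched)


# Stand-in boot code: the first instructions of a typical real-mode MBR prologue.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE)["findings"])                    # []
    print(check_mbr(simulate_bootkit(CLEAN_MBR), BASELINE)["findings"])  # ['boot code hash changed']
```

On a live Windows host the 512 bytes come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator (on Linux, the block device such as `/dev/sda`); keep the baseline somewhere the host cannot overwrite. Two caveats: partitioning tools and boot managers rewrite the boot code legitimately, so a changed hash is a lead to investigate rather than a verdict, and GPT/UEFI systems carry only a protective MBR, so a UEFI bootkit would have to be looked for in the EFI System Partition instead.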

Pseudo-exploit kits

Many exploit packs have leaked and been poached over the years, not to mention the many other dumps (e.g., the HackingTeam leak) and public proofs-of-concept. As a result, it is not surprising to see many less-skilled actors putting together their own “pseudo-exploit kits.” They are a far cry from being an EK: they are usually static in nature, their copy/paste exploits are buggy, and consequently they are only used by the same threat actor in limited distribution. The pseudo-exploit we picture below (offensive domain name has been blurred) is one of the better ones we saw in July, in particular for its use of CVE-2018-8174.


We are continuously checking drive-by download attacks against our software. This time around, we had a more extensive test bed thanks to new and old exploit kits making it into this summer edition. Malwarebytes continues to block exploit kits with different layers of technology to protect our customers.

Don’t call it a comeback

It seems as though talking about the demise of exploit kits triggered an opposite reaction. Certainly, some digging is required to encounter the more obscure or geo-focused toolkits, but this revival of sorts continues thanks to Internet Explorer’s—and to a lesser extent Flash’s—newly found vulnerabilities.

While IE has a small and decreasing global market share (7 percent), it still has an important presence in countries like South Korea (31 percent) or Japan (18 percent), which could explain why there is still notable activity in a few select regions.

Exploit kits, even in a reduced and less impactful form, are likely to stick around for a while, at least for as long as people keep using a browser that refuses to go away.

The post Exploit kits: summer 2018 review appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 30 – August 5)

Mon, 08/06/2018 - 16:07

Last week, we posted a roundup of spam that may have landed in your mailbox, talked about what makes us susceptible to social engineering tactics, and took a deep dive into big data.

Other news:
  • Facebook claimed to have removed accounts that display behavior consistent with possible Russian actors engaged in misinformation. (Source: The Wall Street Journal)
  • Yale University disclosed that they were breached at least a decade ago. (Source: NBC – Connecticut)
  • High school students, be on the lookout! If you receive email or snail mail from organizations with impressive-sounding names, consider that it may just be a carefully packaged marketing scheme. (Source: Sophos’s Naked Security Blog)
  • A researcher from Amnesty International revealed that hackers have targeted them with malware from an Israeli vendor. (Source: Motherboard)
  • Certain e-commerce providers in the UK were affected by a data breach that potentially exposed the data of more than a million users. (Source: Graham Cluley’s blog)
  • A game on the Steam platform was found hijacking video game player machines to mine cryptocurrency. (Source: Motherboard)
  • The Alaskan Borough of Matanuska-Susitna was infected with malware that disrupted normal activities so much that they had to dust off old typewriters to continue issuing receipts. (Source: Sophos’s Naked Security blog)
  • While we’re on the subject of breaches, here’s another popular victim: Reddit. (Source: TechCrunch)
  • Google joined Apple in banning mining apps on the Play Store. (Source: Coin Central)
  • An independent security researcher from the UK spotted a DHL-themed spam carrying malware hidden in a GIF file. (Source: The SANS ISC InfoSec Forums)

Stay safe, everyone!


Explained: What is big data?

Fri, 08/03/2018 - 15:00

If the pile of manure is big enough, you will find a gold coin in it eventually. This saying is used often to explain why anyone would use big data. Needless to say, in this day and age, the piles of data are so big, you might end up finding a pirate’s treasure.

How big is the pile?

But when is the pile big enough to consider it big data? Per Wikipedia:

“Big data is data sets that are so big and complex that traditional data-processing application software are inadequate to deal with them.”

As a consequence, we can say that it’s not just the size that matters, but the complexity of a dataset. The draw of big data to researchers and scientists, however, is not in its size or complexity, but in how it may be computationally analyzed to reveal patterns, trends, and associations.

When it comes to big data, no mountain is high enough or too difficult to climb. The more data we have to analyze, the more relevant conclusions we may be able to derive. If a dataset is large enough, we can start making predictions about how certain relationships will develop in the future and even find relationships we never suspected to exist.

The treasure

We mentioned predicting the future or finding advantageous correlations as possible reasons for using big data analysis. Just to name a few examples, big data could be used to set up profiles and processes for the following:

  • Stop terrorist attacks by creating profiles of likely attackers and their methods.
  • More accurately target customers for marketing initiatives using individual personas.
  • Calculate insurance rates by building risk profiles.
  • Optimize website user experiences by creating and monitoring visitor behavior profiles.
  • Analyze workflow charts and processes to improve business efficiency.
  • Improve city planning by analyzing and understanding traffic patterns.
Beware of apophenia

Apophenia is the tendency to perceive connections and meaning between unrelated things. What statistical analysis might show to be a correlation between two facts or data streams could simply be a coincidence. There could be a third factor at play that was missed, or the data set might be skewed. This can lead to false conclusions and to actions being undertaken for the wrong reasons.

For example, analysis of data collected about medical patients could lead to the conclusion that those with arthritis also tend to have high blood pressure. When in reality, the most popular medication to treat arthritis lists high blood pressure as a side effect. Remember the old research edict: correlation does not equal causation.

In statistics, we call this a type I error, and it’s the feeding ground for many myths, superstitions, and fallacies.

The researchers

As more and more data becomes digitized and stored, the need for big data analysts grows. A recent study showed that 53 percent of the companies interviewed were using big data in one way or another. Some examples of use cases for big data include:

  • Data warehouse optimization (considered the top use case for big data)
  • Analyzing patterns in employee satisfaction; for example, in multinational companies, a 0.1 percent increase in turnover is considered too high
  • Sports statistics and analysis; sometimes the difference between being the champion or coming in second comes down to the tiniest detail
  • Prognosis statistics or success rates of particular medications can influence a doctor’s recommended course of treatment; an accurate assessment of which could be the difference between life and death
  • Selecting stocks for purchase and trade; quick decision-making based on analytical algorithms gives traders the edge

At Malwarebytes, we use big data in the form of anonymous telemetry gathered from our users (those that allow it) to monitor active threats. Viewing these data sets allows us to see trends in malware development, from the types of malware that are being used in the wild to the geographic locations of attacks.

From these data, we’re able to draw conclusions and share valuable information on the blog, in reports, such as our quarterly Cybercrime Tactics and Techniques report, and even in heat maps like the one we created for WannaCry. (As our product detected WannaCry even before we added definitions, this gave us some valuable information about where it might have originated.)

The tools

Technologically, the tools you will need to analyze big data depend on a few variables:

  • How is the data organized?
  • How big is big?
  • How complex is the data?

When we are looking at the organization of data, we are not just focusing on the structure and uniformity of the data, but the location of the data as well. Are they spread over several servers, completely or partially in the cloud, or are they all in one place?

Obviously, uniformity makes data easier to compare and manipulate, but we don’t always have that luxury. And it takes powerful and smart statistical tools to make sense out of polymorphous or differently-structured datasets.

As we have seen before, the complexity of the data can be another reason why we need special big data tools, even if the sheer number is not that large.

Big data tools are still in the early stages of development, and not all of them are ready for intuitive use. Using them effectively requires knowledge and familiarity, which is where personal preference comes in: a tool you already have experience with is always easier, at least at first.

Our personal data

When we go online, we leave a trail of data behind that can be used by marketers (and criminals) to profile us and our environment. This makes us predictable to a certain extent. Marketers love this type of predictability, as it enables them to figure out what they can sell us, how much of it, and at which price. If you’ve ever wondered how you saw an ad for vintage sunglasses on Facebook when you were only searching on Google, the answer is big data.

Imagine a virtual assistant that retrieves travel arrangement information at your first whim of considering a vacation. Hotels, flights, activities, food and drink—all could be listed to your liking, in your favorite locations, and in your price range at the blink of an eye. Some may find this scary, others would consider it convenient. However you feel, the virtual assistant is able to do this because of the big data it collects on you and your behavior online.

The data-driven society

One of the major contributions of big data to our society will be through the Internet of Things (IoT). IoT represents the most direct link between the physical world and the cyber world we’ve experienced yet. These cyber-physical systems will of course be shaped by the objects and software we create for them, but their biggest influence will be the result of algorithms applied to the data they collect.

With the evolution of these systems, we can expect to evolve into a data-driven society, where big data plays a major role in adjusting the production to meet our expected needs. This is an area where we will need safeguards in the future to prevent big data from turning into Big Brother.

Big data, big breaches

The obvious warning here is that gathering and manipulating big data require extra attention to security and privacy, especially when the data are worth stealing. While raw datasets may seem like a low-risk asset, those who know how to find the gold (cyber)coin in the pile of manure will see otherwise. With the advent of GDPR in May, any form of personally identifiable information (PII) will be sought after with greater urgency, as the safeguards put in place to protect PII endanger the lively black market trade built around it.

The lesson, then, is to take seriously big data’s impact, both for good and for evil. Perhaps the whole pile should be considered the treasure.


Social engineering attacks: What makes you susceptible?

Thu, 08/02/2018 - 15:00

We now live in a world where holding the door open for someone balancing a tray of steaming hot coffee—she can’t seem to get her access card out to place it near the reader—is something we need to think twice about. Courtesy isn’t dead, mind you, but in this case, you’d almost wish it were. Because the door opens to a restricted facility. Do you let her in? If she really can’t reach her card, the answer is clearly yes. But what if there’s something else going on?

Holding the door open for people in need of assistance is considered common courtesy. But when someone assumes the role of a distressed woman to count on your desire to help, your thoughtful gesture suddenly becomes a dangerous one. Now, you’ve just made it easier for someone to get into a restricted facility they otherwise had no access or right to. So what does that make you? A victim of social engineering.

Social engineering is a term you often hear IT pros and cybersecurity experts use when talking about Internet threats like phishing, scams, and even certain kinds of malware, such as ransomware. But its definition is even more broad. Social engineering is the manipulation or the taking advantage of human qualities to serve an attacker’s purpose.

It is imperative, then, that we protect ourselves from such social engineering tactics the same way we protect our devices from malware. With due diligence, we can make it difficult for social engineers to get what they want.

Know thy vulnerable self

Before we go into the “how” of things, we’d like to lay out other human emotional and psychological aspects that a social engineer can use to their advantage (and the potential target’s disadvantage). These include emotions such as sympathy, which we already touched on above. Other traits open for vulnerability are as follows:

Carelessness

The majority of us have accidentally clicked a link or two, or opened a suspicious email attachment. And depending on how quickly we were able to mitigate such an act, the damage done could range from minor to severe and life-changing.

Examples of social engineering attacks that take advantage of our carelessness include:


Curiosity

You seem to have received an email supposedly for someone else by accident, and it’s sitting in your inbox right now. Judging from the subject line, it’s a personal email containing photos from the sender’s recent trip to the Bahamas. The photos are in a ZIP-compressed file.

If at this point you start to debate with yourself on whether you should open the attachment or not, even if it wasn’t meant for you, then you may be susceptible to a curiosity-based social engineering attack. And we’ve seen a lot of users get duped by this approach.

Examples of curiosity-based attacks include:


Fear

According to Charles E. Lively, Jr. in the paper “Psychological-Based Social Engineering,” attacks that play on fear are usually the most aggressive form of social engineering because it pressures the target to the point of making them feel anxious, stressed, and frightened.

Such attacks make targets willing to do anything they’re asked, such as send money, intellectual property, or other information to the threat actor, who might be posing as a member of senior management or holding files hostage. Campaigns of this nature typically exaggerate the importance of the request and use a fictitious deadline. Attackers do this in the hope of getting what they ask for before the deception is uncovered.

Examples of fear-based attacks include:

Read: Fake Spectre and Meltdown patch pushes Smoke Loader malware


Desire

Whether for convenience, recognition, or reward, desire is a powerful psychological motivation that can affect one’s decision making, regardless of whether you’re seen as an intellectual or not. Blaise Pascal said it best: “The heart has its reasons which the mind knows nothing of.” People looking for the love of their lives, more money, or free iPhones are potentially susceptible to this type of attack.

Examples of desire-based attacks include:

  • Catfishing/romance fraud (members of the LGBTQ community aren’t exempt)
  • Catphishing
  • Certain phishing campaigns
  • Scams that bait you with money or gadgets (e.g. 419 or Nigerian Prince scams, survey scams)
  • Lottery and gambling-related scams
  • Quid pro quo

Doubt

This is often coupled with uncertainty. And while doubt can sometimes stop us from doing something we would have regretted, it can also be used by social engineers to blindside us with information that potentially casts something, someone, or an idea in a bad light. In turn, we may end up suspecting who or what we think we know is legit and trusting the social engineer more.

One Internet user shared her experience with two fake AT&T associates who contacted her on the phone after she received an SMS report of changes to her account. She said that the first purported associate was clearly fake, getting defensive and hanging up on her when she questioned if this was a scam. But the second associate gave her pause, as the caller was calm and kind, making her think twice if he was indeed a phony associate or not. Had she given in, she would have been successfully scammed.

Examples of doubt-based attacks include:

  • Apple iTunes scams
  • Payment-based scams
  • Payment diversion fraud
  • Some forms of social hacking, especially in social media
Empathy and sympathy

When calamities and natural disasters strike, one cannot help but feel the need to extend aid or relief. As most of us cannot possibly hop on a plane or chopper and race to affected areas to volunteer, it’s significantly easier to go online, enter your card details to a website receiving donations, and hit “Enter.” Of course, not all of those sites are real. Social engineers exploit the related emotions of empathy and sympathy to grossly funnel funds away from those who are actually in need into their own pockets.

Examples of sympathy-based scams include:

Read: Crowdsourced fraud and kickstarted scams

Ignorance or naiveté

This is probably the human trait most taken advantage of and, no doubt, one of the reasons why we say that cybersecurity education and awareness are not only useful but essential. Suffice to say, all of the social engineering examples we mention in this post rely in part on these two characteristics.

While ignorance is often used to describe someone who is rude or prejudiced, in this context it means someone who lacks knowledge or awareness—specifically of the fact that these forms of crime exist on the Internet. Naiveté also highlights users’ lack of understanding of how a certain technology or service works.

On the flip side, social engineers can also use ignorance to their advantage by playing dumb in order to get what they want, which is usually information or favors. This is highly effective, especially when used with flattery and the like.

Other examples of attacks that prey on ignorance include:

  • Venmo scams
  • Amazon gift card scams
  • Cryptocurrency scams
Inattentiveness or complacency

If we’re attentive enough to ALT+TAB away from what we’re looking at when someone walks in the room, theoretically we should be attentive enough to “go by-the-book” and check that person’s proof of identity. Sounds simple enough, and it surely is, yet many of us yield to giving people a pass if we think that getting confirmation gets in the way. Social engineers know this, of course, and use it to their advantage.

Examples of complacency-based attacks include:

  • Physical social engineering attempts, such as gaining physical access to restricted locations and dumpster diving
  • Pretexting
  • Diversion theft

Sophisticated threat actors behind noteworthy social engineering campaigns such as BEC and phishing use a combination of attacks, targeting two or more emotional and psychological traits and one or more people.

Whether the person you’re dealing with is online, on the phone, or face-to-face, it’s important to be on alert, especially when our level of skepticism hasn’t yet been tuned to detect social engineering attempts.

Brain gyming: combating social engineering

Thinking of ways to counter social engineering attempts can be a challenge. But many may not realize that using basic cybersecurity hygiene can also be enough to deter social engineering tactics. We’ve touched on some of them in previous posts, but here, we’re adding more to your mental arsenal of prevention tips. Our only request is you use them liberally when they apply to your circumstance.

Email
  • If an email bears a dubious link or attachment, reach out to the sender (in person or via another channel) and verify that they actually sent it. Do the same with your bank and other services when you receive an email claiming that something happened to your account.
  • Received a request from your boss to wire money ASAP? Don’t feel pressured. Instead, call to verify that the request is genuine, and make sure you are actually talking with your boss and not someone impersonating them.
Phone (landline or smartphone)
  • When you receive a potentially scammy SMS from your service provider, call them directly instead of replying via text and ask if something’s up.
  • Refrain from answering calls not in your contact list and other numbers you don’t recognize, especially if they appear closely related to your own phone number. (Scammers like to spoof area codes and the first three digits of your phone to trick you into believing it’s from someone you know.)
  • Avoid giving out information to anyone directly or indirectly. Remind yourself that volunteering what you know is what the social engineers are heavily counting on.
  • Apply the DTA (Don’t Trust Anyone) or the Zero Trust rule. This means you treat every unsolicited call as a scam and ask tough questions. Throw the caller off by providing false information.
  • If something doesn’t feel right, hang up, and look for information online about the nature of the call you just received. Someone somewhere may have already experienced it and posted about it.
In person
  • Be wary when someone you just met touches you. In the US, touch is common with friends and family members, not with people you don’t or barely know.
  • If you notice someone matching your quirks or tendencies, be suspicious of their motives.
  • Never give or blurt out information like names, department names, and other information known only within your company when in the common area of your office building. Remind yourself that in your current location, it is easy to eavesdrop and to be eavesdropped on. Mingle with other employees from different companies if you like, but be picky and be as vague as possible with what you share. It also pays to apply the same cautious principle when out in public with friends in a bar, club, or restaurant.
  • Always check for identification and/or other relevant papers to identify persons and verify their purpose for being there.
Social media
  • Refrain from filling in surveys or playing games that require you to log in using a social media account. Many phishing attempts come in these forms, too.
  • If you frequent hashtagged conversations (on Twitter, for example), consider not clicking links from those who are sharing, as you have no idea whether the links take you to destinations you want. More importantly, we’re not even sure if those sharing the link are actual people and not bots created to go after the low hanging fruit.
  • If you receive a private message on your social network inbox—say on LinkedIn—with a link to a job offer, it’s best to visit the company’s official website and look up open positions there. If you have clicked the link and the site asks you to fill in your details, close the tab.
A happy smart ending

When it comes to social engineering, no incident is too small to be neglected. There is no harm in erring on the side of safety.

So, what should you do if someone is behind you carrying a tray of hot coffee and can’t get to her access card? Don’t open the door for her. Instead, you can offer to hold her tray while she takes out and uses her access card. If you still think this is a bad idea, then tell her to wait while you go inside and get security to help her out. Of course, this is assuming that security, HR, and the front desk have already been trained to respond forcefully against someone trying to social engineer their way in.

Good luck!


What’s in the spam mailbox this week?

Tue, 07/31/2018 - 15:00

We’ve seen a fair few spam emails in circulation this week, ranging from phishing to money muling to sexploitation. Shall we take a look?

The FBI wants to give you back your money

First out of the gate, we have a missive claiming to be from the FBI. Turns out you lost a huge sum of money that you somehow don’t have any recollection of, and now the FBI wants to give it back to you via Western Union.

Sounds 100 percent legit, right? Here’s the email. See what you think:

Attn: Beneficiary

After proper and several investigations and research at Western
Union and Money Gram Office, we found your name in Western Union
database among those that have sent money through Western Union
and this proves that you have truly been swindled by those
unscrupulous persons by sending money to them through Western
Union/Money Gram in the course of getting one fund or the other
that is not real.

In this regard a meeting was held between the Board of Directors
of WESTERN UNION, MONEYGRAM, the FBI alongside with the Ministry
of Finance, As a consequence of our investigations it was agreed
that the sum of One Million Five Hundred Thousand United States
Dollars (U.S.1,500,000.00) should be transferred to you out from
the funds that The United States Department of the Treasury has
set aside as compensation payment for scam victims.

This case would be handled and supervised by the FBI. We have
submitted your details to them so that your funds can be
transferred to you. Contact the Western Union agent office
through the information below:

Contact Person: Graham Collins
Address: Western Union Post Office, California
Email: westernunionofficemail0012@[redacted]

Yours sincerely,
Christopher A. Wray
FBI Director

Sadly, the FBI is not going to discover you’re owed millions of dollars and then send you off to deal with a Western Union rep to reclaim it. Additionally, a quick search on several portions of the text will reveal parts of the above message dating back many years. It’s a common scam tactic to lazily grab whatever text is available and reword it a little for a fresh sheen. For example, here’s one from 2013 that came with a malicious executable attachment.

This one has no such nasties lurking, but someone could still be at risk of falling into a money mule scam, or losing a ton of cash from getting involved. The good news is that ancient text reuse tends to send up the spam filter flags for most email clients, so if you do come across this, there’s a good chance it’ll be stuffed inside your spam bin where it belongs. If it’s in there, hammer the delete button and forget about it.
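An added example, not taken from the original post: the text reuse described above is something you can detect yourself with a near-duplicate check rather than relying on your mail provider’s filter. The Python below normalizes a message, breaks it into 4-word shingles and computes Jaccard similarity against a small corpus of known scam templates. The corpus holds fragments of the FBI/Western Union message quoted above; the two test messages (a reworded copy of the scam with a new amount, and an unrelated legitimate mail) are constructed for the demo. The name `KNOWN_SCAM_TEMPLATES` and the 0.2 threshold are assumptions, not anything a real mail filter is known to use.

```python
import re

# Constructed reference corpus: fragments of the FBI / Western Union message
# quoted above, keyed by a label that is returned with the verdict.
KNOWN_SCAM_TEMPLATES = {
    "fbi-western-union-compensation": (
        "After proper and several investigations and research at Western Union and "
        "Money Gram Office, we found your name in Western Union database among those "
        "that have sent money through Western Union and this proves that you have truly "
        "been swindled by those unscrupulous persons. The sum of One Million Five Hundred "
        "Thousand United States Dollars should be transferred to you out from the funds "
        "that The United States Department of the Treasury has set aside as compensation "
        "payment for scam victims."
    ),
}


def normalize(text: str) -> list:
    """Lower-case, strip punctuation and collapse whitespace so that a copy with
    new capitalisation or punctuation yields the same tokens."""
    return re.sub(r"[^a-z0-9\s]", " ", text.lower()).split()


def shingles(tokens: list, k: int = 4) -> set:
    """Every k-word window of the token list, as a set of tuples."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets count as no similarity."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def score_message(body: str, templates: dict = KNOWN_SCAM_TEMPLATES, k: int = 4) -> tuple:
    """Return (template_name, similarity) for the best-matching template,
    or (None, 0.0) when nothing overlaps at all."""
    msg = shingles(normalize(body), k)
    best_name, best_score = None, 0.0
    for name, template in templates.items():
        score = jaccard(msg, shingles(normalize(template), k))
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def is_recycled_scam(body: str, threshold: float = 0.2) -> bool:
    """Flag a message that reuses enough 4-word runs from any known template."""
    return score_message(body)[1] >= threshold


# Constructed test input: the scam reworded with a new opening, a different
# amount and a new closing, plus an unrelated legitimate message.
RECYCLED_VARIANT = (
    "Dear Customer, following investigations and research at Western Union and Money "
    "Gram Office, we found your name in Western Union database among those that have "
    "sent money through Western Union. It was agreed that the sum of One Million Two "
    "Hundred Thousand US Dollars be transferred to you from the funds the United States "
    "Department of the Treasury has set aside as compensation payment for scam victims. "
    "Contact our agent today."
)
LEGITIMATE_MESSAGE = (
    "Hi team, the quarterly security report is attached. Please review the findings on "
    "patch compliance before Friday and send me any corrections. Thanks, Dana"
)

if __name__ == "__main__":
    print(score_message(RECYCLED_VARIANT))   # ('fbi-western-union-compensation', ~0.38)
    print(score_message(LEGITIMATE_MESSAGE)) # (None, 0.0)
```

Word shingles survive the usual scammer edits (swapped names, new amounts, reordered paragraphs) far better than an exact hash of the body. At corpus scale, replace the exhaustive Jaccard loop with MinHash and locality-sensitive hashing so that each incoming message is compared with a handful of candidate templates rather than every one.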

Let’s go Apple phishing

Next up, a pair of Apple phishes:


The first links to a site that’s currently offline, but does try to bait potential victims with a fake transaction for a set of $299 headphones:


As with most of these scams, they’re hoping you’ll see the amount supposedly paid, then run to the linked site and fill in the phishing form.

The text from the second one reads as follows:

Your Apple ID has been Locked
This Apple ID [EMAIL ADDRESS] has been locked for security reasons.

It looks like your account is outdated and requires updated account ownership information so we can protect your account and improve our services to maintain your privacy.

To continue using the Apple ID service, we advise you to update the information about your account ownership.

Update Account Apple ID
For the security of your account, we advise not to notify your account password to anyone. If you have problems updating your account, please visit Apple Support.

A clickable link leads to the below phishing site located at appelid(dot)idnotice(dot)info-account-update-limiteds(dot)com:


Upon entering a username and password, the site claims the account has been locked and needs to be set back to full health.

Potential victims are directed to a page asking for name, address, DOB, payment information, and a variety of selectable security questions.

We don’t want anybody handing over personal information to scam mails such as the above, much less any fake login portals further down the chain. Always be cautious when seeing wild claims of payments and mysterious orders you have no recollection of; the name of the game is not so much panic buying as panic clicking, and that can lead to only one thing: hours spent dealing with the customer support section of shopping portals or your bank.

Sexploitation, Bitcoin, and old passwords

Speaking of mysterious behavior you have no recollection of participating in, a recent, massive phish email first hooks users by divulging their real, former password in the subject line, and then telling said recipients they’ve been caught on camera looking at porn and, um, doing other stuff.

Now, the drop of a password, even an old one, is enough to get many readers to raise a brow and open the email. Once opened, though, one of two things can happen. Those who haven’t viewed porn on their computer can breathe a sigh of relief. For the millions of others who have, however, a little panic might ensue, especially when the scammers ask for $7,000 in Bitcoin for hush money.

The email reads as follows:

I am well aware [redacted] is your password. Lets get directly to purpose. You don’t know me and you are probably thinking why you’re getting this email? Not a single person has compensated me to check you.

Let me tell you, I setup a malware on the xxx videos (porn material) web-site and you know what, you visited this website to experience fun (you know what I mean). When you were watching video clips, your web browser began functioning as a RDP that has a key logger which provided me with accessibility to your display as well as web cam. Right after that, my software collected all of your contacts from your Messenger, Facebook, as well as emailaccount. After that I made a double video. First part displays the video you were watching (you’ve got a good taste rofl), and next part displays the view of your webcam, & its you.

You actually have two different possibilities. Shall we review each one of these solutions in aspects:

Very first option is to just ignore this email. In such a case, I will send out your actual recorded material to every bit of your personal contacts and thus think about regarding the embarrassment you will see. In addition if you are in a romantic relationship, how it would affect?

2nd solution is to give me $7000. I will call it a donation. Then, I most certainly will straightaway discard your video footage. You will continue on with your way of life like this never occurred and you will not ever hear back again from me.

You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

BTC Address: 14Fg5D24cxseFXQXv89PJCHmsTM74iGyDb

[CASE-SENSITIVE copy and paste it]

If you may be wondering about going to the authorities, good, this email can not be traced back to me. I have covered my actions. I am just not attempting to charge you very much, I only want to be compensated. I’ve a special pixel within this email, and now I know that you have read this e mail. You have one day to pay. If I do not get the BitCoins, I will definitely send out your video recording to all of your contacts including friends and family, colleagues, and many others. Nevertheless, if I do get paid, I’ll destroy the recording right away. It’s a non-negotiable offer, thus don’t waste mine time and yours by responding to this message. If you want to have evidence, reply with Yup! and I definitely will send your video to your 9 contacts.

This sextortion scam has been around for quite a while; the new twist is the use of real passwords. According to Krebs on Security, the scammers likely collected these passwords and emails from a data dump possibly dating back 10 years or more. Our own Malwarebytes researchers have been scouring various data dumps looking for the source of the breach, but so far have not found the smoking gun. The problem is that most users’ credentials have been swiped in one breach or another, if not multiple—if not dozens! So it’s difficult to triangulate and trace back to a single source.

The good news is that if you received one of these emails, you simply need to flag it as spam and delete it. And if you’re suddenly worried about someone being able to see your nocturnal activities, you can buy a webcam cover for between US$5 and $10.

The post What’s in the spam mailbox this week? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 23 – July 29)

Mon, 07/30/2018 - 15:57

Last week on Labs, we looked at an adware called MobiDash getting stealthy, a new strain of Mac malware called Proton that was found after two years, and the ‘Hidden Bee’ miner that was delivered via an improved drive-by download toolkit. We also delved into the security improvements expected in the new Android P, and had a fresh look at Trojans to help users define what they really are.

We also gave you a quick introduction to the Malwarebytes Browser Extensions for Chrome and Firefox.

Other news:
  • Russian hackers reached US utility control rooms, Homeland Security officials say. (Source: The Wall Street Journal)
  • Dozens were sentenced for a call center scam, where victims bought iTunes gift cards under threat of arrest. (Source: Gizmodo)
  • Guardian US finds that 72 percent of video spend is fraudulent without Ads.txt. (Source: Mediapost)
  • No, you shouldn’t use the new version of Stylish. (Source: Robert Heaton)
  • These are 2018’s biggest hacks, leaks, and data breaches so far. (Source: ZDNet)
  • Google Translate is doing something incredibly sinister and it looks like we’re all doomed. (Source: IFLScience)
  • The Death botnet targets AVTech devices with a 2-year-old exploit. (Source: Security Affairs)
  • Long Beach Port terminal hit by ransomware attack. (Source: Press Telegram)
  • State governments warned of malware-laden CD sent via snail mail from China. (Source: Krebs on Security)
  • 23andMe sold access to your DNA library to big pharma, but you can opt out. (Source: MotherBoard)
  • Fake websites for Keepass, 7Zip, Audacity, and others found pushing adware. (Source: BleepingComputer)

Stay safe, everyone!

The post A week in security (July 23 – July 29) appeared first on Malwarebytes Labs.

New Android P includes several security improvements

Fri, 07/27/2018 - 19:12

According to the Android developer Program Overview, the next major version of Android, Android 9.0 or P, is set to arrive soon. Their plans show a final release within the next three months (Q3 2018).

The end of the Android P beta program is approaching, with the first release candidate built and released in July. As a security company, we simply can’t help but take a close look at what kind of security updates will be included in Android’s newest version.

We are not going to write about new features of Android P, but instead will focus our attention on security improvements. Android P introduces a number of updates that enhance the security of your apps and the devices that run them.

Improved fingerprint authentication

For our own safety, most devices (and many apps) have an authentication mechanism. The new Android P OS provides improved biometrics-based authentication. In Android 8.1, there were two new metrics that helped its biometric system repel attacks: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). Along with a new model that splits biometric security into weak and strong, biometric authentication becomes more reliable and trustworthy in Android P.

Android P also promises to deliver a standardized look, feel, and placement for the dialog that requests a fingerprint. This increases users’ confidence that they are interacting with a trusted source. App developers can trigger the new system fingerprint dialog using the new BiometricPrompt API, and it’s recommended to switch over to the new system dialog as soon as possible. The platform itself selects an appropriate biometric to authenticate with, so developers don’t need to implement this logic themselves.

Biometric authentication mechanisms are becoming increasingly popular and they have a lot of potential, but only if designed securely, measured accurately, and implemented correctly.

Signature Scheme v3

Android P adds support for APK Signature Scheme v3. The major difference from v2 is support for key rotation, which will be useful for developers: the scheme includes an ApkSignerLineage. As the review committee states:

“The signer lineage contains a history of signing certificates with each ancestor attesting to the validity of its descendant. Each additional descendant represents a new identity that can sign an APK. In this way, the lineage contains a proof of rotation by which the APK containing it can demonstrate, to other parties, its ability to be trusted with its current signing certificate, as though it were signed by one of its older ones. Each signing certificate also maintains flags which describe how the APK itself would like to trust the old certificates, if at all, when encountered.”

This makes it easy to sign with a new certificate: the lineage links the new signing certificate to the older ones the APK was previously signed with.

Although Scheme v3 is enabled by default, note that you can still use an old signing certificate.

HTTP Secure (HTTPS) by default

Nowadays, many apps still transmit users’ information unencrypted, leaving personal data exposed to attackers. People worried about the potential for a breach or invasion of privacy can feel more secure knowing that their transmissions in Android P will be secure by default.

In Android P, third-party developers will have to enable HTTPS (it was optional in Android 8.0) for their apps. However, they can still ignore the advice and specify certain domains that will deliver unencrypted traffic.

Protected confirmation

A protected confirmation API exists in all devices launched with Android P. Using this API, apps can use the ConfirmationPrompt class to display confirmation prompts to the user, asking them to approve a short statement. This statement allows the app to confirm that the user would like to complete a sensitive transaction, such as making a bill payment.

Right after the statement acceptance, your app receives a cryptographic signature, protected by a keyed-hash message authentication code (HMAC). The signature is produced by the trusted execution environment (TEE). This protects the display of the confirmation dialog, as well as user input. The signature indicates, with high confidence, that the user has seen the statement and has agreed to it.

Hardware security module

Here’s an additional update that benefits everyone: devices with Android P will support a StrongBox Keymaster. The module contains its own CPU, secure storage, and a true random number generator. It also protects against package tampering and unauthorized sideloading of apps.

In order to support StrongBox implementations, Android P uses a subset of algorithms and key sizes, such as:

  • RSA 2048
  • AES 128 and 256
  • ECDSA P-256
  • HMAC-SHA256 (supports key sizes between 8 bytes and 64 bytes, inclusive)
  • Triple DES 168
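The protected confirmation and StrongBox sections above describe two APIs that are meant to be used together. The following is an added example, not code from Android or from this post: the app generates an ECDSA P-256 signing key in StrongBox (falling back to the TEE-backed keystore when the chip is absent) that refuses to sign unless the user has approved a ConfirmationPrompt, then signs the blob the TEE hands back. API level 28, the KEY_ALIAS value, the prompt text and the server nonce are assumptions.

```java
// Added example, not code from Android or from this post. Ties together a
// StrongBox-backed key (falling back to the TEE keystore when StrongBox is
// missing) and the Android P protected confirmation dialog. Assumes API 28;
// KEY_ALIAS, the prompt text and the nonce are hypothetical values.
import android.content.Context;
import android.security.ConfirmationAlreadyPresentingException;
import android.security.ConfirmationCallback;
import android.security.ConfirmationNotAvailableException;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.concurrent.Executor;

public final class ProtectedPayment {
    private static final String KEY_ALIAS = "payment-confirm-key"; // hypothetical alias

    /** Outcome of a confirmed transaction: the TEE-attested blob and our signature over it. */
    public interface Listener {
        void onSigned(byte[] dataThatWasConfirmed, byte[] signature);
        void onFailure(Throwable cause);
    }

    /** Generate an ECDSA P-256 key; prefer StrongBox, fall back to the regular keystore. */
    public static boolean createKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        try {
            kpg.initialize(keySpec(true));
            kpg.generateKeyPair();
            return true;                       // key material lives inside the StrongBox chip
        } catch (StrongBoxUnavailableException e) {
            kpg.initialize(keySpec(false));    // TEE-backed keystore instead
            kpg.generateKeyPair();
            return false;
        }
    }

    private static KeyGenParameterSpec keySpec(boolean strongBox) {
        return new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1")) // P-256 is on the StrongBox list
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setIsStrongBoxBacked(strongBox)
                .setUserConfirmationRequired(true) // keystore refuses to sign without a confirmation token
                .build();
    }

    /** Show the system confirmation dialog; on approval, sign exactly what the user saw. */
    public static void confirmAndSign(Context ctx, Executor executor, String statement,
                                      byte[] serverNonce, Listener listener) {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            listener.onFailure(new UnsupportedOperationException("no protected confirmation"));
            return;
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(statement)   // e.g. "Pay 42.00 USD to Example Utility" (hypothetical)
                .setExtraData(serverNonce)  // binds this approval to a single server-side request
                .build();
        try {
            prompt.presentPrompt(executor, new ConfirmationCallback() {
                @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                    // The blob encodes the prompt text plus extra data; the keystore only
                    // accepts it for signing if the user really pressed the confirm button.
                    try {
                        listener.onSigned(dataThatWasConfirmed, sign(dataThatWasConfirmed));
                    } catch (Exception e) {
                        listener.onFailure(e);
                    }
                }
                @Override public void onDismissed() {
                    listener.onFailure(new SecurityException("user declined"));
                }
                @Override public void onCanceled() {
                    listener.onFailure(new SecurityException("prompt canceled by the app"));
                }
                @Override public void onError(Throwable e) {
                    listener.onFailure(e);
                }
            });
        } catch (ConfirmationAlreadyPresentingException | ConfirmationNotAvailableException e) {
            listener.onFailure(e);
        }
    }

    private static byte[] sign(byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign(); // the server verifies this against the public key it enrolled earlier
    }
}
```

The server side should verify the signature and then decode the confirmed blob to check that the statement and nonce it contains match the transaction it is about to execute.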

Peripherals background policy

With Android P, apps running in the background will not be able to access your smartphone’s microphone, camera, or sensors. Users get a notification when apps attempt to access these in the background. On attempting, the microphone will report empty audio, cameras will disconnect (causing an error if the app tries to use them), and all sensors will stop reporting events.

Backup data encryption update

It’s no secret that Android backs up data from your device. Users can then restore that data after signing into their Google account from another device. Starting with Android P, backups will be encrypted using a client-side secret. This means encryption is done locally on the device, whereas before, a backup of your device was encrypted on the server.

Because of this new privacy measure, users will need the device’s PIN, pattern, or password to restore data from the backups made by their device.

Wrapping things up

All these improvements mean only one thing: It’ll be significantly harder for criminals to access your data when they shouldn’t be able to. With the massive amounts of breaches over the last two years, this should come as a relief for consumers, who simply want to use their phones without fear of privacy being compromised.

The post New Android P includes several security improvements appeared first on Malwarebytes Labs.

‘Hidden Bee’ miner delivered via improved drive-by download toolkit

Thu, 07/26/2018 - 21:00

This blog post was authored by @hasherezade and Jérôme Segura.

We recently detected a drive-by download attack trying to exploit CVE-2018-4878, a vulnerability in Flash Player, in a sequence that was not matching any of the exploit kit patterns that we currently track. Upon investigation, we discovered something that was new to us, but is part of an existing exploitation framework referenced in late 2017 by Chinese security firm Qihoo360. At the time, the payload appeared to be a Trojan pushing adware. (Note: On July 26, our colleagues from TrendMicro published a blog post calling it the Underminer exploit kit).

Since it was last documented, there have been changes to the exploits being used, although the distribution method is similar. One interesting aspect that we don’t see much of these days is the use of encryption to package exploits on-the-fly, which requires a key from the backend server to decrypt and execute them.

The payload served in this campaign is also out of the ordinary because it is not a standard PE file. Instead, it is a multiple-stage custom executable format, also acting as a downloader to retrieve Lua scripts used by the threat actors behind the Hidden Bee miner botnet. This was perhaps the first case of a bootkit being used to enslave machines mining cryptocurrencies.

Campaign overview

The attackers are leveraging malvertising via adult sites to redirect their victims to the exploit kit landing page. We believe this campaign is primarily targeting Asian countries based on the ads that are served and our own telemetry data. A server purporting to be an online dating service contains a malicious iframe responsible for the exploitation and infection phases.

Traffic play-by-play

IE exploit

With a few exceptions, exploit kits typically obfuscate their landing page and exploits. But here the threat actors go beyond that by using encryption and requiring a key exchange with the backend server in order to decrypt and execute the exploit. In the past, the Angler, Nuclear, and Astrum exploit kits have abused the Diffie-Hellman key exchange protocol in similar ways to prevent analysts from replaying malicious traffic.

The execution of the malicious code starts from a webpage with an embedded encrypted block. This block is Base64 encoded and encrypted with one of two algorithms: RC4 or Rabbit.

After being decrypted, the block is executed. You can find the decoded version of the JavaScript that is being run here. As you can see in the script, it generates a random session key, then encrypts it with the attacker’s public RSA key:

The encrypted key is being passed onto the next function and converted into JSON format to perform a POST request to the hardcoded URL:

This is what we can see if we look at the traffic between the client and the server (the client sends the encrypted “key” and the server responds with the “value”):

  • With the attackers’ private RSA key, the server decrypts the passed session key.
  • It uses it to encrypt the exploit content with a chosen symmetric algorithm (Rabbit or RC4).
  • It returns the encrypted content back to the client.

Thanks to the fact that the client still has an unencrypted version of the key in memory, it is able to decrypt and execute the exploit. However, researchers who just have the traffic captured cannot retrieve the original session key, and replaying the exploit is impossible. Thankfully, we managed to capture the exploit during dynamic analysis.
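To make the point about replay concrete, here is an added example (not the toolkit’s own code) that models the exchange described above from the analyst’s side. The RSA pair, the session key, and the placeholder “exploit” text are all constructed here; RC4 is used as the symmetric cipher, and the JSON framing is only printed for illustration.

```java
// Added example, not the toolkit's code: a model of the session-key exchange
// described in the post, showing why a packet capture alone cannot be replayed.
// The RSA pair, session key and "exploit" text are all constructed here.
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public final class SessionKeyExchange {

    /** The only things a network sensor records: the POSTed "key" and the returned "value". */
    public static final class Capture {
        final byte[] wrappedKey;
        final byte[] encryptedContent;
        Capture(byte[] wrappedKey, byte[] encryptedContent) {
            this.wrappedKey = wrappedKey;
            this.encryptedContent = encryptedContent;
        }
    }

    /** RC4 (one of the two ciphers the toolkit uses); encrypting and decrypting are the same op. */
    static byte[] rc4(byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("ARCFOUR");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "ARCFOUR"));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Attacker's long-term RSA pair: the public key is embedded in the landing page,
        // the private key never leaves the backend.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair backend = kpg.generateKeyPair();
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");

        // 1. Client script: random session key, wrapped with the public key, POSTed as "key".
        byte[] sessionKey = new byte[16];
        new SecureRandom().nextBytes(sessionKey);
        rsa.init(Cipher.ENCRYPT_MODE, backend.getPublic());
        byte[] wrapped = rsa.doFinal(sessionKey);
        System.out.println("POST {\"key\": \"" + Base64.getEncoder().encodeToString(wrapped) + "\"}");

        // 2. Backend: unwrap with the private key, encrypt the exploit under the session key.
        rsa.init(Cipher.DECRYPT_MODE, backend.getPrivate());
        byte[] unwrapped = rsa.doFinal(wrapped);
        byte[] content = "<constructed stand-in for the exploit block>".getBytes(StandardCharsets.UTF_8);
        byte[] value = rc4(unwrapped, content);

        // 3. Client: still holds sessionKey in memory, so it can decrypt and run the content.
        byte[] plain = rc4(sessionKey, value);
        System.out.println("client recovered: " + new String(plain, StandardCharsets.UTF_8));

        // 4. Analyst with only the pcap: two opaque blobs, no private key, no session key.
        Capture pcap = new Capture(wrapped, value);
        byte[] guess = new byte[16]; // any key other than the real one yields garbage
        byte[] attempt = rc4(guess, pcap.encryptedContent);
        System.out.println("replay from capture alone works: " + Arrays.equals(attempt, content));
        // The session key has to be taken from the client at runtime (process memory or a
        // hooked script engine), which is what dynamic analysis provided in this case.
    }
}
```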

We believe that the decrypted exploit is CVE-2018-8174, as one of our test machines patched against CVE-2016-0189 got exploited successfully.

Flash exploit

This newer Flash exploit (CVE-2018-4878) was not part of the exploit toolkit at the time Qihoo documented it, and seems to be a more recent addition to boost its capabilities. The shellcode embedded in the exploit is a downloader for the next stage.

Upon successful exploitation, it will retrieve its payload at the following URL:

This file, given the extension .wasm, pretends to be a WebAssembly module. But in fact, it is something entirely different, appearing to be a custom executable format, or a modified, header-less PE file.

It starts from the names of the DLLs that are going to be needed during the execution:

As you can see, it loads Cabinet.dll, which is used for unpacking cabinet files. In later sections, we saw the APIs and strings that are used for communication over the HTTP protocol. We also found references to “dllhost.exe” and “bin/i386/core.sdb”.

It is easy to guess that this module will be downloading something and running via dllhost.exe.

Another interesting string is a Base64-encoded content:

The decoded content points to more URLs:

Looking at the traffic captured by Fiddler, we found that, indeed, those URLs are being queried:

The requests are coming from dllhost.exe, so that means the above executable was injected there.

The file glfw.wasm has nothing in common with WebAssembly. It is, in fact, a Cabinet file, containing packed content under the internal path bin/i386/core.sdb. Looking inside, we found the same custom executable format, starting from DLL names:

Then, HTTP traffic stops. This was another interesting aspect of this threat, because the threat actors are perhaps trying to hide the traffic by pretending to use the SLTP protocol to retrieve the actual payload, which can be seen in the strings extracted from the Cabinet file inside of core.sdb:

INSTALL_SOURCE &sid=%u INSTALL_SID INSTALL_CID sltp://setup.gohub[.]online:1108/setup.bin?id=128 ntdll.dll ZwQueryInformationProcess VolumeNumber SCSIDISK os=%d&ar=%d kernel32.dll IsWow64Process RtlGetNtVersionNumbers %02x &sz= sltp

That hostname resolves to 67.198.208[.]110:

Pinging [] with 32 bytes of data: Reply from bytes=32 time=76ms TTL=51

Encrypted TCP network traffic from our sandboxed machine shows how the binary payload is retrieved:

This whole exploitation and payload retrieval process is rather complex, especially in light of the intended purpose behind this drive-by campaign. Infected hosts are instructed to mine for cryptocurrencies:

What is unique about this miner is that it achieves persistence by using a bootkit, as described here. Infected hosts will have their Master Boot Record altered to start the miner every time the operating system boots.

A sophisticated attack for a simple payload

This attack is interesting on many levels for its use of different technologies both in the exploit delivery part as well as how the payload is packaged. According to our telemetry, we believe it is also focused on a select few Asian countries, which makes sense when taking its payload into consideration.

It also shows that threat actors haven’t completely given up on exploit kits, despite a noted downward trend over the last couple of years.

Malwarebytes detects both the IE and Flash exploits, resulting in the infection chain being stopped early on.

Indicators of compromise

Injected dating site

Exploit toolkit

Payload URL and IP

setup.gohub[.]online:1108/setup.bin?id=128 67.198.208[.]110

Miner Proxy

The post ‘Hidden Bee’ miner delivered via improved drive-by download toolkit appeared first on Malwarebytes Labs.

Introducing: Malwarebytes Browser Extension

Thu, 07/26/2018 - 17:21

Are you tired of all the unwanted content the world wide web offers up, whether you like it or not? It is our privilege to introduce you to the Malwarebytes Browser Extension (BETA). Or, better said, the Malwarebytes Browser Extensions, because we have one for Firefox and one for Chrome.


Malwarebytes Browser Extension delivers a safer and faster web browsing experience. It blocks malicious websites and filters out unwanted content (resulting in up to three times faster webpage load times). The filtering is not based on definitions, so the extensions can block previously-unidentified fake tech support scams and their tactics.

What will it do for your browsing experience? It prevents pop-ups, browser hijackers, and browser lockers from harassing you and interrupting your surfing. It also blocks clickbait links and fake news content, stops in-browser cryptocurrency miners, and gives other malicious content the boot. All this while relying on threat behavior patterns rather than on researchers who have to track down, identify the malware, and add it to a database of known threats. (We still need those researchers to make our products better. This is just a different, faster method.)

Speaking of behavior patterns, our browser extension is the first that heuristically identifies and blocks tech support scams’ browser-locker pages, which scare users into calling fake tech support scammers. So it protects you from unwanted social engineering tactics as well.

Why should I use it?

This is where Malwarebytes Browser Extension can help you:

  • Protection from tech support scammers: Blocks browser hijackers, and browser lockers, which are used by scammers to drive victims to call centers that use scare tactics to sell expensive technical support (that you don’t need).
  • Faster web page load times: Popular websites download a lot of unwanted content in the background. By filtering out clickbait and ads, Malwarebytes Browser Extension BETA can speed up your webpage load time, saving your sanity and bandwidth.
  • Prevents visits to malicious pages: Protects you from inadvertently visiting bad websites that host malware content, steal your identity (phishing), load Bitcoin miners in the background, which slow down your computer, and a long list of other obnoxious behaviors that can make your online experience less than stellar.
  • Keeps your privacy private: Blocks third-party ad trackers that follow you around the Internet and target you with the same ads over and over again.

And these are the features it has to offer:

  • Malware protection: Blocks malicious programs or code that can damage your system.
  • Scam protection: Blocks online scams, including technical support scams, browser lockers, and phishing.
  • Advertising/tracker protection: Blocks third-party ads and third-party ad trackers that monitor your online activity. The number of blocked ads/trackers for a website will show beside the Malwarebytes logo in your browser.
  • Clickbait protection: Blocks content and websites that often display behavior of questionable value.
  • Potentially unwanted program (PUP) protection: Blocks the downloading of potentially unwanted programs, including toolbars and pop-ups.

Download and install Chrome

The Chrome extension can be downloaded from Google’s webstore.

Installing the extension is pretty easy. Just follow the prompts when you click “ADD TO CHROME” in the webstore.

Confirm that you want to add the Chrome extension


And you should see this prompt when the install is complete.

To double-check whether the installation was successful, you can check under Settings (use the icon that looks like three vertical dots) > More Tools > Extensions. You should find this entry:


The Firefox extension can be downloaded from the official Firefox Add-ons page. On the Add-ons page, click the “+ Add to Firefox” button and follow the prompts.

Click “Add” to confirm that you want to install the Firefox add-on.

And you should see this confirmation:

To double-check whether the installation was successful, you can check under the Menu icon (otherwise known as a hamburger, which looks like three horizontal bars). Look for “Add-ons,” and you should find this entry:


In both Chrome and Firefox, you can make adjustments to the settings of Malwarebytes Browser Extension for more granular control. To reach the settings menu, click the blue Malwarebytes logo in the browsers’ menu bar. This will show you the current protection status and two additional links.

To enable or disable individual protection features, click the “Settings” link in that prompt. This will show you a menu:

Here, you can also find information about what each protection mode guards against.

Under the “Allow List” tab, you can allow individual domains and IPs manually (in case we block something that you don’t want to be blocked). You can remove them from the list as well, if you change your mind.

Under the “About” tab, you can check the version information and, importantly, allow the telemetry from the Browser Extension to be sent to us anonymously. This will help the researchers I mentioned earlier to assess whether a domain or IP should be blocked permanently.


When the browser extensions block a site, they will show you a warning similar to this one:

The dangers are classified along the lines of the major risks that a web browser might run into:


The “blocked” page will offer a short explanation of these risks in the upper drop-down menu.

But, it’s a BETA

Why, yes, it is! So, you are using it at your own risk. Suffice it to say that both extensions have been downloaded thousands of times, and most complaints so far have been about false positives. All of these have been analyzed, and some have led to changes in the software. On a personal level, false positives are easy to resolve, as the extensions offer you the option to visit the blocked site anyway. Compared to the potential damages done by visiting a malicious site, this seems like small potatoes. It’s also possible to disable some of the features if you find them too aggressive for your liking.

We hope to be able to announce the full, official version of the Malwarebytes Browser Extension soon!

Give the Malwarebytes Browser Extensions a whirl, and stay safe out there!

The post Introducing: Malwarebytes Browser Extension appeared first on Malwarebytes Labs.

Trojans: What’s the real deal?

Wed, 07/25/2018 - 15:40

The fictional Greeks hiding in their legendary Trojan horse would probably be excited to learn that the default Wiki page for Trojan is, in fact, their big wooden horse thingy (vs. computer infections or dubious businesses).

Sorry, fictional ancient Greek warriors. It’s not that we don’t think you’re a big deal—that film with Brad Pitt was at least a 6 out of 10. It’s just that at this point in time, the Trojans we’re most concerned about are the tiny ones that sneak onto your PC under cover of darkness, then lay waste to Troy.

And by Troy I mean our PCs.

The term “Trojan” as we understand it first came to life in the 1970s, used in a USAF report about vulnerabilities in computers [PDF]. The application of said digital Trojan horse is fairly straightforward: a computer program, pretending to be something it’s not, is installed and executed on the target system. For example, a victim could open up a file named dolphin.exe and think they’re looking at a fun game called Dolphin. But in reality, all of their personal information is being harvested covertly and sent back to base.

The Trojan hall of shame

The first big-name Trojans many of us in the IT space may remember dealing with date back to the late 1990s and early 2000s. That includes Netbus, Bifrost, and Sub7, though the bulk of the cybercrime spoils went to the notorious Zeus in 2007. After that, Trojans were in business, with DarkComet, the Blackhole exploit kit, which would (for example) push Java or Carberp Trojans, and Koobface (an anagram of Facebook), which would typically pretend to be a video as bait to install a worm.

Most of these have long since gone to the great wooden horse paddock in the sky, but Zeus continues to linger by virtue of having its code leaked in 2011, forming the building blocks for many, many Trojan attacks since then.

Social engineering at its finest

Fittingly, social engineering plays a major part in the Trojan proceedings. A splash of societal pressure, or even just a “Hey, this is cool” is often enough to get someone to compromise their personal computer by their own hand.

You’ve won this free thing! Click here and take a look!

Wait, are hackers bearing gifts now? Though there are no ancient Trojan warriors offering up towering wooden structures, you can bet there’ll be a wide variety of confidence tricks on display. You might get a cool laptop sticker or a pair of novelty-branded socks at an event. Or, you might get this:

Email: Hi, check out this adorable dolphin! Run this file dolphin.exe, it’s great!
Social media: Enter our sweepstakes to win an adorable dolphin!!! Be sure to run dolphin.exe to stand a chance of winning.
Instant messaging: Adorable dolphin webcams. Only $4.99 a month! Download this dolphincam.exe to get started.
Suspiciously abandoned USB stick: Wow, you’ve found my suspiciously abandoned USB stick. Way to go! If you want to return my adorable dolphin photos, please run adorabledolphinphotos.exe to see my address.

Despite the variance in attack methods described above, they’re all using executables disguised as harmless files (Trojans). Types of Trojan vary wildly and encompass everything from government-developed files to people on forums making their own special home-brew versions. We’ve listed the main categories of Trojans below.

Types of Trojans

Financial

Plenty of financially-motivated Trojans exist, typically doubling up with keyloggers to try and exfiltrate online banking information. Some may try and snoop connections by performing man-in-the-middle attacks, or dropping a fake bank login page on the PC so the victim happily hands over their credentials. Others take an alternative approach and simply scan the PC for anything that looks like login data stored in a text file, or insecure passwords saved in a browser.


Backdoor the system, and the sky’s the limit. However, botnets are an old favourite of malware authors, and dropping some files that can take commands from a Command & Control server is just what the doctor ordered. Once tagged into a botnet, your machine’s power as a rogue node is amplified many times over, alongside its compromised brethren. In situations where the attackers aren’t particularly interested in your personal information, they may well just use you to join in on a Distributed Denial of Service (DDoS) attack instead.


The ubiquitous ransomware is often served up to potential victims disguised as something else in order to lock up the target PC and then demand a ransom. It could be delivered via malspam or phishing and spearphishing campaigns, which trick users into opening emails from untrustworthy sources.

General data collection/system tampering

The intention behind using a Trojan may be to try and grab card details, or personal information, or download additional malware files, or even just sit quietly in the background and monitor all activity for reasons known only to the attackers. It’s really up to the attacker, and as a result, the definition of “Trojan” can sometimes be murky.

For example, droppers and downloaders are two types of Trojans that do exactly what their names suggest: adding additional bad files onto the system. But what’s the motivation for adding more bad files? Maybe they just want to keep an eye on things for a later date, installing a remote administration tool that keeps a backdoor open and gathers fresh data as you go about your business. Maybe some of your browsing habits trigger another social engineering attack, which attackers can now do easily with access to your system. Or perhaps the data gathered on you is sold to other organizations for marketing purposes, and now you can’t stop getting junk email.

This is nowhere near an exhaustive list, but just an example of the kind of mischief Trojans can cause and create.

Gift horse, mouth, do not look

Regardless of intention, turning your PC into an open access gateway for Trojan dolphins—er, horses—is a bad idea indeed. Even if the initial Trojan is removed from the computer (assuming it hasn’t already self-deleted), there’s often no way of telling what else has been placed onboard.

Unlike some other forms of attack, Trojans never really go out of fashion. Only a few weeks ago, fake Fortnite files were causing waves over in Androidland, promising free game points but offering up unrelated downloads instead. Social engineering will never go away, and dressing up a rogue file in attractive packaging goes a long way toward compromising a system.

Feel free to read up on our many social engineering posts, because that’ll give you a great head start against your horsey adversary. And if the ancient Greeks had practiced better deduction and used some common sense (you’re in the middle of a war; why invite a giant wooden structure inside your walls?!), they would surely have vanquished the clever Trojans.

The post Trojans: What’s the real deal? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New strain of Mac malware Proton found after two years

Tue, 07/24/2018 - 15:00

Last week, Kaspersky reported on a new variant of the Mac malware Proton, which they have dubbed Calisto, that has been around for at least two years. Calisto is thoroughly dead at this point, but there are still potential security implications involved with these older infections.

Proton was first revealed to the world back in February 2017 via an Apple security update. It was later seen in the wild when the popular DVD ripping tool Handbrake was hacked to distribute Proton in May. It was seen again in October following a hack of the Eltima Software website that resulted in Elmedia Player and Folx being modified to drop Proton. Yet another incident was recorded when Proton was installed by a fake Symantec app, distributed from a fake Symantec blog promoted by search engine optimization tricks.

Proton has been perhaps the most high-profile piece of malware in recent Mac history. But it appears the story began much earlier than previously believed. Kaspersky’s discovery of Calisto, which turns out to be an earlier variant of Proton, provides that evidence.

Calisto’s behavior

Calisto, which was distributed in the form of a fake Intego Mac Internet Security X9 installer, was first submitted to the malware-tracking site VirusTotal on August 2, 2016. As Intego’s X9 software was first released on June 20, 2016, that places a distinct time range on the first appearance of this malware. However, there are signs that there might have been even earlier variants of this malware.

Fortunately, this malware is truly and effectively dead at this point, as the server it attempts to call home to no longer exists.

The addition of System Integrity Protection (SIP) to Mac OS X 10.11 (El Capitan) on September 30, 2015, caused problems for this malware. Calisto relies on being able to make changes to several SIP-protected locations, so some of its functionality fails on El Capitan or later systems. This fact is interesting, as it implies that the malware may have been created prior to that release.

Despite the fact that the malware is unable to perform some of its duties on a modern system, it will still gather password-related files, just like later variants of Proton, meant for exfiltration to a malicious server (which is no longer responding). It’s these files that provide the most reason for interest in this malware, and other variants of Proton, today.

Password leaks

Earlier this month, with the discovery of OSX.Dummy, we discussed the issue of malware leaving behind sensitive data for other future attackers to find. Proton does the same thing, and the Calisto variant is no different.

Proton, just like Dummy, leaves behind a file containing the user’s password in clear text. In the case of the different variants of Proton, these files are located at the following locations:

  • ~/.calisto/cred.dat
  • ~/Library/VideoFrameworks/.crd
  • /Library/.cachedir/.crd

It’s important to ensure that these files do not exist on your system—or any systems that you control.

Why? Well, suppose that you’re a bad guy, and you’ve got access to a system that you want to attack, either through malware or direct access. But, you don’t know the user’s password. If you knew it, you could significantly escalate your attack. One way to get that would be to ask the user, but that might raise suspicions.

What if you could find the password right there, and just pick it up and start using it? On systems that have previously been infected by something like Proton or Dummy, that’s exactly what you could do. A hacker has simply to look for these files, and they’ll find the username and password all wrapped up with a nice bow on it, ready to use.


It’s important to make sure these password files don’t exist on your Mac. You can check for them in the Terminal with commands like this (changing it for each path):

ls -al ~/.calisto/cred.dat

If the command complains that there is “no such file or directory,” you’re clean. If not, you’re going to need to remove that file. This gets a little tricky, since the files are all either invisible or in invisible folders. So seek help from an expert if you don’t know how to do this.

As an alternate solution, Malwarebytes for Mac will remove all of these items for you.

The post New strain of Mac malware Proton found after two years appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (July 16 – July 22)

Mon, 07/23/2018 - 17:30

Last week on Labs, we looked at a Magniber expansion, explored open source vulnerabilities, and checked out the boons and drawbacks of smart assistants. We also continued our ad blocking article extravaganza, gave a whistlestop tour of third-party problems, and published our Q2 Cybercrime tactics & techniques report.

Other news:

Stay safe, everyone!

The post A week in security (July 16 – July 22) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: Adware MobiDash gets stealthy

Mon, 07/23/2018 - 15:00

The Adware known as MobiDash, detected by Malwarebytes for Android as Android/Adware.MobiDash, is far from new. However, this ad-displaying nuisance now comes with some additional stealth features.

First appearing last spring, these new features are not limited to a single variant of MobiDash. Instead, the correlation among these stealth versions lies within the package name. As a result, these stealth features hide the existence of Adware MobiDash—even when it’s in plain sight!

Look closer

When I first came upon this stealthy MobiDash, a customer was having a terrible time removing the adware from their mobile device. Malwarebytes for Android was unable to remove it, due to it being an active device administrator.

By design in the Android operating system, any app given device administrator privileges cannot be uninstalled until it has first been removed from the device administrator’s list. Attempting to uninstall an app with device administrator rights will display the screen shown above. The screen displays a warning about not being able to uninstall, and provides a link to the device administrator’s list.

Okay, simple enough, just remove the offending piece of adware from the list and uninstall, right? Well, what if it doesn’t exist in the device administrator’s list!? Have a look for yourself below.

There’s “Find My Device” and “Malwarebytes,” both with legitimate reasons to be in the device administrator’s list. But there’s no adware app in sight.

But wait. Look a little closer.

That blank line right at the bottom of list—bingo! If you didn’t see it at first, you’re not alone.

Even more stealth

Now that you can see Adware MobiDash in the device administrator’s list and have removed it from there, the next step is uninstalling. By far the easiest method to uninstall this tricky adware is to rescan with Malwarebytes for Android, which handles the uninstall for you. Manual removal is also possible, albeit a bit trickier.

Manual removal

Depending on your mobile device’s Android OS version, there may be a shortcut icon disguising itself as Settings.

If this exists alongside the real Settings icon, simply drag the fake Settings icon to Uninstall.

However, there are many cases where this icon doesn’t exist. Thus, it must be removed via the mobile device’s App List: Settings > Apps. Scroll all the way to the bottom of the list, and you’ll discover a blank entry at the very end.

Click on it, and you can uninstall from the app info screen.

The how and why

So how, exactly, can this stealth Adware MobiDash version get device administrator rights? Well, it must be given the rights manually by the user. It’s surprisingly easy for a user to mistakenly do so, and even easier with this piece of adware. Why? Because usually giving an app device administrator rights comes with a list of scary operations to allow. This MobiDash version doesn’t ask for any, as shown below.

So why did it even bother tricking users into activating device administrator if there are no operations to allow? As highlighted above, it makes uninstalling way more tedious—especially with the extra stealth features.

It happens

I could preach about not activating device administrator for unknown apps, but instead I’ll just say, “It happens.” On Android, there is an abundance of features you must allow to get legitimate apps to work properly. This sometimes exhausts users to the point of just blindly allowing everything. It’s no wonder that the bad apps can slip under the radar.

Luckily in this case, the outcome is simply annoying ads and nothing worse. But if you don’t want to deal with the hassle of an adware infection, slowing down and being a little more vigilant can save you time in the long run. Stay safe out there!

The post Mobile Menace Monday: Adware MobiDash gets stealthy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The danger of third parties: ads, pipelines, and plugins

Fri, 07/20/2018 - 15:00

It may or may not be comforting to know that, ultimately, bulletproof security is out of your hands.

You can have the most locked down PC on Earth, have two-factor authentication (2FA) set up across the board, take sensible actions to protect your personal information, and read all the EULAs under the sun. You can do all this and more, and yet still end up being compromised. How? Welcome to the wonderful world of third parties.

Unsurprisingly, everything you use on a daily basis isn’t necessarily built by the same team. Companies buy off-the-shelf solutions to make technical product A send data to obscure server B. A health organisation might rely on a bespoke tool built by someone who left the company a decade ago, and nobody understands how to update the moving parts, so it gets left where it is (potential vulnerabilities and all).

A hacker may avoid going after the main software creator, instead deciding to poison the supply chain where third-party developers congregate, for example via fake update files.

We’ll take a look at some of the most popular types of “don’t worry, this wasn’t your fault” dangers below.

Website bits and pieces

If you’re online and your browser is running default settings, you’re trusting that the web you’re interacting with has “benign and definitely not malicious, nope” as its default state. In reality, the sites you visit daily are made up of multiple moving parts, and not all of them are under the control of the webmaster.

The ads come from one company on the other side of the world, the half-dozen plugins that manage everything from comments to chatboxes are built by a half dozen other orgs and coders, and there’s a Content Delivery Network ensuring things like ads and other third-party content are served up quickly. In reality, the website is composed of equal parts from the webmaster and from other third parties.

If you’ve got no controls in place on your end, such as an ad blocker or other cybersecurity programs, that means that all of these bits and pieces of independent coding are free to work their magic, assuming magic is what they’re actually working. If one of them isn’t? You’re in trouble.

In 2015, a company whose code could be placed on websites to warn visitors about their use of ad blocking was compromised. An account for their CDN was phished, leading to some 500 publishers (website owners) offering up a fake Flash update. When the website itself isn’t the problem, but the tools and services bolted onto them (in many cases designed to “optimise” or improve performance), it can spell disaster for both site visitors and the site’s reputation.

There’s also the all-too-common problem of ad networks falling foul to bad actors, pushing out scams and malware to people on the receiving end of bad ads. We’ve covered this kind of attack many times down the years, and it’s one of the primary movers of malvertising.

Supply chain attacks

Sometimes called pipeline attacks, these generally involve inserting yourself into the weak spot of an organisation’s business flow, compromising it utterly, then playing pass the parcel with bad files to others down the supply chain.

For example, a group of mobile developers might congregate on forum X, making tools or apps for mobile phone Y. The forum is compromised, basic files the forum supplies are switched out for something malicious, and now you have a situation where the developers are unknowingly sending malware-laden files onto the phone’s storefront. This tactic also helps confuse the blame game in the immediate fallout, because initial suspicions will probably be aimed at the innocent forum-dwelling developers.

There’s no end to the mischief that can be wrought in one of these scenarios, and they can end up being rather high profile. The onus here is on the organisation as a whole being responsible and checking all parts of their supply chain for vulnerabilities, leaky data, or other problems that can quickly impact everyone involved, including their customers.

Data breaches and third-party problems

There can’t be many of us who haven’t had some personal data exposed when a website or service has had its database compromised, because massive data grabs are sadly a fact of life. Even so, spare a thought for those having their info grabbed via our old friend “the third-party mishap.” Misconfigured or compromised plugins and additional tools aren’t just a risk for websites about cats—they also rear their head on widely-used services such as payment processors.

A customer support chat tool is a good idea for a payment system, right? Except not when a compromise takes place and the chat tool code is surreptitiously sending data to bad people. If a larger org asks a smaller one to build something to specification, they may well be relying on them to ensure their code is secure, as they probably won’t have access to its inner workings. The moment the developers lose control of that code, the resulting chaos can quickly spiral.

Some good news?

Regardless of who did what, or which service on that side of the world was hijacked to cause issues for people on this side of the world, we still have some control over the impact wrought on our desktops, if nothing else. No matter how clever or sneaky the pipeline attack, you’ll still have to let a rogue ad past your ad blocker, or switch off your security tools and let some ransomware do its thing, or allow unknown files to run on your mobile device, or…well, you get the idea.

If you start digging into how fragile many of the services and networks we use on a day-to-day basis are under the hood, you might never go online again. There’s no point denying yourself the opportunities the web allows because of people up to no good, so concentrate on your own digital defences, and you’ll hopefully be in good standing no matter what disasters are befalling others behind the scenes.

The post The danger of third parties: ads, pipelines, and plugins appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to block ads like a pro

Thu, 07/19/2018 - 17:24

In part one of this series, we had a look at a few reasons why you should be blocking online advertisements on your network and devices. From malvertising attacks and privacy-invading tracking systems to just being an outright annoyance, online ads and trackers are a nuisance that provides an attack vector for malware authors, compromises user security, and plainly diminishes the browsing experience.

In the second part of this series, we’ll cover a few of the common ad blocking utilities and how to best configure those tools for maximum effectiveness. We’ll take a look at tools that are easy enough to set up and run on mom’s computer, as well as a few tools that may require a bit more expertise. And later on, we’ll discuss a few tools that do a great job of blocking ads and protecting your privacy, but may require a shift in mindset before realizing the benefit. 

So, go grab your cup of Joe, sit back, and dive into the conclusion of “Everybody and their mother is blocking ads, so why aren’t you?”

A note about filter lists

You’ve read the reasons why it’s important to have a robust ad blocking policy on your network. You understand the risks that are posed by malvertising attacks and data-sucking exchange networks. You now want to configure ad blocking within your own network—but where do you start? Your first stop is to look at filter lists.

Several of the tools we’ll cover use sets of rules, known as filter lists, to help determine what should be blocked. These lists are created by individuals, open-source communities, and private organizations. Popular websites to obtain filter lists include the Adblock Plus subscription page and

Some filter lists can include specific, narrow qualifiers such as “coin miners,” while others are comprised of large subsets of data targeting multiple facets of advertising and tracking. Filter lists are also broken out into languages to help block ads in various regions.

When the browser requests a website, that site—and all the domains requested by that site—are checked against the filter list prior to being displayed. If a domain is on the filter list, then the ad blocker won’t allow the information to pass, effectively blocking the content. But too many filter lists will result in too many look-ups. This slows the browser and increases the response times of websites. Users should be mindful when adding filter lists so as not to add more than is required, and not to add duplicate lists.
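To make that lookup concrete, here is an added example (not code from the post, Adblock Plus or uBlock Origin) of how an EasyList-style list is matched against the requests a page makes; it models only the `||host^`, `@@` exception and `$third-party` rule forms, and every list entry and hostname in it is constructed.

```javascript
// Added example (not part of the original post, and not the code of any ad blocker):
// a minimal model of checking each request a page makes against subscribed filter
// lists. Supported rule forms: "||host^" (block host and subdomains), "@@||host^"
// (exception) and the "$third-party" option. Comments ("!") and cosmetic rules ("##")
// are skipped. All list contents and hostnames below are constructed sample data.

const ADDRESS_RULE = /^(@@)?\|\|([a-z0-9.-]+)\^(?:\$(third-party))?$/i;

// Parse one filter list into structured rules; unsupported lines are ignored.
function parseFilterList(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('!') || line.startsWith('[') || line.includes('##')) continue;
    const m = ADDRESS_RULE.exec(line);
    if (!m) continue; // other rule types are out of scope for this model
    rules.push({ host: m[2].toLowerCase(), exception: Boolean(m[1]), thirdPartyOnly: m[3] === 'third-party' });
  }
  return rules;
}

// Merge several subscribed lists into one table. Identical rules from overlapping
// lists collapse to one entry, which is why duplicate subscriptions add parsing and
// lookup cost without adding coverage.
function buildRuleTable(lists) {
  const table = new Map();
  let parsed = 0;
  for (const text of lists) {
    for (const r of parseFilterList(text)) {
      parsed += 1;
      const key = `${r.exception ? '@@' : ''}${r.host}$${r.thirdPartyOnly ? '3p' : 'any'}`;
      if (!table.has(key)) table.set(key, r);
    }
  }
  return { rules: [...table.values()], parsed, unique: table.size };
}

// "||host^" matches the host itself and any subdomain of it.
function hostMatches(ruleHost, requestHost) {
  return requestHost === ruleHost || requestHost.endsWith('.' + ruleHost);
}

// Approximate "third-party": the request does not share the page's registrable
// domain (simplified to the last two labels; a real blocker uses the public suffix
// list so that e.g. "co.uk" is handled correctly).
function isThirdParty(pageHost, requestHost) {
  const base = (h) => h.split('.').slice(-2).join('.');
  return base(pageHost) !== base(requestHost);
}

// Decide whether a request from pageUrl to requestUrl is blocked. An exception rule
// wins over block rules, which is how lists whitelist resources sites need.
function shouldBlock(table, pageUrl, requestUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const reqHost = new URL(requestUrl).hostname.toLowerCase();
  const thirdParty = isThirdParty(pageHost, reqHost);
  let blocked = false;
  for (const r of table.rules) {
    if (!hostMatches(r.host, reqHost)) continue;
    if (r.thirdPartyOnly && !thirdParty) continue;
    if (r.exception) return false;
    blocked = true;
  }
  return blocked;
}

// Check every resource a page requests and return the ones that would be blocked.
function blockedRequests(table, pageUrl, requestUrls) {
  return requestUrls.filter((u) => shouldBlock(table, pageUrl, u));
}

// Constructed sample subscriptions that partly overlap (not real EasyList entries).
const LIST_A = `
! Sample list A (constructed)
||ads.example^
||tracker.example^$third-party
@@||cdn.example^
`;
const LIST_B = `
! Sample list B (constructed); repeats one rule from list A
||ads.example^
||widgets.example^$third-party
`;
const TABLE = buildRuleTable([LIST_A, LIST_B]);

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://news.example/article';
  const requests = [
    'https://news.example/main.js',
    'https://banner.ads.example/ad.js',
    'https://tracker.example/pixel.gif',
    'https://cdn.example/lib.js',
  ];
  console.log(`${TABLE.parsed} rules parsed, ${TABLE.unique} unique after merging`);
  console.log('blocked:', blockedRequests(TABLE, page, requests));
}
```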

Adblock Plus

The popular ad blocking extension made by Eyeo is the simplest and most popular of the tools we’ll cover—and it’s easy to see why. Adblock Plus has been blocking banner pop-ups, advertisements, and trackers for the last 12 years. The browser extension works in popular browsers such as Chromium, Mozilla, and Safari, and is easily configured to block a variety of threats. Adblock Plus runs with minimal interruption on PCs (and yes, this is actually configured on my mom’s PC). The company even has its own Adblock Plus browser that can be used on mobile devices (more on this later).

Though Adblock Plus works out-of-the-box without any other configurations needed, it’s best to dive into the settings to make a few adjustments.


After using one of the previous links to install Adblock Plus to your preferred browser, the options menu can be accessed by clicking the red ABP icon that appears at the top of the browser. From there, click the Options button at the bottom of the window.

Adblock Plus encourages publishers to join their Acceptable Ads program. The Acceptable Ads program allows publishers who adhere to a prescribed set of guidelines an opportunity to have their ads shown to users who are using Adblock Plus. While this feature has caused a bit of flak for the company, the subsequent creation of the Acceptable Ads Committee has helped create a dialogue surrounding responsible advertising.

While those things are fine and dandy for publishers, we’re looking to block advertisements, so let’s disable those “acceptable” ads.

Set up

From within the General tab of the Settings window, uncheck the option for Allow Acceptable Ads. This will also be a good time to enable the Privacy and Security settings for Block additional tracking and Block social media icons tracking. Both settings will help prevent trackers from harvesting information about your browsing session (since social media buttons are used to track user behavior).

The default filter lists are shown under the Advanced tab. Adblock Plus comes pre-loaded with several popular lists, including EasyList and Fanboy’s Social Block List. Additional filters can be downloaded and installed from the Adblock Plus subscription page, but the default lists strike a reasonable balance between function and convenience, providing a modest ad blocking experience.


That’s it! Just a few clicks are all that is required to get a baseline setup of Adblock Plus. Let’s test it out and see how it looks.

That’s pretty cool, huh? The advertisements in videos, articles, and search results are all removed. And because the ad content isn’t being displayed, the page response time is faster and the desired content is reduced to a smaller portion of the landscape. This reduces the time spent scrolling around the page.

Sometimes it doesn’t work

Though Adblock Plus works great to block ads on most websites, sometimes it may not. Ads may find their way onto the page, or notices may be shown advising to disable the ad blocker.

Indeed, should the need arise, Adblock Plus is easy to disable: simply click the ABP logo and then click the check mark to disable/enable the service.

But this post is about blocking ads, not succumbing to the pressures of aggressive advertisers. And though it may be possible to configure Adblock Plus to block the majority of these ads and trackers, advanced users may prefer to use a solution which allows for more granularity and greater control over the page elements and individual page frames.

uBlock Origin

uBlock Origin, which is not to be confused with µBlock, is another browser-based plugin, which is available for both Chromium and Mozilla browsers. Like Adblock Plus, the product is widely popular and utilizes a variety of filter lists to help block advertisement and trackers. Unlike Adblock Plus, however, uBlock Origin is an open-source project, which helps to boost the popularity of the product and helps the company to remain free from the outside influence of advertisers and publishers.

Though uBlock Origin works well at its intended purpose, the product may not be suitable for all users due to the technical nature of the program and difficulty in navigating its user interface (UI). Some have complained about the increase in support cases after installing the program, from users who may not understand why their webpages don’t look the same. But for those who understand the advertising landscape and the potential for blocking ads to cause trouble, uBlock Origin appears to be a preferred choice.


Installing uBlock Origin is an almost identical process to installing Adblock Plus. Just head over to the Mozilla Add-ons page, Chrome Web Store, or Safari extensions page to grab a free copy of the software, and click the buttons to install the extension.

After installing uBlock Origin, a red icon will appear in the top right of the browser window. Options can be configured from this icon. Though uBlock Origin works well in the default state, we’ll take a look at the settings and configurations and make a few changes to help block some of the previously missed elements.

Set up

Clicking the uBlock Origin icon will open the panel window. The big blue button can be used to easily turn uBlock Origin off and on. The settings icon looks like a slider bar and will open the settings dashboard.


After opening the uBlock Origin dashboard, users are presented with a window with various tabs. There aren’t any configuration changes required, and the only setting worth noting is I am an advanced user, which will be discussed later.

One area uBlock Origin stands out above the competition is the inclusion of various filter lists. These lists can be enabled and disabled as necessary to allow a quick mechanism to block ads and trackers, but also malware, scam sites, and other annoying website elements. Though the defaults are pretty good, we’re going to add a few more lists to improve the blocking capabilities.

In addition to the default lists, the following lists will also be enabled:

  • uBlock filters – Annoyances
  • Adblock Warning Removal List
  • Malvertising filter list by Disconnect
  • Spam404
  • Fanboy’s Annoyance List
  • Fanboy’s Social Blocking List
  • hpHosts Ad and tracking servers

Once all are enabled, click the Apply changes button to save the settings, and then the Update now button to update the lists.


uBlock Origin is configured to use most of the same filter lists as have been configured for Adblock Plus, so many of the same ads will be blocked as before. The inclusion of the additional filter lists will help to exclude some of the web elements that were previously remaining.

More difficult

Even with strict filtering, not all advertisements will be blocked. There are still videos that auto play from websites, or advertisements hosted on the visited site instead of from a known third-party advertiser. For these types of ads, it’s best to create custom rules to block the individual elements on the page.

Right-click the advertisement—or section of the page where the ad appears—and choose the block option. A window will appear allowing the rule to be previewed before creation. Click the create button, and the only thing we’re left watching is that video disappear!

Elements can also be blocked by clicking the uBlock Origin icon and using element zapper or element picker. The difference between these two is that the element zapper is temporary and only removes the element until the session is closed. Element picker adds the element code to the block list so that it will also be blocked on future visits.

This feature can be used to remove the empty element that remains on the previously examined page. Simply open uBlock Origin and click the Element Picker icon. Carefully select only the desired area of the page to be blocked. Be sure to use the preview option prior to creating the rule to ensure the block works as intended. After verifying, create the rule to remove the desired frame.


There is nothing worse than opening a bunch of tabs only to later find one of them playing video from a small screen sequestered to the corner of a window. Sure, these elements can be blocked on an individual basis, but technically savvy users may desire a blanket approach to prevention. For that, uBlock Origin offers script blocking.

uBlock Origin logs all script activity on a webpage for analysis. Looking at the information helps reveal the number of trackers and ad networks in use on a particular website.

To use the logger feature, open the uBlock Origin panel and click the Logger icon. The logger window will appear. Press the refresh button to start the logger and reload the page. Information about the website will be logged to the window.

The blocking of web scripts tends to leave some websites lacking in functionality or just plain unusable. Blocking scripts should be reserved for those who understand the complications to be expected. The problematic nature prompted uBlock Origin to hide the feature behind the setting titled I am an advanced user. To gain full access to the settings, users must click the link for required reading.

After enabling the setting and reading the document, new options will appear within the uBlock Origin dashboard. The new options give users the ability to block first- and third-party scripts, as well as set individual policies per website.

Group settings based on script source will be displayed on top (red section), while the websites being called will appear below (blue section).

The two columns to the right of the names are used to define global (left) and local (right) policies. The combination of the two columns allows for a varying mixture of blocking capabilities.

For example, uBlock Origin can be configured to block all third-party scripts and frames, but first-party scripts will be blocked ONLY on the local site, since blocking first-party scripts globally will lead to problems loading webpages elsewhere.
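As an added example (not uBlock Origin’s own code), the following simplified model resolves a request against the global and local columns in the precedence just described; the rule table, sites and hostnames are constructed, and the first-party test uses a last-two-labels approximation of the registrable domain.

```javascript
// Added example (not part of the original post and not uBlock Origin's own code): a
// simplified model of the dynamic filtering pane. Each cell holds "block", "allow"
// or "noop" (no rule, inherit). The global column ("*") applies on every site; the
// local column for the current site overrides it. Rows are consulted from most
// specific to least: the request's hostname, then its type ("1p-script",
// "3p-script", "3p-frame"), then "3p" (any third-party request), then "all".
// The rule table, sites and hostnames below are constructed sample data.

const NOOP = 'noop';

// Registrable-domain approximation (last two labels); a real blocker consults the
// public suffix list so that e.g. "co.uk" is not treated as a registrable domain.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Rows that apply to a request of `kind` ("script" or "frame") from pageHost to
// reqHost, most specific first.
function rowsFor(pageHost, reqHost, kind) {
  const party = baseDomain(pageHost) === baseDomain(reqHost) ? '1p' : '3p';
  const rows = [reqHost.toLowerCase(), `${party}-${kind}`];
  if (party === '3p') rows.push('3p');
  rows.push('all');
  return rows;
}

// rules = { '*': { row: action, ... }, 'site.example': { row: action, ... } }
// For each row the local cell is checked before the global one; the first cell that
// is not "noop" decides. With no matching cell the request is allowed here (in a
// real blocker the static filter lists would still apply).
function resolve(rules, pageHost, reqHost, kind) {
  const local = rules[pageHost.toLowerCase()] || {};
  const global = rules['*'] || {};
  for (const row of rowsFor(pageHost, reqHost, kind)) {
    for (const column of [local, global]) {
      const action = column[row];
      if (action !== undefined && action !== NOOP) return action;
    }
  }
  return 'allow';
}

// Constructed rule table matching the configuration described in the text: all
// third-party scripts and frames blocked everywhere, first-party scripts blocked only
// on news.example, plus one third-party host allowed locally as an exception.
const RULES = {
  '*': { '3p-script': 'block', '3p-frame': 'block' },
  'news.example': { '1p-script': 'block', 'cdn.example': 'allow' },
  'other.example': { '3p-frame': NOOP }, // noop: falls through to the global cell
};

// Apply the policy to a page's requests and return the hosts that are blocked.
function blockedOn(rules, pageHost, requests) {
  return requests
    .filter(({ host, kind }) => resolve(rules, pageHost, host, kind) === 'block')
    .map(({ host }) => host);
}

if (typeof require !== 'undefined' && require.main === module) {
  const requests = [
    { host: 'news.example', kind: 'script' },
    { host: 'cdn.example', kind: 'script' },
    { host: 'widget.example', kind: 'frame' },
  ];
  console.log('blocked on news.example:', blockedOn(RULES, 'news.example', requests));
  console.log('blocked on other.example:', blockedOn(RULES, 'other.example', requests));
}
```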

Changes can be previewed by clicking the refresh circle. After verifying the changes, save the settings by clicking the lock icon at the top of the screen.

The resulting effect is that the auto-playing news story has now disappeared from all webpages on this site.

Not only did this stop the video, but if we go back and look at the logger, we see that all of the third-party scripts that were previously allowed are now being blocked.

Blocking scripts is one of the most effective mechanisms to block ads and invisible trackers, but will lead to unintended results. Those who are interested in experimenting with script blocking—and who find the uBlock Origin UI intimidating—may find solace in the simplicity of the next plugin on our list.

A note about scripts

Website scripts come in a variety of forms including JavaScript, Java, and Flash. These scripting languages are used for advertising and tracking, but also to make the internet function.

Videos and graphics may be produced with scripting code. Webpage content may also be generated using these languages. Comment sections and other social media content are produced with scripting languages. As a result, users should expect the following:

Blocking scripts by default WILL cause some websites to fail.

Blocking scripts by default WILL prevent some content from loading.

Users who decide to implement global script-blocking policies will need to be aware of the potential issues and how to resolve such issues when they occur. Having an understanding of the domain landscapes and being able to analyze the necessary domains to enable desired content will also be needed. Simply whitelisting all websites will negate the value of blocking scripts, so understanding the how-to and why is important.

NoScript Security Suite

NoScript is a browser-based plugin for Mozilla browsers only. There is an alternative for Chromium called ScriptSafe, and Safari users have JS Blocker. Both will work similarly.

NoScript provides an extra layer of protection by ensuring that scripting code such as Java, JavaScript, and Flash is only executed by trusted websites. Blocking scripting languages from running on untrusted websites will prevent ads, trackers, and other forms of undesirable activity from occurring.

In addition to blocking scripts, NoScript comes with a robust set of anti-cross-site-scripting (XSS) and clickjacking protections to help prevent malicious actions and undesirable redirects.

NoScript and other script blockers are recommended for advanced users who understand the risks.


The process is no different for NoScript than any other plugin. Jump over to the Mozilla Add-ons page and install the extension to the browser.

NoScript requires absolutely no setup and will begin working immediately after being installed. Unlike the other extensions we’ve covered, there is no way to disable NoScript. If users need to disable the plugin, it must be done through the Mozilla add-on configuration panel.

Using NoScript

Users may immediately notice a difference to their browsing experience after installing NoScript. Videos and gifs may not load correctly, content may not appear, or worse, pages may fail to load altogether. Though this sounds terrible, it’s easy to configure NoScript to your personal browsing needs.

The simple NoScript interface makes it easy to create exclusions and allow blocked content on either a temporary or permanent basis. Instead of settings and filter lists, NoScript simply uses a series of easy-to-understand buttons to control the content.

After NoScript has blocked content on a page, a numbered indicator will be shown on the NoScript icon. Click the icon to view the blocked domains.

This image shows elements being blocked on two domains. One of those would be a desired website; the other would be an ad network. Clicking the Trusted icon next to the desired website will allow scripts to run ONLY from that domain. Click the green refresh circle at the top to reload the page.

After allowing the root domain the privilege of running scripts, the website functionality may still be lacking. Additional domains may be shown after allowing the root domain, and some may need to be allowed before the content appears.

NoScript allows for temporarily allowing script execution from unknown domains. Simply click the Temp Trusted icon to allow code execution until the current session expires. Unfortunately, it may be a bit of trial-and-error to find the domain to allow before seeing the desired content.

Though not designated as an ad blocker, NoScript will block advertisements injected via third-party scripts. NoScript won’t remove the empty elements from the page, so a tool like uBlock Origin will still be required to de-clutter the page landscape.

NoScript comes with a list of already assigned permissions, but the list is not extensive. Users will need to configure the program for the websites they most frequent. If the desired website makes heavy use of third-party scripts and content, it will be necessary to individually allow all content-providing domains for the website to function as intended. Some websites make extensive use of outside content, so users may spend considerable time configuring permissions before streamlining the experience.

NoScript is a valuable tool in any security toolkit. Blocking scripts is an effective way to block malicious activity and unwanted content. Users may have to overcome the steep configuration curve before recognizing the benefit of the tool, but those who do will be rewarded with a faster browsing experience and fewer online trackers compromising their online privacy.

A note about browsers

Browsers are the key to a successful ad blocking experience. Some browsers support the use of ad blocking extensions whereas others do not. This post has focused on ad blocking using the Mozilla Firefox browser. Though subjective, Firefox provides a better all-around ad blocking experience across platforms. By using the same browser and plugins across machines, configurations and personal filter lists can be shared across devices. This reduces the configuration time on a per-machine basis and produces a similar web experience—regardless of device.

Though Google Chrome is an extremely popular browser, keep in mind that it is distributed freely by a company that makes a substantial portion of its annual revenue from advertising.

According to Statista, Google netted $95.38 billion dollars, or roughly 87 percent of its total revenue, through advertising. Not only is the company selling ad space on the network, but they also collect information about your browsing activity in order to give “contextually relevant suggestions” (a fancy way to say ads).

The Google Chrome Privacy Whitepaper and Chrome Privacy Policy provide plenty of information on Chrome’s collection capabilities, and are an eye-opening read for those concerned about data mining. Some concerning items are shown below with highlighting added for better clarity.

The United States Congress has also become interested in Internet tracking and has recently requested responses from both Google and Apple on user tracking practices.

Yes, other browsers will track your behavior, but the extent will be reduced when using an open-source browser without an advertising agenda. Those who may be interested in using an open-source browser, but prefer the look and feel of Google Chrome, may want to experiment with the Chromium browser. Chromium is the open-source project behind Chrome and Opera, and functions almost identically to both—save for all the Google modifications.

Block ads on Android

After having used an ad-blocking browser on mobile, returning to an ad-laced mobile Internet is more than just a diminishment of the user experience—rather, it’s a downright dreadful experience.

The mobile landscape is already limited in size by its design, yet publishers and website owners feel it necessary to inundate the screen with irrelevant content and banner ads. This renders the content from the main site barely viewable and forces many users to fumble through troublesome mechanisms simply to read an article.

Some may contend that it’s best to not click on the ads, but a better approach may simply be to get rid of the ads altogether. This will not only declutter the screen and remove the undesirable content, but also improve page response times and lessen the attack surface against devices.

As we’ve seen throughout this write-up, browser extensions have been key to a successful ad blocking experience—and mobile is no different.

All of the tools covered in this post are available on mobile devices. But due to restrictions in Google Chrome on Android, users of that browser will be unable to set up the necessary configurations.

Thus, users who wish to block ads on their Android device will be forced to look to other browsers to accomplish the goal.

One simple solution that even dear old Mom will be able to use is the Adblock Plus browser. This Firefox-based browser is built by the same team that produces the Adblock Plus extension and incorporates all of the blocking capabilities in a pre-packaged browser that is configured for a modest ad blocking experience.

Users wanting more control over the various elements and frames may wish to consider the jump over to Mozilla where all of the plugins and configurations that were discussed in this write-up can be used to block the ads and declutter the screen. Those who opt for the change will see that dreadful mobile experience replaced with an ad-free view of how the page was originally intended to appear.

Mobile browser plugins perform exactly like their desktop counterparts, and will sufficiently block advertisements, trackers, and scripts from your mobile devices. Blocking the content not only improves the mobile web experience, but also helps to conserve battery life, decreases data-usage and the response times of websites, and reduces the attack surface for online threats.

But with the abundance of mobile devices, setting up policies on individual devices may not be the most efficient way to block advertisements. If there are a number of devices under your control, what would be the most efficient manner to block ads across them? For this, the final tool on our list will fill the void.


Administrators of small businesses or moderate home networks who wish to engage in ad blocking practices without the concern of operating systems, browsers, and plugins may wish to implement a free and (moderately) simple network-based solution. For that need, we have Pi-hole.

Pi-hole is a Linux-based, network-level advertising and tracker blocker that acts as a DNS sinkhole for blacklisted domains. This means that advertisements and trackers are blocked before making it into the network. This allows Pi-hole to block ads on not just computers and cell phones, but also smart TVs, third-party apps, and even streaming video services.

Like the other tools we’ve covered, Pi-hole uses filter lists to block undesirable content. The Pi-hole filter list is compiled from various third-party sources into a single list. As such, there will be overlap between the lists used between Pi-hole and other ad blockers like uBlock Origin and Adblock Plus.
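To make the sinkhole idea concrete, here is an added example (not Pi-hole’s own code) of what a DNS sinkhole does with a merged filter list: it combines hosts-format and plain-domain lists from several sources into one de-duplicated set, honors a whitelist, and for each query either answers with a sinkhole address or hands the name to the upstream resolver. The list contents, the whitelist entry and the query names are all constructed for this example; the `Sinkhole` class and `build_gravity` helper are illustrative names, not Pi-hole APIs.

```python
"""Added example: the decision logic at the core of a DNS sinkhole.

Merges blocklists from several (constructed) sources into one de-duplicated
set, applies a whitelist, and decides per query whether to return a sinkhole
address or forward the query upstream. Also keeps the blocked/total counters
a dashboard would report as "percent blocked".
"""
from typing import Dict, Iterable, Optional, Set

SINKHOLE_ADDR = "0.0.0.0"  # answer handed back for blocked names

# Constructed blocklists in the two formats such lists commonly use.
SOURCE_A = """
# hosts-format list (constructed)
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test   # inline comment
127.0.0.1 cdn-ads.example.test
"""
SOURCE_B = """
# plain domain list (constructed); note the overlap with SOURCE_A
ads.example.test
metrics.example.test
"""
# Constructed whitelist: a domain on a list that we nevertheless want to allow.
WHITELIST = {"cdn-ads.example.test"}


def parse_list(text: str) -> Set[str]:
    """Accept both 'IP domain' hosts lines and bare-domain lines; ignore comments."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) >= 2 else parts[0]  # hosts line vs bare domain
        name = name.lower().rstrip(".")
        if name not in ("localhost", "localhost.localdomain", "broadcasthost"):
            domains.add(name)
    return domains


def build_gravity(sources: Iterable[str]) -> Set[str]:
    """Union of all sources; overlapping entries collapse into one."""
    merged: Set[str] = set()
    for src in sources:
        merged |= parse_list(src)
    return merged


class Sinkhole:
    """Resolver front-end: blocked names get SINKHOLE_ADDR, others are forwarded."""

    def __init__(self, blocked: Set[str], whitelist: Set[str]):
        self.blocked = blocked
        self.whitelist = {w.lower().rstrip(".") for w in whitelist}
        self.total = 0
        self.blocked_count = 0

    def is_blocked(self, qname: str) -> bool:
        """A name is blocked if it, or any parent domain of it, is on the list,
        unless the exact name is whitelisted."""
        name = qname.lower().rstrip(".")
        if name in self.whitelist:
            return False
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def resolve(self, qname: str) -> Optional[str]:
        """Return the sinkhole address for blocked names; None means 'forward upstream'."""
        self.total += 1
        if self.is_blocked(qname):
            self.blocked_count += 1
            return SINKHOLE_ADDR
        return None

    def stats(self) -> Dict[str, float]:
        """Counters of the kind a blocking dashboard reports."""
        pct = 100.0 * self.blocked_count / self.total if self.total else 0.0
        return {"queries": self.total, "blocked": self.blocked_count,
                "percent_blocked": round(pct, 1)}


if __name__ == "__main__":
    hole = Sinkhole(build_gravity([SOURCE_A, SOURCE_B]), WHITELIST)
    for q in ("ads.example.test", "sub.tracker.example.test",
              "cdn-ads.example.test", "www.example.test"):
        print(f"{q:28} -> {hole.resolve(q) or 'forward upstream'}")
    print(hole.stats())
```

Two design points worth noting: the whitelist is checked at query time rather than subtracted from the merged list, so an allowed name still wins even when a parent domain is blocked; and parent-domain matching is what makes a single list entry cover every subdomain a tracker rotates through.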

Pi-hole has been designed to work seamlessly on single board computers, such as Raspberry Pi, but can just as easily function on other Linux machines or cloud-based implementations.

Although not all Pi-hole installations can be as pretty as the above setup, having a dedicated Linux machine to act as the DNS server will be a necessary requirement.

Set up

After having a device to configure Pi-hole, setup is easy and straightforward. The command to install Pi-hole is as simple as:

curl -sSL | bash

Privacy-conscious users may wish to consider using the Cloudflare DNS for the upstream DNS provider. This privacy-focused DNS provider offers a fast and reliable lookup (except for the time it wasn’t). The address is:

After configuring your router DHCP options to force clients to use Pi-hole as the primary DNS server, setup will be complete.

The web-based panel can then be accessed by typing http://pi.hole/admin in your browser. The panel will give overall statistics regarding the number of blocked ads, number of DNS queries, and percentages of blocked traffic. Custom whitelists and blacklists can be configured using the tabs on the left.


Now that it’s all set up, we can have a look to see how well Pi-hole blocks the content.

As you can see, Pi-hole does a good job of removing the ads from this page. None of the ads remain, and only a few web elements are left behind. Using the Block Element feature in uBlock Origin or Adblock Plus (not covered) will clear those unnecessary elements from the page.

And though Pi-hole works great to block ads at the network level and for all devices, users may still be required to configure a per-device ad blocking policy in order to protect laptops and mobile devices when not under the protection of the Pi-hole DNS sinkhole. Pain though this may be, Pi-hole makes an excellent addition to any ad blocking arsenal. The benefits of blocking ads throughout your environment and across streaming platforms outweigh the duplication efforts involved.

A final note

In preparation for this article, I spoke with a number of friends and colleagues regarding their ad blocking preferences. Despite the fact that we are all in security and all read and share the same information, few of us block (or view) online advertisements and trackers the same way.

What I’ve come to realize is ad blocking is often reflective of one’s personal experiences and perception of online threats. The level to which a person is willing to go to maintain personal security can depend on the level of tolerance and compromise that person is willing to extend in exchange for the belief that their activities are secure.

Case in point: Some colleagues block advertisements from third-party advertisers due to security concerns, but those same people may allow suggestions from their search provider on the notion that ads from reputable vendors don’t pose the same risk. Others may be adamant about blocking ads on their network as to not compromise proprietary information, but will tolerate ads on their mobile device as to not interfere with mobile browsing functionality.

A few take a hard-line approach and block as much as possible, which can render websites inoperable, while a majority are willing to compromise in exchange for a more user-friendly experience.

Though this article takes the position that all advertisements should be blocked, not everyone will agree. Some see the benefit in online advertising. Others may agree about blocking advertising content, but disagree with the methodology used in this post.

In a nutshell, there is no right or wrong way to block advertisements and trackers, and there seems to be little consensus regarding the most effective manner in which to do so.

Therefore, those wishing to configure an ad blocking policy within their environment will be encouraged to experiment with various products and methods to find what works best for their needs.

Block ads like a pro!

You’ve read this post and are hopefully coming away with the knowledge of why it’s important to block ads and the tools necessary to do so. But how should you set up your own network?

Of course, I can’t tell you that. You’ll have to come up with the system that best fits your needs, environment, and patience levels. But what I can tell you is how my personal setup is configured.

Desktop
  • Default Browser: Mozilla Firefox with ad blocking protections
  • Secondary Browser(s): Chromium / Internet Explorer without protections
  • Browser Extensions:
  • Adblock Plus: Adblock Warning Removal List, Facebook annoyances blocker, NoCoin Filter List
  • uBlock Origin: uBlock filters, uBlock filters – Badware risks, uBlock filters – Privacy, uBlock filters – Resource abuse, uBlock filters – Unbreak, EasyList, EasyPrivacy, Fanboy’s Enhanced Tracking List, Malware Domain List, Malware domains, Fanboy’s Annoyance List, Fanboy’s Anti-Third-party Social, Fanboy’s Cookiemonster List, Fanboy’s Social Blocking List, Peter Lowe’s Ad and tracking server list
  • NoScript
  • Privacy Badger (not covered)
  • Decentraleyes (not covered)

Mobile
  • Default Browser: Mozilla Firefox with ad blocking protections
  • Secondary Browser(s): Opera (currently, but this changes) no protections
  • Google Chrome: Rooted & Removed
  • Browser Extensions:
  • uBlock Origin: uBlock filters, uBlock filters – Badware risks, uBlock filters – Privacy, uBlock filters – Resource abuse, uBlock filters – Unbreak, Adguard Mobile Filters, EasyList, EasyPrivacy, Fanboy’s Enhanced Tracking List, Malware Domain List, Malware domains, Peter Lowe’s Ad and tracking server list
  • NoScript
  • Decentraleyes (not covered)
  • Though not in my current setup, Ghostery deserves a shout-out. Users might consider giving it a try also.

These tools help to maintain a relatively ad-free experience, limit my exposure to privacy-invading trackers and online threats, and along with well-defined personal filter lists, help keep my favorite websites running smoothly and efficiently. Taken together (and considering the nifty calculation provided by uBlock), I’d estimate that anywhere from 18 to 33 percent of total traffic is blocked due to unwanted or unapproved content.

This concludes our series, “Everybody and their mother is blocking ads, so why aren’t you?”. We hope you are coming away with a better understanding of how online advertisements pose a threat to your online security and how trackers can jeopardize your personal privacy. You should now have the knowledge of why it’s important to block advertisements on your devices, and the know-how to create a robust and successful ad-blocking policy within your network and for your devices. Most importantly, we hope we’ve given you the tools and the empowerment to take back control of your browsing experience and to block ads in your own environment—just like the pros.

 This post reflects the opinion of the writer, serving as a review of the tools available to block online advertisements. Malwarebytes has no affiliations with and does not endorse any of the companies or tools listed in this write-up. 

The post How to block ads like a pro appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What’s the real value—and danger—of smart assistants?

Wed, 07/18/2018 - 20:24

You’ve heard them called virtual assistants, digital personal assistants, voice assistants, or smart assistants. Operated by artificial intelligence, technologies such as Siri, Alexa, Google Assistant, and Cortana have become ubiquitous in our culture. But what exactly do they do? And how seriously should we take them? While all the tech giants want us to use their smart assistants all the time, what do they offer us in return? And how do we keep our information and conversations safe?

Each of these smart assistants is limited by the platform and the devices they are running on. I shouldn’t expect Amazon’s Echo to give me step-by-step directions to the nearest pizza place…or should I?

Here’s what you need to know about smart assistants and the real value (and danger) they provide.

Getting started

If you’re looking to purchase a smart assistant, it’s best to take a beat and think about what it is you really need from it. Do you want to be able to control appliances or other devices in your home at the sound of your voice? Do you want to be able to look up valuable information without having to reach for your phone or boot up your computer? Are you looking for some virtual company for yourself or your kids?

While all these virtual assistants have a wealth of information at their disposal, it requires some getting used to in order to make optimal use of their possibilities. In addition, they each have their specialties, so take a good hard look at which technology is the best fit for your needs. And while you are shopping around, do not ignore the security implications—both what’s possible today and what could come to pass.

Understanding voice commands

While smart assistants have come a long way since the early days of Siri, they all have a common flaw: a less-than-accurate reading of voice commands. When the smart assistant is unable to understand the voice command, its AI experiences a dilemma between being sure of the received instructions and the danger of annoying the owner by having to ask to repeat the question or instructions too many times. This brings with it the risk of the assistant misunderstanding the given instructions and taking unwanted actions as a result.

We have covered this subject before, focusing on some of the vulnerabilities that researchers were able to uncover in smart assistants’ voice commands. The possible consequences can range from slightly annoying mistakes to ridiculous behavior, such as sending a recorded conversation to all your contacts.

Improvements in voice command technology are being made each year, as more precise algorithms are created to better adapt to complex vocal signals. Machine learning is being credited with significantly improving voice recognition, but there’s a long way to go before smart assistants can hear and process requests with the accuracy of human beings.

Kids and smart assistants

Do you let your kids/grandchildren play with your phone? Notwithstanding the fact that at a certain age our grandchildren probably have a better understanding of the phone than we do, we must warn against unsupervised usage of smart devices by young children. This absolutely extends to smart assistants, which can be accessed by children alone in the house with a simple voice command.

Parental controls are available for most of these devices, and some smart assistants have even been developed specifically for kids and allow parents to easily access search history. Unlike phones and other screen devices, smart assistants are screen-less and encourage more human-like interactions. Experts are cautiously optimistic about the effects of smart assistants on children, but we hesitate to fully endorse the technology’s safety for kids, especially considering some of the security vulnerabilities inherent in the software, which we will cover below.

Read: Parenting in the Digital World: a review


Most of us, and I’m including myself here, love to show off what our latest gadgets can do. So we may be tempted, without thinking it through, to give control over our IoT devices to our smart assistants. Under normal circumstances, this shouldn’t be a problem—but circumstances are not always normal. Devices get lost, stolen, hacked into, and otherwise compromised by less-than-well-meaning individuals, which can be troublesome, to say the least, when they are in control of your domestic devices.

One such abnormal circumstance is a cybersecurity attack method that researchers have investigated called “dolphin attacks.” These are ultrasonic audio waves that are hard to hear for humans, but that the smart assistant would interpret as a command. To protect yourself from these types of attacks, you would have to turn the smart assistant off until you need it or introduce a confirmation protocol for certain commands, which would alert the human to the fact that the assistant has received a command of some sort. For convenience, the protocol could be set to work only in the case of sensitive operations. One could compare this to a 2FA for a certain subset of commands.

By using virtual assistants to do our online shopping, we also run the risk of these technologies and their parent companies learning facts about us that could be potentially sensitive, such as payment information and product ordering history. Consequently, this information is stored in the cloud, where security would be in the hands of the operator of the smart assistant or their cloud provider.

And with the growth of smart assistant usage, you can imagine this grows the interest of malware authors looking for associated vulnerabilities and bugs they can abuse for personal gain. In fact, the weaponization of IoT is just starting, but we expect it to grow quickly as there is little security in place to stop it.

Other concerns

Paying attention

Another important thing to keep in mind is that we humans are not as good at multitasking as we like to think. Even as your virtual assistant reads out your email to you, your brain gets distracted enough that you cannot properly perform tasks that require your full attention. You could end up either missing the point of the mail or spicing up your family dinner with something inedible.


Even though this study showed no conclusive results about apps listening in on our conversations, we should realize that by using voice-activated assistants, we have implicitly given them permission to eavesdrop on us. They are designed to pay attention and wait for an activation command. And how often do we realize this, and turn them off when we don’t want or need them to listen? (My guess would be close to never.) If we are honest with ourselves, we don’t think to do this—plus how inconvenient is it to constantly boot up a device every time you want to use it, especially one designed to interact seamlessly with your life? As a consequence, they are always on standby and therefore always listening.

At least it’s funny

On the bright side, we have been introduced to a whole new dimension of humor, thanks to the snarky writers behind smart assistants’ programmed responses.

  • We can let the virtual assistants talk to each other and see what develops.
  • We can introduce smart assistants as guest stars in comedy TV shows. Who remembers The Big Bang Theory’s Raj meeting Siri “in the flesh”?
  • We can even try to make them tell us jokes.

If the story develops to our liking, maybe in a few years we’ll only remember the fun parts—leaving the security woes behind us. But if it develops in much the same way as many new “smart” applications have over the last few years, it will be more like: We thought it was fun at the time.

Don’t become a victim of your smart assistant. Use the parts of it that give personal value to you and your quality of life, and tighten up security on parts you don’t need. Think about what information you trust your assistant with and who could be behind the scenes. And remember: just because it’s a new, fun technology doesn’t mean you have to have it.

The post What’s the real value—and danger—of smart assistants? appeared first on Malwarebytes Labs.


5 ways to find and fix open source vulnerabilities

Tue, 07/17/2018 - 15:00

Guest post by Limor Wainstein

A recent discovery of surreptitious execution of cryptomining code by a sandboxed app, riding piggyback on the open source software (OSS) ecosystem, raises pertinent questions about the security of open source code and its dependencies. Programmers often use OSS as a jump-off for creating their software—and that includes malware authors.

The rogue app, which was found to be mining cryptocurrency on customers’ machines on May 11, was delivered through snapstore, the new cross-distribution, sandboxed application ecosystem initiated and promoted by Canonical, the developers of Ubuntu. In follow-ups to that incident, Canonical said:

It’s impossible for a large-scale repository to only accept software after every individual file has been reviewed in detail. That’s true whether source code is available or not, as no institution can afford to review hundreds of thousands of incoming source code lines every single day.

As noted by Canonical, reviewing and analyzing open-source dependencies isn’t an easy task. But it’s an important one for programmers who want to make sure their software isn’t infiltrated by bad actors, whether that’s to mine cryptocurrency or to conduct even more nefarious business.

Why do you need to secure your open source libraries?

Developers rely heavily on open source software, and organizations are inclined to use free popular libraries. However, according to Barkly’s 2016 Cybersecurity Confidence Report, only 22 percent of organizations have a framework to regularly identify and analyze the various components their applications are built on. With the growth in use of open source code, the risk exposure expands as well.

New vulnerabilities are constantly being unearthed in different open source code and, worryingly, a number of projects have little or no mechanisms in place to identify and fix those problems. According to a recent Snyk survey of open source maintainers, 44 percent have never undergone a security audit of any kind, while only 17 percent can claim to have a high level of security know-how.

In addition, there is no standard operating procedure for documenting security on open source projects. Among the top 400,000 publicly available repositories on GitHub, only 2.4 percent have a form of security documentation in place.

Since an open source dependency might be heavily deployed in a number of web applications, a bug or vulnerability will open up all of those projects to security risks. To improve the security of your open-source components, we recommend the following five best practices for reviewing dependencies, finding vulnerabilities, and patching those vulnerable open-source components once found.

1. Set strict security rules and standards before using a dependency

A good way to improve the security of your open source components is to build and enforce policies that require the developers using them to prove that they do not have any known vulnerabilities.

A lot of developers are largely still unaware of the risks posed by different open source components. It is of utmost importance to help them understand that vulnerabilities brought from open source components into the application put the whole app at risk, if not the organization as a whole.

By creating and enforcing policies that either require the security team to approve of open source components, or require developers to prove the security of the tool, you automatically improve the security of your application—just by making developers aware of such risks.

2. Keep track of security updates for dependencies

Another crucial aspect to the security of open source components is to have an updated inventory of your organization’s open source libraries, both in development as well as in production. There are a fairly large number of organizations that do not have updated information on which open source components are currently under use in their applications. This poses a major security threat.

A lot of the popular proprietary applications contain indirect open source components that might not be in active development. Most of these open-source components remain unpatched and become insecure over time. This is usually because the developers spend their resources on securing and improving the in-house components. However, ignoring the security updates for your OSS components can open up loopholes that will go unnoticed.

A good place to begin rectifying this is by surveying the organization’s development teams on what open source components they use and the last time these were updated. This provides a window into assessing how up to date the development team is with open source component security, as well as a list of projects in use.

If your organization has the required infrastructure, you can also create a central repository of open source components where security updates and licenses can be managed. Similar to any other security process, managing an open source component is not a one-time effort. It is a continuous process for as long as the app is in deployment. Review, rinse, and repeat.

By ensuring that your policies on open source libraries are being followed, by monitoring how these are being used, and by managing your inventory, your overall application security program should stand in good stead.

3. Test your components and dependencies

Probably the surest method of improving and ensuring the security of your open source code, and in the process your overall application, is to test the security of open source components being used within your organization once they’ve been identified.

Analyzing open source code is as important as analyzing proprietary code. This is not only because the code could hold unknown security vulnerabilities, but also because its dependencies and functions may differ between different use cases. This could mean that a component may be secure in one application, but found to be insecure when used in a different application. In cases like this, only testing and code review can identify these issues.

4. Build in-house tools instead of unsupported (expired) libraries

For expired libraries, or libraries that no longer have active developer maintenance systems, it is better to build your own in-house tools that you can use to actively check for and fix vulnerabilities. Though the initial cost and time spent might deter some organizations and development teams, in the long run, the functionality of an in-house tool can be an asset to developers.

You can also consider giving your in-house effort back to the community, making the open-source ecosystem stronger. This will encourage more developers to submit patches and revisions and therefore improve the overall security of the library. Apart from that, you will earn the respect of open source developers, which will help you grow as an individual and a business. For instance, over the last couple years, Microsoft has released tons of libraries under an open-source license that have helped them earn the trust of OSS developers and users.

5. Use security tools to check for security vulnerabilities

A number of different open source and commercial tools have been developed over the years to tackle the problem of identifying security vulnerabilities in open source components. Each tool or service tackles the problem a little differently.

Node Security Project (NSP)

The NSP is known largely for its work on Node.js modules and npm dependencies. The latest version of npm integrates NSP to implement the npm audit command. It checks for any known vulnerabilities in your node modules and related dependencies, and offers support for patching those vulnerabilities.


RetireJS is an open source dependency checker specific to JavaScript. Its unique selling proposition (USP) is its ease of use. RetireJS contains multiple components, including a command line scanner, as well as plugins for Chrome, Firefox, Grunt, Gulp, ZAP, and Burp.


OSSIndex is a tool that supports several different technologies. It effectively covers the JavaScript, .NET/C#, and Java ecosystems. It also offers a free vulnerability API.


Dependency-check supports Java, .NET, and JavaScript, as well as Ruby. It pulls its vulnerability information from the NIST NVD.
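The inventory work of section 2 and the dependency checks these tools perform come down to the same two steps: enumerate every package actually installed (direct and indirect) with its exact version, and match each one against advisories that name a package and an affected version range. The following is an added example written for this post, not code from npm audit, RetireJS, OSSIndex or Dependency-check; it walks a constructed npm-style lockfile, including nested (indirect) packages, and compares versions against a small constructed advisory list. The package names, versions and advisory ids are placeholders invented for the example, and the range grammar (space-separated comparators ANDed, `||` for OR) is an assumption modelled on semver ranges.

```python
"""Added example: a minimal lockfile audit.

Walks an npm-style package-lock.json "dependencies" tree (direct and nested,
i.e. indirect, packages), builds a flat inventory, and matches each package
version against a small advisory list with semver-style ranges. The lockfile
and the advisories are constructed; advisory ids are placeholders, not real
CVE or GHSA identifiers.
"""
import json
import operator
import re
from typing import Dict, Iterator, List, Tuple

# Constructed lockfile (npm v1 lockfile-style nesting).
LOCKFILE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "left-util": {
      "version": "1.1.9",
      "dependencies": {
        "tiny-parser": {"version": "2.3.0"}
      }
    },
    "web-framework": {"version": "4.17.1"},
    "tiny-parser": {"version": "3.0.2"}
  }
}
"""

# Constructed advisories; ids are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "left-util",
     "vulnerable": "<1.2.0", "patched": "1.2.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "tiny-parser",
     "vulnerable": ">=2.0.0 <2.4.1 || <1.9.3", "patched": "2.4.1"},
]

_CMP = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (pre-release tags ignored)."""
    m = _VER_RE.match(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies spec: comparators separated by spaces are
    ANDed, '||' separates alternative groups (assumed semver-like grammar)."""
    v = parse_version(version)
    for clause in spec.split("||"):
        ok = True
        for comp in clause.split():
            m = re.match(r"^(<=|>=|<|>|=)?(.+)$", comp)
            op = m.group(1) or "="
            if not _CMP[op](v, parse_version(m.group(2))):
                ok = False
                break
        if ok:
            return True
    return False


def walk(tree: Dict, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Yield (name, version, path) for every package, descending into nested ones."""
    for name, meta in tree.get("dependencies", {}).items():
        here = path + (name,)
        yield name, meta["version"], here
        yield from walk(meta, here)


def inventory(lock_json: str) -> List[Tuple[str, str, str]]:
    """Flat inventory as (name, version, 'a > b' path); indirect packages show a longer path."""
    return [(n, v, " > ".join(p)) for n, v, p in walk(json.loads(lock_json))]


def audit(lock_json: str, advisories=ADVISORIES) -> List[Dict[str, str]]:
    """Match every inventoried package against the advisory list."""
    findings = []
    for name, version, path in inventory(lock_json):
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["vulnerable"]):
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "path": path, "patched": adv["patched"]})
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE_JSON):
        print(f"{f['id']}: {f['package']}@{f['version']} via {f['path']} "
              f"-> upgrade to {f['patched']}")
```

Running it flags the direct `left-util` package and the copy of `tiny-parser` nested under it, while the top-level `tiny-parser` 3.0.2 is outside both affected ranges. The path column is the point of section 2: the vulnerable copy is the one you would never see by reading your own package.json, which is why the inventory has to come from the lockfile rather than from the declared dependencies.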

Commercial tools

Apart from the free tools, there are a few commercial tools that you can use to help find vulnerabilities in your open-source code. The popular ones include:

  • Hakiri: a commercial tool that provides dependency checks for Ruby and Rails-based GitHub projects via static code analysis
  • Snyk: a commercial service focusing on JavaScript npm dependencies
  • WhiteSource: currently supports Ruby, NPM, PHP, Python, and Bower
  • SRC:CLR: Source Clear comes with many plugins for several IDEs, deployment systems, and source repositories, as well as a command-line interface

Open-source components are generally safe when there are a large number of people reviewing the code. However, making the source code available or having many users look at the source code doesn’t guarantee that all the security issues have been found and fixed. That’s why it’s important to integrate industry standard security policies into your application.

In this post, we’ve covered some of the best possible ways to secure your open source components against vulnerabilities and other security exploits. So, what are your thoughts on securing open source components? Share them in the comments below.

Limor Wainstein is a technical writer and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets. She has over 10 years’ experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides. 

The post 5 ways to find and fix open source vulnerabilities appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cybercrime tactics & techniques Q2 2018

Tue, 07/17/2018 - 12:05

A generally slow quarter reflects an overall lull in cybercrime, picking up where Q1 left off with cryptominers continuing to dominate, ransomware continuing to evolve through experimentation, and exploits making a small but significant comeback.

In nearly every malware category for both business and consumer detections, we saw a decrease in volume, corroborating our general “Dang, it’s been a little too quiet in here” sentiments since starting the new year. Our relative malaise was punctuated, however, with some interesting developments moving from Q1 to Q2. What threat actors lacked in quantity they made up for in quality.

Malwarebytes’ top two consumer detections continue to be adware and cryptomining, respectively, while miners took over the number one spot for business detections in Q2. Spyware, which had a strong Q1 for business, dipped down by 40 percent to number five, while banking Trojans held steady in the number two position, despite dropping in detections by nearly 50 percent. Meanwhile, backdoors shot up on both the consumer and business side, with consumer detections increasing by 442 percent.

New developments in ransomware and cryptomining drove the market, as Q2 attacks generally showed more sophistication than their Q1 counterparts. The introduction of complex VPNFilter malware, which dropped multi-stage attacks on hundreds of thousands of unsuspecting small office and consumer users, shook the sleepy cybersecurity industry awake. While 2017 outbreaks such as WannaCry and NotPetya have been as yet unmatched in terms of distribution volume and impact, VPNFilter, SamSam, and other such complicated campaigns show that 2018 may just be the year of higher-level, targeted attacks.

So how did we draw these conclusions? As we’ve done for the last several quarterly reports, we combined intel and statistics gathered from April through June 2018 from our Intelligence, Research, and Data Science teams with telemetry from both our consumer and business products, which are deployed on millions of machines. Here’s what we learned about cybercrime in the second quarter of 2018.

  • Cryptomining still hot, but starting to decline
  • GandCrab the king ransomware variant
  • Adware up 19% over last quarter for consumers
  • VPNFilter debuts with over 500,000 detections
  • Exploits on the rise
  • Scammers increasingly targeting PII (Personally Identifiable Information)

To read more about the above, as well as get a detailed look at detection statistics and predictions for next quarter, download the:

Cybercrime Tactics & Techniques Report for Q2 2018

The post Cybercrime tactics & techniques Q2 2018 appeared first on Malwarebytes Labs.


Magniber ransomware improves, expands within Asia

Mon, 07/16/2018 - 17:00

This blog post was authored by @hasherezade and Jérôme Segura.

The Magnitude exploit kit is one of the longest-serving browser exploitation toolkits among those still in use. After its inception in 2013, it enjoyed worldwide distribution with a liking for ransomware. Eventually, it became a private operation that had a narrow geographic focus.

During 2017, Magnitude delivered Cerber ransomware via a filtering gate known as Magnigate, only to a select few Asian countries. In October 2017, the exploit kit operator began to distribute its own breed of ransomware, Magniber. That change came with an interesting twist—the malware authors went to great lengths to limit infections to South Korea. In addition to traffic filtering via country-specific malvertising chains, Magniber would only install if a specific country code was returned, otherwise it would delete itself.

In April 2018, Magnitude unexpectedly started pushing the ever-growing GandCrab ransomware, shortly after having adopted a fresh Flash zero-day (CVE-2018-4878). What may have been a test campaign did not last long, and shortly after, Magniber was back again. In our recent captures of Magnitude, we now see the latest Internet Explorer exploit (CVE-2018-8174) being used primarily, which it integrated after a week-long traffic interruption.

In this post, we take a look at some notable changes with Magniber. Its source code is now more refined, leveraging various obfuscation techniques and no longer dependent on a Command and Control server or hardcoded key for its encryption routine. In addition, while Magniber previously only targeted South Korea, it has now expanded its reach to other Asia Pacific countries.

Extracting the payload

There are several stages before the final payload is downloaded and executed. After Magnigate’s 302 redirection (Step 1), we see a Base64 obfuscated JavaScript (Step 2) used to launch Magnitude’s landing page, along with a Base64 encoded VBScript. (Both original versions of the scripts are available at the end of this post in the IOCs.) After CVE-2018-8174’s exploitation, the XOR-encrypted Magniber is retrieved.

Figure 1. Traffic view of a Magniber infection, via Magnigate redirection and Magnitude EK

Figure 2. Decoded JavaScript shows redirection to Magnitude’s landing page

Figure 3. VBScript code snippet showing part of CVE-2018-8174

Once exploitation of the Use After Free vulnerability in Internet Explorer (CVE-2018-8174) is successful, the VBScript will execute the following shellcode:

Figure 4. Byte array (shellcode)

Functionality-wise, this shellcode is a simple downloader. It downloads the obfuscated payload, decodes it by XOR with a key, and then deploys it:

Figure 5. Downloading the final payload via the InternetOpenUrlW API

The downloaded payload (72fce87a976667a8c09ed844564adc75) is, however, still not the Magniber core, but a next stage loader. This loader unpacks the Magniber’s core DLL (19599cad1bbca18ac6473e64710443b7) and injects it into a process.

Both elements, the loader and the Magniber core, are DLLs with a reflective loader stub; they load themselves into the current process using the reflective DLL injection technique.

Behavioral analysis

The actions performed by Magniber haven’t changed much; it encrypts files and at the end drops a ransom note named README.txt.

Figure 6. Ransom note left on the infected machine

The given links lead to an onion page that is unique per victim and similar to many other ransomware pages:

Figure 7. Magniber’s payment page

The files encrypted by this version of Magniber can be identified by their extension: .dyaaghemy. While in the past each file was encrypted with the same AES key, this time each file is encrypted with a unique key—the same plaintext gives a different ciphertext. No patterns are visible in the encrypted content, which suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode). Below you can see a BMP file before and after being encrypted by Magniber:

Figure 8. Visualizing a file before and after encryption

Code changes

Magniber is constantly evolving with big portions of its code fully rewritten over time. Below you can see a code comparison between the current Magniber DLL and an earlier version (8a0244eedee8a26139bea287a7e419d9), created with the help of BinDiff:

Figure 9. Comparing an older Magniber with the newer one


The authors put a lot of effort into improving obfuscation. The first version we described was not obfuscated at all. The current one, in contrast, is obfuscated using a few different techniques. First of all, API functions are now dynamically retrieved by their checksums. For example:

Figure 10. Calling API functions via checksum

Comparing the new and the old version, we can see some overlapping fragments of code:

Figure 11. Old version with normal import calls vs. new version with dynamically retrieved functions

The function pointer is retrieved by searching through the export tables of the DLLs that are currently loaded. This technique requires the DLL from which the function is retrieved to be already loaded. This function-retrieval algorithm was added to Magniber a few months ago; it appears, for example, in the sample 60af42293d2dbd0cc8bf1a008e06f394.

In addition, some of the parameters for the calls are dynamically calculated and junk code is added in between the operations. A string that is supposed to be loaded is scattered through several variables.

Figure 12. Adding junk code to make analysis more tricky

File encryption

We can also observe some changes at the functionality level. The early versions relied on an AES key downloaded from the CnC server (and, if it was not available, fell back to a hardcoded key, which made decryption trivial in that case). This time, Magniber comes with the attackers’ public RSA key, which makes it fully independent of any Internet connection during the encryption process. This key is used for protecting the unique AES keys used to encrypt files.

The attacker’s RSA key is hardcoded in the sample in obfuscated form. This is how it looks after deobfuscation:

Figure 13. Deobfuscated RSA key

Each time a new file is going to be encrypted, two 16-byte long strings are generated. One will be used as an AES key, and another as an initialization vector (IV). Below you can see the fragment of code responsible for generating those pseudo-random strings.

Figure 14. Generating pseudo-random strings

What is interesting is what they use as the random generator—a weak source of randomness may create a vulnerability. We can see that under the hood GetTickCount is called:

Figure 15. Random generator using GetTickCount

The full reconstruction of the code generating the key and IV is available in the following snippet:

Before the ransomware proceeds to encrypt the file, the RSA key is imported and used to encrypt the generated data (key+IV):

Figure 16. RSA key import right before file encryption begins

It produces an encrypted block of 256 bytes that is passed to the encrypting function and later appended at the end of the encrypted file. Apart from those changes, files are encrypted similarly to before, with the help of Windows’ Crypto API.

Figure 16. Setting the AES key and initialization vector

Figure 17. Encrypting and writing to a file

Geographic expansion

In early July, we noted exploit attempts happening outside of the typical area we had become used to, for instance in Malaysia. At about the same time, a tweet from MalwareHunterTeam mentioned infections in Taiwan and Hong Kong.

Following the changes in the distribution scope, the code of Magniber was updated to whitelist more languages. The list has now expanded to other Asian languages, such as Chinese (Macau, China, Singapore) and Malay (Malaysia, Brunei).

Figure 17. Expanded language checks

Continuing evolution

While Magniber was not impressive at first, having simple code and no obfuscation, it is actively developed and its quality continuously improves. Its authors appear professional, even though they commit some mistakes.

This ransomware operation is carried out with surgical precision, from careful distribution to a matching whitelist of languages. The criminals know exactly which countries they want to target, and they put in the effort to minimize noise and reduce collateral damage.

Malwarebytes users are protected against this threat thanks to our anti-exploit module, which blocks Magnitude EK’s attempt to exploit CVE-2018-8174 (VBScript engine vulnerability):

Thanks to David Ledbetter for his help with deobfuscating the VBScript.

Indicators of compromise (IOCs)

  • 178.32.62[.]130, bluehuge[.]expert: Magnigate (Step 1)
  • 94.23.165[.]192, 69a5010hbjdd722q.feedrun[.]online: Magnigate (Step 2)
  • 92.222.121[.]30, 08taw3c6143ce.nexthas[.]rocks: Magnitude EK (Landing Page)
  • 149.202.112[.]72: Magniber

Code snippets

Magniber (original)


Magniber (core DLL)


The post Magniber ransomware improves, expands within Asia appeared first on Malwarebytes Labs.


A week in security (July 9 – July 15)

Mon, 07/16/2018 - 15:00

Last week, we talked about domestic abuse fuelled by IoT, doing threat intel programs right, blocking ICO fraud, and man-in-the-middle attacks. We also explained why we block shady ad blockers and provided tips to online shoppers for Prime Day.

Other news:

Stay safe, everyone!

The post A week in security (July 9 – July 15) appeared first on Malwarebytes Labs.
