News from the Lab Archive : January 2004 to September 2015
The original antivirus blog.
Scammers, fraudsters, and phishers take advantage of every season. But the holiday shopping season - which includes Black Friday, Cyber Monday, and Christmas - may be their favorite. As retailers rush to capitalize on what is generally their most profitable time of year, they will generally flood email boxes with great offers that are often time sensitive and may even seem too-good-to-be-true. Meanwhile, consumers also feel the urgency to get their shopping done, along with the stresses of work and family. Add in the financial pressure of an inflationary economy and the likelihood of making a quick mistake keeps increasing. Read on for some simple yet effective ways to ruin the scammers' fun as you celebrate the season of giving.
Posted by Sean @ 12:52 GMT Our "construction project" is progressing nicely. And it should resolve this… Fix mobile usability issues? Translation: your site doesn't help us sell more Android phones and ads. But whatever, the "issues" should be fixed soon enough. On 18/08/15 At 12:52 PM
Posted by Sean @ 13:25 GMT Regular readers will have noticed it's been slow here of late. Under Construction We're finally undertaking an upgrade from Greymatter 1.7.3. This may be the world's oldest Greymatter blog… that will now change. More info coming soon. In the meantime, you can still catch us on Twitter. On 13/08/15 At 01:25 PM
Posted by Sean @ 09:53 GMT Ask, and sometimes, you shall receive. Last Friday, we wrote about call center scammers targeting iOS. And today, Apple released a new (beta) feature that should help. Apple released iOS 9 Public Beta 2: And it appears that one of Safari's new features allows people to block fraud-focused JavaScript. We tested a scam-site and after a few attempts to dismiss the JavaScript dialog, Safari included a prompt to "Block Alerts". We were then easily able to close the page. Kudos Apple! Looking forward to seeing this in iOS 9's general release. Big hat tip to Rosyna Keller. On 23/07/15 At 09:53 AM
Posted by Artturi @ 11:59 GMT

Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or "solutions" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux support added with the cross-platform SeaDuke malware

Last week, both Symantec and Palo Alto Networks published research on SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group. While older malware by the Duke group has always been written with a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or pyinstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect that the Duke group is also using the same SeaDuke Python code to target Linux victims. This is the first time we have seen the Duke group employ malware to target Linux platforms.

An example of the cross-platform support found in SeaDuke.
A new set of solutions with the CloudDuke malware toolset

Last week, we also saw Palo Alto Networks and Kaspersky Labs publish research on malware components they respectively called MiniDionis and CloudLook. MiniDionis and CloudLook are both components of a larger malware toolset we call CloudDuke. This toolset consists of malware components that provide varying functionality while partially relying on a shared code framework and always using the same loader. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as "solutions" with names such as "DropperSolution", "BastionSolution" and "OneDriveSolution". A list of PDB strings we have observed is below:

- C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb
- c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb
- c:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb
- c:\OneDriveSolution\Shells\Projects\OneDrive2\OneDrive\obj\x64\Release\OneDrive.pdb

The first of the CloudDuke components we have observed is a downloader internally called "DropperSolution". The purpose of the downloader is to download and execute additional malware on the victim's system. In most observed cases, the downloader will attempt to connect to a compromised website to download an encrypted malicious payload which the downloader will decrypt and execute. Depending on the way the downloader has been configured, in some cases it may first attempt to log in to Microsoft's cloud storage service OneDrive and retrieve the payload from there. If no payload is available from OneDrive, the downloader will revert to the previously mentioned method of downloading from compromised websites.

We have also observed two distinct trojan components in the CloudDuke toolset. The first of these, internally called "BastionSolution", is the trojan that Palo Alto Networks described in their research into "MiniDionis".
Interestingly, BastionSolution appears to functionally be an exact copy of SeaDuke with the only real difference being the choice of programming language. BastionSolution also makes significant use of a code framework that is apparently internally called "Z". This framework provides classes for functionality such as encryption, compression, randomization and network communications.

A list of classes in the BastionSolution trojan, including multiple classes from the "Z" framework.

Classes from the same "Z" framework, such as the encryption and randomization classes, are also used by the second trojan component of the CloudDuke toolset. This second component, internally called "OneDriveSolution", is especially interesting because it relies on Microsoft's cloud storage service OneDrive as its command and control channel. To achieve this, OneDriveSolution will attempt to log into OneDrive with a preconfigured username and password. If successful, OneDriveSolution will then proceed to copy data from the victim's computer to the OneDrive account. It will also search the OneDrive account for files containing commands for the malware to execute.

A list of classes in the OneDriveSolution trojan, including multiple classes from the "Z" framework.

All of the CloudDuke "solutions" use the same loader, a piece of code whose primary purpose is to decrypt the embedded, encrypted solution, load it in memory and execute it. The Duke group has often employed loaders for their malware but unlike the previous loaders they have used, the CloudDuke loader is much more versatile with support for multiple methods of loading and executing the final payload as well as the ability to write to disk and execute additional malware components.

CloudDuke spear-phishing campaigns and similarities with CozyDuke

CloudDuke has recently been spread via spear-phishing emails with targets reportedly including organizations such as the US Department of Defense.
These spear-phishing emails have contained links to compromised websites hosting zip archives that contain CloudDuke-laden executables. In most cases, executing these executables will have resulted in two additional files being written to the victim's hard disk. The first of these files has been a decoy, such as an audio file or a PDF file, while the second one has been a CloudDuke loader embedding a CloudDuke downloader, the so-called "DropperSolution". In these cases, the victim has been presented with the decoy file while in the background the downloader has proceeded to download and execute one of the CloudDuke trojans, "OneDriveSolution" or "BastionSolution".

Example of one of the decoy documents employed in the CloudDuke spear-phishing campaigns. It has apparently been copied by the attackers from here.

Interestingly, however, some of the other CloudDuke spear-phishing campaigns we have observed this July have borne a striking resemblance to CozyDuke spear-phishing campaigns seen almost exactly a year ago, in the beginning of July 2014. In both spear-phishing campaigns, the decoy document has been the exact same PDF file, a "US letter fax test page" (28d29c702fdf3c16f27b33f3e32687dd82185e8b). Similarly, the URLs hosting the malicious files have, in both campaigns, purported to be related to eFaxes. It is also interesting to note that in the case of the CozyDuke-inspired CloudDuke spear-phishing campaign, the downloading and execution of the malicious archive linked to in the emails has not resulted in the execution of the CloudDuke downloader but in the execution of the "BastionSolution" component, thereby skipping one step from the process described for the other CloudDuke spear-phishing campaigns.

The "US letter fax test page" decoy employed in both CloudDuke and CozyDuke spear-phishing campaigns.
Increasingly using cloud services to evade detection

CloudDuke is not the first time we have observed the Duke group use cloud services in general and Microsoft OneDrive specifically as part of their operations. Earlier this spring we released research on CozyDuke where we mentioned observing CozyDuke sometimes either directly use a OneDrive account to exfiltrate stolen data or alternatively CozyDuke downloading Visual Basic scripts that would copy stolen files to a OneDrive account and sometimes even retrieve files containing additional commands from the same OneDrive account. In these previous cases the Duke group has only used OneDrive as a secondary communication channel but still relied on more traditional C&C channels for most of their actions. It is therefore interesting to note that CloudDuke actually enables the Duke group to rely solely on OneDrive for every step of their operation, from downloading the actual trojan, passing commands to the trojan and finally exfiltrating stolen data.

By relying solely on 3rd party web services, such as OneDrive, as their command and control channel, we believe the Duke group is trying to better evade detection. Large amounts of data being transferred from an organization's network to an unknown web server easily raises suspicions. However, data being transferred to a popular cloud storage service is normal. What better way for an attacker to surreptitiously transfer large amounts of stolen data than the same way people are transferring that same data every day for legitimate reasons. (Coincidentally, the implications of 3rd party web services being used as command and control channels are also the subject of an upcoming talk at the VirusBulletin 2015 conference).

Directing limited resources towards evading detection and staying ahead of defenders

Developing even a single multipurpose malware toolset, never mind many, requires time and resources.
Therefore it seems logical to attempt to reuse code such as supporting frameworks between different toolsets. The Duke group, however, appear to have taken this a step further with SeaDuke and the CloudDuke component BastionSolution, by rewriting the same code in multiple programming languages. This has the obvious benefit of saving time and resources by providing two malware toolsets that, while similar on the inside, appear completely different on the outside. This way, the discovery of one toolset does not immediately lead to the discovery of the second toolset.

The Duke group, long suspected of ties to the Russian state, have been running their espionage operation for an unusually long time and - especially lately - with unusual brazenness. These latest CloudDuke and SeaDuke campaigns appear to be a clear sign that the Dukes are not planning to stop any time soon.

Research and post by Artturi (@lehtior2)

F-Secure detects CloudDuke as Trojan:W32/CloudDuke.B and Trojan:W64/CloudDuke.B

Samples:

Compromised servers used for command and control:

Compromised websites used to host CloudDuke:
On 22/07/15 At 11:59 AM
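The post's point about OneDrive is that exfiltration to a popular cloud service blends in with legitimate traffic. One defensive angle that still works is volume: a single host pushing far more to the service than its peers. The following is an added example, not code from the original post or from F-Secure; the proxy-log format, the sample lines, the watched domains and the thresholds are all constructed for it.

```python
"""
Added example: flag hosts uploading unusually large volumes to consumer
cloud-storage domains, the exfiltration pattern described for CloudDuke's
OneDriveSolution. Log format, sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed log format: "<timestamp> <source_host> <method> <dest_host> <bytes_out> <bytes_in>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<out>\d+) (?P<in>\d+)$"
)

# OneDrive is the service named in the post; extend this tuple for other services.
CLOUD_STORAGE_DOMAINS = ("onedrive.live.com", "storage.live.com", "1drv.ms")

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["out"] = int(rec["out"])
    rec["in"] = int(rec["in"])
    return rec

def is_cloud_storage(host):
    """True for a watched domain or any subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def upload_bytes_per_host(lines):
    """Sum bytes sent in PUT/POST requests to cloud-storage domains, per source host."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("PUT", "POST"):
            continue
        if is_cloud_storage(rec["host"]):
            totals[rec["src"]] += rec["out"]
    return dict(totals)

def flag_outliers(totals, factor=10, min_bytes=50_000_000):
    """Flag hosts above an absolute floor and far above the median of their peers.

    A same-day median is a crude baseline; in practice compare each host against
    its own history so that one busy day across the fleet does not hide an outlier.
    """
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(h for h, b in totals.items() if b >= min_bytes and b > factor * baseline)

def detect_exfil(log_text):
    """Run the whole pipeline over raw log text and return the hosts to review."""
    return flag_outliers(upload_bytes_per_host(log_text.strip().splitlines()))

# Constructed sample: three workstations syncing a few MB, one pushing ~900 MB.
SAMPLE_LOG = """\
2015-07-21T09:01:02Z ws-01 PUT onedrive.live.com 1200000 512
2015-07-21T09:05:11Z ws-01 GET onedrive.live.com 300 40000
2015-07-21T09:07:45Z ws-02 POST storage.live.com 3000000 640
2015-07-21T09:12:30Z ws-03 PUT onedrive.live.com 1000000 512
2015-07-21T09:15:00Z ws-07 PUT storage.live.com 450000000 512
2015-07-21T09:16:00Z ws-07 PUT storage.live.com 450000000 512
2015-07-21T09:18:00Z ws-07 POST intranet.example.local 90000000 512
2015-07-21T09:20:00Z ws-01 PUT onedrive.live.com 800000 512
"""

if __name__ == "__main__":
    print("hosts to review:", detect_exfil(SAMPLE_LOG))  # ['ws-07']
```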
Posted by Mikko @ 12:40 GMT VPRO (the Dutch public broadcasting organization) produced a 45-minute documentary about hacking and the trade of zero days. The documentary has now been released in English on YouTube. The documentary features Charlie Miller, Joshua Corman, Katie Moussouris, Ronald Prins, Dan Tentler, Eric Rabe (of Hacking Team), Felix Lindner, Rodrigo Branco, Ben Nagy, The Grugq, and many others. On 20/07/15 At 12:40 PM
Posted by Sean @ 10:15 GMT

The Telegraph published an article on Thursday about a scam targeting iOS users. Here's the gist: scammers are using JavaScript generated dialogs to display warnings of so-called "IOS Crash" reports prompting people to call for tech support. Near the end of the Telegraph's article, the following advice is offered: "To prevent the issue happening again, go to Settings -> Safari -> Block Pop-ups." Unfortunately, this advice is incorrect. And perhaps even more unfortunately, some security and tech pundits are now repeating the bad advice on numerous websites. How do we know the advice is wrong? Because we actually tested it…

First of all, this "IOS Crash Report" scam is a variation of the technical support scam, cases of which have been documented as early as 2008. In the past, cold-calls originated directly from call centers in India. But more recently, web-based lures are used to prompt potential victims into contacting the scammers. A Google Search returns several live scam sites with this text: "Due to a third party application in your phone, IOS is crashed."

Here's one of the sites as viewed with iOS Safari on an iPad:

Safari's "Fraudulent Website Warning" and "Block Pop-ups" features didn't prevent the page from loading. What looks like a pop-up on the image above is actually a JavaScript generated dialog. One which will continuously re-spawn itself and can be very difficult to dismiss. Turning off JavaScript in Safari is the quickest way to regain control. Unfortunately, leaving JavaScript disabled will significantly impact a large number of legitimate websites.

Here's the same site as viewed with Google Chrome for Windows:

Notice the additional text in the image above: prevent this page from creating additional dialogs. Current versions of Chrome and Firefox (for Windows, at least) will inject this option into re-spawning dialogs, allowing the user to break the loop. Sadly, Internet Explorer and Safari do not. (We tested with IE for Windows / Windows Phone, and iOS Safari.) Wouldn't it be great if all browsers supported this prevention feature? Yeah, we think so, too.

But it's not just browsers, apps with browser functionality can also be affected. Here's an example of a JavaScript dialog displayed via Cydia.

The end of the Telegraph's article included the following advice from City of London police: "Never give your iCloud username and password or your bank details to someone over the phone." Indeed! Giving somebody your iCloud password could quickly turn a support scam into a data hijacking and extortion scheme. We attempted to call several of the scammer telephone numbers to see if they would ask for our iCloud credentials — only to discover that the numbers we tried are currently not in service. Hopefully they stay that way. (They won't.)

On 17/07/15 At 10:15 AM
Posted by Patricia @ 12:29 GMT

After Hacking Team was compromised, a lot of information was publicly disclosed beginning 5th of July, particularly its business clients and a zero-day vulnerability for Adobe Flash Player that they had been using. Since the info about the first zero-day was made freely available, we knew attackers would swiftly move into using it. As expected, the Flash exploit was integrated into exploit kits such as Angler, Magnitude, Nuclear, Neutrino, Rig, and HanJuan, as reported by Kafeine. Based on our telemetry, there was a rise in Flash exploits beginning on the 6th that continued until the 9th. Here are the stats for each exploit kit:

The security advisory for the CVE-2015-5119 zero-day was released on 7th July and the patch was made available on the 8th. So the hits started to decline about two days after the patch. But just when people had started updating their systems, there was yet another spike from the Angler Flash exploit hits:

Apparently, two more Flash vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were discovered. These vulnerabilities are still waiting to be patched. According to Kafeine, one of the two vulnerabilities was added into the Angler exploit kit.

As a side note related to the Angler exploit kit, if you noticed in the second chart above, Angler and HanJuan share the same statistics. This was due to the fact that our detections for Angler Flash exploits were also hitting on HanJuan Flash exploits. We verified this after discovering that there was a different URL pattern being detected by Angler:

We looked at the Flash exploit used by both kits, and the two are very much identical.

Angler Flash Exploit:

HanJuan Flash Exploit:

There were already speculations that there seem to be strong connections between the actors behind the two exploit kits. For example, both have used "fileless" delivery of payload and even similar encryption methods. Perhaps at some point we will see HanJuan supporting this new Flash 0-day as well.

In the meantime, since there hasn't been a patch out yet for these new ones, our users remain protected from the effects of the exploit kits through Browsing Protection as well as these detections:

Exploit:SWF/AnglerEK.L
Exploit:SWF/NeutrinoEK.C
Exploit:SWF/NeutrinoEK.D
Exploit:SWF/NuclearEK.H
Exploit:SWF/NuclearEK.J
Exploit:SWF/Salama.H
Exploit:SWF/Salama.R
Exploit:JS/AnglerEK.D
Exploit:JS/NuclearEK.I
Exploit:JS/MagnitudeEK.A

UPDATE: Adobe has released patches for the recent two vulnerabilities: CVE-2015-5122 and CVE-2015-5123. Users are recommended to update to the latest version of Adobe Flash Player.

On 13/07/15 At 12:29 PM
Posted by FSLabs @ 02:31 GMT

When hackers get hacked, that's when secrets are uncovered. On July 5th, Italian-based surveillance technology company Hacking Team was hacked. The hackers released a 400GB torrent file with internal documents, source code, and emails to the public - including the company's client list of close to 60 customers. The list included countries such as Sudan, Kazakhstan and Saudi Arabia - despite official company denials of doing business with oppressive regimes.

The leaked documents strongly implied that in the South-East Asian region, government agencies from Singapore, Thailand and Malaysia had purchased their most advanced spyware, referred to as a Remote Control System (RCS). According to security researchers Citizen Lab, this spyware is extraordinarily intrusive, with the ability to turn on microphones and cameras on mobile devices, intercept Skype and instant messages, and use an anonymizer network of proxy servers to prevent harvested information from being traced back to the command and control servers.

Based on images of the client list posted to pastebin, the software was purchased in Malaysia by the Malaysia Anti-Corruption Commission (MACC), Malaysia Intelligence (MI) and the Prime Minister's Office (PMO):

Additional images of leaked invoices posted to medium.com indicated the spyware was sold through a locally-based Malaysian company named Miliserv Technologies (M) Sdn Bhd (registered with the Ministry of Finance Malaysia), which specializes in providing digital forensics, intelligence gathering and public security services:

Why the Prime Minister's Office would need surveillance software remains puzzling. Mind you, professional grade spyware ain't cheap - a license upgrade could cost you MYR400,000 and maintenance renewal will set you back about MYR160,000.

According to reports of the incident in Malaysian alternative media, Malaysian government agencies have probably been using the spyware even before discovery of the FinFisher malware that was detected in the run-up to the 2013 General Elections. Coincidentally, Malaysia has also been the frequent host of the annual ISS World Asia tradeshow, where companies promote their arsenal of 'lawful' surveillance software to law enforcement agencies, telco service providers or government employees. During the 2014 event, Hacking Team was present and the associate lead sponsor of the event. MiliServ Technologies is currently involved in the upcoming 2015 ISS World Asia in Kuala Lumpur. The event is invitation-only - though it may be interesting to see if Hacking Team will make it there this year.

Post by – Su Gim

On 08/07/15 At 02:31 AM
Posted by Sean @ 13:25 GMT

The Wassenaar Arrangement, a multilateral export control regime, defines "intrusion software" as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device. Intrusion software is used to: extract data or information, or to modify system or user data; or to modify the standard execution path of a program or process in order to allow the execution of externally provided instructions. Wassenaar states that monitoring tools are software or hardware devices that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls. (Source)

So… what we at F-Secure (and the rest of the antivirus industry) call "malware" appears to easily fit Wassenaar's definition of intrusion software. Why is this interesting? Well, the US Bureau of Industry and Security (BIS), part of the US Department of Commerce, has proposed updating its rules to require a license for the export of intrusion software. And according to the Dept of Commerce, "an export" is –any– item that is sent from the United States to a foreign destination. "Items" include, among other things, software and technology.

The Paradox

So… if malware is intrusion software, and any item is an export, how exactly are US-based customers supposed to submit a malware sample to their European antivirus vendor? Seriously, customers send us malware that uses zero-days all the time. Not to mention the samples that we routinely exchange with other trusted AV vendors from around the globe.

Unintended Consequences

The text associated with the BIS proposal says the scope includes penetration testing products that use intrusion software, in what looks like an attempt to limit "hacking" tools, but there is nothing about what is excluded from the scope. So the BIS might not intend to limit customers from uploading malware samples to their AV vendor, but that could be the effect if this new rule is adopted and arbitrarily enforced. Or else it could just force people to operate in a legal limbo. Is that what we want? The BIS is taking comments until July 20th.

On 09/06/15 At 01:25 PM
Posted by Sean @ 13:27 GMT I visited the UK last Thursday, found a coffee shop offering "free" Wi-Fi, and read this… "UK Law states that we must know who is using our Wi-Fi at all times." Now I'm not a lawyer — but that seems like quite the disingenuous claim. Mobile number, post code, and date of birth?? I wonder how many people fall for this type of malarkey. Post by — @Sean On 08/06/15 At 01:27 PM
Posted by Sean @ 13:56 GMT

There's an iOS vulnerability affecting iPhone, iPad, and even Apple Watch that allows for a denial of service. Crashing a phone with an SMS? That's so 2008.

S60 SMS Exploit Messages

Unlike 2008, this time kids are reportedly using the vulnerability to harass others. Apple is working on a security update. But unfortunately… that update very likely won't be available for older iPhones.

Updated to add: Here's the "Effective Power" exploit crashing an iPhone 6:

Effective Power Unicode iOS hack on iPhone 6

And this… is Effective Power crashing the iOS Twitter app:

Effective Power Unicode iOS hack vs Twitter

On 28/05/15 At 01:56 PM
Posted by FSLabs @ 03:17 GMT

In the past few days, we received some cases from our customers in Italy and Spain, regarding malicious spam e-mails that pointed to Cryptowall or Cryptolocker ransomware. The spam e-mails pretended to come from a courier/postal service, regarding a parcel that was waiting to be collected. The e-mails offer a link to track that parcel online:

When we did the initial investigation of the e-mails from our standard test system, the link redirected to Google:

So, no malicious behavior? Well, we noted that the first two URLs were PHP. Since PHP code is executed on the server side, not locally on the client, it is possible that the servers were 'deciding' whether to redirect the user to Google or to serve malicious content, based on some preset conditions. Since this particular spam e-mail is written in Italian - perhaps only a customer based in Italy would be able to see the malicious payload? Fortunately, we have Freedome, so we can travel to Italy for a little while to experiment. So we turned on Freedome, set the location to Milan and clicked the link in the e-mail again:

Now we see the bad stuff. If the user is (or appears to be) located in Italy, the server will redirect them to a malicious file hosted on a cloud storage server.

The e-mail spam sent to Spanish users is similar, though in those cases, a CAPTCHA challenge is included to make the site seem more authentic. If the link in the e-mail is clicked by a user located outside Spain, again we end up in Google:

If the site is visited instead from a Spanish IP, we get to the CAPTCHA screen:

And then to the malware itself:

This spam campaign doesn't use any exploits (so far), just old-fashioned social engineering; infection only occurs if the user manually downloads and executes the files offered on the malicious URLs. For our customers, the URLs are blocked and the files are detected.
(malware SHA1s: 483be8273333c83d904bfa30165ef396fde99bf2, 295042c167b278733b10b8f7ba1cb939bff3cb38) Post by — Victor On 19/05/15 At 03:17 AM
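The analysis above works by requesting the same link from different apparent locations and comparing where each visitor ends up. The following is an added example, not code from the original post or from F-Secure, that automates that comparison: it follows the redirect chain from each vantage point and reports when the landing pages differ. The fetcher is injected, so the logic runs offline against a constructed stand-in for the spam server (placeholder `.invalid` hostnames); a real run would pass a fetcher that issues each request through the chosen exit location.

```python
"""
Added example: probe a suspicious tracking link from several vantage points and
report whether the server sends visitors to different places depending on
where they appear to be. Hostnames and server behaviour are constructed.
"""
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)

def follow_chain(url, vantage, fetch, max_hops=10):
    """Follow HTTP redirects by hand so that every hop is recorded.

    fetch(url, vantage) -> (status, location_header_or_None, body_bytes)
    Returns (chain_of_urls, final_body). If max_hops is exceeded the chain is
    treated as a loop and returned as-is with body None.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location, body = fetch(chain[-1], vantage)
        if status in REDIRECT_CODES and location:
            chain.append(location)
            continue
        return chain, body
    return chain, None

def probe_cloaking(url, vantages, fetch):
    """Compare landing URLs across vantages; different landings mean cloaking."""
    per_vantage = {}
    for vantage in vantages:
        chain, body = follow_chain(url, vantage, fetch)
        per_vantage[vantage] = {
            "chain": chain,
            "landing": chain[-1],
            # Server-side scripts in the chain (the post notes the first hops were PHP).
            "php_hops": [u for u in chain if urlparse(u).path.lower().endswith(".php")],
            "body_len": len(body) if body is not None else None,
        }
    landings = {r["landing"] for r in per_vantage.values()}
    return {"cloaked": len(landings) > 1, "per_vantage": per_vantage}

# Constructed stand-in for the campaign's server: visitors that appear to be in
# Italy are sent to an archive on a "cloud" host, everyone else to Google.
def constructed_fetch(url, vantage):
    host = urlparse(url).netloc
    if host == "track.courier-example.invalid":
        if vantage == "IT":
            return 302, "https://cloud-share.invalid/dl/pacco_12345.zip", b""
        return 302, "https://www.google.com/", b""
    if host == "cloud-share.invalid":
        return 200, None, b"PK\x03\x04 constructed zip stand-in"
    return 200, None, b"<html>constructed landing page</html>"

# Constructed tracking link of the kind the spam e-mails carried.
TRACKING_URL = "http://track.courier-example.invalid/pacco/track.php?id=12345"

if __name__ == "__main__":
    report = probe_cloaking(TRACKING_URL, ["FI", "ES", "IT"], constructed_fetch)
    print("cloaked:", report["cloaked"])
    for vantage, info in report["per_vantage"].items():
        print(vantage, "->", " -> ".join(info["chain"]))
```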
Posted by Sean @ 12:46 GMT Securing your SSH password is very important. Otherwise, you might be pwned by a little girl with her Raspberry Pi. Don't worry, it's an authorized hack, she asked her mom for permission. On 15/05/15 At 12:46 PM