Evasive Tactics: Terminator RAT

October 24, 2013

FireEye Labs has been tracking a variety of advanced persistent threat (APT) actors that have been slightly changing their tools, techniques, and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack against the New York Times, and Taidoor, a malware family that is being used in ongoing cyber-espionage campaigns particularly against entities in Taiwan. In this post we will explore changes made to Terminator RAT (Remote Access Tool) by examining a recent attack against entities in Taiwan.

We recently analyzed a sample that we suspect was sent via spear-phishing emails to targets in Taiwan. As shown in Figure 1, the adversary sends a malicious Word document, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), that exploits CVE-2012-0158, which subsequently drops a malware installer named “DW20.exe”. This particular malware is interesting because of the following:

  • It evades sandboxes by terminating and removing itself (DW20.exe) after installing; malicious behavior only appears after a reboot.
  • It deters single-object sandbox analysis by splitting roles between collaborating components: the RAT (svchost_.exe) works with its relay (sss.exe) to communicate with the command and control server.
  • It deters forensic investigation by changing the startup folder location.
  • It deters file-based scanning that applies a maximum file size filter by padding svchost_.exe to 40MB.

The ultimate payload of the attack is Terminator RAT, which is also known as FakeM RAT. This RAT does not appear to be used exclusively by a single APT actor, but is most likely being used in a variety of (possibly otherwise unrelated) campaigns. In the past, this RAT has been used against Tibetan and Uyghur activists, and we are seeing an increasing number of attacks targeting Taiwan as well.

However, these attacks use some evasive tactics that demonstrate the evolution of Terminator RAT. First, the attackers have included a component that relays traffic between the malware and a proxy server. Second, they have modified the 32-byte magic header that in previous versions attempted to disguise itself to look like either MSN Messenger, Yahoo! Messenger, or HTML code.

These modifications appear to be an attempt to evade network defenses, perhaps in response to defenders’ increasing knowledge of the indicators of compromise associated with this malware. We will discuss the individual components of this attack in more detail.

Figure 1

1.   DW20.exe (MD5: 7B18E1F0CE0CB7EEA990859EF6DB810C)

DW20.exe was found to be the installation executable. It first creates its working folders at “%UserProfile%\Microsoft” and “%AppData%\2019”. The former is used to store the configuration and executable files (svchost_.exe and sss.exe) and the latter is used to store the shortcut link files. The “2019” folder is then configured as the new startup folder location by changing the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup” to point at that path (see Figure 2).

Figure 2

The executable file “sss.exe” was found to be the decrypted form of the resource named 140 with type “ACCELORATOR” (likely a misspelling of Accelerator; see Figure 3). This resource was decrypted using a customized XTEA algorithm and appended with an encrypted configuration holding the domains and ports.

Figure 3

After installation, DW20.exe deletes and terminates itself. The malware components will only run after a reboot. This is one effective way to evade automatic sandbox analysis, as the malicious activity is only revealed after a reboot.

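As an added example (not code from the FireEye post), the following Python audit flags the persistence technique described in this section: it parses a constructed .reg-style export of the Explorer Shell Folders keys and reports a Startup value that no longer points at the default Start Menu\Programs\Startup location. The export text and the profile path are constructed; the key and value names are the ones named above.

```python
import re

# Constructed .reg-style export (not from the original post) modelling the
# redirection described above: Shell Folders\Startup points at %AppData%\2019.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="C:\\Users\\victim\\Desktop"
"Startup"="C:\\Users\\victim\\AppData\\Roaming\\2019"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
'''

# Where the per-user Startup folder lives on a default Windows 7/8 profile.
EXPECTED_STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style text export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes inside REG_SZ data; undo that.
            result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def startup_findings(registry):
    """Flag Explorer Startup folder values pointing outside the default location.

    Returns [(key_leaf, observed_path)] for both the 'Shell Folders' and the
    'User Shell Folders' keys, so a redirect of either one is caught.
    """
    findings = []
    for key, values in registry.items():
        if not key.lower().endswith(("\\shell folders", "\\user shell folders")):
            continue
        data = values.get("Startup")
        if data is None:
            continue
        normalised = data.lower().rstrip("\\")
        if not normalised.endswith(EXPECTED_STARTUP_SUFFIX):
            findings.append((key.rsplit("\\", 1)[1], data))
    return findings


if __name__ == "__main__":
    for leaf, path in startup_findings(parse_reg_export(REG_EXPORT)):
        print(f"Startup folder redirected in {leaf}: {path}")
```
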
2.   sss.exe (MD5: 93F51B957DA86BDE1B82934E73B10D9D)

sss.exe is an interesting malware component. Analyzed on its own, a researcher would not consider it a malicious program. This component acts as a network relay between the malware and the proxy server by listening on port 8000. To achieve this, it first identifies the proxy servers configured on the system using “WinHttpGetIEProxyConfigForCurrentUser”; the discovered proxy servers and their ports are stored in the same directory in a file named “PROXY” (see Figure 4).

Figure 4

When a new incoming TCP connection arrives on port 8000, it attempts to open a socket from the local host to the proxy and, through it, checks connectivity with the CnC server. If the response is 200, it then creates a “relay link” between the malware and the CnC server (see Figure 5). The “relay link” is built from two threads: one transfers data from socket 1 to socket 2 (see Figure 6) and the other does the reverse.

Figure 5

Figure 6

As depicted in Figure 7, the user agent is hard coded. This is a possible means of identifying potentially malicious traffic, as Internet Explorer 6 is significantly outdated and “MSIE 6.0.1.3” is not a valid version token.

Figure 7

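The hard-coded user agent above is a usable network indicator. As an added example, not from the original post, this Python snippet parses constructed proxy log lines and flags MSIE version tokens that are malformed (such as “6.0.1.3”) or that claim an obsolete IE 6; the full user-agent strings, timestamps and client addresses are constructed, and only the “MSIE 6.0.1.3” token comes from the post.

```python
import re

# Constructed proxy log lines in combined log format (not from the post); only the
# "MSIE 6.0.1.3" token in the first line is taken from the sample described above.
LOG_LINES = [
    '10.0.0.5 - - [24/Oct/2013:10:01:02 +0800] "GET /index.htm HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.1)"',
    '10.0.0.7 - - [24/Oct/2013:10:01:05 +0800] "GET / HTTP/1.1" 200 1024 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.9 - - [24/Oct/2013:10:01:09 +0800] "GET /a HTTP/1.1" 200 77 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '10.0.0.5 - - [24/Oct/2013:10:02:10 +0800] "GET /b HTTP/1.1" 200 64 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
]

# Everything after "MSIE " up to the next ';' or ')'.
MSIE_TOKEN_RE = re.compile(r"MSIE ([^;)]+)")
# Genuine IE tokens are major.minor, optionally with a beta suffix (e.g. 7.0b).
VALID_MSIE_VERSION_RE = re.compile(r"^\d{1,2}\.\d{1,2}b?$")
OBSOLETE_MAJOR = 6


def extract_user_agent(line):
    """The user agent is the last quoted field of a combined-format log line."""
    return line.rsplit('"', 2)[1]


def ua_anomalies(ua):
    """Reasons a user agent is suspicious; an empty list means nothing notable."""
    reasons = []
    m = MSIE_TOKEN_RE.search(ua)
    if not m:
        return reasons
    version = m.group(1).strip()
    if not VALID_MSIE_VERSION_RE.match(version):
        reasons.append("malformed MSIE version token")
    major = version.split(".")[0]
    if major.isdigit() and int(major) <= OBSOLETE_MAJOR:
        reasons.append("obsolete Internet Explorer (6 or older)")
    return reasons


def audit_lines(lines):
    """Return (client_ip, user_agent, reasons) for every line with an anomaly."""
    findings = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        ua = extract_user_agent(line)
        reasons = ua_anomalies(ua)
        if reasons:
            findings.append((ip, ua, reasons))
    return findings


if __name__ == "__main__":
    for ip, ua, reasons in audit_lines(LOG_LINES):
        print(f"{ip}: {'; '.join(reasons)} -> {ua}")
```
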
The configuration for the malicious domains and ports is located in the last 188 bytes of the executable file (see Figure 8). The first 16 bytes are the key (boxed in red) used to decrypt the remaining content with a modified XTEA algorithm (see Figure 9). The two malicious domains found were “liumingzhen.zapto.org” and “liumingzhen.myftp.org”.

Figure 8

Figure 9

3.   Network Traffic

The Terminator sample we analyzed, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), was not configured with the fake HTML, Yahoo Messenger, or Windows Messenger traffic header that past variants used. However, the content is encrypted in exactly the same way as in previous versions of Terminator RAT.

Figure 10

The decrypted content reveals that the malware is sending back the user name, the computer name and a campaign mark of “zjz1020”.

Figure 11

This particular sample is configured to use one of two command and control servers:

  • liumingzhen.zapto.org / 123.51.208.69
  • liumingzhen.myftp.org / 123.51.208.69

We have located another malicious document that has a Taiwan-related decoy document that drops this same version of Terminator RAT.

Figure 12

The sample we analyzed (md5: 50d5e73ff8a0693ed2ee2d320af3b304) exploits CVE-2012-0158 and has the following command and control server:

  • catlovers.25u.com / 123.51.208.142

The command and control servers for both samples resolved to IP addresses in the same class C network.

4.   Campaign Connections

In June 2013, we investigated an attack against entities in Taiwan that used spear-phishing emails to deliver a malicious attachment.

Figure 13

The malicious attachment “標案資料.doc” (md5: bfc96694731f3cf39bcad6e0716c5746) exploited a vulnerability in Microsoft Office (CVE-2012-0158); however, the payload in this case was a different malware family, known as WinData. The malware connected to the same command and control server, liumingzhen.zapto.org, but the callback is quite different:

XYZ /WinData.DLL?HELO-STX-1*1[IP Address]*[Computer Name]*0605[MAC:[Mac Address]]$

In a separate case where liumingzhen.zapto.org has been used as the command and control server, the payload was neither WinData nor Terminator RAT, but another type of malware known as Protux. The sample we analyzed in August 2012 for this case was “幹!.doc” (md5: 01da7213940a74c292d09ebe17f1bd01).

This particular threat actor has access to a variety of malware families and has been using them to target entities in Taiwan for more than a year.

Conclusion

Terminator RAT is an example of how malware is becoming more sophisticated and harder to detect. There is a need for continual research to understand the various techniques, tactics, and procedures used by adversaries. Detecting exploitation and identifying anomalous callbacks are becoming critical to preventing malware from installing on the system or phoning back to the command and control servers.

CYBER SECURITY AWARENESS: HOW ONLINE BEHAVIOR PUTS CONSUMERS AT RISK

October 2013 – rsa-fraud-report-102013

October marks the launch of National Cyber Security Awareness Month in the United States, a time for the public and private sectors to come together to promote online awareness about how to stay safe online. Last year, RSA launched the Online Identity Risk Calculator in conjunction with the National Cyber Security Alliance (NCSA) to provide an interactive tool for consumers to see how the activities they perform online could put them at risk for identity theft and other cyber threats.

In the last year, we have received over 14,500 responses from consumers in more than 170 countries. Following are some of the highlights:

  • 67% of consumers access their online banking account at least once a week
  • 83% of consumers make a purchase online once a month or more often
  • 95% of consumers access one email account on a regular basis
    – 40% access three or more email accounts on a regular basis
  • 77% of consumers access social networking sites on a regular basis
  • 74% of consumers have downloaded apps to a mobile device within the last year
  • 37% of consumers visit online gaming sites once a month or more often
  • 35% of consumers have been infected with a Trojan in the last year

So why are these statistics so important? Well, take for example that 3 out of every 10 phishing emails are targeted at social networking sites [1]. When you consider that more than three out of every four consumers use a social networking site on a regular basis, it makes the net that phishers are able to cast much wider.

Coordinated Attacks Against the U.S. Government and Banking Infrastructure

May 1, 2013 at 12:11 pm PST

Prologue

On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.

Analysis

If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens.

Likely Avenues of Attack

Using previous attacks as indicators, there are three major categories in which likely attacks can be placed.

Vulnerable Software Exploitation
Some of the lowest-hanging fruit for attackers are systems that aren’t patched against current, well-known, or even old vulnerabilities. Always make sure your software and firmware are upgraded to the most recent vendor-recommended releases, and make doubly sure your edge devices are patched. For Cisco software and hardware, you can always check our PSIRT page for the latest information on Cisco security advisories and our Applied Mitigation Bulletin page for up-to-date information on techniques that use Cisco product abilities to detect and mitigate exploits.

Bandwidth Saturation
Against such common distributed denial of service (DDoS) attack tools as LOIC and HOIC, there are a few suitable mitigations, including the following:

  • Unicast Reverse Path Forwarding (uRPF)
  • Reputation-based blocking (of compromised servers)
  • Access control list (ACL) filtering from the upstream provider

These mitigations will be discussed in more detail below.

Moreover, the reader should note that some mitigations might only be able to drop attack traffic after it has saturated the victim’s link to the Internet. For example, we can block traffic at the Internet edge of the network of the web resource under attack. Even when that is achieved, the mitigation has not succeeded in protecting the infrastructure or resource under attack, since the Internet edge link is already saturated. In these situations, traffic must be blocked with the upstream Internet service provider (ISP). With this in mind, the mitigations below will prevent any internally compromised devices from triggering an attack, and the mitigations should be deployed close to the edge of these devices.

DNS amplification attacks, also known as DNS reflection attacks, leverage DNS ANY queries and Internet-based open DNS resolvers to amplify denial of service (DoS) traffic and overwhelm targets. Additionally, make sure your DNS infrastructure adheres to industry best practice; in particular, your DNS servers should not function as open resolvers.

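As an added example (not from the Cisco post), the following Python analyses constructed NetFlow-style records for the two sides of a DNS amplification attack described above: a target receiving large UDP/53 answers from many distinct sources, and one of your own DNS servers answering many outside clients, which is the open-resolver condition the paragraph warns about. All addresses, the internal prefix and the thresholds are constructed for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One record per unidirectional flow, as a NetFlow collector would export it.
Flow = namedtuple("Flow", "src dst proto sport dport packets bytes")

# Constructed sample records (not from the post). 192.0.2.0/24 is "our" network.
FLOWS = [
    # Five open resolvers on the Internet sending large UDP/53 answers to one host:
    # the reflected, amplified side of a DNS amplification attack.
    Flow("198.51.100.10", "203.0.113.5", "udp", 53, 4321, 400, 1_400_000),
    Flow("198.51.100.11", "203.0.113.5", "udp", 53, 4321, 380, 1_330_000),
    Flow("198.51.100.12", "203.0.113.5", "udp", 53, 4321, 410, 1_435_000),
    Flow("198.51.100.13", "203.0.113.5", "udp", 53, 4321, 390, 1_365_000),
    Flow("198.51.100.14", "203.0.113.5", "udp", 53, 4321, 420, 1_470_000),
    # Ordinary small answers from our resolver to an internal client.
    Flow("192.0.2.53", "192.0.2.77", "udp", 53, 55123, 20, 3_000),
    # Our resolver answering many outside clients: it is acting as an open resolver.
    Flow("192.0.2.53", "198.51.100.200", "udp", 53, 40001, 500, 1_600_000),
    Flow("192.0.2.53", "198.51.100.201", "udp", 53, 40002, 480, 1_500_000),
    Flow("192.0.2.53", "198.51.100.202", "udp", 53, 40003, 520, 1_700_000),
    Flow("192.0.2.53", "198.51.100.203", "udp", 53, 40004, 490, 1_550_000),
    # Unrelated web traffic, ignored by both checks.
    Flow("192.0.2.80", "203.0.113.9", "tcp", 80, 51000, 100, 90_000),
]


def dns_responses(flows):
    """Yield only UDP flows sourced from port 53, i.e. DNS answers."""
    return (f for f in flows if f.proto == "udp" and f.sport == 53)


def reflection_victims(flows, min_sources=3, min_avg_bytes=1000):
    """Destinations receiving large DNS answers from many distinct sources.

    ANY-query amplification shows up as many resolvers (sources) sending
    replies of well over 1000 bytes per packet to a single target.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in dns_responses(flows):
        agg = per_dst[f.dst]
        agg["sources"].add(f.src)
        agg["packets"] += f.packets
        agg["bytes"] += f.bytes
    suspects = []
    for dst, agg in per_dst.items():
        avg = agg["bytes"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and avg >= min_avg_bytes:
            suspects.append({"dst": dst, "sources": len(agg["sources"]),
                             "bytes": agg["bytes"], "avg_bytes_per_packet": avg})
    return sorted(suspects, key=lambda s: s["bytes"], reverse=True)


def open_resolver_suspects(flows, internal_cidr, min_clients=3):
    """Internal DNS servers answering many clients outside internal_cidr."""
    internal = ipaddress.ip_network(internal_cidr)
    clients = defaultdict(set)
    for f in dns_responses(flows):
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in internal and dst not in internal:
            clients[f.src].add(f.dst)
    return sorted((srv, len(c)) for srv, c in clients.items() if len(c) >= min_clients)


if __name__ == "__main__":
    for v in reflection_victims(FLOWS):
        print(f"possible reflection victim {v['dst']}: {v['sources']} sources, "
              f"{v['avg_bytes_per_packet']:.0f} bytes/packet")
    for srv, n in open_resolver_suspects(FLOWS, "192.0.2.0/24"):
        print(f"possible open resolver {srv}: answered {n} external clients")
```
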
DNS amplification attacks should be expected in the event the operation takes place. Cisco has the following additional recommendations:

Resource Starvation
In contrast to the bandwidth consumption denial of service attacks, attackers can also starve resources using so-called “low and slow” techniques. Tools in the Slowloris family, in addition to tools like R.U.D.Y., work by exhausting web server resources. The tools typically open a large number of connections to the target and slowly trickle small amounts of traffic using never-ending streams of data. Note that these attacks have been shown to use HTTPS as well as HTTP and in some cases odd port and protocol combinations such as UDP port 80.

Mitigating these attacks against affected web servers can prove challenging, but some of the methods to use include:

  • Increasing the maximum number of clients the web server will allow (you would want to ensure the web server can handle this increased load)
  • Reducing the number of concurrent connections a single IP address can have (this can cause problems for customers behind Network Address Translation [NAT] or proxied connections)
  • Imposing restrictions on the minimum transfer speed a connection is allowed to have (this can cause problems for customers on unreliable or very remote networks)
  • Reducing the amount of time a client can stay connected (this too can cause problems for customers transferring large files or working in long interactive sessions)

Some of these mitigations can be enforced using network devices (firewalls) and will be discussed in more detail below. The best defense will probably be a blended approach that combines the above methods. Finally, we would even recommend moving affected web servers to software that is unaffected by this form of attack. It is worth noting that while the above mitigations can help, volumetric attacks can overwhelm any of the stateful devices used for mitigation.

Other network devices that can help in mitigating these types of attacks are:

  • Intrusion prevention systems
  • Web Application Firewalls ensuring web application conformance

Network Identification and Mitigation Technologies

The following technologies are extremely helpful in many different forms of attack detection and mitigation.

NetFlow
NetFlow is a protocol for collecting IP-based telemetry information about traffic flowing through a network. NetFlow offers a treasure trove of security-related information about who is doing what on the network and can be one of the early warning indicators of network misuse.
A few resources are below:

Source-Based Remotely Triggered Black Hole Routing
Remotely triggered black hole (RTBH) routing is a BGP-based DDoS mitigation technique for service providers and large enterprises. It works by injecting a NULL BGP route into the network, forcing all BGP routers to drop malicious traffic based on destination. This technique is effective at filtering attack traffic to Internet hosts, but it is also considered quite heavy handed. In some cases it is better to block only certain source IP ranges (blocking based on source address) rather than blocking all traffic intended for a single target (blocking based on destination address). Combining uRPF with RTBH routing (known as Source-Based RTBH routing or S/RTBH routing) allows the network to null route based on source address, which will only block attacking source addresses. For more information, you can read our white paper and some additional resources can be found here:

Global Resources
For organizations that can leverage global data centers, geographical resource distribution can be an important DDoS protection. This can be achieved using global server load balancing (GSLB) or anycast. Anycast is a network addressing and routing methodology that provides an increase of speed and resilience. Using anycast, a single server is replicated in several physically disparate locations, all with the same IP address. Using GSLB or anycast, when a client wants to connect to the server, it is routed to the topologically closest node out of the group. Thus, by leveraging an HTTP/HTTPS termination point in each location, users throughout the globe will always reach the resource closest to them as shown in the figure below.

While complicated to set up, anycast spreads the target across many locations, which works against would-be DDoS attacks. If one server is taken offline, users in other parts of the world will not be affected, and mitigation can be deployed at the location that is attacked. Additionally, it would require many more resources for the attackers to take down all the locations. Of course, the requirement for this scheme to work is a global infrastructure that can distribute the load.

In March 2013, anti-spam juggernaut Spamhaus came under a massive 75 Gb/s DDoS attack. To mitigate the attack, they turned to Cloudflare and its massive anycast network.

Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) is a security feature enabled on the router that helps to limit the propagation of spoofed IP addresses. Please refer to a comprehensive white paper on what uRPF is and how to configure it on a Cisco router, and a paper on using uRPF to deter DoS attacks.

Tightening Connection Limits and Timeouts
For those of you with Cisco Adaptive Security Appliance (ASA) deployments, you can tighten connection limits and timeouts, which will reduce your susceptibility to some of the attacks mentioned above. For example, if the normal traffic to a web server is a quick connection of a few seconds, we may want to drop connections that are open for more than 5 minutes. Cisco provides a document explaining Cisco ASA connection limits and timeouts, such as how to set maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, connection timeouts, and dead connection detection. When enabling embryonic connection limits, the Cisco ASA leverages its TCP intercept feature in order to enforce TCP SYN cookies that are used to mitigate the threat of TCP SYN flood attacks. TCP SYN cookies practically complete the TCP handshake before allowing the connection to the server, which ensures that spoofed traffic cannot waste TCP connections to the server. Resources are available for learning about SYN flood attacks and several mitigations. Readers should note that before changing connection limits, you must have a good understanding of the normal traffic profiles and baselines to ensure you do not inadvertently cause issues.

Reputation-Based Blocking
All Internet traffic must originate from an IP address. A plethora of organizations use various criteria and methods to rank, rate, and score IP addresses with respect to how “notorious” they are. More specifically, if a given IP address is known to be that of a spammer, to be distributing malware, or to be part of a botnet army, it can be flagged in one of the ill-repute databases, often with a numeric score contextual to the rating system. For example, Cisco Email and Web Security and the ASA Botnet Traffic Filter use an integer scale from -10 for the worst offenders to +10 for the most angelic. Integrating with one of the many IP reputation products or services available can help to reduce the malicious traffic generated by compromised servers.

Web Application Firewalls
A Web Application Firewall (WAF) is a device that provides firewall-like functionality to web-based applications. For organizations with substantial web-based applications, WAFs are recommended as a front-line defense against attackers. There is a thorough best practices document on WAF deployment.

Intrusion Prevention Systems
Intrusion prevention systems (IPS) are appliances that monitor the network for malicious activity. When malicious activity is detected, the IPS can alert or block the traffic and prevent it from entering your network.

Access Control Lists
Access control lists (ACLs) are used by network devices to restrict network traffic flows. Most of the time, ACLs are focused on filtering ingress traffic at network edge devices, specifically traffic that is considered provocative or malicious. A common but effective ACL methodology is to adopt a doctrine of least privilege where only what is absolutely necessary is allowed in. Cisco offers a detailed paper on how to configure ACLs on Cisco IOS Software. Note that using ACLs to block DDoS traffic can be challenging due to the dynamic nature of the attack and the management overhead it would introduce. Additionally, you can read up on transit ACLs and infrastructure ACLs.

Conclusion

Distributed denial of service attacks are a moving target. We may be familiar with many of the tools and how they look on a network, but until the actual attack we don’t know all of its characteristics. Now is a good time to re-evaluate your defenses and determine where they can be improved. When preparing for possible attacks it is best to cover as many possible attack vectors as possible. Yes, this means simple things like patching, monitoring NetFlow, working with Internet service providers, and having a strong incident response and contingency plan.

VSkimmer Botnet Targets Credit Card Payment Terminals

March 2013 at 11:20am

While monitoring a Russian underground forum recently, we came across a discussion about a Trojan for sale that can steal credit card information from machines running Windows for financial transactions and credit card payments. The malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server. The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, but with additional functions.

We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques including intercepting the victims’ banking transactions. VSkimmer is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.

Our Automated Botnet Replication Framework first saw this Trojan on January 18. We’ve analyzed samples of this malware and figured out how it steals credit card information, as well as its additional control functions. While performing API tracing, we found it uses fairly standard antidebugging techniques:

The malware collects the following information from the infected machine and sends it to the control server:

  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version

This malware uses a standard installation mechanism: it copies itself as svchost.exe into %APPDATA%, modifies the registry key to add itself to the authorized list of apps, and runs ShellExecute to launch the process. One function of vSkimmer, used when the Internet is not available, is to wait for a USB device with the volume name KARTOXA007 to be connected to the infected machine and to copy all the logs (in the file dumz.log) and the card info collected from the victim to the USB drive.

I checked by disconnecting from the Internet: The malware enumerated all the drives and created the file dumz.log in the drive with the preceding name.

Extracting credit card information

VSkimmer maintains a whitelist of processes, which it skips while enumerating the running processes on the infected machine.

Once vSkimmer finds a running process that is not on the whitelist, it calls OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes its pattern-matching routine with the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??” to extract the card data read by the payment devices. This is repeated for every running process on the infected machine that is not on the whitelist.

VSkimmer control

Before communicating with the control server, the malware Base64-encodes all the machine information collected and appends it to the URI. The encoded string follows this format:

  • machine guid|build_id|bot_version|Windows_version|Host_name|User_Name

Next, vSkimmer creates the HTTP request and connects to the control server:

While this malware ran, we saw the following response. Note that the commands are within the <cmd> </cmd> tag.

Once vSkimmer receives a response from the server, it executes the following routine to parse the command:

Because the response from the server during execution was <cmd>null</cmd>, the malware extracts the 3-byte command and tries to match it with the other commands implemented by vSkimmer. First it checks if the command from the server is “dlx.”

If not, then vSkimmer checks for the “upd” command. These commands implement the HTTP download and execute (“dlx”) and update of the bot (“upd”), respectively.

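As an added example that is not McAfee’s code, the following Python helpers turn the beacon and command formats described above into a network check: one decodes a Base64 blob on a request URI and validates the six pipe-delimited fields (machine GUID first), the other extracts and classifies the <cmd> tag in a response. The sample URI, response body and field values are constructed, and attaching the blob as the query string is an assumption, since the post does not say where in the URI it is appended.

```python
import base64
import binascii
import re

# Constructed beacon fields, in the order the post gives:
# machine guid|build_id|bot_version|Windows_version|Host_name|User_Name
SAMPLE_FIELDS = "b4a5e9c0-1111-2222-3333-444455556666|build7|1.0|Windows 7|POS-LANE3|cashier"
# Assumption: the Base64 blob is carried as the query string (the post does not
# say where in the URI it is appended). Both URI and response are constructed.
SAMPLE_URI = "/index.php?" + base64.b64encode(SAMPLE_FIELDS.encode()).decode()
SAMPLE_RESPONSE = "<html><body><cmd>null</cmd></body></html>"

FIELD_NAMES = ("machine_guid", "build_id", "bot_version",
               "windows_version", "host_name", "user_name")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CMD_RE = re.compile(r"<cmd>(.*?)</cmd>", re.S)
# The three-letter commands the post describes, plus the idle reply it observed.
KNOWN_COMMANDS = {"dlx": "download and execute", "upd": "update bot",
                  "null": "idle / no task"}


def decode_beacon(uri):
    """Return the six beacon fields as a dict, or None if the URI is not a beacon."""
    if "?" in uri:
        blob = uri.split("?", 1)[1]
    else:
        blob = uri.rstrip("/").rsplit("/", 1)[-1]
    blob = blob.strip()
    try:
        # Restore any stripped padding, then reject non-Base64 characters outright.
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parts = text.split("|")
    if len(parts) != len(FIELD_NAMES) or not GUID_RE.match(parts[0]):
        return None
    return dict(zip(FIELD_NAMES, parts))


def classify_command(body):
    """Extract the <cmd> payload from a response; None if no tag is present."""
    m = CMD_RE.search(body)
    if not m:
        return None
    cmd = m.group(1).strip()
    return cmd, KNOWN_COMMANDS.get(cmd, "unknown command")


if __name__ == "__main__":
    beacon = decode_beacon(SAMPLE_URI)
    if beacon:
        print("vSkimmer-style beacon from host", beacon["host_name"], beacon)
    print("server command:", classify_command(SAMPLE_RESPONSE))
```
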
As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the magnetic stripe of credit cards. This track stores all the card information, including the card number. (You can read more about the Track 2 data format on Wikipedia.) The chief information:

  • Primary Account Number: the number printed on the front of the card
  • Expiration Date
  • Service Code: the three-digit number

VSkimmer bot control panel

Here’s a look at the control panel of the command server:

2013 Threats Predictions by McAfee Labs

McAfee Labs collected an immense amount of data on malware, vulnerabilities, and threats to endpoints, networks, email, and the web in 2012. Using our Global Threat Intelligence, we analyzed this data to block these intrusions and reduce the danger to our customers. Next year we anticipate more of the same: Cybercriminals and hacktivists will strengthen and evolve the techniques and tools they use to assault our privacy, bank accounts, mobile devices, businesses, organizations, and homes.
Mobile Threats
  • Malware shopping spree
Once criminals discover a profit-making technique that works, they’re likely to reuse and automate it. For example, Android/Marketpay.A is a Trojan horse program that buys apps from an app store without user permission. We’re likely to see crooks take this malware’s app-buying payload and add it to a mobile worm.
Buying apps developed by malware authors puts money in their pockets. A mobile worm that uses exploits to propagate over numerous vulnerable phones is the perfect platform for malware that buys such apps; attackers will no longer need victims to install a piece of malware. If user interaction isn’t needed, there will be nothing to prevent a mobile worm from going on a shopping spree.
  • Block that update!
One of the advantages that a mobile service provider (as opposed to Microsoft, for example) has in fighting malware is that once the cell company recognizes malware it can automatically push an update to customers to clean their devices. This works on phones that have not been rooted (or unlocked) by their owners. For mobile malware to stick around for a long time, it will have to prevent updates. Putting an app on a store that does nothing more than download external malware which locks the phone from communicating with the cell provider will achieve this.
Malware
  • Kits lead to an explosion in malware for OS X and mobile
Given the popularity of mobile computing, we should perhaps be surprised that cybercriminals have taken so long to extensively exploit this field. In 2012, however, we’ve seen the number of mobile threats go up dramatically. As we look at them in more detail, we see the large amount of Windows-based malware owes its existence to the easy availability of malware kits in the underground market. In 2013, there is a good chance ransomware kits will take the lead from malware kits. We have already seen Android and OS X as targets of ransomware. Now the first ransomware kits are being marketed in the underground. For the moment the kits attack only Windows systems, but this may change soon.
  • Ransomware continues to expand to mobile devices
Ransomware on Windows PCs has more than tripled during the past year. Attackers have proven that this “business model” works and are scaling up their attacks to increase profits. One way ransomware is different from other types of malware—such as backdoors, keyloggers, and password stealers—is that attackers do not rely on their victims using the infected systems for financial transactions to separate them from their money. Instead these criminals hijack the users’ ability to access data, communicate, or use the system at all. The victims are faced with either losing their data or paying a ransom in the hope of regaining access.
One limitation for many malware authors seeking profit from mobile devices is that more users transact business on desktop PCs rather than on tablets or phones. But this trend may not last; the convenience of portable browsers will likely lead more people to do their business on the go. Attackers have already developed ransomware for mobile devices. What if the ransom demand included threats to distribute recorded calls and pictures taken with the phone?
We anticipate considerably more activity in this area during 2013.
  • Rootkits diversify, using MBR and other bootkit techniques
The evolution of computer security software and other defenses on client endpoints is driving threats into different areas of the operating system stack, especially for covert and persistent attackers. The frequency of threats attacking Microsoft Windows below the kernel is increasing. Some of the critical assets targeted include the BIOS, master boot record (MBR), volume boot record (VBR), GUID Partition Table (GPT), and NTLoader. Although the volume of these threats is unlikely to approach that of simpler attacks on Windows and applications, the impact of these complex attacks can be far more devastating. We expect to see more threats in this area during 2013.
  • Windows 8 the next big target
Criminals go where the money is. And if this means they have to cope with a new, more secure version of Windows, that’s just what they will do. In many cases they attack the user and not the OS. Via phishing and other techniques users are tricked into revealing information or installing a malicious program. So if you upgrade, don’t rely solely on Windows to protect your system: Remain vigilant and watch out for phishing scams.
Windows 8 should provide improved security against malware and exploits compared with earlier versions of Windows, at least for a while. Now that the underground market for attack and malware kits is much more competitive than three years ago, it is likely that Windows 8–specific malware will be available quicker than Windows 7–specific malware appeared. Systems running the new Unified Extensible Firmware Interface are still vulnerable to MBR-based rootkits, just as previous OS versions were, according to one research company. On the day of Windows 8’s release, the firm announced for sale to its customers the availability of a zero-day vulnerability that circumvents all new security enhancements in Windows 8 and Internet Explorer 10.
In spite of any flaws, Windows 8 is a more secure OS, so upgrading is worth considering. Millions still run Windows XP, which only in fall 2012 was finally eclipsed in the number of its users by newer versions of Windows.
Big-Scale Attacks
Destructive payloads in malware have become rare because attackers prefer to take control of their victims’ computers for financial gain or to steal intellectual property. Recently, however, we have seen several attacks—some apparently targeted, others implemented as worms—in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013.
Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks. As with distributed denial of service (DDoS) attacks, the technical bar for the hackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, then the result can be devastating.
Citadel Trojan Zeros In
Citadel is likely to become the Trojan of choice among cybercriminals who want the rich functionality of Zeus along with dedicated support. With the recent release of Citadel Rain, the Trojan can now dynamically retrieve configuration files, enabling a fraudster to send a targeted payload to a single victim or a selection of victims. This allows thieves to compromise accounts on a one-off basis depending on their criteria and wage attacks in a very targeted manner. Detection will become much harder because the footprint is minimal on the endpoint until the attack occurs. Typically Zeus attacks have been relatively widespread. We will likely see that change in 2013 as more cybercriminals adopt Citadel Rain and its future variants and focus on narrowly targeted attacks seeking the greatest possible gain.
Most Citadel infections are concentrated in just a few populations in Europe, but we expect that number to increase in 2013. The following map shows Germany is the prime location, with more than 200 infections to date.
HTML5
HTML5 is the next version of the standard language of Internet browsers. It provides language improvements, capabilities to remove the need for plug-ins, new layout rendering options, and new powerful APIs that support local data storage, device access, 2D/3D rendering, web-socket communication, and many other features. Today 74 percent of users in North America, 72 percent in Asia, and 83 percent in Europe use browsers that support the majority of HTML5 features.2 Websites are quickly adopting HTML5 for its richer user experience. HTML5 continues the move to the browser, and away from the operating systems, as the platform to run applications. HTML5-based applications are increasing in number, with major players taking advantage of freedom from app stores and improved cross-browser and cross-device compatibility.
Browsers have long been one of the primary vectors for security threats, and HTML5 won’t change that. With HTML5 the threat landscape will shift and broaden. We will see a reduction in exploits focused on plug-ins as browsers provide this functionality via their new media capabilities and APIs. However, HTML5 will offer other opportunities for attackers because the additional functionality will create a larger attack surface. Powerful JavaScript APIs that allow device access will expose the browser as websites gain direct access to hardware.
Botnets and Spam
  • Botnets call home
The biggest threat to botmasters is the unrecoverable loss of their botnets. International cooperation in policing spam, malware, child exploitation, and illegal pills has made that loss a reality for many major botnets over the past few years, and will continue to threaten the proliferation of botnets. When the largest botnets get taken down, then the next largest botnets become the new targets. Botmasters have already reacted to this activity by subdividing botnets and increasing the costs associated with activities that are easily detectable (such as DDoS and spam). It is only a matter of time before botmasters implement fail-safes to reestablish command of a botnet that has lost all of the control servers it usually reports to.
In many cases botnets are temporarily hijacked by whitehat security researchers. Due to possible negative side effects, however, these takeovers do not lead to new commands reaching the infected hosts. There is a massive liability issue associated with the unauthorized remote operation of systems, even with the best of intentions. Pushing new commands to an old Windows machine serving a hospital could turn the PC into a brick and lead to incorrect care or even the death of a patient. Botmasters will take advantage of this reluctance by the good guys to meddle by hardwiring their botnets to reestablish control after a takedown.
  • SMS spam from infected phones
Cell phone providers are working to prevent SMS spam. Their primary method of receiving reports from consumers is for the latter to forward messages to SPAM (7726) on their phones and report the messages so that they can be blocked. An infected phone can also send spammy text messages; then the victims face the problem of having their accounts closed by the providers. We expect to see pill advertising or phishing lures delivered by SMS in 2013.
Crimeware
  • Hacking as a Service
For a long time, cybercriminals have attended public forums to discuss and make business deals with other criminals. In these meetings, they not only offer software for sale but also services. Highly professional cybercrooks, however, see these forums as a waste of time (they are full of “newbies”), a loss of confidentiality (each deal needs direct contact with the client, who could be an undercover agent), and a loss of money (as the purchaser attempts to negotiate a lower price). For these reasons, the number of invitation-only criminal forums requiring registration fees and/or guarantors (vouchers) has increased.
This trend will continue, but to improve anonymity without discouraging buyers, online sales sites modeled on legal trade activities will grow in 2013. On these sites, buyers can make their choices at the click of a mouse, use an anonymous online payment method (such as Liberty Reserve), and receive their purchases without any negotiations or direct contact with the seller.
More secure and anonymous, these offers will be easier to find on the Internet. They will also be more diversified. We have already started to see high-level audit services and offers for project development for cybercriminals.
The number of suspicious outfits claiming to sell zero-day attacks or the sale of spying services reserved for the sole use of governments or secret services will grow. It will be difficult to separate the wheat from the chaff, or to ascertain real activities and real customers.
Hacktivism
  • The decline of Anonymous
Sympathizers of Anonymous are suffering. Too many uncoordinated and unclear operations have been detrimental to its reputation. Added to this, the disinformation, false claims, and pure hacking actions will lead to the movement’s being less politically visible than in the past. Because Anonymous’ level of technical sophistication has stagnated and its tactics are better understood by its potential victims, the group’s level of success will decline. However, we could easily imagine some short-lived spectacular actions due to convergence between hacktivists and antiglobalization supporters, or hacktivists and ecoterrorists.
References:
2013 Threats Predictions, McAfee Labs

Iran capable of deterring cyber attacks: Interior Min. official

A senior Interior Ministry official says Iran is capable of heading off cyber attacks, emphasizing the significance of boosting the nation’s capacity to counter soft threats.

Amir Shojaeian said on Wednesday that “Iran is currently engaged in a practical cyber war.”

“This issue is not simply a potential danger, but a real threat organized and planned by certain governments to harm Iranian organizations,” he added.

The official stated that a new information and communications security management system is currently being installed in Iran to improve the country’s cyber defense capability.

Iran has been the target of several cyber attacks over the past few years.

In June 2012, the New York Times reported that US President Barack Obama had secretly ordered a cyber attack with the Stuxnet computer virus against Iran to sabotage the country’s nuclear energy program.

A report published by the Washington Post also in June said the United States and the Israeli regime had jointly created the computer virus Flame — a Stuxnet-like espionage malware — to spy on Iran.

In response to such attacks, Iran launched a cyber defense headquarters tasked with preventing computer worms from breaking into or stealing data from the country’s maximum security networks, including nuclear facilities, power plants, data centers, and banks.

Android malware spreads through compromised legitimate Web sites

By Dancho Danchev – blog.webroot.com

Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.

More details:

Sample screenshot of the executed Android malware:

The first variation of the campaign attempts to trick Russian-speaking users into installing a fake version of Adobe’s Flash Player, followed by a second campaign using a fake Android browser as a social engineering theme, and a third campaign which is attempting to trick mobile users into thinking that it’s a new version of Google Play.

Sample malicious URLs displayed to Android users:
hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp://browsernew-update.ru/?a=RANDOM_CHARACTERS – 93.170.107.184

The following domains, which are part of the campaign’s infrastructure, also respond to the same IP (93.170.107.184):
flashupdate.org
mobiserver-russia.com
flash-news-systems1.net
bruser-2012.net
erovideo2.net
file-send09.net
tankonoid.net
oneiclick.net
free3porn.net
nashe9porevo.net
filemoozo.net
flashupdates.net
yandexfilyes.net
erovidoos.net
yandexfiloys.net
anindord-market.net
api-md-new.net
girlsexx.net
1jan-unilo55.ru
officemb56.ru
brwsrupdate.ru
android-mk.ru
android-gt.ru

Detection rate for the malicious .apk files:
flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e – detected by 5 out of 46 antivirus scanners as Android.SmsSend.212.origin.
Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 – detected by 5 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Opfake.bo.

Required permissions for flash_player_installer.apk:
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM
android.permission.SYSTEM_ALERT_WINDOW
android.permission.WRITE_SETTINGS
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_WIFI_STATE
android.permission.UPDATE_DEVICE_STATS
android.permission.CHANGE_WIFI_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS
android.permission.DELETE_PACKAGES
android.permission.GET_PACKAGE_SIZE
android.permission.INSTALL_PACKAGES
android.permission.MANAGE_APP_TOKENS
android.permission.PERSISTENT_ACTIVITY
android.permission.GET_ACCOUNTS
android.permission.WAKE_LOCK
android.permission.WAKE_LOCK

Features used once executed:
android.hardware.wifi
android.hardware.telephony
android.hardware.touchscreen
android.hardware.screen.portrait

Upon execution, the Android sample phones back to gaga01.net/rq.php – 93.170.107.57 – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED

Required permissions for Android_installer-1.apk:
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM
android.permission.SYSTEM_ALERT_WINDOW

Features used once executed:
android.hardware.wifi
android.hardware.telephony
android.hardware.touchscreen
android.hardware.screen.portrait

It also connects back to gaga01.net/rq.php – 93.170.107.57 – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED
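The indicators above (the campaign domains and IPs, the two permission lists, and the key=value beacon body sent to rq.php) lend themselves to a small triage script. The following is an added example, my own code rather than anything from the Webroot post or the samples it describes: it scores a manifest permission list against the premium-rate SMS profile these samples show, parses the beacon format, and matches constructed proxy log lines against the published infrastructure. The proxy log layout (timestamp, client, host, destination IP, path) is an assumption made for the example; the domains, IPs, permission lists and beacon string are the ones quoted in the post.

```python
"""Added example (not code from the Webroot post): triage helpers for the
premium-rate SMS Android campaign described above.  IoCs and permission lists
are copied from the post; the proxy log lines are constructed samples."""
import re
from typing import Dict, List, Tuple

# Campaign infrastructure quoted in the post (lure domains, C2 host, hosting IPs).
CAMPAIGN_IPS = {"93.170.107.184", "93.170.107.57"}
CAMPAIGN_DOMAINS = {
    "adobeflashplayer-up.ru", "googleplaynew.ru", "browsernew-update.ru", "gaga01.net",
    "flashupdate.org", "mobiserver-russia.com", "flash-news-systems1.net", "bruser-2012.net",
    "erovideo2.net", "file-send09.net", "tankonoid.net", "oneiclick.net", "free3porn.net",
    "nashe9porevo.net", "filemoozo.net", "flashupdates.net", "yandexfilyes.net",
    "erovidoos.net", "yandexfiloys.net", "anindord-market.net", "api-md-new.net",
    "girlsexx.net", "1jan-unilo55.ru", "officemb56.ru", "brwsrupdate.ru",
    "android-mk.ru", "android-gt.ru",
}

# Full SMS control: send premium-rate messages and read/suppress the carrier's replies.
SMS_CONTROL = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
               "android.permission.READ_SMS"}
# Permissions the platform grants only to system-signed apps; a sideloaded
# "Flash Player" requesting them is a red flag on its own.
SIGNATURE_ONLY = {"android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES",
                  "android.permission.WRITE_SECURE_SETTINGS", "android.permission.MANAGE_APP_TOKENS"}


def score_permissions(perms: List[str]) -> List[str]:
    """Return risk findings for a manifest permission list (duplicate entries are ignored)."""
    have = set(perms)
    findings = []
    if SMS_CONTROL <= have:
        findings.append("sms-control")
    if {"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.SYSTEM_ALERT_WINDOW"} <= have:
        findings.append("boot-persistence+overlay")  # survives reboot and can draw over other apps
    sig = sorted(have & SIGNATURE_ONLY)
    if sig:
        findings.append("signature-only:" + ",".join(sig))
    return findings


def parse_beacon(body: str) -> Dict[str, str]:
    """Parse the 'key=value;key=value' body posted to rq.php into a dict."""
    fields = {}
    for item in body.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def beacon_exfiltrates_sms(fields: Dict[str, str]) -> bool:
    """True when the beacon carries a device identity plus captured SMS slots (sms0, sms1, ...)."""
    has_sms = any(re.fullmatch(r"sms\d+", key) for key in fields)
    return has_sms and "imei" in fields


# Assumed (constructed) proxy log layout: <timestamp> <client> <host> <dest-ip> <path>
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<path>\S+)")


def match_logs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, dest-ip) for each line touching the campaign's domains or IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        host = m["host"].lower()
        if host in CAMPAIGN_DOMAINS or m["dst"] in CAMPAIGN_IPS:
            hits.append((m["src"], host, m["dst"]))
    return hits


# Permission lists exactly as quoted in the post for the two samples.
FLASH_PLAYER_PERMS = """android.permission.ACCESS_NETWORK_STATE android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM android.permission.SYSTEM_ALERT_WINDOW
android.permission.WRITE_SETTINGS android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_WIFI_STATE android.permission.UPDATE_DEVICE_STATS
android.permission.CHANGE_WIFI_STATE android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET android.permission.READ_PHONE_STATE android.permission.READ_SMS
android.permission.SEND_SMS android.permission.RECEIVE_SMS android.permission.READ_CONTACTS
android.permission.DELETE_PACKAGES android.permission.GET_PACKAGE_SIZE
android.permission.INSTALL_PACKAGES android.permission.MANAGE_APP_TOKENS
android.permission.PERSISTENT_ACTIVITY android.permission.GET_ACCOUNTS
android.permission.WAKE_LOCK android.permission.WAKE_LOCK""".split()
ANDROID_INSTALLER_PERMS = """android.permission.ACCESS_NETWORK_STATE android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM android.permission.SYSTEM_ALERT_WINDOW""".split()

# Beacon body as quoted in the post (values already censored there).
BEACON = ("oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;"
          "operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED")

# Constructed sample log lines (not real traffic; 198.51.100.7 is documentation address space).
SAMPLE_LOG = [
    "2013-01-10T09:12:01Z 10.0.0.21 adobeflashplayer-up.ru 93.170.107.184 /?a=x7Qf",
    "2013-01-10T09:12:05Z 10.0.0.21 gaga01.net 93.170.107.57 /rq.php",
    "2013-01-10T09:13:00Z 10.0.0.22 www.example.com 198.51.100.7 /index.html",
]

if __name__ == "__main__":
    print(score_permissions(FLASH_PLAYER_PERMS), score_permissions(ANDROID_INSTALLER_PERMS))
    print(beacon_exfiltrates_sms(parse_beacon(BEACON)), match_logs(SAMPLE_LOG))
```

Run stand-alone, the first sample is flagged for SMS control, boot persistence with overlay, and four signature-only permissions, while the second (the fake Android browser) only trips the persistence and overlay check, which matches its much shorter permission list above. The log matcher keys on both host name and destination IP, so a client that resolves one of the listed domains through a different address, or reaches the hosting IP by a domain not in the list, is still caught by one of the two conditions.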