Evasive Tactics: Terminator RAT

October 24, 2013

FireEye Labs has been tracking a variety of advanced persistent threat (APT) actors that have been slightly changing their tools, techniques, and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack against the New York Times, and Taidoor, a malware family that is being used in ongoing cyber-espionage campaigns particularly against entities in Taiwan. In this post we will explore changes made to Terminator RAT (Remote Access Tool) by examining a recent attack against entities in Taiwan.

We recently analyzed a sample that we suspect was sent via spear-phishing emails to targets in Taiwan. As shown in Figure 1, the adversary sends a malicious Word document, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), that exploits CVE-2012-0158, which subsequently drops a malware installer named “DW20.exe”. This particular malware is interesting because of the following:

  • It evades sandboxes by terminating and deleting itself (DW20.exe) once installation is complete; malicious behavior appears only after a reboot.
  • It defeats single-object sandboxes by splitting roles between collaborating components: the RAT (svchost_.exe) depends on its relay (sss.exe) to reach the command and control server.
  • It hampers forensic investigation by changing the startup folder location.
  • It defeats file-based scanners that apply a maximum file size filter by padding svchost_.exe to 40MB.

The ultimate payload of the attack is Terminator RAT, which is also known as FakeM RAT. This RAT does not appear to be exclusively used by a single APT actor, but is most likely being used in a variety (of possibly otherwise unrelated) campaigns. In the past, this RAT has been used against Tibetan and Uyghur activists, and we are seeing an increasing number of attacks targeting Taiwan as well.

However, these attacks use some evasive tactics that demonstrate the evolution of Terminator RAT. First, the attackers have added a component that relays traffic between the malware and a proxy server. Second, they have modified the 32-byte magic header, which in previous versions made the traffic look like MSN Messenger, Yahoo! Messenger, or HTML code.

These modifications appear to be an attempt to evade network defenses, perhaps in response to defenders’ increasing knowledge of the indicators of compromise associated with this malware. We will discuss the individual components of this attack in more detail.

Figure 1

1.   DW20.exe (MD5: 7B18E1F0CE0CB7EEA990859EF6DB810C)

DW20.exe was found to be the installation executable. It first creates its working folders at “%UserProfile%\Microsoft” and “%AppData%\2019”. The former stores the configuration and executable files (svchost_.exe and sss.exe), and the latter stores the shortcut link files. The “2019” folder is then made the new startup folder by pointing the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup” at its path (see Figure 2).

Figure 2

The executable file “sss.exe” was found to be the decrypted form of the resource named 140 with type “ACCELORATOR” (likely a misspelling of Accelerator – see Figure 3). This resource was decrypted using a customized XTEA algorithm and then appended with an encrypted configuration holding the domains and ports.

Figure 3

After installation, DW20.exe deletes and terminates itself, and the installed components only run after a reboot. This is an effective way to evade automated sandbox analysis, since the malicious activity is only revealed after the reboot.

2.   sss.exe (MD5: 93F51B957DA86BDE1B82934E73B10D9D)

sss.exe is an interesting malware component. Analyzed in isolation, it would not be considered a malicious program. It plays the role of a network relay between the malware and the proxy server by listening on port 8000. To achieve this, it first identifies the proxy servers configured on the system using “WinHttpGetIEProxyConfigForCurrentUser”, and stores the discovered proxy servers and their ports in a file named “PROXY” in the same directory (see Figure 4).

Figure 4

When a new incoming TCP connection arrives on port 8000, it attempts to open a socket connection to the local proxy and, through it, checks connectivity with the CnC server. If the response is 200, it creates a “relay link” between the malware and the CnC server (see Figure 5). The “relay link” consists of two threads: one transfers data from socket 1 to socket 2 (see Figure 6) and the other does the reverse.

Figure 5

Figure 6

As depicted in Figure 7, the user agent is hard coded. This offers a possible way to identify potentially malicious traffic, as Internet Explorer 6 is significantly outdated and “MSIE” is not a valid version token.

Figure 7

The configuration of malicious domains and ports is located in the last 188 bytes of the executable file (see Figure 8). The first 16 bytes are the key (boxed in red) used to decrypt the remaining content with the modified XTEA algorithm (see Figure 9). The two malicious domains found were “liumingzhen.zapto.org” and “liumingzhen.myftp.org”.

Figure 8

Figure 9
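As an added example (not FireEye's tooling or the sample's own routine), the following Python pulls the trailing 188-byte configuration out of a file, uses its first 16 bytes as the key, decrypts the rest and lists the C2 domains. It assumes standard 32-round XTEA with little-endian words, NUL-terminated domain strings, and that the 4 bytes left over after whole 8-byte blocks pass through unchanged; the real relay uses a modified XTEA the post does not detail, so the round function would need adjusting from disassembly.

```python
"""Recover C2 domains from a Terminator RAT-style trailing config blob.

Added example, not FireEye's tooling. ASSUMPTIONS not stated in the post:
standard 32-round XTEA (sss.exe uses a modified variant), little-endian
32-bit words, NUL-terminated domain strings in the decrypted body, and the
4 bytes that do not fill a whole 8-byte block are left untouched.
"""
import re
import struct

CONFIG_LEN = 188        # config lives in the last 188 bytes of the file
KEY_LEN = 16            # first 16 bytes of the config are the XTEA key
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32


def _mix(v, s, k):
    """XTEA round function on one 32-bit word, with sum s and subkey k."""
    return ((((v << 4) & MASK) ^ (v >> 5)) + v) ^ ((s + k) & MASK)


def xtea_encrypt_block(v0, v1, key):
    """Standard XTEA encryption of one 64-bit block given as two words."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + _mix(v1, s, key[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _mix(v0, s, key[(s >> 11) & 3])) & MASK
    return v0, v1


def xtea_decrypt_block(v0, v1, key):
    """Standard XTEA decryption: the encrypt rounds undone in reverse order."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - _mix(v0, s, key[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _mix(v1, s, key[s & 3])) & MASK
    return v0, v1


def xtea_ecb(data, key, decrypt):
    """ECB over whole 8-byte blocks; a trailing partial block passes through."""
    k = struct.unpack("<4I", key)
    block_fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    full = len(data) - len(data) % 8
    out = bytearray()
    for off in range(0, full, 8):
        v0, v1 = struct.unpack("<2I", data[off:off + 8])
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    out += data[full:]
    return bytes(out)


def extract_config(exe_bytes):
    """Take the trailer, split key from ciphertext, return the decrypted body."""
    if len(exe_bytes) < CONFIG_LEN:
        raise ValueError("file is shorter than the expected 188-byte trailer")
    trailer = exe_bytes[-CONFIG_LEN:]
    return xtea_ecb(trailer[KEY_LEN:], trailer[:KEY_LEN], decrypt=True)


DOMAIN_RE = re.compile(rb"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")


def c2_domains(plain_body):
    """Pull domain-looking strings (assumed NUL-terminated) out of the body."""
    return [m.decode("ascii") for m in DOMAIN_RE.findall(plain_body)]


def build_sample_trailer(key, domains):
    """Constructed fixture (not a real sample): NUL-terminated domains padded
    to 172 bytes, encrypted, and prefixed with the 16-byte key."""
    body = b"".join(d.encode("ascii") + b"\x00" for d in domains)
    body = body.ljust(CONFIG_LEN - KEY_LEN, b"\x00")
    return key + xtea_ecb(body, key, decrypt=False)


if __name__ == "__main__":
    sample_key = bytes(range(16))                 # constructed key
    fake_exe = b"MZ" + b"\x90" * 512 + build_sample_trailer(
        sample_key, ["liumingzhen.zapto.org", "liumingzhen.myftp.org"])
    print(c2_domains(extract_config(fake_exe)))
```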

3.   Network Traffic

The Terminator sample we analyzed, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), was not configured with the fake HTML, Yahoo Messenger, or Windows Messenger traffic header seen in past variants. However, the content is encrypted in exactly the same way as in previous versions of Terminator RAT.

Figure 10

The decrypted content reveals that the malware is sending back the user name, the computer name and a campaign mark of “zjz1020”.

Figure 11

This particular sample is configured to one of two command and control servers:

  • liumingzhen.zapto.org /
  • liumingzhen.myftp.org /

We have located another malicious document that has a Taiwan-related decoy document that drops this same version of Terminator RAT.

Figure 12

The sample we analyzed (md5: 50d5e73ff8a0693ed2ee2d320af3b304) exploits CVE-2012-0158 and has the following command and control server:

  • catlovers.25u.com  /

The command and control servers for both samples resolved to IP addresses in the same class C network.

4.   Campaign Connections

In June 2013, we investigated an attack against entities in Taiwan that used spear-phishing emails to deliver a malicious attachment.

Figure 13

The malicious attachment “標案資料.doc” (md5: bfc96694731f3cf39bcad6e0716c5746) exploited a vulnerability in Microsoft Office (CVE-2012-0158); however, the payload in this case was a different malware family known as WinData. The malware connected to the same command and control server, liumingzhen.zapto.org, but the callback is quite different:

XYZ /WinData.DLL?HELO-STX-1*1[IP Address]*[Computer Name]*0605[MAC:[Mac Address]]$

In a separate case where liumingzhen.zapto.org has been used as the command and control server, the payload was neither WinData nor Terminator RAT, but another type of malware known as Protux. The sample we analyzed in August 2012 for this case was “幹!.doc” (md5: 01da7213940a74c292d09ebe17f1bd01).

This particular threat actor has access to a variety of malware families and has been using them to target entities in Taiwan for more than a year.


Terminator RAT is an example of how malware is becoming more sophisticated and harder to detect. Continual research is needed to understand the various techniques, tactics, and procedures used by adversaries. Detecting exploitation and identifying anomalous callbacks are becoming critical to preventing malware from installing on a system or phoning back to its command and control servers.



October 2013 – rsa-fraud-report-102013

October marks the launch of National Cyber Security Awareness Month in the United States, a time for the public and private sectors to come together to promote online awareness about how to stay safe online. Last year, RSA launched the Online Identity Risk Calculator in conjunction with the National Cyber Security Alliance (NCSA) to provide an interactive tool for consumers to see how the activities they perform online could put them at risk for identity theft and other cyber threats.

In the last year, we have received over 14,500 responses from consumers in more than 170 countries. Following are some of the highlights:

  • 67% of consumers access their online banking account at least once a week
  • 83% of consumers make a purchase online once a month or more often
  • 95% of consumers access one email account on a regular basis
    • 40% access three or more email accounts on a regular basis
  • 77% of consumers access social networking sites on a regular basis
  • 74% of consumers have downloaded apps to a mobile device within the last year
  • 37% of consumers visit online gaming sites once a month or more often
  • 35% of consumers have been infected with a Trojan in the last year

So why are these statistics so important? Well, take for example that 3 out of every 10 phishing emails are targeted at social networking sites. When you consider that more than three out of every four consumers use a social networking site on a regular basis, it makes the net that phishers are able to cast much wider.


Coordinated Attacks Against the U.S. Government and Banking Infrastructure


May 1, 2013 at 12:11 pm PST


On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which was a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.


If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens.

Likely Avenues of Attack

Using previous attacks as indicators, there are three major categories in which likely attacks can be placed.

Vulnerable Software Exploitation
Some of the lowest-hanging fruit for attackers are systems that aren’t patched against current, well-known, or even old vulnerabilities. Always make sure your software and firmware are upgraded to the most recent vendor-recommended releases, and make doubly sure your edge devices are patched. For Cisco software and hardware, you can always check our PSIRT page for the latest information on Cisco security advisories and our Applied Mitigation Bulletin page for up-to-date information on techniques that use Cisco product abilities to detect and mitigate exploits.

Bandwidth Saturation
Against such common distributed denial of service (DDoS) attack tools as LOIC and HOIC, there are a few suitable mitigations, including the following:

Moreover, the reader should note that some mitigations might only be able to drop attack traffic after it has saturated the victim’s link to the Internet. For example, we can block traffic at the Internet edge of the network of the web resource under attack. Even when that is achieved, the mitigation has not succeeded in protecting the infrastructure or resource under attack, since the Internet edge link is already saturated. In these situations, traffic must be blocked with the upstream Internet service provider (ISP). With this in mind, the mitigations below will prevent any internally compromised devices from triggering an attack, and the mitigations should be deployed close to the edge of these devices.

  • Unicast Reverse Path Forwarding (uRPF)
  • Reputation-based blocking (of compromised servers)
  • Access control list (ACL) filtering from the upstream provider

The mitigations themselves will be discussed in more detail below.

DNS amplification attacks, also known as DNS reflection attacks, leverage DNS ANY queries and Internet-based open DNS resolvers to amplify denial of service (DoS) traffic and overwhelm targets. Additionally, make sure your DNS infrastructure adheres to industry best practice and that your DNS servers do not function as open resolvers.

DNS amplification attacks should be expected in the event the operation takes place. Cisco has the following additional recommendations:

Resource Starvation
In contrast to the bandwidth consumption denial of service attacks, attackers can also starve off resources using so-called “low and slow” techniques. Tools in the Slowloris family, in addition to tools like R.U.D.Y., work by exhausting web server resources. The tools typically open a large number of connections to the target and slowly trickle small amounts of traffic using never-ending streams of data. Note that these attacks have been shown to use HTTPS as well as HTTP and in some cases odd port and protocol combinations such as UDP port 80.

Mitigating these attacks against affected web servers can prove challenging, but some of the methods to use include:

  • Increasing the maximum number of clients the web server will allow (you would want to ensure the web server can handle this increased load)
  • Reducing the number of concurrent connections a single IP address can have (this can cause problems for customers behind Network Address Translation [NAT] or proxied connections)
  • Imposing restrictions on the minimum transfer speed a connection is allowed to have (this can cause problems for customers on unreliable or very remote networks)
  • Reducing the amount of a time a client can stay connected (this too can cause problems for customers transferring large files or working in long interactive sessions)

Some of these mitigations can be enforced using network devices (firewalls) and will be discussed in more detail below. The best defense will probably be a blended approach that combines several of the above methods. Finally, we would even recommend moving affected web servers to software that is unaffected by this form of attack. It is worth noting that while the above mitigations can help, volumetric attacks can overwhelm any of the stateful devices used for mitigation.

Other network devices that can help in mitigating these types of attacks are:

  • Intrusion prevention systems
  • Web Application Firewalls ensuring web application conformance

Network Identification and Mitigation Technologies

The following technologies are extremely helpful in many different forms of attack detection and mitigation.

NetFlow is a protocol for collecting IP-based telemetry information about traffic flowing through a network. NetFlow offers a treasure trove of security-related information about who is doing what on the network and can be one of the early warning indicators of network misuse.
A few resources are below:

Source-Based Remotely Triggered Black Hole Routing
Remotely triggered black hole (RTBH) routing is a BGP-based DDoS mitigation technique for service providers and large enterprises. It works by injecting a NULL BGP route into the network, forcing all BGP routers to drop malicious traffic based on destination. This technique is effective at filtering attack traffic to Internet hosts, but it is also considered quite heavy handed. In some cases it is better to block only certain source IP ranges (blocking based on source address) rather than blocking all traffic intended for a single target (blocking based on destination address). Combining uRPF with RTBH routing (known as Source-Based RTBH routing or S/RTBH routing) allows the network to null route based on source address, which blocks only the attacking source addresses. For more information, you can read our white paper and some additional resources can be found here:

Global Resources
For organizations that can leverage global data centers, geographical resource distribution can be an important DDoS protection. This can be achieved using global server load balancing (GSLB) or anycast. Anycast is a network addressing and routing methodology that improves speed and resilience. Using anycast, a single server is replicated in several physically disparate locations, all with the same IP address. Using GSLB or anycast, when a client wants to connect to the server, it is routed to the topologically closest node out of the group. Thus, by leveraging an HTTP/HTTPS termination point in each location, users throughout the globe will always reach the resource closest to them, as shown in the figure below.


While complicated to set up, anycast presents would-be DDoS attackers with a much larger target to overwhelm. If one server is taken offline, users in other parts of the world will not be affected, and mitigation can be deployed at the location that is attacked. Additionally, it would require many more resources for the attackers to take down all the locations. Of course, the requirement for this scheme to work is a global infrastructure that can distribute the load.

In March 2013, anti-spam juggernaut Spamhaus came under a massive 75Gb/s DDoS attack. To mitigate the attack, they turned to Cloudflare and its massive anycast network.

Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) is a security feature enabled on the router that helps to limit the propagation of spoofed IP addresses. Please refer to a comprehensive white paper on what uRPF is and how to configure it on a Cisco router, and a paper on using uRPF to deter DoS attacks.

Tightening Connection Limits and Timeouts
For those of you with Cisco Adaptive Security Appliance (ASA) deployments, you can tighten connection limits and timeouts, which will reduce your susceptibility to some of the attacks mentioned above. For example, if the normal traffic to a web server is a quick connection of a few seconds, we may want to drop connections that are open for more than 5 minutes. Cisco provides a document explaining Cisco ASA connection limits and timeouts, such as how to set maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, connection timeouts, and dead connection detection. When enabling embryonic connection limits, the Cisco ASA leverages its TCP intercept feature in order to enforce TCP SYN cookies that are used to mitigate the threat of TCP SYN flood attacks. TCP SYN cookies practically complete the TCP handshake before allowing the connection to the server, which ensures that spoofed traffic cannot waste TCP connections to the server. Resources are available for learning about SYN flood attacks and several mitigations. Readers should note that before changing connection limits, you must have a good understanding of the normal traffic profiles and baselines to ensure you do not inadvertently cause issues.

Reputation-Based Blocking
All Internet traffic must originate from an IP address. A plethora of organizations use various criteria and methods to rank, rate, and score IP addresses with respect to how “notorious” they are. More specifically, if a given IP address is known to be that of a spammer, distributing malware or a part of a botnet army, it can be flagged in one of the ill repute databases, often with a numeric score contextual to the rating system. For example, Cisco Email and Web Security and ASA Botnet Traffic Filter use an integral system from -10 for the worst offenders to +10 for the most angelic. Integrating with one of many IP reputation products or services available can help to reduce the malicious traffic generated by compromised servers.

Web Application Firewalls
A Web Application Firewall (WAF) is a device that provides firewall-like functionality to web-based applications. For organizations with substantial web-based applications, WAFs are recommended as a front-line defense against attackers. There is a thorough best practices document on WAF deployment.

Intrusion Prevention Systems
Intrusion prevention systems (IPS) are appliances that monitor the network for malicious activity. When malicious activity is detected, the IPS can alert or block the traffic and prevent it from entering your network.

Access Control Lists
Access control lists (ACLs) are used by network devices to restrict network traffic flows. Most of the time, ACLs are focused on filtering ingress traffic at network edge devices, specifically traffic that is considered provocative or malicious. A common but effective ACL methodology is to adopt a doctrine of least privilege where only what is absolutely necessary is allowed in. Cisco offers a detailed paper on how to configure ACLs on Cisco IOS Software. Note that using ACLs to block DDoS traffic can be challenging due to the dynamic nature of the attack and the management overhead it would introduce. Additionally, you can read up on transit ACLs and infrastructure ACLs.


Distributed denial of service attacks are a moving target. We may be familiar with many of the tools and how they look on a network, but until the actual attack we don’t know all of its characteristics. Now is a good time to re-evaluate your defenses and determine where they can be improved. When preparing for possible attacks it is best to cover as many possible attack vectors as possible. Yes, this means simple things like patching, monitoring NetFlow, working with Internet service providers, and having a strong incident response and contingency plan.

VSkimmer Botnet Targets Credit Card Payment Terminals

March 2013 at 11:20am

While monitoring a Russian underground forum recently, we came across a discussion about a Trojan for sale that can steal credit card information from machines running Windows for financial transactions and credit card payments. The malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server. The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, but with additional functions.




We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques including intercepting the victims’ banking transactions. VSkimmer is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.

Our Automated Botnet Replication Framework first saw this Trojan on January 18. We’ve analyzed samples of this malware and figured out how it steals the credit card information and its additional control functionalities. While performing the API tracing, we found it uses fairly standard antidebugging techniques:


The malware collects the following information from the infected machine and sends it to the control server:

  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version



This malware uses a standard installation mechanism: it copies itself as svchost.exe into %APPDATA%, modifies the registry key to add itself to the authorized list of apps, and runs ShellExecute to launch the process. If the Internet is not available, vSkimmer waits for a USB device with the volume name KARTOXA007 to be connected to the infected machine and copies all the logs, with the file name dumz.log, and the card info collected from the victim to the USB drive.


I checked by disconnecting from the Internet: The malware enumerated all the drives and created the file dumz.log in the drive with the preceding name.


Extracting credit card information

VSkimmer maintains a whitelist of processes, which it skips while enumerating the running processes on the infected machine.


Once vSkimmer finds a running process that is not on the whitelist, it calls OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes its pattern-matching routine to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??” and extract the card info read by the payment devices. This is repeated for every process running on the infected machine that is not on the whitelist.


VSkimmer control

Before communicating with the control server, the malware B64-encodes all the machine information collected and appends it to the URI. The encoded string follows this format:

  • machine guid|build_id|bot_version|Windows_version|Host_name|User_Name
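The check-in format just described can be turned into a proxy-log detection. The Python below is an added example, not McAfee's code: it assumes the base64 blob forms the trailing part of the request path, that the machine GUID uses the usual {8-4-4-4-12} hex form, and tolerates base64 that arrives unpadded or URL-safe; the log lines are constructed for the demonstration.

```python
"""Flag vSkimmer-style check-ins in web proxy logs.

Added example, not McAfee's code. ASSUMPTIONS not stated in the post: the
base64 blob is appended as the trailing part of the URI path, the machine
GUID is in the usual {8-4-4-4-12} hex form, and base64 may arrive without
padding or in URL-safe form; the log format itself is constructed here.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

FIELDS = ("machine_guid", "build_id", "bot_version",
          "windows_version", "host_name", "user_name")
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")


def b64_decode_lenient(token):
    """Decode standard or URL-safe base64, restoring any stripped padding."""
    token = unquote(token)
    if not B64_RE.match(token):
        return None
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_beacon(uri):
    """Return the six decoded fields if the URI carries a vSkimmer-style
    check-in, else None. Trailing path segments are re-joined because the
    base64 alphabet itself contains '/'."""
    segments = urlsplit(uri).path.split("/")
    for i in range(len(segments)):
        raw = b64_decode_lenient("/".join(segments[i:]))
        if raw is None:
            continue
        try:
            parts = raw.decode("ascii").split("|")
        except UnicodeDecodeError:
            continue
        if len(parts) == len(FIELDS) and GUID_RE.match(parts[0]):
            return dict(zip(FIELDS, parts))
    return None


def scan_proxy_log(lines):
    """Return (source_ip, beacon_fields) for each log line carrying a beacon."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            beacon = parse_beacon(m.group("uri"))
            if beacon:
                hits.append((m.group("src"), beacon))
    return hits


# Constructed sample log (not real traffic): one beacon among benign requests.
SAMPLE_INFO = b"{6F9619FF-8B86-D011-B42D-00C04FC964FF}|1|0.3|6.1|POS-LANE3|cashier"
SAMPLE_LOG = [
    "2013-01-18T10:00:01Z 10.0.5.17 GET http://example.com/index.html 200",
    "2013-01-18T10:00:02Z 10.0.5.23 GET http://c2.example.invalid/gate.php/"
    + base64.b64encode(SAMPLE_INFO).decode("ascii") + " 200",
    "2013-01-18T10:00:03Z 10.0.5.17 GET http://example.com/img/aGVsbG8gd29ybGQ= 200",
]

if __name__ == "__main__":
    for src, fields in scan_proxy_log(SAMPLE_LOG):
        print(src, fields["host_name"], fields["user_name"])
```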



Next, vSkimmer creates the HTTP request and connects to the control server:



While this malware ran, we saw the following response. Note that the commands are within the <cmd> </cmd> tag.


Once vSkimmer receives a response from the server, it executes the following routine to parse the command:




Because the response from the server during execution was <cmd>null</cmd>, the malware extracts the 3-byte command and tries to match it with the other commands implemented by vSkimmer. First it checks if the command from the server is “dlx.”


If not, then vSkimmer checks for the “upd” command. These commands implement the HTTP download and execute (“dlx”) and update of the bot (“upd”), respectively.

As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the magnetic stripe of credit cards. This track stores all the card information, including the card number. (You can read more about the Track 2 data format on Wikipedia.) The chief fields are:

  • Primary Account Number: the number printed on the front of the card
  • Expiration Date
  • Service Code: the three-digit number


VSkimmer bot control panel

Here’s a look at the control panel of the command server:






2013 Threats Predictions by McAfee Labs

McAfee Labs collected an immense amount of data on malware, vulnerabilities, and threats to endpoints, networks, email, and the web in 2012. Using our Global Threat Intelligence, we analyzed this data to block these intrusions and reduce the danger to our customers. Next year we anticipate more of the same: Cybercriminals and hacktivists will strengthen and evolve the techniques and tools they use to assault our privacy, bank accounts, mobile devices, businesses, organizations, and homes.
Mobile Threats
  • Malware shopping spree
Once criminals discover a profit-making technique that works, they’re likely to reuse and automate it. For example, Android/Marketpay.A is a Trojan horse program that buys apps from an app store without user permission. We’re likely to see crooks take this malware’s app-buying payload and add it to a mobile worm.
Buying apps developed by malware authors puts money in their pockets. A mobile worm that uses exploits to propagate over numerous vulnerable phones is the perfect platform for malware that buys such apps; attackers will no longer need victims to install a piece of malware. If user interaction isn’t needed, there will be nothing to prevent a mobile worm from going on a shopping spree.
  • Block that update!
One of the advantages that a mobile service provider (as opposed to Microsoft, for example) has in fighting malware is that once the cell company recognizes malware it can automatically push an update to customers to clean their devices. This works on phones that have not been rooted (or unlocked) by their owners. For mobile malware to stick around for a long time, it will have to prevent updates. Putting an app on a store that does nothing more than download external malware which locks the phone from communicating with the cell provider will achieve this.
  • Kits lead to an explosion in malware for OS X and mobile
Given the popularity of mobile computing, we should perhaps be surprised that cybercriminals have taken so long to extensively exploit this field. In 2012, however, we’ve seen the number of mobile threats go up dramatically. As we look at them in more detail, we see that the large amount of Windows-based malware owes its existence to the easy availability of malware kits in the underground market. In 2013, there is a good chance ransomware kits will take the lead from malware kits. We have already seen Android and OS X as targets of ransomware. Now the first ransomware kits are being marketed in the underground. For the moment the kits attack only Windows systems, but this may change soon.
  • Ransomware continues to expand to mobile devices
Ransomware on Windows PCs has more than tripled during the past year. Attackers have proven that this “business model” works and are scaling up their attacks to increase profits. One way ransomware is different from other types of malware—such as backdoors, keyloggers, and password stealers—is that attackers do not rely on their victims using the infected systems for financial transactions to separate them from their money. Instead these criminals hijack the users’ ability to access data, communicate, or use the system at all. The victims are faced with either losing their data or paying a ransom in the hope of regaining access.
One limitation for many malware authors seeking profit from mobile devices is that more users transact business on desktop PCs rather than on tablets or phones. But this trend may not last; the convenience of portable browsers will likely lead more people to do their business on the go. Attackers have already developed ransomware for mobile devices. What if the ransom demand included threats to distribute recorded calls and pictures taken with the phone?
We anticipate considerably more activity in this area during 2013.
  • Rootkits diversify, using MBR and other bootkit techniques
The evolution of computer security software and other defenses on client endpoints is driving threats into different areas of the operating system stack, especially for covert and persistent attackers. The frequency of threats attacking Microsoft Windows below the kernel is increasing. Some of the critical assets targeted include the BIOS, master boot record (MBR), volume boot record (VBR), GUID Partition Table (GPT), and NTLoader. Although the volume of these threats is unlikely to approach that of simpler attacks on Windows and applications, the impact of these complex attacks can be far more devastating. We expect to see more threats in this area during 2013.
  • Windows 8 the next big target
Criminals go where the money is. And if this means they have to cope with a new, more secure version of Windows, that’s just what they will do. In many cases they attack the user and not the OS. Via phishing and other techniques users are tricked into revealing information or installing a malicious program. So if you upgrade, don’t rely solely on Windows to protect your system: Remain vigilant and watch out for phishing scams.
Windows 8 should provide improved security against malware and exploits compared with earlier versions of Windows, at least for a while. Now that the underground market for attack and malware kits is much more competitive than three years ago, it is likely that Windows 8–specific malware will be available more quickly than Windows 7–specific malware appeared. Systems running the new Unified Extensible Firmware Interface are still vulnerable to MBR-based rootkits, just as previous OS versions were, according to one research company. On the day of Windows 8’s release, the firm announced for sale to its customers the availability of a zero-day vulnerability that circumvents all new security enhancements in Windows 8 and Internet Explorer 10.
In spite of any flaws, Windows 8 is a more secure OS, so upgrading is worth considering. Millions still run Windows XP, which only in fall 2012 was finally eclipsed in the number of its users by newer versions of Windows.
Big-Scale Attacks
Destructive payloads in malware have become rare because attackers prefer to take control of their victims’ computers for financial gain or to steal intellectual property. Recently, however, we have seen several attacks—some apparently targeted, others implemented as worms—in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013.
Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks. As with distributed denial of service (DDoS) attacks, the technical bar for the hackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, then the result can be devastating.
Citadel Trojan Zeros In
Citadel is likely to become the Trojan of choice among cybercriminals who want the rich functionality of Zeus along with dedicated support. With the recent release of Citadel Rain, the Trojan can now dynamically retrieve configuration files, enabling a fraudster to send a targeted payload to a single victim or a selection of victims. This allows thieves to compromise accounts on a one-off basis depending on their criteria and wage attacks in a very targeted manner. Detection will become much harder because the footprint is minimal on the endpoint until the attack occurs. Typically Zeus attacks have been relatively widespread. We will likely see that change in 2013 as more cybercriminals adopt Citadel Rain and its future variants and focus on narrowly targeted attacks seeking the greatest possible gain.
Most Citadel infections are concentrated in just a few populations in Europe, but we expect that number to increase in 2013. The following map shows Germany is the prime location, with more than 200 infections to date.
HTML5 is the next version of the standard language of Internet browsers. It provides language improvements, capabilities to remove the need for plug-ins, new layout rendering options, and new powerful APIs that support local data storage, device access, 2D/3D rendering, web-socket communication, and many other features. Today 74 percent of users in North America, 72 percent in Asia, and 83 percent in Europe use browsers that support the majority of HTML5 features. Websites are quickly adopting HTML5 for its richer user experience. HTML5 continues the move to the browser, and away from the operating systems, as the platform to run applications. HTML5-based applications are increasing in number, with major players taking advantage of freedom from app stores and improved cross-browser and cross-device compatibility.
Browsers have long been one of the primary vectors for security threats, and HTML5 won’t change that. With HTML5 the threats landscape will shift and broaden. We will see a reduction in exploits focused on plug-ins as browsers provide this functionally via their new media capabilities and APIs. However, HTML5 will offer other opportunities for attackers because the additional functionality will create a larger attack surface. Powerful JavaScript APIs that allow device access will expose the browser as websites gain direct access to hardware.
Botnets and Spam
  • Botnets call home
The biggest threat to botmasters is the unrecoverable loss of their botnets. International cooperation in policing spam, malware, child exploitation, and illegal pills has made that loss a reality for many major botnets over the past few years, and will continue to threaten the proliferation of botnets. When the largest botnets get taken down, then the next largest botnets become the new targets. Botmasters have already reacted to this activity by subdividing botnets and increasing the costs associated with activities that are easily detectable (such as DDoS and spam). It is only a matter of time before botmasters implement fail-safes to reestablish command of a botnet that has lost all of the control servers it usually reports to.
In many cases botnets are temporarily hijacked by whitehat security researchers. Due to possible negative side effects, however, these takeovers do not lead to new commands reaching the infected hosts. There is a massive liability issue associated with the unauthorized remote operation of systems, even with the best of intentions. Pushing new commands to an old Windows machine serving a hospital could turn the PC into a brick and lead to incorrect care or even the death of a patient. Botmasters will take advantage of this reluctance by the good guys to meddle by hardwiring their botnets to reestablish control after a takedown.
  • SMS spam from infected phones
Cell phone providers are working to prevent SMS spam. Their primary method of receiving reports from consumers is for the latter to forward messages to SPAM (7726) on their phones and report the messages so that they can be blocked. An infected phone can also send spammy text messages; then the victims face the problem of having their accounts closed by the providers. We expect to see pill advertising or phishing lures delivered by SMS in 2013.
  • Hacking as a Service
For a long time, cybercriminals have attended public forums to discuss and make business deals with other criminals. In these meetings, they not only offer software for sale but also services. Highly professional cybercrooks, however, see these forums as a waste of time (they are full of “newbies”), a loss of confidentiality (each deal needs direct contact with the client, who could be an undercover agent), and a loss of money (as the purchaser attempts to negotiate a lower price). For these reasons, the number of invitation-only criminal forums requiring registration fees and/or guarantors (vouchers) has increased.
This trend will continue, but to improve anonymity without discouraging buyers, online sales sites modeled on legal trade activities will grow in 2013. On these sites, buyers can make their choices at the click of a mouse, use an anonymous online payment method (such as Liberty Reserve), and receive their purchases without any negotiations or direct contact with the seller.
More secure and anonymous, these offers will be easier to find on the Internet. They will also be more diversified. We have already started to see high-level audit services and offers for project development for cybercriminals.
The number of suspicious outfits claiming to sell zero-day attacks or the sale of spying services reserved for the sole use of governments or secret services will grow. It will be difficult to separate the wheat from the chaff, or to ascertain real activities and real customers.
  • The decline of Anonymous
Sympathizers of Anonymous are suffering. Too many uncoordinated and unclear operations have been detrimental to its reputation. Added to this, the disinformation, false claims, and pure hacking actions will lead to the movement’s being less politically visible than in the past. Because Anonymous’ level of technical sophistication has stagnated and its tactics are better understood by its potential victims, the group’s level of success will decline. However, we could easily imagine some short-lived spectacular actions due to convergence between hacktivists and antiglobalization supporters, or hacktivists and ecoterrorists.
2013 Threats Predictions, McAfee Labs

Iran capable of deterring cyber attacks: Interior Min. official

A senior Interior Ministry official says Iran is capable of heading off cyber attacks, emphasizing the significance of boosting the nation’s capacity to counter soft threats.

Amir Shojaeian said on Wednesday that “Iran is currently engaged in a practical cyber war.”

“This issue is not simply a potential danger, but a real threat organized and planned by certain governments to harm Iranian organizations,” he added.

The official stated that a new information and communications security management system is currently being installed in Iran to improve the country’s cyber defense capability.

Iran has been the target of several cyber attacks over the past few years.

In June 2012, the New York Times reported that US President Barack Obama had secretly ordered a cyber attack with the Stuxnet computer virus against Iran to sabotage the country’s nuclear energy program.

A report published by the Washington Post also in June said the United States and the Israeli regime had jointly created the computer virus Flame — a Stuxnet-like espionage malware — to spy on Iran.

In response to such attacks, Iran launched a cyber defense headquarters tasked with preventing computer worms from breaking into or stealing data from the country’s maximum security networks, including nuclear facilities, power plants, data centers, and banks.

Android malware spreads through compromised legitimate Web sites

By Dancho Danchev – blog.webroot.com

Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.

More details:


Sample screenshot of the executed Android malware:


The first variation of the campaign attempts to trick Russian-speaking users into installing a fake version of Adobe’s Flash Player, followed by a second campaign using a fake Android browser as a social engineering theme, and a third campaign which is attempting to trick mobile users into thinking that it’s a new version of Google Play.

Sample malicious URLs displayed to Android users:
hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS –
hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS –
hxxp://browsernew-update.ru/?a=RANDOM_CHARACTERS –

Responding to the same IP ( ) are also the following domains, which are part of the campaign’s infrastructure:

Detection rate for the malicious .apk files:
flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e – detected by 5 out of 46 antivirus scanners as Android.SmsSend.212.origin.
Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 – detected by 5 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Opfake.bo.

Required permissions for flash_player_installer.apk:

Used the following features once executed:

Upon execution, the Android sample phones back to gaga01.net/rq.php – – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED

Required permissions for Android_installer-1.apk:

Used the following features once executed:

It also connects back to gaga01.net/rq.php – – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED
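The beacon both samples send is a simple key=value;key=value body, which makes it easy to match in proxy logs. As an added example (not code from the Webroot post), the block below parses that format and flags POSTs carrying the IMEI/IMSI plus SMS fields regardless of destination host, so a renamed C2 domain is still caught; gaga01.net/rq.php is the path named on the page, while the log lines, client IPs, the second host and all field values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

KNOWN_C2 = {("gaga01.net", "/rq.php")}   # host and path named in the post
DEVICE_ID_KEYS = {"imei", "imsi"}
SMS_KEY = re.compile(r"^sms\d+$")

# Constructed proxy log: timestamp, client, method, URL, POST body (tab-separated).
SAMPLE_LOG = [
    "2013-01-17T10:15:02Z\t10.0.0.23\tPOST\thttp://gaga01.net/rq.php\t"
    "oard=unknown;brand=generic;device=generic;imei=000000000000000;imsi=000000000000000;"
    "session_id=1;operator=XXX;sms0=AAAA;sms1=BBBB;sms2=CCCC;time=0;timezone=0",
    "2013-01-17T10:15:09Z\t10.0.0.23\tGET\thttp://www.example.com/watches?q=omega\t",
    "2013-01-17T10:16:41Z\t10.0.0.41\tPOST\thttp://c2-placeholder.invalid/rq.php\t"
    "board=unknown;brand=generic;device=generic;imei=111111111111111;imsi=111111111111111;"
    "session_id=1;operator=XXX;sms0=DDDD;time=0;timezone=0",
    "2013-01-17T10:17:00Z\t10.0.0.50\tPOST\thttp://shop.example.org/cart\tsku=123;qty=2",
]


def parse_beacon(body):
    """Split 'k=v;k=v' into a dict. Keeps the truncated leading key ('oard')
    exactly as captured above and ignores fragments that carry no '='."""
    fields = {}
    for pair in body.split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def beacon_reasons(fields):
    """List the traits that make a parsed body look like the SMS-stealer exfil."""
    reasons = []
    if DEVICE_ID_KEYS <= fields.keys():
        reasons.append("imei+imsi")
    sms = [k for k in fields if SMS_KEY.match(k)]
    if sms:
        reasons.append("%d sms field(s)" % len(sms))
    if "session_id" in fields and "operator" in fields:
        reasons.append("session_id+operator")
    return reasons


def detect(log_lines):
    """One alert per POST whose body carries device identifiers AND SMS
    content; the host is reported but not required, so new C2 domains match."""
    alerts = []
    for line in log_lines:
        ts, client, method, url, body = line.split("\t", 4)
        if method != "POST" or not body:
            continue
        reasons = beacon_reasons(parse_beacon(body))
        has_sms = any(r.endswith("sms field(s)") for r in reasons)
        if "imei+imsi" not in reasons or not has_sms:
            continue          # ordinary k=v form posts are not flagged
        parts = urlsplit(url)
        alerts.append({
            "time": ts, "client": client,
            "host": parts.hostname, "path": parts.path,
            "known_c2": (parts.hostname, parts.path) in KNOWN_C2,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```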

Email hacking for hire going mainstream

By Dancho Danchev – blog.webroot.com

Just as we anticipated on two occasions in 2012, managed email hacking for hire services continue popping up at publicly accessible cybercrime-friendly communities, a trend that’s largely driven by the demand for such services by unethical competition, “friends”, or current/ex-spouses.

Often pitched as “forgotten password recovery” services, they rely on social engineering, brute-forcing, and spear phishing campaigns, often leading to a successful compromise of a targeted account. Based on the number of positive vouches, the services continue receiving a steady stream of satisfied and verified customers.

In this post, I’ll profile one of the most recently advertised email hacking for hire services, specializing in hacking GMail and Yahoo! accounts, as well as email accounts using popular free Russian email service providers. How much does it cost to hack a Gmail or Yahoo! account? What about corporate email?

Let’s find out.

Sample screenshot of the email hacking for hire service:


The service also features a catchy video that pitches its core features to prospective buyers. What about the prices?

Sample pricing scheme of the email hacking for hire service, offering discounts if customers refer it to friends:


The prices are as follows:

  • Mail.ru, Bk.ru, Inbox.ru, List.ru – 3000 rubles ($100)
  • Yandex, Rambler – 4000 rubles ($150)
  • Gmail, Googlemail – 7000 rubles ($230)
  • Yahoo! Mail – 10,000 rubles ($350)

The main problem with these services is that they often produce the promised results thanks to the victim-tailored spear phishing attempt. In comparison, it would be cost-ineffective for them to outsource the CAPTCHA-solving process when brute-forcing for popular passwords, a practice we believe is a thing of the past.

Today’s QA (Quality Assurance) minded cybercriminals tend to do their best to automatically and efficiently personalize their campaigns in an attempt to increase the probability of a successful malware infection/phishing lead. And while they sometimes manage to prepare a convincing email referencing you by username, perhaps even your full name — which they often obtain through harvesting for contacts on the PC of an infected friend of yours — this is where it all ends, at least for massive spamvertised campaigns.

This leads us to a situation where your “friends”, unethical competitors, or a suspicious/paranoid current/ex-spouse will supply the service with crucial details about your personality (from a social engineering perspective), details that will increase the probability of a successful account compromise. The worst part is that the data obtained from first-hand sources, such as people who know you, is indispensable compared to similar data which could be gathered by data mining social networks in an attempt to tailor a spear phishing campaign that’s exclusively targeting you.

Email users are advised to be extra cautious when receiving emails that suspiciously “know too much” about them, especially emails sent to them from impersonated parties who might have an interest in compromising them, and to use two-factor authentication where applicable.

Shylock Banker Trojan Rings Twice on Skype

The home-banking Trojan known as Shylock was updated just yesterday with new functions. When we analyzed it during an investigation, we noticed that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype. This allows the malicious Trojan-banker to infect more hosts and continue to be a prevalent threat. Also, the timing does not seem completely coincidental, as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK. If we look at sinkhole data collected by CSIS (illustrated below) it becomes quite clear that the attackers prefer to focus only on a few countries instead of random infections in different countries.

Using a tool like Skype, or any “chat” based technology, for replication purposes only fuels the geographic focus. Past infections, e.g. worms spreading across MSN Messenger, Yahoo or any other real-time chat program, show that people have a tendency to stay connected with friends (usually within their own region), allowing outbreaks to be contained locally.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

– Sending messages and transferring files
– Clean messages and transfers from Skype history (using SQLite access to Skype%smain.db)
– Bypass Skype warning/restriction for connecting to Skype (using “FindWindow” and “PostMessage”)
– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

Besides utilizing Skype, it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:

– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files

Shylock is one of the most advanced Trojan-bankers currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

As always for this type of Trojan, antivirus detection is low:

File name: msg.gsm
Detection ratio: 0 / 46


Leaked DIY malware generating tool spotted in the wild

By Dancho Danchev – blog.webroot.com

How easy is it to create an undetected piece of malware these days? Too easy to be true!

With more DIY malware botnets and DIY malware generating tools continuing to leak at public cybercrime-friendly forums, today’s novice cybercriminals have access to sophisticated point’n’click malware generating tools that were once only available in the arsenal of the experienced cybercriminal.

In this post, I’ll profile a recently leaked DIY malware generating tool, discuss its core features, and emphasize on its relevance in the context of the big picture when it comes to ongoing waves of malicious activity we’ve been monitoring over the years.

More details:

Sample screenshot of the leaked DIY malware generating tool:


The malware generating tool allows potential cybercriminals to tailor their newly generated malware to their specific needs. If they want it to start spreading, they can just turn on the spreading option. If they want it to use targeted attacks, they can choose LAN spreading. They can also enable the option to prevent various antivirus solutions from successfully detecting it, as the malware will detect their presence on the affected hosts, and will either block it, or kill the running processes for the applications of these vendors.

Second screenshot of the leaked DIY malware generating tool:


The DIY tool currently can spread over USB, P2P, LAN, and through RAR files. It is also targeting the following anti-malware tools:

  • Spybot Search and Destroy
  • Comodo Antivirus
  • Sandboxie
  • Virtual Machine
  • KeyScrambler
  • WireShark
  • Kaspersky
  • Bitdefender
  • ZoneAlarm
  • Anubis
  • Norman
  • NOD32

Third screenshot of the leaked DIY malware generating tool:


The tool also allows complete randomization of key components of the malware, so that every time a new piece of malware is generated, it will use different code obfuscation pre-sets.

Fourth screenshot of the leaked DIY malware generating tool:


How important is the public leak of this tool in the context of the big picture?

One of the most common myths about today’s modern malware is that it’s being coded from scratch. The complete randomization in combination with managed crypting (source code, iFrame, JavaScript etc.) and server-side polymorphism results in massive exploitation campaigns that continue relying on outdated and already patched client-side vulnerabilities as infection vectors.

Don’t misunderstand me, coding malware for hire has been available as a service for years. However, much of today’s modern malware is being generated, rather than coded from scratch. Stuxnet, Duqu, Flame, and Red October are all great examples of cyber espionage campaigns where the attackers actually bothered to invest time and resources into coding the malware, utilizing novel infection vectors and zero day vulnerabilities.

These massively covered cyber sabotage/cyber espionage campaigns resulted in a myopia where people think targeted attacks are all about malware coded from scratch. That’s not the case on a large scale, as on numerous occasions in the past, factual evidence has been presented, indicating that the attackers relied on publicly obtainable RATs (Remote Access Tools/Trojans) that they basically obfuscated to fool antivirus scanners.

Bottom line – in 2013 you don’t need to know Assembly to generate undetected pieces of malware. You don’t need to utilize zero day vulnerabilities to infect tens of thousands of people on a daily basis. And in cases where you seek malicious innovation, coding malware for hire services are there to “take care”.

We expect that the entry barriers into the world of cybercrime will continue to get lower throughout 2013, contributing to today’s mature life cycle of the entire cybercrime ecosystem, and will continue posting updates providing factual evidence for this trend.

by Dancho Danchev