After we had published the CosmicDuke report in July 2014, we continued to actively follow the malware. Today, we discovered two new samples that both leverage timely, political topics to deceive the recipient into opening the malicious document.
The first one discusses the Ukraine crisis and EU sanctions against Russia; the legitimate document it was copied from was published less than a week ago.
It is obvious that the attackers are keeping abreast of the latest political news, and they are very agile: they have the capability and capacity to rapidly utilize the information to increase the odds of social engineering.
If you are interested in learning more about CosmicDuke, these latest samples, as well as other interesting discoveries, will be discussed in detail at T2, an information security conference held October 23-24 in Helsinki, Finland.
I remember setting up our first website. That was 20 years ago, in 1994. When the Web was very young and there were only a handful of websites, it was easy to forecast that the Web was going to grow. And indeed, during these past 20 years, it has exploded in size. What’s even more important, the Web brought normal everyday people online. Before the Web, you would only find geeks and nerds online. Now everybody is online.
Back in 1994, we were guessing what would fuel the upcoming growth of the Web. For it to grow, there has to be online content, content like news or entertainment. And for news and entertainment to move online, somebody has to pay for it. How would users pay for online content? We had no idea. Maybe newspapers would start charging an annual online subscription fee, just like they did for their paper version? Or maybe the Web would incorporate some kind of on-demand payment system; the user would have an easy way of making in-browser micropayments in order to access content. This would enable the user to pay, say, one cent to read today's Dilbert cartoon.
As we know now, such a micropayment system never happened—even though it looked like such an obvious thing 20 years ago. Instead, a completely different way of paying for online content surfaced: ads. I remember seeing the first banner ad on a website, maybe in 1995 or 1996. I chuckled at the idea of a company paying money for showing their ad on someone else’s website. I should not have chuckled; that same idea now fuels almost all of the content online. And highly efficient ad profiling engines create practically all the profit for companies like Google and Facebook.
Google is a particularly good example of just how profitable user profiling can be. Its services, like Search, YouTube, Maps and Gmail, are free. You don't pay a cent for using them. These services are massively expensive to run: Google's electricity bill alone is more than $100 million a year. You would think that a company that runs very expensive services but doesn't charge for them would be making losses, but it isn't. In 2013, Google's revenue was $60 billion, and its profit was $12 billion. So, if we make a modest estimate that Google has one billion users, every user made 12 dollars of profit for Google last year without paying a cent.
Frankly, I'd be happy to pay Google $12 a year to use their services without tracking or profiling. Heck, I would be ready to pay $100 a year! But they don't give me that option. We, the users, are worth more to them in the long run when our data and our actions are profiled and stored.
Of course, Google is a business. And they are doing nothing illegal by profiling us—we volunteer our data to them. And their services are great. But sometimes I wish things would have turned out otherwise and we would have a simple micropayment system to pay for content and services. Now, with the rise of cryptocurrencies, that might eventually become a reality.
Security Question 1:
• What is your favorite children's book?
• What is your dream job?
• What was your childhood nickname?
• What was the model of your first car?
• Who was your favorite singer or band in high school?
• Who was your favorite film star or character in school?
Security Question 2:
• What was the first name of your first boss?
• In what city did your parents meet?
• What was the name of your first pet?
• What is the first name of your best friend in high school?
• What was the first film you saw in the theater?
• What was the first thing you learned to cook?
Security Question 3:
• What is the last name of your favorite elementary school teacher?
• Where did you go the first time you flew on a plane?
• What is the name of the street where you grew up?
• What is the name of the first beach you visited?
• What was the first album that you purchased?
• What is the name of your favorite sports team?
The problem is painfully obvious: the questions are either far too subjective (your answer today may not match your answer in two years) or are based on information that is easy to find on social media or in public records.
What then does one do?
Whatever the question, give a nonsense answer that has no relation to your life. That creates a second problem: you will have forgotten the nonsense by the time you need it. So treat the answer as a second password, generate it rather than inventing it, and keep it in your password manager next to the account's real password.
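One way to do this in practice, as an added example that is not part of the original post: generate the nonsense answer from a CSPRNG, measure how much guessing entropy it carries, and refuse any answer that contains a real personal fact (the kind of thing the questions above ask for). The sixteen-word list is constructed for the demonstration; a real deployment would use a large diceware-style list.

```python
import math
import secrets

# Constructed demonstration word list (assumption: a real deployment would use a
# large diceware-style list; the EFF long list has 7776 words, about 12.9 bits each).
WORDS = [
    "anvil", "bishop", "cobalt", "dragon", "ember", "falcon", "glacier", "harbor",
    "iguana", "juniper", "kettle", "lantern", "mosaic", "nectar", "orbit", "pylon",
]


def nonsense_answer(n_words=6, words=WORDS, rng=secrets):
    """Build an answer that has no relation to the question or to the user.

    secrets.choice draws from the OS CSPRNG, so the answer cannot be derived
    from anything an attacker can look up.  rng is injectable for tests only.
    """
    return " ".join(rng.choice(words) for _ in range(n_words))


def entropy_bits(n_words, words=WORDS):
    """Guessing entropy of an n-word answer drawn uniformly from `words`."""
    return n_words * math.log2(len(words))


def leaks_personal_fact(answer, known_facts):
    """True if the answer contains any fact an attacker could find out
    (pet name, school, home town ...); such an answer defeats the purpose."""
    low = answer.lower()
    return any(fact.lower() in low for fact in known_facts)


def vault_entry(site, question, n_words=6, words=WORDS):
    """Record to store in a password manager next to the site's real password."""
    answer = nonsense_answer(n_words, words)
    return {
        "site": site,
        "question": question,
        "answer": answer,
        "entropy_bits": entropy_bits(n_words, words),
    }
```

Six words from this toy list give only 24 bits; the same six words from a 7776-word list give about 77 bits, which is far beyond anything a help desk lockout policy will let an attacker try.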
Twitch.tv is a live streaming platform focused on video gaming. It has more than 50 million viewers and was acquired by Amazon.com in August for nearly a billion dollars.
We recently received a report from a concerned user about malware that is being advertised via Twitch's chat feature. A Twitch-bot account bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as "Counter-Strike: Global Offensive" items:
The link provided by the Twitch-bot leads to a Java program that asks for the participant's name, e-mail address and permission to publish the winner's name; in reality it does not store any of this anywhere.
Those who have fallen victim to this fake giveaway will be shown this message after entering their details:
After this message, the malware drops a Windows binary and executes it. That binary can:
• Take screenshots
• Add new friends in Steam
• Accept pending friend requests in Steam
• Initiate trading with the new friends in Steam
• Buy items, if the user has money in the wallet
• Send a trade offer
• Accept pending trade transactions
• Sell items at a discount on the market
This malware, which we call Eskimo, can drain your Steam wallet, armory and inventory. It even dumps your items at a discount on the Steam Community Market.
Previous variants listed items at a 12% discount; a recent sample raised that to 35%, presumably so the items sell faster.
Selling the uninteresting items gives the attacker enough wallet funds to buy the items he finds interesting. Those are then traded to an account that is most likely under the attacker's control.
Victims have reported in forums.steamrep.com that their items were being traded to this Steam account without receiving anything in return:
All of this is done from the victim's own machine, because Steam's existing security checks target logins and trades from a new machine and are therefore never triggered. It would help users if Steam added further checks for two patterns this malware relies on: trading several items to a recently added friend, and listing items on the market below a certain fraction of their market price. That would limit the damage this kind of threat can do.
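The two checks proposed above, written out as an added example that is not Steam's code or the original post's: flag trade offers that give items to a friend added within the last day (one-sided or bulk), and flag market listings priced more than 30% below the median. The event records and their field names are constructed for the illustration; Steam's real log format is not public.

```python
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample data (assumption: field names and item names are invented).
FRIEND_ADDED = {
    "trade_mule_01": _t("2014-09-10T12:00:00"),   # added minutes before the trades
    "longtime_buddy": _t("2013-01-05T09:30:00"),
}

TRADE_OFFERS = [
    {"id": 1, "to": "trade_mule_01", "time": _t("2014-09-10T12:05:00"),
     "give": ["AK-47 | Redline", "AWP | Asiimov", "Karambit | Fade"], "receive": []},
    {"id": 2, "to": "longtime_buddy", "time": _t("2014-09-10T12:06:00"),
     "give": ["Sticker | Fnatic"], "receive": ["Operation Breakout Case"]},
    {"id": 3, "to": "trade_mule_01", "time": _t("2014-09-10T12:07:00"),
     "give": ["Glock-18 | Water Elemental"], "receive": ["P250 | Sand Dune"]},
]

MARKET_LISTINGS = [
    {"item": "AWP | Asiimov", "price": 13.00, "median": 20.00},   # 35% below median
    {"item": "Sticker | Fnatic", "price": 0.95, "median": 1.00},  # 5% below median
]


def suspicious_trades(offers, friend_added, max_age=timedelta(hours=24), min_items=3):
    """Return ids of offers to a freshly added friend that are one-sided or bulk.

    A trade to a friend added less than `max_age` ago is only flagged when the
    victim receives nothing back or gives away `min_items` or more at once, so
    ordinary swaps with a new acquaintance do not trip the check.
    """
    flagged = []
    for offer in offers:
        added = friend_added.get(offer["to"])
        new_friend = added is not None and offer["time"] - added <= max_age
        one_sided = len(offer["receive"]) == 0
        bulk = len(offer["give"]) >= min_items
        if new_friend and (one_sided or bulk):
            flagged.append(offer["id"])
    return flagged


def underpriced_listings(listings, max_discount=0.30):
    """Return items listed below (1 - max_discount) of their median sale price."""
    return [l["item"] for l in listings
            if l["price"] < (1.0 - max_discount) * l["median"]]
```

With the sample data, offer 1 is flagged (three items to a friend added five minutes earlier, nothing in return) while offers 2 and 3 pass, and only the 35%-discounted AWP listing is flagged; a 12% discount, as in the earlier variants, would slip under this threshold, which is why the threshold should be tuned against real sale data rather than fixed.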
Windows Phone 8.1 (Lumia Cyan) updates are currently rolling out to various Lumia devices. One of the new features, Microsoft's "Wi-Fi Sense", automatically connects the phone to open Wi-Fi hotspots and accepts their terms of use on your behalf.
Your phone will automatically accept Wi-Fi network terms?
"Not all Wi-Fi networks are secure."
(At least you're able to edit the information provided on your behalf.)
Also, Wi-Fi Sense will share Wi-Fi network access with your contacts and "friends".
So… if your phone knows the pre-shared key to your company's Wi-Fi network, now your Facebook friends can get on it too? (Microsoft excludes networks that use 802.1X enterprise authentication and requires the user to tick the share box for each network, but that decision sits with the employee, not with whoever owns the network.)
Information security managers are going to love that.
What is Pitou? A recently spotted spambot that shares many similarities with the notorious kernel-mode spambot Srizbi. After further analysis we confirmed it is a revival of Srizbi, and we named this latest malware Pitou. The in-depth analysis also turned up some other interesting technical features, which we describe in a whitepaper.
Why is it called Pitou? The name Pitou comes from a colleague's existing detection name for it, and we adopted it as the family name to avoid confusion. The other reason we think this spambot deserves a new name (rather than continuing with the Srizbi moniker) is that the malware code has been completely rewritten with more robust features, including a bootkit.
Where was it first discovered? We first encountered the threat when a client machine reported a suspicious system driver file to our automated analysis systems. Manual analysis showed it to be malicious and to carry a payload that is heavily obfuscated and protected by virtual machine (VM) based code. That much protection implied the malware had something to hide from researchers, so naturally we decided to do an in-depth analysis.
When was it first seen? The threat was first found in April 2014 based on the dates from our sample collection systems, though it may have existed in the wild at an earlier date. The whitepaper includes more timeline information.
Who should be concerned by this threat? It can cause havoc or at least inconvenience for both corporate and home users. The spambot uses the infected machine to send spam, which can get the machine's public IP address listed on a Realtime Blackhole List (RBL). Receiving mail servers that consult RBLs, as most corporate mail servers are configured to do, then reject SMTP connections from that address, so legitimate mail sent from the same IP address bounces as well. A home user who sends mail through a desktop client such as Microsoft Outlook rather than through a web interface would run into the same rejections once the ISP's or recipients' servers see the listed address.
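The check a mail administrator would run after cleaning up such an infection, as an added example that is not from the whitepaper or the original post: look the public address up in a DNSBL by reversing its octets under the list's zone and interpreting the returned 127.0.0.x code. The Spamhaus ZEN return codes are as Spamhaus documents them; the offline resolver table at the bottom is constructed for the demonstration, and a real lookup must go through your own resolver, since Spamhaus refuses queries relayed via public resolvers and signals that with a 127.255.255.x answer rather than a listing.

```python
import ipaddress
import socket

# Spamhaus ZEN return codes (ZEN aggregates the SBL, XBL and PBL zones).
ZEN_CODES = {
    "127.0.0.2": "SBL - listed spam source",
    "127.0.0.3": "CSS - snowshoe / compromised sender",
    "127.0.0.4": "XBL - exploited host or bot (CBL data)",
    "127.0.0.9": "SBL - DROP/EDROP netblock",
    "127.0.0.10": "PBL - ISP-maintained dynamic/residential range",
    "127.0.0.11": "PBL - Spamhaus-maintained range",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 lookups only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_ip(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname):
    """Look an address up in a DNSBL and classify the answer.

    NXDOMAIN (socket.gaierror) means not listed.  An A record in 127.0.0.0/8
    means listed, with the last octet naming the sub-list.  127.255.255.x is
    Spamhaus' error range (query refused, e.g. sent via an open resolver) and
    must not be reported as a listing.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        code = resolve(name)
    except socket.gaierror:
        return {"ip": ip, "listed": False, "reason": None}
    if code.startswith("127.255.255."):
        return {"ip": ip, "listed": None, "reason": f"query refused ({code})"}
    if not code.startswith("127."):
        return {"ip": ip, "listed": None, "reason": f"unexpected answer {code}"}
    return {"ip": ip, "listed": True,
            "reason": ZEN_CODES.get(code, f"unknown code {code}")}


# Constructed offline stand-in for DNS (assumption: these answers are invented
# for the demo; 127.0.0.2 is Spamhaus' documented always-listed test address).
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.4",          # bot/exploited-host listing
    "10.2.0.192.zen.spamhaus.org": "127.255.255.254",   # refused: open resolver
}


def fake_resolver(name):
    """Drop-in for socket.gethostbyname that answers from FAKE_DNS."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN: {name}")
```

For the spambot case the interesting answer is 127.0.0.4: an XBL listing says the address was seen behaving like a bot, which is exactly what an infected Pitou host looks like from the outside, and the listing will not clear until the spamming stops.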
What are some of Pitou's indicators of compromise (IOCs)? The threat is not particularly stealthy compared with other modern rootkits. The whitepaper lists a few IOCs for a reasonably technical reader who wants to check quickly whether a machine is infected with Pitou.