NEWS FROM THE LAB - March 2012
 

 

Wednesday, March 28, 2012

 
More Mac Malware (Word Exploit) Targeting NGOs Posted by Sean @ 13:49 GMT

Alienvault Labs has discovered more malware that targets human rights focused Non-Governmental Organizations (NGOs). This is in addition to last week's discovery. This time, it's an exploit taking advantage of a 2009 vulnerability in Microsoft Word (MS09-027).

Here's an example of the decoy document which is embedded within the exploit doc.

Mac Word Exploit MS09-027

Read the details at Alienvault Labs: MS Office exploit that targets MacOS X seen in the wild – delivers "Mac Control" RAT

 
 

 
 
Tuesday, March 27, 2012

 
A Tool Exploiting MS12-020 Vulnerabilities Posted by ThreatSolutions @ 06:48 GMT

Since the public release of Microsoft's MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called "RDPKill by: Mark DePalma" that was designed to kill targeted RDP service.

RDPKill

The tool was written with Visual Basic 6.0, and has a simple user interface. We tested it on machines running on Windows XP 32-bit and Windows 7 64-bit.

RDPKill

Both the Windows XP 32-bit and the Windows 7 64-bit computers were affected by the Denial of Service (DoS) attack. The service crashed and triggered a "Blue Screen of Death" (BSoD) condition (the error screen seen when Windows crashes).

RDPKill BSoD

We detect this tool as Hack-Tool:W32/RDPKill.A. (SHA-1: 1d131a5f17d86c712988a2d146dc73367f5e5917).

Besides RDPKill.A, other similar tools and Metasploit module can also be found online. Due to their availability, an unpatched RDP server would be an easy target of DoS attack by attackers who might be experimenting with these tools.

For those who still haven't patched their system, especially those running RDP service on their machines, we strongly advise that you to do so as soon as possible.

—————

Threat Solutions post by — Azlan and Yeh

 
 

 
 
Monday, March 26, 2012

 
Microsoft's Digital Crimes Unit Targets ZeuS Posted by Sean @ 13:34 GMT

Microsoft's Digital Crimes Unit expanded its legal arsenal against malicious botnets this past weekend when – in collaboration with financial services industry members – it took out servers belonging to ZeuS botnets. Microsoft filed with the U.S. District Court for the Eastern District of New York on March 23rd. The successful application allowed Microsoft and its partners to do a coordinated seizure of some of the worst known Zeus C&Cs.

And as you can see below, F-Secure Labs played its small part by providing the DCU with information and analysis.

Microsoft Joins Financial Services Industry to Disrupt Massive Zeus Cybercrime Operation That Fuels Worldwide Fraud and Identity Theft, F-Secure

This is the first time that Microsoft's legal team has used the Racketeer Influenced and Corrupt Organizations (RICO) Act as part of a botnet takedown. For those of you that aren't familiar with it, RICO is usually directed at "the mob".

And this is indeed a very useful legal move for Microsoft, because there are plenty more of ZeuS botnets out there.

The dedicated folks at abuse.ch's ZeuS Tracker are currently reporting 350 C&C servers online.

ZeuS Tracker 2012.03.26
Source: zeustracker.abuse.ch

So there's plenty more work to do done…

Read more: Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets
Legal documents: zeuslegalnotice.com

Congratulations to Microsoft's DCU on their efforts thus far.

 
 

 
 
Friday, March 23, 2012

 
Are you having a (Mac) Flashback? Posted by Brod @ 12:52 GMT

On Monday, I provided steps on how to avoid your Mac being compromised by the Flashback trojan. Today I will provide information on how to locate a Flashback infection.

To better understand the steps below, it is better to also know a bit about Flashback. It's an OS X malware family that modifies the content displayed by web browsers. To achieve this, it interposes functions used by the Mac's browsers. The hijacked functions vary between variants but generally include CFReadStreamRead and CFWriteStreamWrite:



The webpages that are targeted and changes made are determined based on configurations retrieved from a remote server. The following is an example of configuration data:



When decoded, you can see the targeted webpage (in red) and the injected contents (in yellow):



This ability more or less makes it some sort of a backdoor. Because of this, and the fact that the malware initially relied on tricking users by pretending to be a Flash Player installer, it was dubbed Flashback. It has however evolved since then and has started incorporating exploits to spread in recent variants. In all the cases that I've seen, they at least target Google which causes me to believe that it is actually the next evolution of Mac QHost.

With its interposing function in place, the next thing Flashback does is to get the browser(s) to load it.

This is where the DYLD_INSERT_LIBRARIES environment variable comes in handy:



There are generally two types of infections. The first one occurs when the malware has admin privileges. An example would be the 2nd variant, Flashback.B, or the screenshot above. In this type of infection, the DYLD_INSERT_LIBRARIES environment variable is added to the context of the targeted applications only, specifically the browsers. Earlier variants target Safari and Firefox. Recent variants only target Safari. This type of infection can be more difficult for a user to notice because the infected system will be more stable.

The second type of infection occurs when the malware does not have admin privileges. An example would be the first variant, Flashback.A. In this type of infection, the DYLD_INSERT_LIBRARIES environment variable is added to the context of the infected user. This means that the malware will be loaded to all applications launched by the infected user. This makes the infected system much more unstable because there will be more crashes caused by incompatible applications. To solve this, recent variants have introduced a new filter component:



In the example above, the filter component only loads the main component when the process is Safari (ignore "WebPo" from the screenshot; it's probably just a typo by the malware author for WebProcess, which is part if Safari).

So how to locate an infection in this case? The simplest way is to check the DYLD_INSERT_LIBRARIES environment variable of our browsers. You can use the following command in Terminal:

  •  defaults read /Applications/%browser%.app/Contents/Info LSEnvironment



In the example above, it means your Firefox is clean. If you are infected, you will see something similar to this:



Take note of the value of DYLD_INSERT_LIBRARIES as shown in the red box. We need that to locate the main component in case it is just the filter component:

  •  grep -a -o '__ldpath__[ -~]*' %path_from_previous_step%



Take note of the files pointed out in the red boxes as they are the Flashback files. I believe most users won't have a DYLD_INSERT_LIBRARIES environment variable.

If you didn't get any result from grep, it means that the variant in your system doesn't have the filter component.

The next thing that you may also want to check is the DYLD_INSERT_LIBRARIES environment variable of your users in case they have the second type of infection:

  •  defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES



If you don't get any results, it means you don't have this type of infection.

You can use the following command again to locate the main component if you have the filter component:

  •  grep -a -o ' __ldpath__[ -~]*' %path_from_previous_step%



Now what to do with the samples? Send them to us. By sending us the sample, you will be helping the community as well since we have sample sharing arrangements with other AV vendors.

When deleting the samples from a system, you have to make sure you remove the DYLD_INSERT_LIBRARIES environment variable as well. Otherwise your browsers or even worse your whole account may refuse to load next time.

Use the following for the first type of infection:

  •  sudo defaults delete /Applications/%browser%.app/Contents/Info LSEnvironment
  •  sudo chmod 644 /Applications/%browser%.app/Contents/Info.plist



Use the following for the second type of infection:

  •  defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  •  launchctl unsetenv DYLD_INSERT_LIBRARIES



You can visit our Trojan-Downloader:OSX/Flashback.I description for additional details about a more recent Flashback variant.

Regards,
Brod

Updated to add on April 18: You may also need to update the LaunchServices cache if you modify the Info.plist of your browsers. You can use the following command to do so:

  •  sudo touch /Applications/%browser%.app

 
 

 
 
Tuesday, March 20, 2012

 
Is your bank on SpyEye's Top 40 list? Posted by ThreatResearch @ 16:37 GMT

Variants of the SpyEye trojan target banks using a plugin called webinject.txt. We collected 1,318 samples in our back end that matched those from SpyEye Tracker's RSS Feed. Taking a look inside, we discovered that this collection of samples contains 632 different bank domains and that commerzbank.com was the most targeted bank domain.

Here's a graph of the top 40 banks targeted by SpyEye:

SpyEye's Top 40 Banks
Click image to biggify.

The Y-Axis represents the number of instances a bank was referenced within the sample set.

And here's a table of the same:

List of SpyEye's Top 40 Banks

Don't see your bank on the list? Don't worry… if SpyEye doesn't target your bank, then perhaps ZeuS does.

Click here to download an Excel file with the data above.

—————

Analysis by — M. Hyykoski







 
 

 
 
China Targets Macs Used by NGOs #Tibet Posted by Sean @ 15:20 GMT

A new Mac backdoor exploiting CVE-2011-3544 (a Java vulnerability) is being reported. The backdoor appears to be connected to GhostNet. The malware is being used in targeted attacks against non-governmental organizations (NGO).

Greg Walton published details of targeted mails sent to NGOs related to Tibet. The message contains a link to: dns.assyra.com. Read more from Walton here. AlienVault Labs has posted a technical report.

Based on today's news, Brod, one of our Mac malware analysts, remembered this post by Microsoft: Backdoor Olyx – is it malware on a mission for Mac? The post is about a similarly themed attack targeting both Mac and Windows users last July.

We detect these new threats as:

Exploit:Java/CVE-2011-3544.E — MD5: 6C8F0C055431808C1DF746F9D4BB8CB5, MD5: 453A3DC32E2FAFD39F837A1EBE62CA80
Backdoor:OSX/Olyx.B — MD5: 39084b60790ca3fdebe1cd93a4764819
Backdoor:W32/Poison.CE — MD5: 7F7CBC62C56AEC9CB351B6C1B1926265

See yesterday's Mac related post for Java mitigation tips.







 
 

 
 
Wired UK: The Digital Detective Posted by Sean @ 12:22 GMT

Wired UK's Greg Williams' profile of Mikko is now available at wired.co.uk.

The Digital Detective

There's also a very nice online gallery of images used by the iPad/print editions of the article.







 
 

 
 
SMS Spam About Premium Value Service Circulating in Finland Posted by Jarno @ 11:09 GMT

CERT-FI is warning about SMS messages being sent by GTradeInc which are about subscription confirmation to a premium value service. These messages are apparently being sent to random people who have not ordered such service or taken part in Facebook or other campaign that would ask phone numbers.

The SMS messages contain the following content:

Mainoskirje aktivoitu. Saat 3 mainosta/vko. Hinta 20e/kk, veloitetaan puhelinlaskussasi. Peruuta milloin tahansa ilmaiseksi, tekstaa: TXT5 PERU numeroon 17163.

A brief English translation is that an advertising campaign has been activated, the subscriber will receive three advertisements per week, price being 20�/month, cancellation can be done at any time for free.

It is still unclear whether an actual billing agreement has been made, and would people actually receive bills. Also, there have been claims that the cancellation message would actually cost 5�, which is possible as 17163 is in the paid SMS range.

According to CERT, no billing can be done without user approval. So people should not try to contact GTradeInc, and just ignore the messages and write a reclamation if additional charges appear in their phone bill.

However, contacting your phone operator might be wise to confirm that no billing agreement has been made with GTradeInc.

 
 

 
 
Monday, March 19, 2012

 
ZeuS: Me Talk Pretty Finnish One Day Posted by ThreatResearch @ 17:27 GMT

A couple of months ago, there was an overly polite variant of ZeuS circulating here in Finland. And while the Finnish localization was pretty good — it used "Suo anteeksi" within an error message… not typically the kind of thing you'd read via software.

We continue to see decent localization within ZeuS variants (and not just Finnish). Clearly, some bad guys out there have evolved from Google Translate, which is the level of localization we used to expect in the past.

But the bad guys still make basic mistakes. One variant of ZeuS, which is circulating now, includes a Finn's name within the localized efforts. Instead of stating "Welcome Bank Customer", the trojan declares "Welcome name withheld".

Here are some of the banks that are being targeted.

zeus configuration, bank list

For banks that use Java applications, this ZeuS appears to attempt a replace and imitate approach. (Our analysis is ongoing.)

The server which hosted the configuration file (from which the screenshot was taken) has been taken offline, so this variant can infect, but cannot download the locations of its Command & Control servers. Unfortunately, any computers infected last week will have downloaded a configuration file that includes lots of redundant server names.

But fortunately… most of the banks that we've worked with in the past have extensive transaction controls on their back end systems. So it isn't just a simple thing for the ZeuS trojan to transfer funds from the account of somebody with an infected computer.

Best advice: update your computer software to avoid infection. Also: avoid haphazard web searches. There are tons of compromised sites out there, and you're most likely to fall into a trap when you're searching for something.

Best advice for those infected: don't panic. If you see something that looks unusual in your online bank account, it's not too late to block the bad guys. Call your bank's customer support and they'll be able to assist.







 
 

 
 
Mac Malware at the Moment Posted by Brod @ 14:47 GMT

It's been a while since we last wrote about Mac malware, so I thought it would be good to give our readers an update on what's been happening during the last few months. Last year we detailed a possible Mac trojan in the making. At that time we were still speculating whether it would be part of a bundle or just a standalone binary. Now it's clear: a new variant was discovered and it is a full-blown application, complete with an icon.

The author calls this variant version 1.0 ("FILEAGENTVer1.0" in little-endian) as seen from the binary's code:

FILEAGENTVer1.0

The sample I analyzed uses thumbnail images/icons of Irina Shayk, apparently taken from the March 2012 issue of FHM (South Africa) magazine. The malicious application bundle is being spread inside an archive file together with other images taken from the magazine hoping that its file type will be overlooked by users.

FHM Feb Cover Girl Irina Shayk H-Res Pics

Nothing else is new besides the implementation. The backdoor payload is still the same but uses a new C&C server. The server is currently active (at time of publication). It is important to take note that the new C&C server still points to the same IP address as the previous variant as mentioned by the folks at ESET. We have reported the server to CERT-FI. Hopefully they will be able notify the proper authorities.

We detect this new variant as Trojan-Dropper:OSX/Revir.C, MD5: 7DBA3A178662E7FF904D12F260F0FFF3.

Moving along — there's another more serious OS X malware threat lurking out there. The Flashback trojan, which first appeared around the same time as Revir, is still in the wild. It is using exploits to infect systems without user interaction. Though what it's exploiting are old Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353), we might begin seeing a real OS X outbreak if the gang upgrades their operation a notch higher and start targeting unpatched vulnerabilities.

In a future post, I will detail how to locate a Flashback infection. In the meantime, the easiest way to avoid infection is to just disable Java from your browser(s). Based on our surveys, most users don't really need Java when browsing the Web. If for some reasons you do need Java, say for online banking, turn it on only when you need it. And then turn it off again after you're done.

In Safari, you can disable Java by unchecking "Enable Java" in Safari Preferences, Security tab.

Safari, Java settings

Or you can disable Java from the Snow Leopard (Lion doesn't come with Java by default) by going to Applications, Utilities, Java Preferences. Uncheck everything in the General tab.

Java Preferences

Regards,
Brod







 
 

 
 
Joe's Garage (SMB): Most Likely to be Pwned by RDP Posted by Sean @ 11:54 GMT

Last week, we advised readers to apply Microsoft update MS12-020 sooner than later. For those of you that have — good work. And if you haven't yet applied the patch — stop delaying.

Ever since MS12-020 was released, there's been a flurry of activity attempting to "weaponize" the Remote Desktop Protocol (RDP) vulnerability. The race to an exploit is on and is in top gear. Lab Analyst Timo Hirvonen is tracking the situation on his Twitter account.

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol.
Microsoft Security Bulletin MS12-020 - Critical

So… just how many computer could be affected by this RDP bug?

Well, researcher Dan Kaminsky scanned the Internet and estimates that there are millions of computers that are exposed.

Extrapolating from this sample, we can see that there's approximately five million RDP endpoints on the Internet today.
RDP and the Critical Server Attack Surface

What do you need to do?

Lenny Zeltser offers the following advice.

Understand what systems in your environment expose RDP to the Internet. Create a plan to apply the MS12-020 as soon as practical.
The Risks of Remote Desktop for Access Over the Internet

A good portion of our (enterprise) readership has probably already started taking action on this issue.

Consumers (home users) don't generally have RDP enabled.

So… what does that leave us? Small and medium businesses.

As Casey John Ellis points out, Remote Desktop is very often enabled by outsourced IT contractors, and the small business owners may not have any idea that it's enabled.

RDP is usually enabled by I.T. contractors without explanation to the business owner
Why Small/Medium Businesses are at the Greatest Risk from the New Microsoft RDP Bug

We have to agree with Ellis, small and medium business are at significant risk. Fortunately, Ellis and a friend have offered a helpful tool that a small business owner could use to access risk: RDPCheck.

To use RDPCheck, visit rdpcheck.com. From there, you can initiate a scan for vulnerabilities on your IP address.

 
 

 
 
Thursday, March 15, 2012

 
WordPress Page is Loading... an Exploit Posted by ThreatInsight @ 17:02 GMT

WordPress.org is being targeted once again, and although this time there isn't much sneaky sophistication, the infection is still prevalent enough for Internet users to be wary.

Spam appears to be the driver of these campaigns. Various websites have already been identified to be redirecting to Blackhole exploit kit. Compromised websites would render any of the following pages upon visit:

tuit html

quick html

opek html

irta html

company html

aic html

Simple and unsuspecting… but really, in an age in which beautifully crafted websites are the norm, these fakes are just too plain to be the real deal…

And indeed they aren't…

Browsing Protection Result

Currently, these sites redirect to the following domains that host Blackhole exploit kit:

  •  georgekinsman.net
  •  icemed.net
  •  mynourigen.net
  •  synergyledlighting.net
  •  themeparkoupons.net

Be wary of where you're clicking, folks. Safe browsing everyone!

Threat Insight post by — Karmina

 
 

 
 
Wednesday, March 14, 2012

 
Microsoft's Guidance on CVE-2012-0002 Posted by Sean @ 13:03 GMT

First: Microsoft's Remote Desktop Protocol is disabled on Windows by default. So most computers are unaffected by issues highlighted as a result of the month's "Patch Tuesday". However: If you administer RDP enabled workstations — then you probably should read Microsoft's Security Research & Defense post about CVE-2012-0002.

CVE-2012-0002

CVE-2012-0002 was privately reported to Microsoft, and there are no reports of it being exploited in the wild. But it's only a matter of time before the patch is reverse, and this vulnerability is exploitable.

So read Microsoft's post, schedule, test, and deploy. And do it sooner than later.

 
 

 
 
Monday, March 12, 2012

 
Found Object: SpyEye Manual Posted by Sean @ 15:40 GMT

File this in the "we shouldn't be surprised" folder.

This morning, one of our analysts, currently researching SpyEye, came across a new component name. And so, he did a Google search for that component.

He found… a copy of the SpyEye Manual:

SpyEye Manual

Not exactly what he expected to find…

But then, it really isn't really that surprising (sadly) to just find such stuff laying around on the Web.

 
 

 
 
Friday, March 9, 2012

 
Finns Targeted By Localized Ransomware Posted by Jarno @ 13:26 GMT

Over the past few days we've received reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police.

The Ransomware in question is part of a family we call Trojan:W32/Ransom and is localized to several European countries: Germany; UK; Spain; and now Finland. In all countries, the social engineering method is the same. Upon infection, the Ransomware expands Internet Explorer to full screen (F11) and displays a message claiming to be from a local police unit claiming that the user's computer has been used in browsing sites containing child and animal abuse. It also claims that it has been used to send e-mail spam on topics related to terrorism, and has thus been locked until a fine is paid.

kuvakaappaus
Image: Poliisi

In this case, the Ransomware claims to be from "Tietoverkkorikosten tutkinnan yksikk�" which translates as information networks crime unit. However, the Finnish police doesn't have a unit with that exact name. Also to be noted is that the quality of Finnish is not very good and the contact address is to cyber-metropolitan-police.co.uk. Further inspection reveals that the cyber-metropolitan-police.co.uk domain is registered to a fake person Mr. �be happy� residing in Gette, Poland. Very credible indeed.

The Finnish ransom message is demanding payment using Paysafecard, which is a disposable prepaid card that can be used for anonymous online transactions. It is sold nationally at kiosks within Finland.

F-Secure Internet Security detects known variants of Trojan:W32/Ransom either by family name or generic detection names, but as always it pays to be careful. Our back end statistic indicate that this is definitely "liikkeell�" (in-the-wild).

The initial infection vector for this trojan has been either a Java runtime exploit or Adobe Acrobat PDF reader exploit, there is no information about fresh (0-day) exploits being used.

So to be safe:

1. Update your Acrobat PDF reader to the latest version, or switch to another PDF reader.
2. Update your Java runtime. Or, if you do not need Java, it is highly advisable to uninstall it. If you do need Java, at least consider disabling it within the browser when not in use. Or, switch to Google Chrome which will ask before Java is executed from unknown sites.

If your computer is ever compromised by Ransomware, do not pay anything to the malware authors. In almost all of the cases paying does not free up your computer anyway. Also remember that neither the Finnish police nor any other Police in the world uses Paysafe, Ucash or any other prepaid billing systems for fines. If any message is demanding your credit card or any other payment method it is most certainly a scam and not legitimate government official.

Links:

  •  Finnish Police advisory, 08.03.2012
  •  Finnish Police advisory, 09.03.2012
  •  Cert-FI advisory

 
 

 
 
Tuesday, March 6, 2012

 
AV-TEST Results for Android Malware Protection Posted by Sean @ 13:50 GMT

AV-TEST published its "Anti-Malware solutions for Android" report today.

Out of 41 products tested — we're proud to be in the top tier!

AV-TEST, Android 2012-02

Because AV-TEST is still in the process of refining its test methodologies, it hasn't announced direct rankings.

But if you download their detailed report, available from www.av-test.org/en/tests/android, you'll see in Figure 5. that only one other vendor matched our detection rates for all of the families tested.

And if you find AV-TEST's report to be of interest, we remind you that you can also download our Mobile Threat Report, Q4 2011.

Cheers!

Update: If you'd like to try mobile security, visit: mobile.f-secure.com.

 
 

 
 
Monday, March 5, 2012

 
Countdown to March 8th Posted by Sean @ 19:40 GMT

This is the week! (No… that's not an "iPad 3" reference.)

Back in November, the F.B.I. shutdown servers belonging to the DNSChanger botnet, operated by Rove Digital, which was based in Estonia. The Feds have been running substitute DNS servers since then, but their authority to do so expires on March 8, 2012.

And that means tens of thousands of compromised machines may be cut off from Internet services on Thursday.

Based on research by Merike Kaeo, it could even be hundreds of thousands.

DNS Changer Infections
DNS Changer NANOG54 Slides

Internet Service Providers in many countries have been working to reach affected customers for weeks, but there are still plenty that haven't yet heeded the call.

Don't be caught out, more information is available from these DNS configuration test pages:

  •  dns-ok.ax
  •  dns-ok.be
  •  dns-ok.ca
  •  dns-ok.de
  •  dns-ok.fi
  •  dns-ok.fr
  •  dns-ok.lu
  •  dns-ok.us

Update: Added some additional sites, courtesy of CERT-LEXSI.

Update: The U.S. District Court, Southern District of New York has granted the F.B.I. permission to host its substitute DNS servers for an additional 120 days — July 9th is the new deadline.

DNS Changer, July 9th

Update: Added dns-ok.ca to the list above. O Canada!

 
 

 
 
Friday, March 2, 2012

 
Wired UK 04.12 Posted by Sean @ 17:28 GMT

Greetings, folks.

Here's a weekend reading suggestion for you: the Labs' very own Mikko Hypponen is profiled in Wired UK magazine's April edition in an article titled _THE_DIGITAL_DETECTIVE.

Wired UK 04.12

An iPad version is available, for those of you that don't live near a newsstand…