AlienVault Labs has discovered more malware that targets human rights focused Non-Governmental Organizations (NGOs). This is in addition to last week's discovery. This time, it's an exploit taking advantage of a 2009 vulnerability in Microsoft Word (MS09-027).
Here's an example of the decoy document which is embedded within the exploit doc.
The tool was written with Visual Basic 6.0, and has a simple user interface. We tested it on machines running on Windows XP 32-bit and Windows 7 64-bit.
Both the Windows XP 32-bit and the Windows 7 64-bit computers were affected by the Denial of Service (DoS) attack. The service crashed and triggered a "Blue Screen of Death" (BSoD) condition (the error screen seen when Windows crashes).
We detect this tool as Hack-Tool:W32/RDPKill.A. (SHA-1: 1d131a5f17d86c712988a2d146dc73367f5e5917).
Besides RDPKill.A, other similar tools and a Metasploit module can also be found online. Due to their availability, an unpatched RDP server would be an easy target for a DoS attack by attackers who might be experimenting with these tools.
For those who still haven't patched their systems, especially those running the RDP service on their machines, we strongly advise you to do so as soon as possible.
Microsoft's Digital Crimes Unit expanded its legal arsenal against malicious botnets this past weekend when – in collaboration with financial services industry members – it took out servers belonging to ZeuS botnets. Microsoft filed with the U.S. District Court for the Eastern District of New York on March 23rd. The successful application allowed Microsoft and its partners to carry out a coordinated seizure of some of the worst known Zeus C&Cs.
And as you can see below, F-Secure Labs played its small part by providing the DCU with information and analysis.
This is the first time that Microsoft's legal team has used the Racketeer Influenced and Corrupt Organizations (RICO) Act as part of a botnet takedown. For those of you that aren't familiar with it, RICO is usually directed at "the mob".
And this is indeed a very useful legal move for Microsoft, because there are plenty more ZeuS botnets out there.
The dedicated folks at abuse.ch's ZeuS Tracker are currently reporting 350 C&C servers online.
To better understand the steps below, it helps to know a bit about Flashback. It's an OS X malware family that modifies the content displayed by web browsers. To achieve this, it interposes functions used by the Mac's browsers. The hijacked functions vary between variants but generally include CFReadStreamRead and CFWriteStreamWrite:
Which webpages are targeted and what changes are made is determined by configuration data retrieved from a remote server. The following is an example of configuration data:
When decoded, you can see the targeted webpage (in red) and the injected contents (in yellow):
This ability more or less makes it a kind of backdoor. Because of this, and the fact that the malware initially relied on tricking users by pretending to be a Flash Player installer, it was dubbed Flashback. It has, however, evolved since then and has started incorporating exploits to spread in recent variants. In all the cases that I've seen, they at least target Google, which leads me to believe that it is actually the next evolution of Mac QHost.
With its interposing function in place, the next thing Flashback does is to get the browser(s) to load it.
This is where the DYLD_INSERT_LIBRARIES environment variable comes in handy:
There are generally two types of infections. The first one occurs when the malware has admin privileges. An example would be the 2nd variant, Flashback.B, or the screenshot above. In this type of infection, the DYLD_INSERT_LIBRARIES environment variable is added to the context of the targeted applications only, specifically the browsers. Earlier variants target Safari and Firefox. Recent variants only target Safari. This type of infection can be more difficult for a user to notice because the infected system will be more stable.
The second type of infection occurs when the malware does not have admin privileges. An example would be the first variant, Flashback.A. In this type of infection, the DYLD_INSERT_LIBRARIES environment variable is added to the context of the infected user. This means that the malware will be loaded to all applications launched by the infected user. This makes the infected system much more unstable because there will be more crashes caused by incompatible applications. To solve this, recent variants have introduced a new filter component:
In the example above, the filter component only loads the main component when the process is Safari (ignore "WebPo" in the screenshot; it's probably just a typo by the malware author for WebProcess, which is part of Safari).
So how do you locate an infection in this case? The simplest way is to check the DYLD_INSERT_LIBRARIES environment variable of your browsers. You can use the following command in Terminal:
If you don't get any results, it means you don't have this type of infection.
You can use the following command again to locate the main component if you have the filter component:
• grep -a -o ' __ldpath__[ -~]*' %path_from_previous_step%
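As an added example (not part of the original post and not F-Secure's tooling), the same check done in Python: it looks for DYLD_INSERT_LIBRARIES in the two contexts the post describes and recovers the main component's path from a filter component with the same ' __ldpath__' pattern as the grep above. The plist locations in DEFAULT_CHECKS are assumptions about where each infection type writes the variable, and the sample plist and filter bytes are constructed for offline use.

```python
import os
import plistlib
import re

DYLD_KEY = "DYLD_INSERT_LIBRARIES"
LDPATH_RE = re.compile(rb" __ldpath__([ -~]*)")  # the post's grep pattern
# Assumed locations, not stated in the post: a browser bundle's Info.plist
# keeps per-app environment overrides under LSEnvironment (first infection
# type); ~/.MacOSX/environment.plist applies to every process the user
# launches (second type).
DEFAULT_CHECKS = [
    ("/Applications/Safari.app/Contents/Info.plist", "LSEnvironment"),
    (os.path.expanduser("~/.MacOSX/environment.plist"), None),
]

def find_dyld_insert(plist_bytes, env_key=None):
    """Libraries named by DYLD_INSERT_LIBRARIES in an XML or binary plist.
    env_key picks a nested dict ("LSEnvironment"); None means the top level."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # not a plist at all
        return []
    env = plist.get(env_key) if (env_key and isinstance(plist, dict)) else plist
    value = env.get(DYLD_KEY) if isinstance(env, dict) else None
    return [p for p in str(value or "").split(":") if p]  # colon-separated

def main_component_path(filter_bytes):
    """Recover the main component's path that a filter component embeds."""
    m = LDPATH_RE.search(filter_bytes)
    return m.group(1).decode("ascii").strip() if m else None

def scan(checks=DEFAULT_CHECKS):
    """Return [(plist_path, inserted_library, main_component_or_None), ...]."""
    findings = []
    for path, env_key in checks:
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            libs = find_dyld_insert(fh.read(), env_key)
        for lib in libs:
            main = None
            if os.path.isfile(lib):  # a filter component names the main one
                with open(lib, "rb") as fh:
                    main = main_component_path(fh.read())
            findings.append((path, lib, main))
    return findings

# Constructed sample data so the checks can be exercised offline.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "LSEnvironment": {DYLD_KEY: "/Users/Shared/.example_filter.dylib"},
})
SAMPLE_FILTER = (b"\xcf\xfa\xed\xfe" + b"\x00" * 12
                 + b" __ldpath__/Users/Shared/.example_main.dylib\x00pad")
```

On a clean machine (or on anything that is not a Mac) scan() returns an empty list; any tuple it does return names the plist carrying the variable, the inserted library, and the main component if that library is a filter component.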
Now what to do with the samples? Send them to us. By sending us the sample, you will be helping the community as well since we have sample sharing arrangements with other AV vendors.
When deleting the samples from a system, you have to make sure you remove the DYLD_INSERT_LIBRARIES environment variable as well. Otherwise your browsers, or even worse your whole account, may refuse to load next time.
Use the following for the first type of infection:
Variants of the SpyEye trojan target banks using a plugin called webinject.txt. We collected 1,318 samples in our back end that matched those from SpyEye Tracker's RSS Feed. Taking a look inside, we discovered that this collection of samples contains 632 different bank domains and that commerzbank.com was the most targeted bank domain.
Here's a graph of the top 40 banks targeted by SpyEye:
The Y-axis represents the number of instances a bank was referenced within the sample set.
A new Mac backdoor exploiting CVE-2011-3544 (a Java vulnerability) is being reported. The backdoor appears to be connected to GhostNet. The malware is being used in targeted attacks against non-governmental organizations (NGO).
Greg Walton published details of targeted mails sent to NGOs related to Tibet. The message contains a link to: dns.assyra.com. Read more from Walton here. AlienVault Labs has posted a technical report.
CERT-FI is warning about SMS messages being sent by GTradeInc which claim to confirm a subscription to a premium-rate service. These messages are apparently being sent to random people who have not ordered such a service or taken part in a Facebook or other campaign that would ask for phone numbers.
The SMS messages contain the following content:
Mainoskirje aktivoitu. Saat 3 mainosta/vko. Hinta 20e/kk, veloitetaan puhelinlaskussasi. Peruuta milloin tahansa ilmaiseksi, tekstaa: TXT5 PERU numeroon 17163.
A brief English translation is that an advertising campaign has been activated, the subscriber will receive three advertisements per week, price being 20€/month, cancellation can be done at any time for free.
It is still unclear whether an actual billing agreement has been made, and whether people would actually receive bills. Also, there have been claims that the cancellation message would actually cost 5€, which is possible as 17163 is in the paid SMS range.
According to CERT-FI, no billing can be done without user approval. So people should not try to contact GTradeInc; they should just ignore the messages and file a complaint if additional charges appear on their phone bill.
However, contacting your phone operator might be wise to confirm that no billing agreement has been made with GTradeInc.
A couple of months ago, there was an overly polite variant of ZeuS circulating here in Finland. The Finnish localization was pretty good, but it used "Suo anteeksi" (roughly "do forgive me") within an error message… not typically the kind of thing you'd read in software.
We continue to see decent localization within ZeuS variants (and not just Finnish). Clearly, some bad guys out there have evolved from Google Translate, which is the level of localization we used to expect in the past.
But the bad guys still make basic mistakes. One variant of ZeuS, which is circulating now, includes a Finn's name within the localized efforts. Instead of stating "Welcome Bank Customer", the trojan declares "Welcome name withheld".
Here are some of the banks that are being targeted.
For banks that use Java applications, this ZeuS appears to attempt a replace and imitate approach. (Our analysis is ongoing.)
The server which hosted the configuration file (from which the screenshot was taken) has been taken offline, so this variant can infect, but cannot download the locations of its Command & Control servers. Unfortunately, any computers infected last week will have downloaded a configuration file that includes lots of redundant server names.
But fortunately… most of the banks that we've worked with in the past have extensive transaction controls on their back end systems. So it isn't just a simple thing for the ZeuS trojan to transfer funds from the account of somebody with an infected computer.
Best advice: update your computer software to avoid infection. Also: avoid haphazard web searches. There are tons of compromised sites out there, and you're most likely to fall into a trap when you're searching for something.
Best advice for those infected: don't panic. If you see something that looks unusual in your online bank account, it's not too late to block the bad guys. Call your bank's customer support and they'll be able to assist.
It's been a while since we last wrote about Mac malware, so I thought it would be good to give our readers an update on what's been happening during the last few months. Last year we detailed a possible Mac trojan in the making. At that time we were still speculating whether it would be part of a bundle or just a standalone binary. Now it's clear: a new variant was discovered and it is a full-blown application, complete with an icon.
The author calls this variant version 1.0 ("FILEAGENTVer1.0" in little-endian) as seen from the binary's code:
The sample I analyzed uses thumbnail images/icons of Irina Shayk, apparently taken from the March 2012 issue of FHM (South Africa) magazine. The malicious application bundle is being spread inside an archive file together with other images taken from the magazine hoping that its file type will be overlooked by users.
Nothing else is new besides the implementation. The backdoor payload is still the same but uses a new C&C server. The server is currently active (at time of publication). It is important to note that the new C&C server still points to the same IP address as the previous variant, as mentioned by the folks at ESET. We have reported the server to CERT-FI. Hopefully they will be able to notify the proper authorities.
Moving along — there's another, more serious OS X malware threat lurking out there. The Flashback trojan, which first appeared around the same time as Revir, is still in the wild. It is using exploits to infect systems without user interaction. Though what it's exploiting are old Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353), we might begin seeing a real OS X outbreak if the gang upgrades its operation a notch higher and starts targeting unpatched vulnerabilities.
In a future post, I will detail how to locate a Flashback infection. In the meantime, the easiest way to avoid infection is to just disable Java in your browser(s). Based on our surveys, most users don't really need Java when browsing the Web. If for some reason you do need Java, say for online banking, turn it on only when you need it. And then turn it off again after you're done.
In Safari, you can disable Java by unchecking "Enable Java" in Safari Preferences, Security tab.
Or you can disable Java system-wide on Snow Leopard (Lion doesn't come with Java by default) by going to Applications, Utilities, Java Preferences. Uncheck everything in the General tab.
Last week, we advised readers to apply Microsoft update MS12-020 sooner than later. For those of you that have — good work. And if you haven't yet applied the patch — stop delaying.
Ever since MS12-020 was released, there's been a flurry of activity attempting to "weaponize" the Remote Desktop Protocol (RDP) vulnerability. The race to an exploit is on and is in top gear. Lab Analyst Timo Hirvonen is tracking the situation on his Twitter account.
We have to agree with Ellis: small and medium businesses are at significant risk. Fortunately, Ellis and a friend have offered a helpful tool that a small business owner could use to assess risk: RDPCheck.
To use RDPCheck, visit rdpcheck.com. From there, you can initiate a scan for vulnerabilities on your IP address.
WordPress.org is being targeted once again, and although this time there isn't much sneaky sophistication, the infection is still prevalent enough for Internet users to be wary.
Spam appears to be the driver of these campaigns. Various websites have already been identified as redirecting to the Blackhole exploit kit. Compromised websites render one of the following pages upon visit:
Simple and unsuspecting… but really, in an age in which beautifully crafted websites are the norm, these fakes are just too plain to be the real deal…
And indeed they aren't…
Currently, these sites redirect to the following domains that host Blackhole exploit kit:
First: Microsoft's Remote Desktop Protocol is disabled on Windows by default. So most computers are unaffected by the issues highlighted in this month's "Patch Tuesday". However: if you administer RDP-enabled workstations — then you probably should read Microsoft's Security Research & Defense post about CVE-2012-0002.
CVE-2012-0002 was privately reported to Microsoft, and there are no reports of it being exploited in the wild. But it's only a matter of time before the patch is reverse engineered and this vulnerability is exploited.
So read Microsoft's post, schedule, test, and deploy. And do it sooner than later.
Over the past few days we've received reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police.
The ransomware in question is part of a family we call Trojan:W32/Ransom and is localized for several European countries: Germany, the UK, Spain and now Finland. In all countries, the social engineering method is the same. Upon infection, the ransomware expands Internet Explorer to full screen (F11) and displays a message, purportedly from a local police unit, claiming that the user's computer has been used to browse sites containing child and animal abuse. It also claims that the computer has been used to send e-mail spam on topics related to terrorism, and has therefore been locked until a fine is paid.
In this case, the ransomware claims to be from "Tietoverkkorikosten tutkinnan yksikkö", which translates as "information network crime investigation unit". However, the Finnish police doesn't have a unit with that exact name. Also worth noting is that the quality of the Finnish is not very good and the contact address is at cyber-metropolitan-police.co.uk. Further inspection reveals that the cyber-metropolitan-police.co.uk domain is registered to a fake person, Mr. “be happy”, residing in Gette, Poland. Very credible indeed.
The Finnish ransom message is demanding payment using Paysafecard, which is a disposable prepaid card that can be used for anonymous online transactions. It is sold nationally at kiosks within Finland.
F-Secure Internet Security detects known variants of Trojan:W32/Ransom either by family name or by generic detection names, but as always it pays to be careful. Our back end statistics indicate that this is definitely "liikkeellä" (in the wild).
The initial infection vector for this trojan has been either a Java runtime exploit or an Adobe Acrobat/Reader PDF exploit; there is no information about fresh (0-day) exploits being used.
So to be safe:
1. Update your Acrobat PDF reader to the latest version, or switch to another PDF reader.
2. Update your Java runtime. Or, if you do not need Java, it is highly advisable to uninstall it. If you do need Java, at least consider disabling it within the browser when not in use. Or, switch to Google Chrome, which will ask before Java is executed from unknown sites.
If your computer is ever compromised by ransomware, do not pay anything to the malware authors. In almost all cases, paying does not free up your computer anyway. Also remember that neither the Finnish police nor any other police force in the world uses Paysafe, Ucash or any other prepaid billing system for fines. Any message demanding your credit card or any other payment method is most certainly a scam and not from a legitimate government official.
AV-TEST published its "Anti-Malware solutions for Android" report today.
Out of 41 products tested — we're proud to be in the top tier!
Because AV-TEST is still in the process of refining its test methodologies, it hasn't announced direct rankings.
But if you download their detailed report, available from www.av-test.org/en/tests/android, you'll see in Figure 5 that only one other vendor matched our detection rates for all of the families tested.
This is the week! (No… that's not an "iPad 3" reference.)
Back in November, the F.B.I. shut down servers belonging to the DNSChanger botnet, operated by Rove Digital, which was based in Estonia. The Feds have been running substitute DNS servers since then, but their authority to do so expires on March 8, 2012.
And that means tens of thousands of compromised machines may be cut off from Internet services on Thursday.
Based on research by Merike Kaeo, it could even be hundreds of thousands.