We started thinking: if our automation can detect malware by looking for references to Chuck Norris, what else can we do? Then it hit us: we need to look for references to David Hasselhoff. Obvious, when you think about it!
Picture (C) F-Secure Corporation
Sure enough — there is malware that references "the Hoff".
As an example, take Backdoor:W32/IndSocket.A (a7de748dc32a8edda9e81a201e2a83da8f60bd42), a remote administration trojan (RAT) that consists of a client and a backdoor. It allows the attacker to do certain things on a compromised computer; the typical things, such as running programs, logging keystrokes, and changing the wallpaper of the user's Windows desktop. There is a catch, though: the attacker cannot choose which wallpaper to use. When the attacker clicks the "David Hasselhoff Atach" (sic) button on the remote trojan control panel, the wallpaper changes automatically to a well-known picture of the "Knight Rider" with two strategically placed puppies.
Picture (C) F-Secure Corporation
So, if you yourself did not change your wallpaper to a picture of "The Hoff", you know what hit you. We're sure our customers rest easily knowing our Internet Security includes "Anti-Hassle Hoff Technology(TM)".
Real-world events occasionally generate a massive number of online searches. Japan's recent earthquake and the tsunami that followed are a good example of a sudden event that turned the world's attention to Google. And as topics trend in Google's search results, Search Engine Optimization (SEO) attacks are attempted. Our March 11th post urged caution while searching for information.
The post also noted that Google has been doing a pretty good job of keeping SEO attacks at bay and filtered out of their search results. Web results that is…
Since October of last year, we've seen a steady growth in image based SEO attacks. Because Google is winning the (cat and mouse) battle against malicious site SEO, some attackers have shifted to image searches. Image based SEO attacks are more of a technical challenge. Instead of following trends and then connecting to a hosted attack site, the attacker must instead connect a trending topic to a particular image, and then link that image to a compromised site, which then links to the attacker's site.
It's a fascinating evolution that our Threat Insights team has been investigating.
But we'll provide more details about that in a future post.
Today, we want to mention what's likely to be a heavily searched-for image tomorrow: Kate Middleton's wedding dress.
We're already seeing some "royal wedding coverage" SEO attacks.
Here's an example which includes some well known footballers in the results:
The image, called "0611-soccer-studs1-credit.jpg", is linked to "lingerie-now.com".
Google's preview is loaded in the front, while the host site is loaded in the background.
What happens next is that the background site is linked to the attack site, which takes over the page and displays a warning message, an attempted scareware attack.
You can see the linkages here:
The site then renders an animated "Online Scan":
All of the results are nonsense, of course; this example is from a clean test machine:
Unfortunately, SEO driven scareware attacks are very successful, relatively speaking. Consumers have been scammed out of millions of dollars by this type of attack.
So be wary of this potential threat if you're among those searching for wedding pictures.
Google's Web search result for "royal wedding" places the couple's official site at the top of the page.
And here's another timely example of an image based SEO attack, from GFI Labs' Christopher Boyd, targeting those searching for US President Barack Obama's birth certificate, which the White House released yesterday.
Q: What is PSN? A: It's the Sony PlayStation Network, an online gaming network.
Q: What devices can access it? A: Sony PlayStation 3 (PS3) Sony PlayStation Portable (PSP). You can also use your PSN login on the Sony discussion forums.
Q: If I have a PlayStation 3, do I also have a PSN account? A: Not necessarily. PS3s and PSPs work fine without an Internet connection. However, the majority of users do use the online access feature and thus have created an account.
Q: Why does a gaming network have credit card information? A: PSN is also a media delivery network. Users buy games, movies and music from there with their credit cards.
Q: How long has PSN been down? A: Since 20th of April, 2011.
Q: What was stolen? A: Sony believes that the stolen information includes name, address, e-mail address, birth date, password, and handle of all PSN users. They also believe credit card numbers may have been stolen, but not their security (CVV) codes.
Q: How many accounts were stolen? A: Up to 77 million, which would make this one of the biggest data breaches ever.
Q: What should end users do? A: If you have used the same username/e-mail address with the same password in some other service, change the password now. When PSN comes back online, change your password there as well.
Q: What should end users do regarding their credit cards? A: They should follow their credit card bills carefully for any signs of fraudulent purchases. If you see any signs of fraud, report it to your credit card issuer.
Q: What kind of credit cards do you recommend for online use? A: In general, credit cards are safer than alternatives, as long as you carefully follow your bills. We especially like systems such as the one provided by Bank of America, where you can generate temporary credit card numbers for online use. Citibank and Discover offer the same or similar technology.
Q: Who hacked PSN? A: We don't know.
Q: Was it "Anonymous"? A: Anonymous has recently launched several attacks against Sony to protest Sony's tactics. However, Anonymous has announced they are not behind this breach.
Q: What's the connection to Rebug? A: Rebug is a custom firmware for the PS3 that enables access to lots of features that are otherwise unreachable. In particular, recent versions made it possible for a normal PS3 to look like a developer unit. In some cases, this could be used to take content from PSN shops for free. While the Rebug hack could be used to steal credentials and credit card numbers from the PS3 unit it's running on, there's no obvious way it could be used to steal information on a larger scale. Rebug developers do not believe it was connected to the breach in any way.
Q: So, this could never happen on the gaming networks of Xbox and Wii, right? A: We wouldn't bet on that.
Q: What's SOE? A: It's Sony Online Entertainment, an online gaming network like PSN but for PC games.
Q: Does SOE have any games I would have heard of? A: Yes, EverQuest (also known as EverCrack for its addictiveness). There are some other games too, including Star Wars Galaxies, The Matrix Online, PlanetSide and DC Universe Online.
Q: What happened with SOE? A: It was hacked as well. Sony announced on the 3rd of May that attackers had stolen personal information for 24.6 million SOE accounts, including names, addresses, telephone numbers, e-mail addresses, gender, date of birth, login ID, and hashed passwords. Combining stolen records from PSN and SOE takes the total over 100 million stolen accounts, which must be some sort of a record. This is pretty big. For example, we have scores of employees at F-Secure who are affected.
Q: Did they steal anything else? A: Yes. They were able to steal "an outdated database from 2007", which included 12,700 credit or debit card numbers and 10,700 direct debit records of European customers. That means bank account information.
Q: Why did Sony have "an outdated database from 2007" online? A: Beats us.
Q: Were the credit card numbers in the "outdated database from 2007" encrypted? A: Sony isn't telling.
Q: What do they say? A: They have an announcement to SOE customers here.
Q: Any idea who did it? A: We don't know. But there is some speculation there could be a connection to layoffs that just happened in Sony's Denver, Seattle and Tucson studios.
Q: Why do people hate Sony? A: MAKE magazine has a long article on this. To summarize, Sony has a long history of going after legitimate innovation, hobbyists, and competition. Examples:
• Shipping hidden Windows rootkits on music CDs
• Threatening hobbyists for creating software that enables Sony's Aibo robot dog to dance
• Shutting down vendors who wanted to write emulators that allow playing your original PlayStation 1 CDs on your PC
• Suing companies that build systems for bypassing region restrictions
• Killing Linux support on the PS3
• Suing makers, hackers, and tinkerers such as Geohot
• And now: losing your personal info, your credit card number and your bank account details
Eli Lake's article, mentioned below, got started after we broke the news on the connections between Gamma Technologies, Elaman GmbH and the Egyptian Government.
Photo by Rüdiger Trost, F-Secure GmbH
It's more than unsettling to realize there are large companies out there developing backdoors, exploits and trojans.
Elaman HQ Photo by Rüdiger Trost, F-Secure GmbH
Of course, most of these are designed for "lawful interception".
Lawful interception has been around forever. Originally it meant just tapping landline phone calls, by the operator. Eventually it expanded to mobile calls and text messages. And then it expanded to tapping e-mails and web surfing information. However, if the suspect accesses a website that uses SSL (such as, say, Gmail), the operator can't tap it. This created a need to use malware and backdoors to infect the target's computer. Once you infect a machine, you can monitor everything done on it.
In theory, there's nothing wrong with lawful interception. When it's done by the police. In a democratic nation. With a court order. And where the suspect is actually guilty. In all other cases, it is problematic.
Other companies mentioned in Eli Lake's article include HBGary Federal and Endgame Systems.
Forensic researcher Alex Levinson has discovered a way to map out where an iPhone has been. The information comes from a location cache file found on an iPhone (Library/Caches/locationd/consolidated.db).
In practice, this file contains your travel history.
It should be noted that this file can't be accessed by third-party apps on an iPhone, as you need root rights to reach it. However, the file is copied to your PC or Mac during standard iPhone sync operations and is accessible from there.
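Since the cache travels with every sync, the forensic question is simply how to find the copy on the computer and how to read it. The Python below is an added example for this post, not code from F-Secure or from the iPhoneTracker tool. It assumes three things worth checking against your own copy: that iTunes backups of this era store each file under the SHA-1 of "Domain-relative/path" (so the cache is found by hash, not by name), that the database has CellLocation and WifiLocation tables with Timestamp, Latitude, Longitude and HorizontalAccuracy columns (the schema published with iPhoneTracker), and that timestamps count seconds from Apple's 2001-01-01 epoch rather than the Unix one. The sample database it builds in memory is constructed so the script runs offline.

```python
import hashlib
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Cocoa timestamps count seconds from 2001-01-01 00:00:00 UTC, not the Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Location of the cache on the device; in an iTunes backup the same file is stored under a
# hashed name (see backup_filename) rather than under this path.
DOMAIN = "HomeDomain"
DEVICE_PATH = "Library/Caches/locationd/consolidated.db"

# Assumed schema (as published with the iPhoneTracker tool): both tables carry
# Timestamp, Latitude, Longitude and HorizontalAccuracy columns.
TABLES = ("CellLocation", "WifiLocation")


def backup_filename(domain=DOMAIN, path=DEVICE_PATH):
    """iTunes backups of this era name each file SHA-1("<Domain>-<relative path>")."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def cocoa_to_datetime(ts):
    return COCOA_EPOCH + timedelta(seconds=float(ts))


def location_history(conn, max_accuracy_m=None):
    """Read every fix from the cache, oldest first.

    Returns (utc datetime, lat, lon, horizontal accuracy in metres, source table).
    Cell fixes are coarse (hundreds to thousands of metres); pass max_accuracy_m to
    keep only fixes good enough to place someone on a street.
    """
    rows = []
    for table in TABLES:
        try:
            cur = conn.execute(
                f"SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy FROM {table}"
            )
        except sqlite3.OperationalError:
            continue  # table absent in this iOS version; carry on with the other one
        for ts, lat, lon, acc in cur:
            if max_accuracy_m is not None and acc > max_accuracy_m:
                continue
            rows.append((cocoa_to_datetime(ts), lat, lon, acc, table))
    rows.sort(key=lambda r: r[0])
    return rows


def days_visited(rows):
    """Group fixes by UTC date: {'YYYY-MM-DD': [(lat, lon), ...]}, i.e. the travel history."""
    out = defaultdict(list)
    for when, lat, lon, _acc, _src in rows:
        out[when.date().isoformat()].append((lat, lon))
    return dict(out)


def build_sample_db():
    """Constructed stand-in for a real consolidated.db so the code runs offline."""
    conn = sqlite3.connect(":memory:")
    for table in TABLES:
        conn.execute(
            f"CREATE TABLE {table} (Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
        )

    def cocoa(y, m, d, hh, mm):
        return (datetime(y, m, d, hh, mm, tzinfo=timezone.utc) - COCOA_EPOCH).total_seconds()

    # Two days of invented fixes: a Wi-Fi fix and a coarse cell fix per day.
    conn.executemany(
        "INSERT INTO WifiLocation VALUES (?, ?, ?, ?)",
        [(cocoa(2011, 4, 20, 8, 15), 60.1699, 24.9384, 65.0),
         (cocoa(2011, 4, 21, 17, 30), 51.5007, -0.1246, 80.0)],
    )
    conn.executemany(
        "INSERT INTO CellLocation VALUES (?, ?, ?, ?)",
        [(cocoa(2011, 4, 20, 9, 0), 60.17, 24.94, 500.0),
         (cocoa(2011, 4, 21, 18, 0), 51.50, -0.12, 1500.0)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()  # replace with sqlite3.connect(path_to_backup_copy) for a real case
    print("look for backup file named:", backup_filename())
    for when, lat, lon, acc, src in location_history(db):
        print(f"{when:%Y-%m-%d %H:%M}Z  {lat:9.4f} {lon:9.4f}  +/-{acc:.0f} m  {src}")
```

The accuracy filter matters in practice: cell fixes say little more than which town you were in, while Wi-Fi fixes with an accuracy of a few tens of metres place you at an address, which is the part that turns a cache into a travel history.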
Yesterday, security researchers Pete Warden and Alasdair Allan released an application that can take such a file and show your movements on a map.
Now, this sounds bad from a privacy viewpoint. For example, authorities could gain a court order to do a forensic examination on your phone to figure out where you've been.
But why is Apple collecting this information to begin with? We don't know for sure. But we're guessing it's likely related to Apple's global location database.
Like Google, Apple maintains a global database of the locations of Wi-Fi networks. They use this to get an estimate of your location without using GPS. For example, if your handset sees three hotspots which have MAC addresses that Apple knows are within a certain city block in London, it's a fair bet you're in that city block.
We know how Google collected their location database: they recorded them world-wide while they had their Google Maps Street View cars driving around the globe.
Apple, for its part, originally licensed a database from Skyhook Wireless. However, the Skyhook database is expensive, so beginning with iPhone OS 3.2, released in April 2010, Apple started replacing it with their own location database.
And the real question is: How did Apple create their own location database? They did not have cars driving around the world. They didn't need to. They had existing iPhone owners around the world do the work for them.
If you run a modern iPhone, it will send your location history to Apple twice a day. This is the default operation of the device.
How can they do this? By asking for your permission first. There is an opt-in process during initial iTunes installation, but the prompt is highly misleading:
We believe the new secret location database found on the devices is connected to this functionality. Apparently iPhones always collect your location information, even if it's not getting sent to Apple.
Short URL services are problematic, and they are becoming even more so in combination with IP location technologies.
From twitter.com earlier today:
If you look closely, you'll notice it's one spambot, @olasher, replying to another spambot, @MorabsShimb3554. Lame, right?
Well, the @olasher account was too obvious: Twitter suspended it within hours of its creation. @MorabsShimb3554 is more subtle, however, and attempts to fly under the radar (successfully so far) by asking the reader to "copy & paste" the ow.ly link.
The ow.ly short link directs through maxbounty.com, and from Finland, redirects to http://fi.toluna.com/Register.aspx, but with an affiliate ID attached, which is how the spammer hopes to make money.
There's no good way of telling just how many sites the ow.ly link can open to; it depends entirely on the user's point of origin (IP address) and on which MaxBounty commissions are active.
Twitter has a very nice tool tip feature that attempts to help by expanding short URLs, but it suffers from being too USA-centric. The links displayed are based on twitter.com's home IP address. It works great for legitimate links, but not always so well for spammy and/or malicious links, because results vary according to location.
And sometimes Twitter can't expand to the end point for some other reason.
Let's look at the link that was being pushed by @olasher:
It pointed to adf.ly, another short URL service, one which attempts to monetize short URLs with an advertisement that the viewer needs to click past.
From a Finnish IP address, the adf.ly URL opens legitimate sites such as Groupon's citydeal.fi, again with an affiliate ID attached. There could be many dozens of variations within Europe alone.
Once you click to skip the ad, you'll be directed to amazon.com.
And yes, there's another affiliate ID on the iPad 2 page as well.
All of the links used in this example are rather harmless. Unfortunately, short URL services with IP location technologies and benign affiliate ID spam are just the tip of the iceberg. More malicious links are on the horizon.
So what can be done?
Feature suggestion to bit.ly et al.: disallow URLs that point to other short URL services; there's no real legitimate reason to shorten an already shortened link.
Short URLs are useful, please make them less so for spammers and scareware vendors.
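Twitter's tooltip expands a link from one vantage point and shows only the end of the chain; what an analyst wants is every hop, as seen from the client IP that matters, so the intermediate affiliate trackers and shortener-to-shortener hops (the pattern the image SEO post above and this post both describe) are visible. The Python below is an added example, not code from F-Secure or from any of the services named in the post. The lists of shortener hosts and affiliate parameter names are assumptions for the example, and the redirect map it uses in place of the network is constructed (on .example hosts) after the chains described above; swap in the http_location fetcher to walk a live link.

```python
import http.client
from urllib.parse import urlsplit, urljoin, parse_qs

# Hosts treated as URL shorteners. Assumption for this example; extend as needed.
SHORTENERS = {"ow.ly", "adf.ly", "bit.ly", "j.mp", "t.co", "goo.gl", "tinyurl.com", "is.gd"}
# Query parameters commonly used to carry an affiliate or publisher ID. Also an assumption.
AFFILIATE_PARAMS = {"aff", "affid", "affiliate", "aid", "a", "ref", "refid", "tag", "pid", "subid"}


def http_location(url, timeout=10):
    """Fetch one hop: HEAD the URL and return the absolute Location of a 3xx reply, or None
    when the reply is not a redirect. Run it from the vantage point you care about: the
    geo-targeting in the post means the same link answers differently per client IP."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        loc = resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()
    return urljoin(url, loc) if loc else None


def expand(url, fetch=http_location, max_hops=10):
    """Follow the chain one hop at a time so every intermediate host is recorded.
    Returns {'hops': [...], 'stopped': 'final' | 'loop' | 'max_hops'}."""
    hops = [url]
    seen = {url}
    while True:
        if len(hops) > max_hops:
            return {"hops": hops, "stopped": "max_hops"}
        nxt = fetch(hops[-1])
        if nxt is None:
            return {"hops": hops, "stopped": "final"}
        if nxt in seen:
            return {"hops": hops + [nxt], "stopped": "loop"}
        seen.add(nxt)
        hops.append(nxt)


def analyse(hops):
    """Flag what the post complains about: shortener-to-shortener hops and affiliate IDs."""
    findings = []
    hosts = [(urlsplit(u).hostname or "").lower() for u in hops]
    short = [h for h in hosts if h in SHORTENERS]
    if len(short) > 1:
        findings.append("shortener chain: " + " -> ".join(short))
    for host, u in zip(hosts, hops):
        params = parse_qs(urlsplit(u).query)
        hits = sorted(p for p in params if p.lower() in AFFILIATE_PARAMS)
        if hits:
            findings.append(f"affiliate parameter(s) {hits} on {host}")
    if hosts and hosts[-1] in SHORTENERS:
        findings.append("chain ends on a shortener (unexpanded or dead link)")
    return findings


# Constructed redirect map standing in for the network, modelled on the chains in the post.
SAMPLE_REDIRECTS = {
    "http://ow.ly/EXAMPLE1": "http://tracker.maxbounty.example/click?a=12345",
    "http://tracker.maxbounty.example/click?a=12345": "http://fi.toluna.example/Register.aspx?aff=12345",
    "http://ow.ly/EXAMPLE2": "http://adf.ly/EXAMPLE2",
    "http://adf.ly/EXAMPLE2": "http://citydeal.example/?ref=spam-001",
    "http://citydeal.example/?ref=spam-001": "http://www.amazon.example/dp/B000EXAMPLE?tag=spam-20",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}


def sample_fetch(url):
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for start in ("http://ow.ly/EXAMPLE1", "http://ow.ly/EXAMPLE2", "http://loop.example/a"):
        result = expand(start, fetch=sample_fetch)  # fetch=http_location for a live link
        print(" -> ".join(result["hops"]), f"[{result['stopped']}]")
        for finding in analyse(result["hops"]):
            print("   !", finding)
```

The hop limit and the loop check are not decoration: redirect loops and very long chains are exactly how a tracker hides a destination from an automated expander, and a resolver that follows redirects silently (as most HTTP libraries do by default) never sees the maxbounty or adf.ly hop at all.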
Finland's parliamentary elections take place this weekend, on Sunday, April 17th. According to the Ministry of Justice's election statistics, 31.2% of Finland's eligible voters (4,159,857 people) have already cast their votes in early balloting. 2007's elections received a 67.9% overall turnout.
Finnish political campaigns last two weeks, an incredibly short period of time when compared to a country such as the United States (which is already preparing for November 2012 elections).
Some candidates, such as Foreign Affairs Minister, Alexander Stubb, have obviously been using Twitter for some time (one would almost expect it from a self-declared foreign affairs geek), while others, such as Prime Minister, Mari Kiviniemi, actually use social media less frequently.
Analysts will have to wait until post-election to begin determining just how much of an effect social media played in the results. But one thing seems certain, in a country where anybody can download a Master list of all 2,315 candidates in Excel format and their demography statistics in PDF format, 2015's parliamentary elections could require a master list of "official" social media accounts.
The New Haven office of the Federal Bureau of Investigation (FBI) hijacked and "killed" the Coreflood botnet this week. You can read more about it from Kim Zetter at Wired.com. Zetter's article references similar action which was taken by Dutch authorities against the Bredolab botnet. We blogged about it last October.
Shutting down a botnet isn't technically difficult. Bots often include instructions to uninstall themselves. But sending instructions for a bot to do so is legally considered "unauthorized use", and so antivirus companies don't do this. This has sometimes been an issue of debate on this very blog, see the comments of this post, for an example.
It has always been our assertion that only governments and their law enforcement agencies could authorize a botnet shutdown. And even then it is a tricky issue… should the FBI be allowed to kill a bot installed on a non-USA (e.g. Canadian) computer? Are they restricting themselves to US based IP addresses?
Yesterday, Adobe issued Security Advisory APSA11-02. The advisory states that:
"A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."
And… this new vulnerability is currently being exploited in the wild:
"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform."
Our thought is: why disable what you can easily uninstall?
We don't generally use Internet Explorer, so we don't need the IE version of Flash Player enabled at all. For Flash on the Web, you can use a designated browser (other than IE). Office embeds Flash through the same ActiveX control that IE uses, so uninstalling the IE version also removes Flash from Office documents. Do you really need Flash enabled for Office?
This is what Microsoft Office will prompt when opening a document/spreadsheet/presentation containing embedded Flash content with no ActiveX version of Flash installed.
The "non-IE" versions of Flash Player are of course still vulnerable to exploit, but it's harder to imagine a successful targeted attack (via e-mail) against them, which is probably why the current attacks are using Office.
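For anyone who has to triage a mailbox full of .doc attachments while the patch is pending, the two indicators of the attack Adobe describes are simple byte patterns: the CLSID of the Flash ActiveX control (the one Office uses to embed a .swf) and a SWF file header (FWS uncompressed, CWS zlib-compressed, ZWS LZMA) somewhere in the file. The Python below is an added example, not code from Adobe or F-Secure; it searches raw bytes rather than parsing the OLE container, so it also works on carved or damaged files, and it applies sanity checks so the letters "CWS" in document text do not trigger it. The sample documents it builds are constructed, not real malware.

```python
import struct
import uuid
import zlib

# CLSID of the Flash ActiveX control (ShockwaveFlash.ShockwaveFlash). Office stores the
# CLSID of an embedded object little-endian inside the OLE compound file, hence bytes_le.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11cf-96B8-444553540000").bytes_le
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of .doc/.xls/.ppt (OLE2) files
SWF_MAGICS = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def _zlib_prefix_ok(blob):
    """True if blob begins like a zlib stream; a truncated stream inflates without error."""
    try:
        zlib.decompressobj().decompress(blob)
        return True
    except zlib.error:
        return False


def find_swf(data):
    """Locate SWF headers anywhere in a byte string. Each hit records the offset, the
    compression scheme, the SWF version byte and the declared uncompressed length."""
    hits = []
    for magic, compression in SWF_MAGICS.items():
        pos = data.find(magic)
        while pos >= 0:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                # Plain-text false positives fail these: a real version byte is small, the
                # length field covers at least the 8-byte header, an uncompressed file cannot
                # declare more bytes than remain, and a CWS body must inflate.
                plausible = 1 <= version <= 50 and length >= 8
                if plausible and compression == "none":
                    plausible = length <= len(data) - pos
                if plausible and compression == "zlib":
                    plausible = _zlib_prefix_ok(data[pos + 8:pos + 8 + 512])
                if plausible:
                    hits.append({"offset": pos, "compression": compression,
                                 "version": version, "length": length})
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def triage(data):
    """Combine the two indicators: Flash control CLSID present, SWF header present."""
    swf = find_swf(data)
    clsid_at = data.find(FLASH_CLSID)
    return {
        "ole_file": data.startswith(OLE_MAGIC),
        "flash_clsid_offset": clsid_at,
        "swf": swf,
        "suspicious": clsid_at >= 0 or bool(swf),
    }


def build_sample_doc():
    """Constructed OLE-like blob with an embedded zlib-compressed SWF (not a real document)."""
    body = zlib.compress(b"\x00" * 64)            # stand-in for the SWF tag stream
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + 64) + body
    return OLE_MAGIC + b"\x00" * 120 + FLASH_CLSID + b"\x00" * 40 + swf + b"\x00" * 32


def build_clean_doc():
    """Constructed blob whose text contains the magic strings but holds no SWF."""
    return OLE_MAGIC + b"\x00" * 64 + b"The CWS committee met; FWS approved the minutes." + b"\x00" * 64


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_doc()
    print(triage(data))
```

A hit on the CLSID alone means the document asks for the Flash control, which on a machine without the ActiveX version installed produces exactly the Office prompt shown above; a hit on both is what the targeted attachments described in the advisory look like and is worth a closer look in a sandbox.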
Incidentally, it looks as if the next version of Flash Player (10.3) will include a control panel applet:
While these numbers may look like generic service numbers, they aren't. They go to various countries ("00" is the prefix for international dialing). The countries are: São Tomé and Principe (239), Denmark (45), Madagascar (261) and Globalstar Mobile Satellite Service (8819).
The trojan claims that the call is "free of charge" but it isn't, and the trojan author will earn money from the call via a technique known as short stopping. This method involves rogue phone operators who route the expensive calls to cheaper countries.
After three minutes or so, the caller is given this unlock code: 1351236.
The unlock code appears to be the same every time the number is called.
It's a pretty clever bit of social engineering and some victims may never even realize that they've been scammed.
Here's a video demonstration on the Labs YouTube channel, which also includes some discussion of other ransom trojans.
The GPcode screenshots referenced in the video can be seen here and here.
We detect this trojan (md5: 9a6f87b4be79d0090944c198a68012b6) as Trojan.Generic.KDV.153863.
A full audio recording of our call to the ransom number is here (MP3, 4 minutes).
Virus:W32/Ramnit is no stranger to many malware analysts/researchers, as it was in the wild back in 2010.
Other malware researchers have blogged about the technical details of this interesting virus (here and here, for example); however there are still some noteworthy techniques — and an "easter egg" — waiting to be discovered.
One of the interesting techniques is the injection method that Ramnit uses. This differs from the traditional method, in which a virus would create a suspended thread and inject code using a memory writing Windows API function, then resume the suspended thread after the injection is done.
In this case, what makes Ramnit different is that it calls a Windows API function to spawn a new process, either the default web browser process or the Generic Host Process for Win32 Services, also known as svchost.exe. By injecting into this newly spawned process, the code is not easily visible to users, and its network traffic is able to bypass the firewall, since outbound connections appear to come from the browser or svchost.exe, which personal firewalls usually allow.
Before this happens, though, Ramnit installs an inline hook in an undocumented Windows native system service, Ntdll!ZwWriteVirtualMemory. The picture below depicts how this injection works:
The hooked Windows native system service redirects the code execution flow to the module defined in the caller process to perform the code injection routine. The injected code in the new process includes the capability for file infection (Windows executable and HTML files), as well as backdoor and downloader functionalities.
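An inline hook of this kind is a patch on the first bytes of an exported function, so the check for it is mechanical: read those bytes out of the live process, see whether they still match the stub ntdll shipped with, and if a jump has been written over them, work out where it lands and whether that is inside ntdll at all. The Python below is an added example, not code from F-Secure's analysis or from Ramnit; it runs over constructed bytes. The XP-era stub layout, the syscall number, the ntdll and injected-module address ranges and the hook target are all assumptions made up for the example, and reading the real bytes (ReadProcessMemory, or a memory dump) is left to the caller. It also recognises the push/ret, indirect-jmp and x64 mov rax/jmp rax prologues that other hooking code leaves behind, which goes beyond the single pattern in this post.

```python
import struct

# Constructed 32-bit layout standing in for an XP-era process: ntdll mapped at 0x7C900000,
# ZwWriteVirtualMemory somewhere inside it, the injected module at 0x00400000.
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0xB2000
FUNC_ADDR = 0x7C9A2D90
INJECTED_BASE, INJECTED_SIZE = 0x00400000, 0x20000
HOOK_TARGET = 0x00401230

# A typical 32-bit Nt/Zw stub of that era (the syscall number is illustrative):
#   B8 xx xx xx xx   mov  eax, <syscall number>
#   BA 00 03 FE 7F   mov  edx, 7FFE0300h        ; KUSER_SHARED_DATA.SystemCall
#   FF 12            call dword ptr [edx]
#   C2 14 00         ret  14h                   ; five stack arguments
CLEAN_STUB = bytes.fromhex("B815010000" "BA0003FE7F" "FF12" "C21400")


def decode_hook(stub, addr):
    """Recognise the prologues an inline hook leaves behind and compute where control goes.
    Returns (kind, target) or None if the first bytes look untouched."""
    if len(stub) >= 5 and stub[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", stub, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(stub) >= 6 and stub[0] == 0x68 and stub[5] == 0xC3:    # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", stub, 1)[0]
    if len(stub) >= 6 and stub[:2] == b"\xFF\x25":                # jmp dword ptr [imm32]
        return "jmp_indirect", struct.unpack_from("<I", stub, 2)[0]
    if len(stub) >= 12 and stub[:2] == b"\x48\xB8" and stub[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp", struct.unpack_from("<Q", stub, 2)[0]  # x64: mov rax, imm64 ; jmp rax
    return None


def first_difference(in_memory, on_disk):
    """Offset of the first byte where the live function differs from the pristine copy, or -1."""
    for i, (a, b) in enumerate(zip(in_memory, on_disk)):
        if a != b:
            return i
    return -1 if len(in_memory) == len(on_disk) else min(len(in_memory), len(on_disk))


def in_module(address, base, size):
    return base <= address < base + size


def classify(stub, addr, on_disk, module_base, module_size):
    """Verdict for one exported function: untouched, patched but still landing in its own
    module (hotpatch or relocation noise), or redirected out of the module, which is what
    Ramnit's hook on ZwWriteVirtualMemory does."""
    hook = decode_hook(stub, addr)
    diff = first_difference(stub, on_disk)
    if hook is None:
        return {"verdict": "clean" if diff == -1 else "modified", "hook": None, "diff_at": diff}
    kind, target = hook
    verdict = "hooked_in_module" if in_module(target, module_base, module_size) else "hooked_out_of_module"
    return {"verdict": verdict, "hook": (kind, target), "diff_at": diff}


def make_hooked_stub(clean, func_addr, target):
    """Constructed: overwrite the first five bytes with jmp rel32 to target, as a hook would."""
    rel = target - (func_addr + 5)
    return b"\xE9" + struct.pack("<i", rel) + clean[5:]


if __name__ == "__main__":
    hooked = make_hooked_stub(CLEAN_STUB, FUNC_ADDR, HOOK_TARGET)
    for name, stub in (("clean", CLEAN_STUB), ("hooked", hooked)):
        r = classify(stub, FUNC_ADDR, CLEAN_STUB, NTDLL_BASE, NTDLL_SIZE)
        where = f"{r['hook'][0]} -> {r['hook'][1]:#010x}" if r["hook"] else "-"
        print(f"{name}: {r['verdict']} ({where})")
```

The on-disk comparison catches patches that are not a recognisable jump, and the module-range test separates a hook that lands in an unbacked or foreign region (the injected DLL in Ramnit's case) from benign modifications; on a live system the pristine bytes come from mapping the same ntdll.dll from disk and applying its relocations, not from another process that may itself be hooked.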
Another noteworthy detail in Ramnit is its "easter egg", found in the DLL that it injects to the processes mentioned above. The code snapshot below should explain everything:
Basically, this easter egg navigates to the registry key and looks for "WASAntidot":
When we try to create "WASAntidot" registry key on a test machine, we see this:
Voila! The machine is safe from Ramnit infection now!
We've been seeing a run of malware distributed via spammed e-mails in the last couple days.
The e-mail messages and the malware aren't particularly new. The message is fake and pretends to be related to a delivery service; attached to it is a disguised ZIP file containing a trojan-downloader.
If the executable inside the ZIP file is run, what a user would see is:
"Hmm, I have an incoming parcel from DHL. I'd better check the attached document for the tracking number. Uh wait… or was it from FedEx?"
This variant of SpyEye has been used in an attack against a European bank. The bank uses SMS based mTANs to authorize transfers. The trojan injects fields into the bank's webpage and asks the customer to input their mobile phone number and the IMEI of the phone. The bank customer is then told the information is needed so a "certificate" can be sent to the phone, and is informed that it can take up to three days before the certificate is ready.
Our detection for this (and other SpyEye variants made with the same kit) is Trojan-Spy:W32/Spyeye.AG.
The so-called certificate, the Symbian component of the malware, is detected as Trojan:SymbOS/Spitmo.A.
Spitmo.A contains the malicious executable (sms.exe) and another installer which contains an executable named SmsControl.exe. SmsControl.exe just displays the message "Die Seriennummer des Zertifikats: Ü88689-1299F" ("The certificate's serial number: Ü88689-1299F") to fool the user into thinking that the installer was indeed a certificate.
The name SmsControl.exe is quite a coincidence, as a variant of ZeusMitmo used the same filename for the file containing the actual trojan. Disguising the trojan as a certificate is also a trick that ZeusMitmo has used. However, the code itself looks completely different from ZeusMitmo's. Full details of how the SMS based mTANs are delivered to the attacker are still under investigation, but it looks as if they are delivered via HTTP and not by SMS as with ZeusMitmo.
The trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed on phones whose IMEI is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank's website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate. A possible source for the certificate is OPDA (http://cer.opda.cn/en), as searching for the unusually long organization name ("Beijing shi ji yi jia wang dian zi shang wu you xian gong si") returns hits related to OPDA. The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.
• c:\Private\E13D4ECD\settings.dat — contains two URLs, http://[*].net/input.php and http://[*].net/delete.php, and the path c:\Data\delete.sis (sms.exe contains code to silently install other applications)
• c:\Private\E13D4ECD\first.dat — an empty file, deleted by sms.exe if present; used as an execution check
• c:\sys\bin\Sms.exe — payload, executed after installation
• c:\private\101f875a\import\[E13D4ECD].rsc — runs sms.exe when the phone is turned on
Embedded installer SmsControl.sis:
• c:\resource\apps\SmsControl.r01
• c:\private\10003a3f\import\apps\SmsControl_reg.r01
• c:\resource\apps\SmsControl_aif.mif
• c:\Private\EAF7F915\data.txt — contains the message displayed to the user
• c:\sys\bin\SmsControl.exe — executed after installation, displays the decoy message
Passwords from over 3,000,000 user accounts were apparently set to "password" late last night in a widespread hack that affected hundreds of news, retail and Web 2.0 sites. Most affected users are completely unaware of the attack.
According to current statistics, 62% of affected users would not notice such a change as their password was already "password".
Several sites have reported that they are taking steps to protect compromised accounts. In addition, many sites are creating a new rule to ban using the word "password" as a password.
Users are reacting fiercely to the hack but even more so to the ban many sites are putting on one of the world's most popular passwords. Online riots are to be expected.
The hacker group named "Obvious" has claimed credit for last evening's attack. Thousands of hacked Twitter and Facebook accounts posted the message "We are all Obvious! Don't Expect Us".
A 1.9 GB file containing more than 3,000,000 user names — and one password — is now available for download as a torrent file via The Pirate Bay.
To avoid problems like this in the future, we are recommending users to change their password everywhere to "password1", which is obviously more secure.