"There are now three certainties in life — there's death, there's taxes and there's a foreign intelligence service on your system." ~ MI5's Head of Cyber
BBC Radio 4 recently aired a very interesting series on cyber espionage, theft, and war.
Reporter Gordon Corera interviewed numerous individuals including Michael Hayden (Former Director of the N.S.A.), Toomas Hendrik Ilves (President of Estonia), and MI5's Head of Cyber (who preferred not to be named). Episode 3 is still available for a limited time.
Doug Engelbart died on July 2, 2013. He is probably best known, to the general public, as the inventor of the computer mouse. But he was much more than that…
"They called him kooky, and laughed at him for doing weird stuff."
If you're not familiar with it, The Demo included demonstrations of "hypertext, object addressing and dynamic file linking, as well as shared-screen collaboration involving two persons at different sites communicating over a network with audio and video interface."
And the best part… The Demo took place on December 9, 1968.
Stanford University has an excellent series of annotated clips: here.
Truly a man ahead of his time, Engelbart's vision was to ask:
"How do we collectively use technology to map our future with integrity mindful of the perspectives of others and future generations?"
The debate continues regarding the U.S. Government's domestic surveillance programs — which U.S. privacy advocates argue are a violation of Fourth Amendment constitutional protections.
On Monday, Malwarebytes researcher Jerome Segura posted a nice write-up (and video) about FBI-themed ransom scams targeting users of Apple Mac OS X.
The basics are as follows:
• Segura discovered the scam via a Bing Images search for Taylor Swift.
• A compromised site hosting the image linked to a webpage mimicking police ransomware.
• Only it isn't really "ware" in the normal sense of a ransomware trojan.
• The scam uses clever persistent JavaScript in its attempt to trick people into paying a supposed fine.
And now we'd like to contribute some additional notes.
Located in Canada, Segura was directed to an FBI themed webpage. This is probably due to his North American IP address, or else he was using a US-based proxy.
In Europe, the result is Europol themed:
And the scam uses a Europol-themed URL:
Also, such scams are not just targeting Macs, as this comment from The Safe Mac explains.
Crimeware kits are always targeting everything all the time. Windows, Macs, every OS.
But most of the time… there isn't a good exploit vector with which to target Macs with malware, so they are redirected to something "spammy" instead. For example, now that the ransom scam has been exposed, this is what the FBI and Europol URLs are currently redirecting to:
Find Your Adult Friend: a site which uses scraped images. (Avoid.)
Right-to-left override (RLO) is a special character used in bidirectional text encoding to mark the start of text that is to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and last year's high-profile Mahdi trojan to hide the real extension of executable files. Check out this Krebs on Security post for more details on the trick.
We've spotted a piece of Mac malware using the RLO trick. It was submitted to VirusTotal last Friday.
The objective here is not as convoluted as the one described in Krebs's post; it's simply to hide the real extension. The malware could have just used "Recent New.pdf.app", but OS X already accounts for this and displays the real extension as a precaution.
The malware is written in Python and it uses py2app for distribution. Just like Hackback, it's signed with an Apple Developer ID.
However, because of the RLO character, the usual file quarantine notification from OS X will be backwards just like the Krebs case.
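As an added illustration (not code from the original post or from the malware), the following shows how a U+202E override makes the name a user sees differ from the extension the OS acts on, and a check a defender can run over filenames to flag it. The sample filename is constructed in the shape of the trick and is not the actual Janicab filename; the rendering is a simplified approximation of the Unicode bidi algorithm, sufficient for ASCII names.

```python
# Added example: detect right-to-left override tricks in filenames.
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING (ends the override)
# Bidi control characters worth flagging in any filename.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069",
                 "\u200e", "\u200f", "\u061c"}

def displayed_name(name: str) -> str:
    """Approximate what a naive renderer shows: the run after an RLO is
    reversed until a PDF character or the end of the name (simplified bidi)."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)

def real_extension(name: str) -> str:
    """The extension the OS actually uses: the suffix after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def flag_filename(name: str) -> dict:
    """Report bidi controls present and whether the visible extension
    differs from the real one."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    return {
        "has_bidi_control": bool(controls),
        "controls": controls,
        "displayed": shown,
        "displayed_extension": real_extension(shown),
        "real_extension": real_extension(name),
        "mismatch": real_extension(shown) != real_extension(name),
    }

# Constructed sample (hypothetical, not the real Janicab filename).
SAMPLE = "Recent New" + RLO + "fdp.app"

if __name__ == "__main__":
    for n in (SAMPLE, "Recent New.pdf.app", "report.pdf"):
        print(repr(n), flag_filename(n))
```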
The malware drops and opens a decoy document on execution.
Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.
The malware connects to the following pages to obtain the address of its command and control server:
It parses for the address in the string "just something i made up for fun, check out my website at (address) bye bye".
The YouTube page looks like this:
Doing a Google search for the string reveals that there are other sites being abused besides those mentioned above.
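As an added example (not Janicab's own code), here is how a defender could scan scraped page text for the marker sentence described above and pull out the embedded address, rejecting tokens that do not look like a host. The page text and the addresses in it are constructed placeholders, not real indicators.

```python
# Added example: extract C&C addresses hidden in the Janicab marker sentence.
import re

MARKER = re.compile(
    r"just something i made up for fun,\s*check out my website at\s+(\S+?)\s+bye bye",
    re.IGNORECASE,
)
# Hostname or IPv4 with optional scheme, port and path; rejects junk tokens.
HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::\d+)?(?:/\S*)?$",
    re.IGNORECASE,
)

def find_c2_addresses(text: str) -> list:
    """Return every plausible address embedded via the marker sentence,
    in order of first appearance, without duplicates."""
    found = []
    for m in MARKER.finditer(text):
        addr = m.group(1).strip(".,;\"'()")
        if HOSTLIKE.match(addr) and addr not in found:
            found.append(addr)
    return found

# Constructed page text (placeholder addresses, not real indicators).
SAMPLE_PAGE = """
<p>great video!!</p>
<p>just something i made up for fun, check out my website at c2.example.invalid bye bye</p>
<p>lol just something i made up for fun, check out my website at 203.0.113.7:8080 bye bye.</p>
<p>just something i made up for fun, check out my website at ??? bye bye</p>
"""

if __name__ == "__main__":
    print(find_c2_addresses(SAMPLE_PAGE))
```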
The malware then continuously takes screenshots and records audio (using third-party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.
The malware is detected by F-Secure as Backdoor:Python/Janicab.A.
Updated to add:
Here are the stats from one of the YouTube videos being used as a C&C locator:
The videos predate the Janicab.A binary by at least a month. Based on the stats, it seems likely there are earlier variants in the wild.
Eric was running a script with 16 Twitter bots competing for the 50,000th follower slot. Hard work paid off, and he won!
Eric will be getting the Bitcoin and a copy of Thomas Rid's upcoming book Cyber War Will Not Take Place. Congratulations!
However, I also promised a Bitcoin and the book to a random follower of mine. Which one got it? Did you get it? You'll have to watch the video to find out.
Given current events, a refresher on just what metadata is seems useful. From our June 29, 2012 post:
"A 2008 German law required all telecommunications providers with more than 10,000 customers to retain six months worth of data on all calls, messages and connections. Germany's Constitutional Court ruled the law unconstitutional in 2010.
Spitz acquired (meta)data from his telecom provider covering a period from August 2009 to February 2010. Zeit Online has made the raw data available via Google Docs. To demonstrate just how much of a personal profile can be crafted, Zeit Online augmented the data with publicly available information such as Spitz's tweets and blog entries."
(Meta)data or metadata… it's all data.
Anyway, the result is an incredibly cool, very revealing, interactive map:
Over the weekend, Yeh, one of our Security Response Analysts, came across some interesting analysis on a Chinese language forum about an Android app that basically turns a mobile device into a hack-tool capable of stealing information from a connected Windows machine.
He managed to find a sample (MD5:283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (detected as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:
When the app is launched, it directs the user to download a ZIP file from a remote server:
It then unzips the downloaded file to the following location: /mnt/sdcard/usbcleaver/system folder.
The files saved are essentially utilities used to retrieve specific pieces of information when the device is connected via USB to a Windows machine. Note: we detect most of the files with older detections.
The following details are grabbed from the connected PC:
• Browser passwords (Firefox, Chrome and IE)
• The PC's Wi-Fi password
• The PC's network information
The app gives the user the option of choosing what information they want to retrieve:
To run the utilities, the sample creates an autorun.inf and go.bat file at /mnt/sdcard. When the device is connected to a Windows computer, the autorun script gets triggered, which then silently runs the go.bat file in the background, which in turn runs the specified files from the usbcleaver/system folder.
The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app's user can click on the "Log Files" button to view the information retrieved from the PC:
This isn't the first Android trojan reported this year with PC-infecting capabilities, since that "distinction" belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).
Unlike the Sscul malware however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.
Fortunately, USBCleaver's Windows-infecting routine can be blocked by a simple measure that has been standard security advice for the last couple of years: disabling Autorun (this is already the default on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile device drivers manually installed in order for this attack to work.