DigiNotar is a Dutch Certificate Authority. They sell SSL certificates.
Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name .google.com.
What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.
But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.
We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It's likely the Government of Iran is using these techniques to monitor local dissidents.
Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don't, they need such certificates from a widely trusted CA. Such as DigiNotar.
In fact, these hacks are so old, it's unlikely they are connected to the current problem. Or at least so we hope.
P.S. The news of the whole incident was first broken on Twitter by S. Hamid Kashfi (@hkashfi). He has blogged about man-in-the-middle attacks in Iran already in 2010. Here's his blog post from May 2010 (via Google Translate).
P.P.P.S. DigiNotar's public statement on the breach is out now. It raises more questions than answers. DigiNotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while DigiNotar revoked the other rogue certificates, they missed the one issued to Google. Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?
Updated to add: As September 5th, here's the list of known domains that the attacker managed to create fake certificates for:
We don't see that many Internet worms these days. It's mostly just bots and trojans. But we just found a new Internet worm, and it's spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven't seen before: RDP.
RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.
When you connect to another computer with this tool, you can remotely use the computer, just like you'd use a local computer.
Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords: admin password server test user pass letmein 1234qwer 1q2w3e 1qaz2wsx aaa abc123 abcd1234 admin123 111 123 369 1111 12345 111111 123123 123321 123456 654321 666666 888888 1234567 12345678 123456789 1234567890
Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.
The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.
Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.
We've seen several different samples. Some MD5 hashes include:
RSA was hacked in March. This was one of the biggest hacks in history.
The current theory is that a nation-state wanted to break into Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted e-mail attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break in. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.
Already in April, we knew that the attack was launched with a targeted e-mail to EMC employees (EMC owns RSA), and that the e-mail contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. Problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.
This bothered Timo Hirvonen. Timo is an analyst in our labs and he was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file — with no luck. Until this week.
Timo wrote a data analysis tool that analyzed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original e-mail that was sent to RSA on the 3rd of March, complete with the attachment 2011 Recruitment plan.xls.
After five months, we finally had the file.
And not only that, we had the original e-mail. Turns out somebody (most likely an EMC/RSA employee) had uploaded the e-mail and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples.
The sample was uploaded on 19th of March as file-1994209_msg
So, what did the e-mail look like? It was an e-mail that was spoofed to look like it was coming from recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content:
"I forward this file to you for review. Please open and view it".
The message was sent to one EMC employee and cc'd to three others.
When opened, this is what the XLS attachment looked like:
Here's a YouTube video that shows in practice what happens when you open the malicious Excel file.
In this video you can see us opening the e-mail to Outlook and launching the attachment. The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over.
After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.
Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.
The attack e-mail does not look too complicated. In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems.
So, was this an Advanced attack? The e-mail wasn't advanced. The backdoor they dropped wasn't advanced. But he exploit was advanced. And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.
Timo will be discussing his research on the topic in detail in the T2 Data Security conference in October in his talk titled "How RSA Was Breached".
P.S. For those who are still looking for the sample:
MD5 of the MSG file: 1e9777dc70a8c6674342f1796f5f1c49 MD5 of the XLS file: 4031049fe402e8ba587583c08a25221a
Aha! Now this is interesting (Facebook buried a good lead here…):
"This setting has been replaced so that instead of just being about your friends, this now prevents anyone you shared something with from re-sharing it with applications."
If we are interpreting this correctly — Facebook will now prevent third-party applications from seeing your information via your friends. This is something that the American Civil Liberties Union (ACLU) took issue with already back in December 2009 (the last time that Facebook made similar changes).
The ACLU even created an application to demonstrate just how much access applications have via your friends:
And this is the information that is available by default:
Based on our polling, not many people realize the implications of this privacy setting.
And the only real way to be sure your friend's third-party applications are blocked is to completely disable Facebook's "platform".
Facebook recently began offering refined privacy controls in its Application Settings for what your applications share with your friends. Each individual application's "App privacy" can be adjusted:
But based on our reading of these new details, it looks as if Facebook is about to take this one step further and will simply prevent all third-party application access via Friends.
And that would be excellent news.
Still, if you have a Facebook account, don't wait, take the time now to examine your Privacy Settings and adjust the "Info accessible through your friends" in the "Apps, Games, and Websites" section, just to make sure that your settings reflect your personal preferences… before Facebook's changes are applied.
P.S. to the ACLU: You really should consider decommissioning your "Quizzes" application and delete its page.
The application doesn't work properly anymore, and you've allow the page to become overrun by spam.
Updated to add on September 5th: Unfortunately, we've now seen the new setting and our interpretation was far too optimistic.
Facebook claims it tries to use simple English… but this is clear as mud.
This is the language of the old setting:
"Info accessible through your friends: Control what information is available to apps and websites when your friends use them."
Here's the language of the new settings:
"How people bring your info to apps they use: People who can see your info can bring it with them when they use apps. Use this setting to control the categories of information people can bring with them."
In other words:
Info accessible through [anyone]: Control what information is available to apps and websites when [anyone] uses them.
It now appears to us that Facebook is doing the exactly the opposite of what we had hoped and is expanding the reach of applications to data mine from your account if Facebook's platform is enabled.
Here's the details from within the setting:
"People on Facebook who can see your info can bring it with them when they use apps. This makes their experience better and more social. Use the settings below to control the categories of information that people can bring with them when they use apps, games and websites."
So, the applications of anyone that can see your info can use it. If you don't want "anyone's" applications accessing your information — make sure that your important info isn't shared with "everyone", and deselect all of the categories from the setting.
Because otherwise… Facebook will share it almost all of it by default to anyone that asks for it.
China is often blamed for launching online attacks, but the evidence is almost always circumstantial. Many of the targeted espionage trojans seem to come from China, but we can't actually prove it.
However, some new evidence has just surfaced.
On 17th of July, a military documentary program titled "Military Technology: Internet Storm is Coming" was published on the Government-run TV channel CCTV 7, Millitary and Agriculture (at military.cntv.cn).
The program seems to be a fairly standard 20-minute TV documentary about the potential and risks of cyber warfare. However, while they are speaking about theory, they actually show camera footage of Chinese government systems launching attacks against a U.S. target. This is highly unusual. The most likely explanation is that this footage ended up in the final cut because the editor did not understand the significance of it.
Here's the critical snippet from the program:
Rough translations of the texts shown in the dialog:
People's Liberation Army Information Engineering University
Select Attack Destinations
List of Falung Gong sites
Falun Dafa in North America Falun Dafa website Meng Hui website Witnesses of Falun Gong website 1 Witnesses of Falun Gong website 2
The targets listed in the tool are related to Falun Gong or Falun Dafa — a religious organization that is banned in China. In particular, the attack is launched against an IP address, 126.96.36.199, which belongs to a U.S. University. What kind of an attack is launched remains unclear. But already the existence of such software with such targets is breaking news.
The software is credited to have been written in the Information Engineering University of China's People's Liberation Army.
People that have already fell for one scam are more likely to fall for another. That seems to be the logic behind the latest Nigerian advance-fee fraud scams.
They explain to you that if you've lost money in a Nigerian 419 scam, you can apply for compensation — after paying a suitable fee…
Here's a copy of the scam e-mail:
From: "Ministry of Foreign Affairs Nigeria" (firstname.lastname@example.org) Subject: Swindled by Nigerian? Apply for compensation now! Reply-To: email@example.com
Ministry of Foreign Affairs Federal Republic of Nigeria Maputo Street off Abidjan Street Wuse Zone 3, P.M.B. 130, Garki Abuja.
Our Ref: FGN/WB/MFA/CitiBank/2011 (1/1)
This is to announce to you that the Federal Government of Nigeria supported by the World Bank Group and International Monetary Fund (IMF) have allocated $50.000 each for every scam victims for monetary loss and damages.
The compensation funds were deposited at Citibank Nigeria (CN) and the funds will be transferred free of charge by Citibank Nigeria (CN) as instructed by the Federal Government of Nigeria so you do not need to pay any transfer fee or tax of any kind and the transfer will also be monitored by the Ministry of Foreign Affairs for confirmation reasons. The funds have been insured to avoid unnecessary deductions until they get to their various destinations.
Take note that we have never held any scam victims compensation program in Nigeria. This is the First-Of-Its-Kind. Do not be deceived by anybody, any organization or any Ministry!
If you have been scammed send your NAME and ADDRESS for verification to any of the two (2) email addresses listed below, the email addresses are set up by Citibank Nigeria (CN) for this compensation purpose only:
According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks have "resurfaced extensively in the past week". Unicode character (U+202E) "reverses" text for languages that are traditionally read from right to left, and it's a feature that can be used to obfuscate file names.
We examined a sample a few days ago.
Here's the archive file viewed in Windows:
The Windows Compressed Folder view shows us that the extension is ".exe" and that the file type is an Application:
But once extracted, the file appears to have an extension of ".doc".
Windows Explorer recognizes the file as an application, but the malware is using a Word icon as part of its social engineering trickery.
Being curious, we decided to test some third-party archive managers.
Here's the malware as viewed in WinZip:
And here's 7-Zip:
Surprisingly to us, 7-Zip doesn't display the file type even though it sorts by type.
In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting and/or opening them.
F-Secure has a long history in protecting it's customers. As a result, we have customers who have used our products for years and years.
And just like any other software vendor, we have to stop support for old legacy products at some stage.
Thus, we would like to remind our home users and corporate customers that antivirus updates for the F-Secure 8-series products will end on the 1st of January, 2012.
In practice, this means that products such as these will not get new antivirus updates anymore:
• F-Secure Internet Security 2009 • F-Secure Anti-Virus 2009 • F-Secure Client Security 8-series • F-Secure Linux Security 7-series
There are other affected products as well. For a full list of affected consumer products, see here, and for a full list of affected corporate products, see here.
To reiterate: this doesn't just mean that these products are no longer supported (some of them have actually been out of support for quite a while). This means that the actual antivirus update signatures will no longer be shipped for these products.
A good deal of this year's mobile malware is being developed in China. And Chinese mobile malware tends to include stuff such as backdoors, password stealers and spy tools.
Knowing that Chinese malware likes to spy, we've been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmail.
We didn't have to look for long. A member our Threat Research team just found something interesting in a Symbian malware sample.
Here are our analyst's notes:
The code of Trojan:SymbOS/Spinilog.A includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone's memory. This feature seems to still be unused and possibly incomplete as the constructor of the CMyCameraEngine class is not called in the code. Other data stolen by the trojan is more traditional such as the content and details of SMS and e-mail messages, phone call details and calendar and contact information.
So while this particular backdoor won't yet steal your photos, it's clear which direction we're headed to.
Here's the file's md5: b346043b4efb1e9834a87dce44d6d433
Here's a new maxim for politicians, policy makers and public administrators: curtail, censor or otherwise limit communications technology in the real-world — expect online reprisals.
Hacker collective Anonymous released a "pressrelease" on Saturday announcing OpBritain, a reaction to UK Prime Minister David Cameron's suggestions that social media should be restricted in a time of crisis.
Not surprisingly, or it shouldn't be, Anonymous announced OpBART, complete with its own modified Bartman logo.
And a hack of myBART.org, currently offline, followed in which names, e-mails, and passwords of myBART members where dumped to pastebin.com. OpBART also calls for a real-world peaceful protest at Civic Center station at 17:00 PST (approximately nine hours from now).
Of all places, San Francisco may well be the heartland of the Anonymous collective, so it should be interesting to see just how many people attend the gathering, and how it is reported by the USA and UK press.
If today's OpBART protest turns violent… expect the negative feedback loop to continue.
A partner of ours is feeling some pain. He's located in Central Europe and some of his customers have limited hardware budgets, and so… he ends up doing a lot of Windows XP SP3 installations. (Yes, we know, Windows 7 is cool, but the customer is always right, and you have to give them what they want.)
And here's where the pain comes in — Windows/Microsoft Updates.
There's a ton of post-SP3 updates and it takes a great deal of time to install them. It cuts into his productivity, i.e., his profit.
We checked one of our virtual machine test images and it has 157 post-SP3 updates installed, and that's a very base installation (calculator isn't even installed).
Service Pack 3 for Windows XP was basically an "Update Rollup" and we understand that "SP4" is probably not an option (for marketing reasons)…
But perhaps you would consider doing an Update Rollup 1 for Windows XP SP3? It would be very helpful for those that are working to build, configure, and maintain secure systems (within their means).
Windows XP's end of extended support is over two and half years away… and while its installed base is shrinking, we still have lots of customers around the world that use it. Please consider our request. It's a difficult economy at the moment, and small/medium sized business needs all the help you can give.
Thanks for the consideration, F-Secure Labs
Updated to add: Few things generate comments and debate as does support for Windows XP. Tech journalist Larry Seltzer's comment to this post includes a link to his article: I want my Windows Update Rollup! That article now has more than 50 comments of its own. And among those comments are links to resources that others have found helpful.
Check them out, and join in the discussion. Cheers.
Facial recognition technology is a hot topic and this recently caught my attention: German authorities have suggested that Facebook's "facial recognition" feature is illegal. From Deutsche Welle: Hamburg's data protection official Johannes Caspar claims that the software violates both German and European Union data protection laws and that Facebook users don't know how to delete the data that Facebook is gathering. "If the data were to get into the wrong hands, then someone with a picture taken on a mobile phone could use biometrics to compare the pictures and make an identification," Caspar told the Hamburger Abendblatt. "The right to anonymity is in danger."
The legal keyword appears to be "biometrics".
According to Caspar: "A normal user doesn't know how to delete the biometric data. And besides, we have demanded that biometric data be stored with the subject's express consent."
Another keyword appears to be "stored" (though… Deutsche Welle's article also states that no data can be "collected" without consent). Collected or stored biometric data, which is it?
Is on the fly facial recognition analysis legal if the data isn't retained or stored after it's used?
In any case, having several self-tagged Wall photos, I decided to test the feature with my own personal Facebook account. (Existing tagged photos is a prerequisite, even if the user hasn't opted-out. No tagged photos, no biometric data will exist.)
First, I re-enabled my "Suggest photos of me to friends" option in Facebook's privacy settings.
And then I uploaded a photo:
While Facebook's photo upload service "detected" two faces, neither of them were "recognized" and no tag suggestions where offered. So it would appear that there's no hidden biometric "faceprint" of me in Facebook's databases. Either none was collected between the time when the feature was introduced and I opted-out, or else they deleted what was stored after I disabled the feature.
I ask myself, is Facebook's biometric data really such a big deal?
Google Images recently released reverse image search. That feature is much more likely to be used in future photo comparisons than any Facebook data that falls "into the wrong hands". If you have an iPhone/Android device, try Google Goggles and then imagine the Google+ possibilities.
Then there's current camera technology to consider. My Canon S90 does a very decent job of detecting faces on its own. If a face is detected, the photo's EXIF metadata includes "SceneCaptureType – Portrait" and the faces are tagged.
And that's just a start. Some vendors, such as Samsung, have "Smart Face Recognition", as demonstrated in this video from April 2009. It's not a far leap at all before our cameras are detecting, recognizing, and tagging faces in our photos at the moment they're taken. And that includes camera phones: Apple reportedly plans to include facial recognition features in iOS 5.
Mr. Caspar may indeed have legitimate concerns regarding Facebook's current biometric practices. But what happens if (when) it's no longer a matter of analysis? If consumers upload photos that contain facial tags, can Facebook then make the suggestion?
It should be noted that Facebook currently strips EXIF metadata from uploaded images. (Kudos.)
Germany (and the EU) has excellent data protection laws. But the law itself cannot hope to forestall the issue of facial recognition forever. The technology exists and policy makers need to address the issue and seek solutions as if biometric data is already freely available.
Because even if legitimate companies can be successfully regulated from storing this type of data, criminals won't be so restrained. Computing power is cheap, and getting cheaper. The worst case scenario could be unregulated black market search engines providing facial recognition services as a service.
It wouldn't be the first time such a business model developed.
The "viral civil unrest" has been spreading for several days now, and reportedly, RIM's BlackBerry Messager (BBM) is one of the viral components would-be anarchists have used to organize themselves. As a result, RIM made a public statement that it would assist the UK authorities. And what happened next was rather predictable (at least to us).
Here's the text: This hack is a response to this statement by RIM:
“We feel for those impacted by this weekend’s riots in London. We have engaged with the authorities to assist in any way we can. As in all markets around the world Where BlackBerry is available, we cooperate with local telecommunications operators, law enforcement and regulatory officials. Similar to other technology providers in the UK we comply with The Regulation of Investigatory Powers Act and co-operate fully with the Home Office and UK police forces.”
Dear Rim; You Will _NOT_ assist the UK Police because if u do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason at all, the Police are looking to arrest as many people as possible to save themselves from embarrassment…. if you do assist the police by giving them chat logs, gps locations, customer information & access to peoples BlackBerryMessengers you will regret it, we have access to your database which includes your employees information; e.g – Addresses, Names, Phone Numbers etc. – now if u assist the police, we _WILL_ make this information public and pass it onto rioters…. do you really want a bunch of angry youths on your employees doorsteps? Think about it…. and don’t think that the police will protect your employees, the police can’t protect themselves let alone protect others….. if you make the wrong choice your database will be made public, save yourself the embarrassment and make the right choice. don’t be a puppet..
p.s – we do not condone in innocent people being attacked in these riots nor do we condone in small businesses being looted, but we are all for the rioters that are engaging in attacks on the police and government…. and before anyone says “the blackberry employees are innocent” no they are not! They are the ones that would be assisting the police
In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.
Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers, but by professional criminals who are making millions with their attacks. These criminals want access to your computer, your Paypal passwords and your credit card numbers.
Criminal online gangs recruit people with high level computing skills but no job opportunities in the real-world economy. There is now a global market for sinister crimeware -- viruses, worms, trojans, spyware -- that is produced and sold on underground market sites on the Web.
The international community has failed to address the real nature and extent of the problem. National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.
We are sending the wrong message to the criminals and that's why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.
If a gunman walks into a bank and demands cash, the police are ready to leap into action. If international borders are crossed during such a crime, the international police agencies become involved. If the gunman is caught, there is always a trial and the bank will push the prosecutor for the maximum penalties possible.
This is not the case with online crime. Virtual gunmen are free to roam with almost nobody to stop them. Online crime is always international but local police authorities usually only have their local resources to conduct the investigation. Online crime is easier to carry out than "offline" crime and costs less to get started.
Computer security companies are doing their best to protect their customers' computers but little can be done directly by non-governmental organizations to fight the criminals at the heart of the matter. Anti-virus companies are not law enforcement, nor should they be. Tackling online crime requires a serious investment of resources on the international level and expert law enforcement agencies need to follow criminals into the online world.
Traditionally, international law enforcement has focused on large international crimes such as drug trafficking or smuggling. Countries involved in investigations like these can easily see the value of catching such criminals.
However, online crime is typically composed of small individual crimes. The attackers don't hack the bank, they hack the bank's customers. One victim might have only lost few hundred dollars from his bank account. Starting an international investigation looks like an overkill and thus getting international cooperation might be difficult. The problem is, of course, that there is more than one victim. A banking trojan botnet might steal money from tens of thousands of people at the same time.
What we need is an international police force with the enforcement power to really target the organized crime that operates on the net. It would investigate the top of the crimeware food chain and track down the people who are running the online crime syndicates. Each member country would be required to co-operate with others, regardless of the apparent size of the crime.
Of course, establishing such a new force would mean a number of legal challenges. For example, malicious code is often created in countries where it is not even illegal or where the perpetrators are not prosecuted.
In my opinion, such an agency should focus only on fighting international malware crime gangs. If it would try to extend to other areas, such as fighting pirates or hactivists, things would get much more complicated. Nobody wants banking trojan gangs around, and we should focus on this problem. The last thing I'd want is some sort of a net police that would try to restrict the freedom of the net. This very freedom is the reason Internet has become as useful as it is.
But we need to take action now. If we don't, online crime will continue to grow stronger and we might risk losing all the great benefits the net has brought to us. Our generation is the first generation that got online. We should make sure this resource will stay around for future generations.
It's the week of Black Hat and DEF CON and thousands of computer security experts have gathered to Las Vegas.
Hot topics this year include Siemens PLC security, revamping the SSL model and Mac laptop batteries.
Mikko keynoting in DEF CON 19
One talk which was highly anticipated was Riley Hassell's and Shane Macauley's "Hacking Android". For mysterious reasons both speakers never showed up for their own talk, leading to wild conspiracy theories on why this might have happened.
However, from antivirus point of view, the most interesting talk was Tavis Ormandy's talk titled "Sophail".
In the summer of 2010, Tavis Ormandy found a zero-day vulnerability from Windows Help and Support Center. Five days after informing Microsoft of the vulnerability, and before Microsoft had shipped a patch for it, Tavis publicly released proof-of-concept code. Days later, unknown malware authors integrated this code into drive-by-download exploits, which went on to infect tens of thousands of computers around the world.
Sophos experts vocally criticized Tavis for his action, and even nicknamed the patch that eventually followed to "Patch Tavis".
Fast forward to summer of 2011, and Tavis Ormandy released "A critical analysis of Sophos Anti-virus" in Black Hat.
In his highly unusual talk, Tavis explained that he had reverse engineered the Sophos antivirus engine and released tools to decrypt the protection systems of Sophos detection databases.
Shifting gears, it's good to note that connecting to a wireless network during DEF CON is really not recommended. There are simply too many hackers playing with the networks to make them safe. Even the official program pamphlet wishes you "good luck" in connecting to the party network. This is nicely illustrated by just looking at the list Wi-Fi hotspots that were available in the DEF CON hotel:
Bitcoin is an electronic currency which is not tied in value to any other currencies. You can convert other currencies (like US dollars) to Bitcoins, or you can mine new Bitcoins by completing complex mathematical tasks.
This creates an incentive for botnet masters to use other people's computers to mine bitcoins for them. And we've seen a some examples of botnets that try to do this.
But now we've found a bot that uses Twitter as the control channel.
The bots are created with a generator. Generator sets a specific Twitter account to be the one which can be used to control the mining botnet.
The commands follow a simple syntax.
We detect bots generated with this generator as Trojan.Generic.KD.
We've come across a fake FlashPlayer.pkg installer (MD5: 1fc90b8f532028805d167b2b0ac9ce11) for Mac:
Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 188.8.131.52, which is located in Netherlands.
The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
As an example, this is what Google.com.tw looks like on a normal, uninfected system:
In contrast, this is what Google.com.tw looks like on an infected system:
When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.
Here's a search request on the real Google.com.tw site on a clean system:
And here's the same request on an infected system:
Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server:
At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.
The other remote server returning fake search requests appears to be still active.
We detect this trojan as Trojan:BASH/QHost.WB.
Analysis by — Brod
Corrected on August 9th: The MD5 for the installer is as above; the previous MD5 cited (2ee750f19f2cb43968af78b0dd0be541) is for the BASH file in the PKG.