Most Recent News from the Lab

Friday, March 6, 2015

Is Babar a Bunny? Posted by FSLabs @ 09:37 GMT

Lately there has been a lot of research and publicity around the strange case of Babar, malware connected to a suspected high-level espionage operation called SNOWGLOBE.

SNOWGLOBE was first brought to media attention about a year ago by the French newspaper Le Monde, which wrote about top secret CSEC slides leaked by, who else, Edward Snowden himself. The slides make numerous claims about French-originating malware which internally calls itself Babar. It didn't take long for the security community to dig out samples resembling Babar [1] [2] [3].

What exactly can we say about Bunny and its connection to Babar? For Bunny and EvilBunny, a lot of research is available, so they are already quite well known to the security community. But when it comes to Babar, we only have screenshots of the mysterious top secret slides. However, there is now enough correlation to say with a high level of probability that Bunny and Babar, as described in the CSEC slides, belong to the same family of espionage tools.

Fact 1. Both operations seem to have been active mostly in 2010-2011. This is evident from the Bunny PE header timestamps (which can be forged, but here they agree with the other evidence), and the CSEC slides are from 2011.

Fact 2. Some Bunny samples contain the same typo in the User-Agent header as documented in the slides (MSI instead of MSIE; see the CSEC slide SNOWBALL Beacons). Doesn't sound like a coincidence.

MSI (81k image)

Fact 3. One of the samples connected to Bunny drops a file named ntrass.exe, which is also mentioned in the CSEC slides. Doesn't sound like a coincidence.

Fact 4. The latest findings from the Bunny family reveal another internal project name: Babar64 [2] [3]. Doesn't sound like a coincidence.

Fact 5. Bunnies and little elephants are both cute and fluffy little animals. Very unusual in the APT world.

It can also be said with high likelihood that this malware originates from France. Some of the Bunny samples use Accept-Language: fr in their HTTP headers. There are also some really strange choices in the internal naming, for example calling task threads "hearer" [1]. In the English-speaking software development world this kind of task is usually called a "listener" or "monitor"; "hearer" isn't one of the default terms an English-speaking developer would reach for. It sounds more like a non-native English speaker using a literal translation from a language they are used to. For example, French "auditeur" translates to "auditor, listener, hearer".
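The two network artifacts above (Fact 2 and the Accept-Language header) are the kind of thing a network defender can actually hunt for in proxy logs. The following is an added example, not code from the post or from any of the cited research: it parses HTTP request heads and flags the MSI-for-MSIE typo, using Accept-Language: fr only as corroboration, since that header is perfectly normal for any French-locale browser. The exact User-Agent string ("MSI 6.0" in an MSIE-style token) and the sample requests are constructed assumptions; the post only says MSI appears where MSIE belongs.

```python
import re

# The typo from the CSEC slide: "MSI" where a real IE User-Agent has "MSIE".
# The surrounding "compatible; ..." format is assumed, not taken from the post.
MSI_TYPO = re.compile(r"compatible;\s*MSI(?!E)\b")


def parse_request_head(raw):
    """Split an HTTP request head into (request line, {lower-case name: value})."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def beacon_indicators(headers):
    """Return the names of the indicators that fire on one request's headers."""
    hits = []
    if MSI_TYPO.search(headers.get("user-agent", "")):
        hits.append("user-agent-msi-typo")
    if headers.get("accept-language", "").lower().startswith("fr"):
        hits.append("accept-language-fr")
    return hits


def is_suspect_beacon(headers):
    """The typo is the detection; Accept-Language: fr alone is not a hit."""
    return "user-agent-msi-typo" in beacon_indicators(headers)


# Constructed sample requests (not captured traffic): one Bunny-style beacon,
# one genuine IE 6 request from a French user, one unrelated browser.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: c2.invalid\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1; SV1)\r\n"
    "Accept-Language: fr\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.invalid\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Accept-Language: fr-FR,fr;q=0.8\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/36.0\r\n"
    "Accept-Language: en-US\r\n\r\n",
]


def scan(requests):
    """Return (request line, indicators) for every suspect request."""
    out = []
    for raw in requests:
        request_line, headers = parse_request_head(raw)
        if is_suspect_beacon(headers):
            out.append((request_line, beacon_indicators(headers)))
    return out


if __name__ == "__main__":
    for request_line, hits in scan(SAMPLE_REQUESTS):
        print(request_line, hits)
```

Only the first constructed request is reported; the second shows why the language header must not be a detection on its own, and the negative lookahead is what keeps a correctly spelled MSIE token from matching.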

But there are some things we cannot say about the connection. First, the slides themselves do not name any specific actor, so the rumors about French intelligence are not based on sound facts at the moment. The fact that Bunny uses the Lua programming language to extend its capabilities also adds to the confusion (remember Flame?). It should also be noted that all the juicy pieces of attribution are in the slides, so we have no first-hand evidence for them. The complexity level of Bunny also gives pause: it is nowhere near the level of high-profile APTs such as Turla and Equation. That of course doesn't mean there couldn't be a high-profile actor behind SNOWGLOBE. Sometimes it just makes one wonder why these people make their tools so obvious, like a glowing Christmas tree in the dark.



Wednesday, March 4, 2015

Malicious DNS Servers Deliver Fareit Posted by FSLabs @ 16:04 GMT

Last year we wrote about Fareit being massively spammed.

A couple of months later, they added another means of infecting systems - via malicious DNS servers.

When the DNS server settings have been changed to point to a malicious server used by Fareit, an unsuspecting user visiting common websites gets an alert saying "WARNING! Your Flash Player may be out of date. Please update to continue".

_flash_update_chrome (2k image)

A "Flash Player Pro" download page will be shown pretending to be served from the website that the user is trying to visit.

_setupimg (90k image)

Downloading the "setup.exe" file does not really pull any binary from Google. Instead, the user ends up with a copy of Fareit from a malicious IP address. Fareit is an information stealer and downloader.

_urls_1 (72k image)

The recent samples that we've encountered connect and download from:

Fareit infections via malicious DNS servers that we have seen were mostly from Poland.

_map (91k image)

From the beginning of the year, we've observed that users were redirected to these IPs:

While here are some of the reported malicious DNS servers:

If you would like to know more about your current DNS server settings, you can try out our beta tool which is available here.

If you've determined that your DNS server settings are affected, we recommend that you try these steps:
• Disconnecting the router from the Internet and resetting it
• Changing the password on the router, especially if it is still the default password
• Disabling remote administration on the router
• Checking and updating the router to use the latest firmware
• Rebooting a desktop system to flush the DNS cache
• Scanning the desktop system using a trusted, up-to-date antivirus program
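The first thing to establish on a suspect machine is which resolvers it is actually using. As an added example, not the beta tool mentioned above nor any F-Secure code, the following parses the resolver configuration from either /etc/resolv.conf or Windows "ipconfig /all" output and classifies each address: the router or another LAN address (normal at home), a known public resolver, an address in the ISP's ranges, or something unexpected. The allowlist of public resolvers and the ISP range are assumptions to be replaced with your own; the configuration samples are constructed, and 203.0.113.7 is a documentation address standing in for a hijacked resolver.

```python
import ipaddress
import re

# Addresses it is normal for a home machine to use as resolver: the router
# itself (RFC 1918 space), loopback and link-local. Listed explicitly rather
# than via is_private() so documentation ranges are not silently treated as LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Public resolvers accepted without further checks (assumed allowlist).
KNOWN_PUBLIC = {
    "8.8.8.8", "8.8.4.4",                 # Google Public DNS
    "208.67.222.222", "208.67.220.220",   # OpenDNS
}


def parse_resolv_conf(text):
    """nameserver entries from a Linux/macOS /etc/resolv.conf."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def parse_ipconfig(text):
    """'DNS Servers' entries from Windows 'ipconfig /all' output; additional
    servers follow the labelled line as indented, address-only lines."""
    servers, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        while i < len(lines) and re.match(r"^\s+[0-9A-Fa-f:.%]+\s*$", lines[i]):
            servers.append(lines[i].strip())
            i += 1
    return servers


def classify(addr, isp_ranges=()):
    """Return lan / known-public / isp / suspicious, or invalid if unparsable."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id
    except ValueError:
        return "invalid"
    if any(ip in net for net in LOCAL_NETS):
        return "lan"
    if str(ip) in KNOWN_PUBLIC:
        return "known-public"
    if any(ip in ipaddress.ip_network(r) for r in isp_ranges):
        return "isp"
    return "suspicious"


def audit(servers, isp_ranges=()):
    """Pair every configured resolver with its verdict."""
    return [(s, classify(s, isp_ranges)) for s in servers]


# Constructed samples; 203.0.113.7 plays the hijacked resolver.
SAMPLE_RESOLV_CONF = """# constructed example
nameserver 192.168.1.1
nameserver 203.0.113.7
"""
SAMPLE_IPCONFIG = """Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_ISP_RANGES = ("198.51.100.0/24",)  # assumed ISP resolver range

if __name__ == "__main__":
    for addr, verdict in audit(parse_ipconfig(SAMPLE_IPCONFIG), SAMPLE_ISP_RANGES):
        print(addr, verdict)
```

A "lan" verdict only moves the question to the router: the client then inherits whatever resolver the router hands out, so the same check must be repeated against the router's own WAN DNS setting, which is where the hijack described above lives.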


Monday, March 2, 2015

How To Keep Your Smart Home Safe Posted by Mika @ 22:11 GMT

Internet of Things (IoT) devices can help you save time and hassle and improve your quality of life. As an example, you can check the contents of your fridge and turn on the oven while at the grocery store, saving money, uncertainty, and time when preparing dinner for your family. This is great and many people will benefit from features like these. However, as with all changes, along with the opportunity there are risks. In particular there are risks to your online security and privacy, but some of these risks extend to the physical world as well. As an example, the ability to remotely open your front door lock for the plumber can be a great time saver, but it also means that by hacking your cloud accounts, attackers can open your door too, and possibly sell access to your home on dark markets. And it's not just about hacking: these gadgets collect data about what's happening in your home and life, and hence they themselves present a risk to your privacy.

Example of a smart home set up

Image: The above image shows a typical smart home configuration and the kinds of attacks it can face. While the smart home is not a target at the moment due to its low adoption rate and high fragmentation, all of the layers can be attacked with existing techniques.

If you are extremely worried about your privacy and security, the only way to really stay safe is to not buy and use these gadgets. However, for most people, the time-saving convenience of IoT and the Smart Home will outweigh most privacy and security implications. Also, IoT devices are not widely targeted at the moment, and even when they are, the attackers are after the computing power of the device, not yet your data or your home. Actually, the biggest risk right now comes from the way the manufacturers of these devices handle your personal data. This all said, you shouldn't just blindly jump in. There are some things that you can do to reduce the risks:

•  Do not connect these devices directly to public internet addresses. Use a firewall or at least a NAT (Network Address Translation) router in front of the devices to make sure they are not discoverable from the Internet. You should disable UPnP (Universal Plug and Play) on your router if you want to make sure the devices cannot open a port on your public internet address.

•  Go through the privacy and security settings of the device or service and remove everything you don't need. For many of these devices the currently available settings are precious few, however. Shut down features you don't need if you think they might have any privacy implications. For example, do you really use the voice commands feature in your Smart TV or gaming console? If you never use it, just disable it. You can always enable it back if you want to give the feature a try later.

•  When you register to the cloud service of the IoT device, use a strong and unique password and keep it safe. Change the password if you think there is a risk someone managed to spy it. Also, as all of these services allow for a password reset through your email account, make sure you secure the email account with a truly strong password and keep the password safe. Use 2-factor authentication (2FA) where available -- and for most popular email services it is available today.

•  Keep your PCs, tablets, and mobile phones clear of malware. Malware often steals passwords and may hence steal the password to your smart home service or the email account linked to it. You need to install security software onto devices where you use the passwords, keep your software updated with the latest security fixes, and, as an example, make sure you don't click on links or attachments in weird spam emails.

•  Think carefully if you really want to use remotely accessible smart locks on your home doors. If you're one of those people who leave the key under the door mat or the flower pot, you're probably safer with a smart lock, though.

•  If you install security cameras and nannycams, disconnect them from the network when you have no need for them. Consider doing the same for devices that constantly send audio from your home to the cloud unless you really do use them all the time. Remember that most IoT devices don't have much computing power and hence the audio and video processing is most likely done on some server in the cloud.

•  Use encryption (preferably WPA2) in your home Wi-Fi. Use a strong Wi-Fi passphrase and keep it safe. Without a passphrase, with a weak passphrase, or when using an obsolete protocol such as WEP, your home Wi-Fi becomes an open network from a security perspective.

•  Be careful when using open Wi-Fi networks such as the network in a coffee shop, a shopping mall, or a hotel. If you or your applications send your passwords in clear text, they can be stolen and you may become a victim of a Man-in-the-Middle (MitM) attack. Always use a VPN application when using open Wi-Fi. Again, your passwords are the key to your identity and also to your personal Internet of Things.

•  Limit your attack surface. Don't install devices you know you're not going to need. Shut down and remove all devices that you no longer need or use. When you buy a top of the line washing machine, and you notice it can be connected through Wi-Fi, consider if you really want and need to connect it before you do. Disconnect the device from the network once you realize you actually don't use the online features at all.

•  When selecting which manufacturer you buy your device from, check what they say about security and privacy and what their privacy principles are. Was the product rushed to the market and were any security corners cut? What is the motivation of the manufacturer to process your data? Do they sell it onwards to advertisers? Do they store any of your data and where do they store it?

•  Go to your home router settings today. Make sure you disable services that are exposed to the Internet -- the WAN interface. Change the admin password to something strong and unique. Check that the DNS setting of the router points to your ISP's DNS server or some open service like OpenDNS or Google DNS and hasn't been tampered with.

•  Make sure you keep your router's firmware up-to-date and consider replacing the router with a new one, especially if the manufacturer no longer provides security updates. Consider moving away from a manufacturer that doesn't do security updates or stops them after two years. The security of your home network starts from the router, and the router is exposed to the Internet.

The above list of actions is extensive and maybe a bit on the "band-aid on the webcam"-paranoid side. However, it should give you an idea of what kinds of things you can do to stay in control of your security and privacy when taking a leap to the Internet of Things. Security in the IoT World is not that different from earlier: Your passwords are also very important in IoT as is the principle of deploying security patches and turning off services you don't need.


Tuesday, February 17, 2015

The Equation Group Equals NSA / IRATEMONK Posted by Sean @ 13:20 GMT

On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalog that lists technology available to the NSA's Tailored Access Operations (TAO). Among that technology is "IRATEMONK".

"IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution."

Source: Wikimedia

"This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives."

On January 31, 2014, Bruce Schneier deemed IRATEMONK his "NSA Exploit of the Day" which prompted this from Nicholas Weaver.


"This is probably the most interesting of the BIOS-type implants."

"yet the cost of evading the 'boot from CD' detection is now you have guaranteed 'NSA WAS HERE' writ in big glowing letters if it ever IS detected."

Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Lab. Kaspersky's research paper refers to a threat actor called the "Equation group" whose country of origin is not named, but the group has exactly the capabilities detailed in the NSA's ANT catalog.

Ars Technica has an excellent summary here: How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last.


Wednesday, February 11, 2015

An Early History of the Crypto Wars Posted by Sean @ 14:17 GMT

Stanford University's Alumni Association Magazine recently published a very interesting article on the early history, politics, and publication of academic (non-classified) encryption research. The article, Keeping Secrets, focuses on Martin Hellman, who is known for his work on public key cryptography.

Work that in retrospect, even Bobby Ray Inman (NSA Director, 1977-1981) thinks he should have been less concerned about.


"Rather than being careful to make sure they were[n't] going to damage [our collection capabilities]… I would have been interested in how quickly they were going to be able to make [cryptosystems] available in a form that would protect proprietary information as well as government information."

Proprietary information such as Lockheed Martin's F-35 fighter jet.

(Hat tip to Thomas Rid.)


Tuesday, February 10, 2015

The Ear of Sauron Posted by Sean @ 14:31 GMT

A recent story by The Daily Beast seems to have ignited a real firestorm over Samsung's "smart" television terms and conditions. Which is somewhat surprising to us as we read about it months ago via Mikko. But anyway, things that listen are topical.

So… do the words "always-listening voice search" sound good to you? Or do they give you the creeps?

Because that's the potential future of Google's Chrome browser:

Always-Listening Voice Search
Image: How-To Geek

The "always-listening" feature is currently available via: Google Voice Search Hotword (Beta)

And as always, the interesting details are in the fine print:

plus a few seconds before
Video: Talk to Google on Chrome

Interesting phrasing: plus a few seconds before.

That's the thing about voice "activated" devices. They're always listening. Always recording (to a buffer). The question is: how much gets uploaded to the voice recognition service?

Are you comfortable with a "few" seconds?


Monday, February 9, 2015

CTB-Locker Infections on the Rise Posted by Artturi @ 15:12 GMT

We have recently observed a significant increase in infections from a nasty strain of file-encrypting ransomware called CTB-Locker.

CTB-Locker infection statistics
Daily CTB-Locker infections in relation to the total number of such infections this year.

CTB-Locker is most commonly spread through email spam. These emails usually contain an attached .zip file that contains a second .zip file that finally contains an .scr executable file. This executable is a malicious downloader known as Dalexis. If the user executes the .scr file, the downloader will attempt to contact a predetermined list of compromised websites hosting encrypted copies of CTB-Locker. It will then proceed to download, decrypt and execute CTB-Locker. In other cases, the malicious attachment won't be a .zip file, but instead it'll be a .cab file. Again, the .cab file is actually Dalexis which will proceed to infect the victim's computer with CTB-Locker.

Example of spam used to spread CTB-Locker
An example of spam used to spread CTB-Locker.

Upon infection, CTB-Locker encrypts the victim's files and appends a randomly generated 7-character extension to the original filenames. It also writes a copy of itself to the user's local temporary files folder under a randomly generated 7-character name with the extension .exe. To keep itself running, it creates a scheduled task with a randomly generated 7-character name. Lastly, CTB-Locker presents the victim with a ransom notice and a countdown timer showing how long the victim has left to pay. It also changes the victim's desktop background to an image containing the same payment instructions. Finally, a copy of the same instructions is stored in the victim's My Documents folder as both an image and a text file, named Decrypt All Files [random 7 characters].bmp and Decrypt All Files [random 7 characters].txt respectively. The instructions direct the victim to pay the ransom, in Bitcoin, to a specified Bitcoin address. In most cases we have observed, the ransom has been 3 BTC (about 650 USD or 575 EUR).

CTB-Locker ransom notice
The ransom notice displayed by CTB-Locker.

There is no known way to break the encryption used by CTB-Locker. Therefore the only way for a victim to get their files back is from backups or by receiving the decryption key from the malware operators. However, you should never pay the ransom, as you'll only help finance the operators' criminal activities! There is also no guarantee that paying will actually get your files back; that's entirely up to the trustworthiness of the criminals.

To protect against threats such as CTB-Locker and other file-encrypting ransomware, you should ensure you are running an up-to-date antivirus solution. You should also take care not to open executable files received as email attachments. In addition to preventative actions, it is a good idea to minimize the damage a ransomware infection can cause. Most importantly, take regular backups of all your data, and keep at least one copy somewhere the infected machine cannot write to. If you use network shares, be aware that CTB-Locker searches all mounted drives for files to encrypt, including network storage and other mapped shares. In such cases we recommend restricting write permissions on those shares and keeping them mounted only when strictly necessary.

We detect CTB-Locker variously as Trojan.CTBLocker.Gen.1 and Trojan.Downloader.CryptoLocker.F

We also detect the malicious attachments leading to CTB-Locker as Trojan-Downloader:W32/Dalexis.B

Sample hashes:

6eb03d6cb4f9a5aae49a9d85652a4daa4f984ba8 (Dalexis)
f1897120c2bbcd5135db0295249118aa5f5eb116 (Dalexis)
81f68349b12f22beb8d4cf50ea54d854eaa39c89 (CTB-Locker)

Files suggesting a CTB-Locker infection:

%TEMP%\[random 7 characters].exe
%USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].bmp
%USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].txt
Any files with an extension of 7 random characters
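The file indicators listed above translate directly into a host triage check. The following is an added example, not F-Secure's detection logic: it walks a directory tree looking for the ransom note names, for executables whose SHA-1 matches the sample hashes published above, and for clusters of files sharing an unfamiliar 7-character extension. Treating a cluster rather than a single file as the signal is this example's own design choice, because legitimate 7-character extensions exist (the small allowlist here is an assumption); the scheduled task is not checked since that needs a live Windows host. The sample tree is constructed with empty files and contains no malware.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# SHA-1 hashes listed in the post.
KNOWN_SHA1 = {
    "6eb03d6cb4f9a5aae49a9d85652a4daa4f984ba8": "Dalexis",
    "f1897120c2bbcd5135db0295249118aa5f5eb116": "Dalexis",
    "81f68349b12f22beb8d4cf50ea54d854eaa39c89": "CTB-Locker",
}
RANSOM_NOTE = re.compile(r"^Decrypt All Files .{7}\.(bmp|txt)$")
RANDOM_EXT = re.compile(r"\.([a-z0-9]{7})$", re.I)
# Legitimate 7-character extensions to ignore (assumed, extend as needed).
BENIGN_EXT = {"torrent", "sqlite3", "numbers"}
# Only executables are hashed, matching the .exe/.scr artifacts described.
HASHED_EXT = (".exe", ".scr")


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, min_cluster=3):
    """Walk root and return findings:
    notes      - ransom note files (Decrypt All Files <7 chars>.bmp/.txt)
    known      - executables whose SHA-1 is one of the published samples
    extensions - unfamiliar 7-character extensions on >= min_cluster files
    """
    findings = {"notes": [], "known": [], "extensions": {}}
    ext_counts = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if RANSOM_NOTE.match(name):
                findings["notes"].append(path)
            m = RANDOM_EXT.search(name)
            if m and m.group(1).lower() not in BENIGN_EXT:
                ext_counts[m.group(1).lower()] += 1
            if name.lower().endswith(HASHED_EXT):
                digest = sha1_of(path)
                if digest in KNOWN_SHA1:
                    findings["known"].append((path, KNOWN_SHA1[digest]))
    findings["extensions"] = {e: n for e, n in ext_counts.items() if n >= min_cluster}
    return findings


def build_sample_tree():
    """Constructed directory imitating a hit machine; every file is a dummy."""
    root = tempfile.mkdtemp(prefix="ctb-triage-")
    docs = os.path.join(root, "My Documents")
    os.makedirs(docs)
    for name in ("Decrypt All Files abcdefg.bmp", "Decrypt All Files abcdefg.txt",
                 "report.docx.ktqzxwp", "photo.jpg.ktqzxwp", "notes.txt.ktqzxwp",
                 "movie.torrent"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ dummy, not a real binary")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(len(result["notes"]), "ransom notes")
    print(result["extensions"], "suspect extensions")
    print(result["known"], "known samples")
```

On a real host, point triage() at the user profile and any mapped shares; the known-hash match is exact but brittle (one recompile defeats it), while the note names and the extension cluster survive sample churn and are what you would alert on.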