Most Recent News from the Lab
 

Tuesday, May 19, 2015

 
Ransomware spam e-mails targeting users in Italy and Spain Posted by FSLabs @ 03:17 GMT

In the past few days, we received some cases from our customers in Italy and Spain, regarding malicious spam e-mails that pointed to Cryptowall or Cryptolocker ransomware.

The spam e-mails pretended to come from a courier/postal service, regarding a parcel that was waiting to be collected. The e-mails offer a link to track that parcel online:

crypt_email (104k image)

When we did the initial investigation of the e-mails from our standard test system, the link redirected to Google:

crypt_email_redirect_italy (187k image)

So, no malicious behavior? Well, we noted that the first two URLs were PHP pages. Since PHP code is executed on the server side, not locally on the client, the servers could be 'deciding' whether to redirect the visitor to Google or to serve malicious content, based on some preset conditions.

Since this particular spam e-mail is written in Italian, perhaps only a user located in Italy would be shown the malicious payload? Fortunately, we have Freedome, so we can 'travel' to Italy for a little while to experiment.

So we turned on Freedome, set the location to Milan and clicked the link in the e-mail again:

crypt_email_mal_italy (302k image)

Now we see the bad stuff. If the user is (or appears to be) located in Italy, the server will redirect them to a malicious file hosted on a cloud storage server.

The e-mail spam sent to Spanish users is similar, though in those cases, a CAPTCHA challenge is included to make the site seem more authentic. If the link in the e-mail is clicked by a user located outside Spain, again we end up in Google:

crypt_email_redirect_spain (74k image)

If the site is visited from a Spanish IP address instead, we get to the CAPTCHA screen:

crypt_email_target_spain (57k image)

And then to the malware itself:

crypt_email_mal_spain (313k image)

This spam campaign doesn't use any exploits (so far), just old-fashioned social engineering; infection only occurs if the user manually downloads and executes the files offered on the malicious URLs. For our customers, the URLs are blocked and the files are detected.

(malware SHA1s: 483be8273333c83d904bfa30165ef396fde99bf2, 295042c167b278733b10b8f7ba1cb939bff3cb38)

Post by — Victor

Friday, May 15, 2015

 
Mac Hack Demonstration Posted by Sean @ 12:46 GMT

Securing your SSH password is very important. Otherwise, you might be pwned by a little girl with her Raspberry Pi.

Kids hack their Dad's computer on her Raspberry Pi

Don't worry, it's an authorized hack, she asked her mom for permission.

Tuesday, May 12, 2015

 
HackerStrip: Brain Posted by Sean @ 14:42 GMT

"Hackerstrip is a comics website that publishes comics about hackers and their real life stories."

Brain: Searching for the first PC virus in Pakistan

HackerStrip, Brain

Read the rest of the story at hackerstrip.com; watch the video it's based on here.

Wednesday, May 6, 2015

 
Tinba - Yet Another Anti-Sandbox Trickster Posted by FSLabs @ 06:46 GMT

Malware authors certainly do not take a breather when it comes to inventing new tricks for detecting sandboxes, which are very useful systems for automatically analyzing millions of samples nowadays. Recently, Seculert unveiled an unprecedented sandbox detection method employed by the Dyre/Dyreza malware. We have seen similar anti-sandbox tricks used by the notorious Tinba banking trojan and would like to discuss our findings, which could be helpful in improving sandbox technology. Joe Security has also observed the same evasion technique in one of their Tinba samples.

User interaction combo detection

In the latest Tinba sample, we found it adopted an evasion technique where it checks for mouse movement using the GetCursorPos API. Additionally, its author has also introduced a new way to detect a sandbox using the GetForegroundWindow API, which lets the malware identify the active window the user is currently working in.

An automated sandbox system typically stays in the same window, which could be the desktop from which the malware was executed. The malware takes advantage of this by comparing the values returned by two consecutive calls to the GetForegroundWindow API. The two calls are separated by an interval of a couple of seconds, long enough for a real user to interact with the window. If the sample was executed in a sandbox environment, both GetForegroundWindow calls will always return the same value, indicating that the active window has not changed since the sample was executed. In this case, the code keeps looping and only executes the main routine once the active window has changed and the mouse cursor has moved.

tinba_user_interaction_detection (135k image)

I hope I'm a real machine

Before executing its main routine after the user interaction detection, Tinba employs another trivial evasion technique that is somewhat similar to the CPU core count check done by Dyre/Dyreza. In Tinba's case, it looks at the number of cylinders available on the running machine, which is essentially a proxy for the disk capacity. Perhaps for ease of implementation, it only checks the number of cylinders on the disk using the ioctl code IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, instead of finding out the physical size of the disk. In this particular case, it determines whether the disk has at least 5000 (0x1388) cylinders, which is around 41GB; otherwise the sample quits. Just like checking the number of CPU cores, checking the disk capacity can be an effective evasion technique because regular computers nowadays should have more cores and more disk space than a minimal sandbox VM.

tinba_i_hope_im_a_real_machine (81k image)

Tinba demonstrates that it can detect a sandbox simply by testing for user interaction with a window and by checking the disk capacity of the machine. When hardening their sandbox technology, sandbox providers should keep in mind that malware authors are relentless in pursuing new ways to evade detection, and should adjust their systems accordingly to keep up with them.
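The two checks described above leave a recognisable footprint in a sandbox's API-call trace: repeated GetForegroundWindow/GetCursorPos calls that keep returning the same value with a sleep in between, and a DeviceIoControl(IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) call followed shortly by process exit. The script below is an added example, not F-Secure's code or anything from the Tinba sample; it scans a trace for those patterns and also works out what 5000 cylinders means in bytes. The trace format ("<ms> <api>(<args>) = <retval>") and the two traces are constructed for this example; real sandboxes log in their own formats, so `parse_trace` would need adapting.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Threshold named in the analysis: Tinba quits if the disk has fewer cylinders.
TINBA_MIN_CYLINDERS = 0x1388  # 5000

# Constructed trace of a sample that saw a "frozen" sandbox and bailed out.
# Format is an assumption for this example, not any real sandbox's log format.
FROZEN_SANDBOX_TRACE = r"""
0012 GetCursorPos() = (512,384)
0015 GetForegroundWindow() = 0x0001021a
0016 Sleep(3000) = 0
3020 GetForegroundWindow() = 0x0001021a
3021 GetCursorPos() = (512,384)
3022 Sleep(3000) = 0
6030 GetForegroundWindow() = 0x0001021a
6031 GetCursorPos() = (512,384)
6040 CreateFileA("\\.\PhysicalDrive0") = 0x5c
6041 DeviceIoControl(0x5c, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) = Cylinders=2610
6042 ExitProcess(0) = 0
"""

# Constructed trace from a sandbox that moves the mouse, switches windows and
# presents a larger virtual disk; the same sample would proceed here.
REALISTIC_SANDBOX_TRACE = r"""
0012 GetCursorPos() = (512,384)
0015 GetForegroundWindow() = 0x0001021a
0016 Sleep(3000) = 0
3020 GetForegroundWindow() = 0x00030412
3021 GetCursorPos() = (640,300)
3030 CreateFileA("\\.\PhysicalDrive0") = 0x5c
3031 DeviceIoControl(0x5c, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) = Cylinders=7000
3040 CreateThread() = 0x60
"""


@dataclass
class Call:
    t_ms: int
    api: str
    args: str
    ret: str


LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(.*)$")


def parse_trace(text: str) -> List[Call]:
    """Parse the constructed trace format; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Call(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return calls


def cylinders_to_bytes(cylinders: int, heads: int = 255,
                       sectors_per_track: int = 63, bytes_per_sector: int = 512) -> int:
    """Size implied by a cylinder count under the common 255/63/512 geometry."""
    return cylinders * heads * sectors_per_track * bytes_per_sector


def longest_static_run(calls: List[Call], api: str) -> int:
    """Longest run of consecutive calls to `api` (other APIs in between are
    ignored) whose return value never changes. A real user moves the mouse and
    switches windows, so a long run means the environment looked frozen."""
    best = run = 0
    last = None
    for c in calls:
        if c.api != api:
            continue
        run = run + 1 if c.ret == last else 1
        last = c.ret
        best = max(best, run)
    return best


def find_evasion_indicators(calls: List[Call], min_poll_runs: int = 2) -> Dict:
    """Return the Tinba-style evasion patterns found in a trace."""
    indicators: Dict = {}
    fg = longest_static_run(calls, "GetForegroundWindow")
    if fg >= min_poll_runs:
        indicators["foreground_window_polling"] = fg
    cur = longest_static_run(calls, "GetCursorPos")
    if cur >= min_poll_runs:
        indicators["cursor_position_polling"] = cur
    for i, c in enumerate(calls):
        if c.api == "DeviceIoControl" and "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX" in c.args:
            m = re.search(r"Cylinders=(\d+)", c.ret)
            if not m:
                continue
            cyl = int(m.group(1))
            # Exit within the next three calls suggests the geometry gated execution.
            exits_soon = any(n.api == "ExitProcess" for n in calls[i + 1:i + 4])
            indicators["disk_geometry_check"] = {
                "cylinders": cyl,
                "approx_bytes": cylinders_to_bytes(cyl),
                "below_tinba_threshold": cyl < TINBA_MIN_CYLINDERS,
                "exit_shortly_after": exits_soon,
            }
    return indicators


if __name__ == "__main__":
    for name, trace in (("frozen", FROZEN_SANDBOX_TRACE),
                        ("realistic", REALISTIC_SANDBOX_TRACE)):
        print(name, find_evasion_indicators(parse_trace(trace)))
    print("5000 cylinders ~", cylinders_to_bytes(TINBA_MIN_CYLINDERS) / 1e9, "GB")
```

Under the usual 255 heads x 63 sectors x 512 bytes geometry, 5000 cylinders comes to about 41.1 GB, which is the figure in the corrected text above; a sandbox VM with a smaller virtual disk, or one that never changes the foreground window or cursor position, will produce the first trace and never reach Tinba's main routine.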

Tinba sample used in the analysis - 5c42e3234b8baaf228d3ada5e4ab7e2a5db36b03

—————

Note (18 May 2015): Corrected text to change the calculated figure for the number of cylinders from 11GB to 41GB.

Tuesday, May 5, 2015

 
More than 22 Thousand Finns Clicked WhatsApp Spam Today Posted by Sean @ 13:43 GMT

Daavid, a senior researcher on our Threat Intelligence team, received two "Samsung Galaxy Pro" themed spam messages to his WhatsApp account this morning.

Onneksi olkoon!

"Onneksi olkoon! Olet voittanut Samsung Galaxy Pro Tableting." Which translates as: Congratulations! You've won a Samsung Galaxy Pro Tablet. The message includes a link with a location from where you can supposedly redeem your prize: the middle of a golf course in central Finland, Paltamo Golf.

WhatsApp Spam WhatsApp Spam

A somewhat funny coincidence; I enjoyed a very nice family lunch there last summer. I'm certain it doesn't have a +86 number. The +86 country code belongs to China. The 132 and 150 prefixes belong to two GSM-based networks.

Using the info function of WhatsApp reveals a larger version of the profile picture.

WhatsApp Spam WhatsApp Spam

And that image appears to have been pulled from some "Lotto24" campaign.

Google results

On an iPhone, a map was opened, the same as what happened with Windows Phone.

But on an Android device, the map linked to Chrome which followed a Google short-link to lotto24.fi.

The short-link metrics reveal that more than 22,000 people (and counting) have clicked on the spam's link, almost all of them from Finland.

Google link analytics

—————

Thanks to Daavid for the screenshots.

Post by — Sean

Thursday, April 30, 2015

 
Video: Mikko's Stanford Seminar Posted by Sean @ 12:15 GMT

Mikko recently presented at Stanford University:


The seminar is available via YouTube.

Tuesday, April 28, 2015

 
Reply All #21 Hack the Police Posted by Sean @ 12:07 GMT

Banned from using "the Internet" in 2015? What's that like when you're surrounded by an Internet of Things?

Alex Goldman discovered the answer in episode #21 of Reply All:


Hack the Police

"When Higinio Ochoa got out of prison for hacking in September of 2014, one of the terms of his parole was that he is not allowed to use any internet connected device. We went to his home in Austin to find out how he got caught and what it's like – in 2015 – to go from living online to not having any internet access."