Regular readers of Krebs on Security will know that small and medium sized businesses and organizations have been the target of cybercrime gangs for several years now. What you might not know is which law enforcement agency investigates those crimes.
It turns out that many ZeuS banking trojan investigations were done by the (little known) Omaha (Nebraska, USA) office of the FBI. The FBI's special agent in charge, Weysan Dun retired on Friday, and gave an interview to the Omaha World-Herald.
It's a good read. And a real eye-opener for anybody working for an SMB.
Wanted: Money Mules
Our favorite bit of trivia from the article: Brian Krebs apparently traumatizes small business owners with tales of banking trojan terror if they end up sitting next to him on airplanes…
Filmmakers Charles and Walker Koppelman are working on a new movie project about cybercrime. We've met with Charles and the project seems really interesting.
The project is still underway, and now the filmmakers are looking for additional funding via crowdsourcing. Check out the current status of the project at Kickstarter. If you feel like it, you can fund part of the movie.
Rogue antivirus has not really taken much attention recently, probably because they are no longer boldly screaming in everyone's faces, as compared to the time a couple of years ago when most trending topics produced massive amounts of blackhat SEO-poisoned URLs.
So where are they lurking nowadays?
They are still using the SEO-poisoning method, of course. They do need to gain some visibility after all. But in addition to the usual compromised domains, they are now happily residing in Tumblr.
The screenshot below is taken from one of the several rogue-pushing Tumblr accounts:
And well, as an Internet user, when we are presented with a video and a play button in the middle what do we do? We click it! Right? And the video will promptly play… well, not this time. That "video" is actually an image. So, that innocent click activates the malware and will take you to a page which redirects to an exploit page and finally to a rogue antivirus.
It downloads a file named YvMiN.jar, which exploits Java vulnerability CVE-2012-0507. In addition, if the browser used is not Chrome, additional files (named DoNbI.pdf and hCJkApns.pdf) are also downloaded, which then exploit vulnerabilities in Adobe Reader, specifically CVE-2008-2992, CVE-2007-5659, and CVE-2010-0188.
Successful exploitation currently leads to a rogueware called Windows Performance Adviser.
So… tip of the day… if those wonderful videos are not on a trusted domain… don't click them… but… but… just don't. ;)
Computer security is confusing. It's not a simple topic to write about. Mass media often gets the details wrong.
However, we rarely see as confused news articles as we have with Police Themed Ransomware.
So, what are these Police Themed Ransomwares? They are malicious trojans, spread by online criminals.
What do they do? They lock up your PC, claim that it was locked by the police as you had illegal content on your system and demand a payment to open up the PC.
We've written about such Police Themed Ransomware previously. For more details, see this blog post.
Obviously these police trojans have nothing to do with Bundespolizei, New Scotland Yard or the United States Department of Justice — they are just stealing their brand.
But today we saw news agency called ANI publish a confused wire story on the topic.
The story claims that "the scam is believed to come from Scotland Yard's specialist cyber crime officers, the Police Central e-Crime Unit" and "Scotland Yard has warned that police have detected paedophile or terrorist activity as being behind a virus".
The story references an earlier article in The Telegraph, which does get the details correct.
And because ANI is a wire service, the story has already been reprinted across the web.
No, these police trojans are not coming from the police. Trust us on this one.
An SMS-sending Trojan, which targets mobile devices with Java midlet installed, has been circulating in Malaysia. Some victims reported that they have been receiving an SMS message which appears to be an update from Samsung.
A message that appears as an update from Samsung
But upon clicking the link, they are redirected to another link (http://mmgbu[...].com:90/[...].jar) that leads to a JAR file. This JAR file carries out the details for the malware to send SMS messages to multiple short numbers.
Upon execution, the trojan sends three SMS messages (most likely to premium numbers) without the user's consent. The contents and recipient numbers are as follows:
• "On GB" to 39914 • "On DF" to 39914 • "On HB" to 33499
Then, it will show a title of "HOT WEB DL" and images of ladies which are grouped into five selections: DANCE CLUB, BEACH GIRLS, FUNNY VIDEO, GT MODEL, and HOT CAM. Once the option is selected, it sends out SMS messages containing the string "On (content)" to (number), where the contents could be:
• HB • MODEL • LY • AV • GA
These messages are later sent out to the following numbers:
• 33499 • 33499 • 36660 • 36660 • 36989
A file containing the details on message contents and recipient numbers
Images used by SmsSy.A
An analysis of another sample of the same trojan revealed that this one was assigned with a different set of contents and recipient numbers:
Another sample of SmsSy.A was assigned with different set of contents and numbers
A different set of images used by SmsSy.A
We have properly rated the offending URL, and published the detection as Trojan:Java/SmsSy.A.
Ransomcrypt encrypts files using Tiny Encryption Algorithm (TEA). The key is formed from a "base key" which is modified based on the first character of the name of the file that is being encrypted to form a "file specific key". Both the base key and the file specific key are 16 bytes long.
Our analysts have created a decryption script, written in Python, for our support team. Fortunately, we've only seen a small number of customer cases. The decryption script works with two variants of Ransomcrypt.
Reports of new Mac malware variants exploiting CVE-2012-0507 surfaced last week. The Java vulnerability is the same one used by Flashback to infect more than 600 thousand Macs.
The first new threat was analyzed by the folks at Trend Micro. The Java applet for Mac actually exploits CVE-2012-0507, and if successful, the payload is the same malware that AlienVault Labs discovered last month (being used in targeted attacks against human rights NGOs).
The second threat seems to be a completely new piece of malware at first. However, succeeding samples that have been collected reveal that the malware is also being dropped by the same word documents exploiting MS09-027/CVE-2009-0563, used to drop Backdoor:OSX/Olyx.C and Backdoor:OSX/MacKontrol.A. Which was also reported by AlienVault last month.
Both malware seem to be active at the moment and are controlled manually as observed by ESET and Kaspersky respectively. Both use the same malicious Java class dropper component. MD5: 5a7bafcf8f0f5289d079a9ce25459b4b
MD5: 78f9bc441727544ebdc8374da4a48d3f – Backdoor:OSX/Olyx.B (also known as Lamadai.A) MD5: 40c8786a4887a763d8f3e5243724d1c9 – Backdoor:OSX/Sabpab.A (also known as Lamadai.B) MD5: 3aacd24db6804515b992147924ed3811 – Backdoor:OSX/Sabpab.A
These malware variants are being used in targeted attacks against Tibetan focused NGOs and are therefore very unlikely to be encountered "in-the-wild" by day to day Mac users. If you're a Mac using human rights lawyer however… your odds of exposure are another matter entirely. If you don't have it already, now is the time to install antivirus on your Mac.
We are receiving reports of a ransom trojan, it's been circulating during the last two days.
When first run on the system, the ransomware will iterate all folders on the system. Every document, image, and shortcut (.lnk) file found will be encrypted and appended with an extension of .EnCiPhErEd. In each folder it will drop a text file called "HOW TO DECRYPT.TXT" which contains instructions on how to proceed. The bandit is demanding 50€.
It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password. After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted.
Our threat hunters think that the source of this ransomware may be from inserted malicious tags in sites, particularly in forums.
Here's how encrypted files look once the trojan has done its work:
This is the content of the text file:
The "Error!" message that you'll get if the wrong password is input:
Another error message, repeating the demands found in the .txt file:
The encryption used by this trojan is not as complex as some other ransomware we've analyzed, such as Gpcode. Investigations to determine if its encryption can be cracked are ongoing.
We have created a free tool that automates the detection and removal of the widespread Flashback Mac OS X malware.
How to use the tools:
1) Download FlashbackRemoval.zip to the Mac machine you want to scan. 2) Double-click the zip package to unzip it in the current folder. 3) Double-click the FlashBack Removal app to run the tool. 4) Follow the instructions to check your system and clean any infections.
The tools creates a log file (RemoveFlashback.log) on current user's Desktop. If any infections are found, they are quarantined into an encrypted ZIP file (flashback_quarantine.zip) to the current user's Home folder. The ZIP is encrypted with the password "infected".
Apple has announced that it's working on a fix for the malware, but has given no schedule for it.
Quite surprisingly, Apple hasn't added detection for Flashback — by far the most widespread OS X malware ever — to the built-in XProtect OS X antivirus tool.
Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier). More than 16% of Macs still run OS X 10.5.
If you run an older version of Mac OS X, update to a current version. Or disable Java in your browser. Or uninstall Java. And run our free tool. And yes, we have a full-blown F-Secure Antivirus for Mac available as well.
Update: Small false positive fix. The tool linked above has been updated (April 12th). Version 1.1.0.
For those of you celebrating the Easter Holiday this weekend — if you're visiting your parents and they have a Mac — now is the time to update, disable, or remove their Java client plugin/installation!
Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer. We wrote about a Finnish language variant last month. Attacks are still quite active according to our statistics.
Even when somebody is savvy enough to recognize the message is a fake, the malware's accusations of offensive materials having been discovered on the user's hard drive creates a chilling effect, which has likely prevented some folks from seeking outside help.
Here's a screenshot we took earlier today using a recent variant:
To unlock their computer, the user is asked to purchase a Paysafecard from a local convenience store chain (in Finland, it's R-Kioski) in the amount of 100 euros. The technique is effective, as even non-technical people who might not be able to use online payment services such as Webmoney or eGold will be able to walk to the nearest store to part with their money.
In this particular case, the e-mail address email@example.com shown in the screenshot does not belong to the attackers. The domain cybercrime.gov is valid and belongs to the US Department of Justice.
For this variant (SHA1: e6e330614c46939b144cff9bd627ba098dce9873), the easiest way to manually disable it is as follows:
1 – Press Ctrl-O (that's the letter O, not the number zero). 2 – Select "Browse", go to c:\windows\system32 and open cmd.exe. 3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again. 4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but lets not get started on that…).
5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting. 6 – Reboot the computer.
After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.
The steps may vary slightly depending on the variant. CERT-FI has published removal instructions for a different variant with slightly different steps, and Microsoft provides information in their description.
Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions.
The first exploit targets CVE-2012-0507, the latest Java vulnerability that's been seen being exploited in the wild. This vulnerability was patched (for Windows) by Oracle in February 2012. I found the second exploit to be more interesting. It clearly appeared to be related to some Java CORBA vulnerability, possibly CVE-2012-0506, a Java vulnerability not yet known to be exploited in the wild. Last Friday I decided to take a closer look at this mysterious exploit.
First, I decompiled and analyzed the applet. However, I did not recognize anything in particular as there have not been any exploits or Proof-Of-Concepts made publicly available for CVE-2012-0506. So I decided to test the exploit with different versions of Java Runtime Environment to narrow down the list of potential vulnerabilities. I started by trying the latest version (JRE6 update 31) and, as expected; the exploit did not work because it was already patched. Then I tested with an older Java version (JRE6u25) just to make sure that the exploit would work in my test environment, and it did. I was a bit surprised when I tested JRE update 30 and the exploit did not work. This was a clear indication that the sample was not exploiting CVE-2012-0506 (as I was expecting) because JRE6u30 still had this vulnerability.
I continued testing different JREs and determined that JRE6 update 29 is the version that patches this mysterious vulnerability. The Update Release Notes link to an Oracle Java SE Critical Patch Update Advisory – October 2011 that lists all the vulnerabilities patched in the update. Based on my initial analysis it was clear that the sample exploits some deserialization problem and the only vulnerability in the Risk Matrix related to deserialization is CVE-2011-3521. The ZDI advisory reveals two interesting facts. Firstly, the vulnerability was discovered by fellow Finn Sami Koivu who recently joined Oracle. Secondly, the problem is in IIOP deserialization which is exactly the piece of CORBA code that the exploit calls. This confirms that the mysterious vulnerability is… CVE-2011-3521.
On Saturday, Contagiodump wrote about the same sample. Michael Schierl e-mailed Contagiodump and also commented on the original Kahu Security blog post that the vulnerability was most likely not CVE-2012-0506, but rather, CVE-2011-3521.
Although Blackhole has been investigated and dissected multiple times, there are still some surprises that emerge. One thing we just discovered is an exploit for CVE-2011-0559, which is one of the two Flash exploits being used by Blackhole currently.
Compared to other exploits, this one has been used by Blackhole for quite some time and yet… the coverage using different security products is very low.
With very low antivirus coverage, no Metasploit module, and PoCs being extremely difficult to find, this increases the chances of exploitation. Blackhole targets to exploit Adobe Flash 10.0 and earlier versions, 10.1, and 10.0.x (where x is later than 40). The vulnerability has been patched since March 2011. Detection has been added to F-Secure Anti-Virus as Exploit:W32/CVE-2011-0559.A.
So if you haven't already disabled your Java client, please do so before this thing really become an outbreak. Check out our previous post for instructions on how to disable Java on your Mac.
Our previous instructions on how to check whether you are infected with Flashback is still applicable. However, for this variant, there is an additional updater component that is created in the infected user's home folder. By default it is created as "~/.jupdate".
A corresponding property list file is also created so that it will execute every time the infected user logs in. By default, the property list is created as "~/Library/LaunchAgents/com.java.update.plist".
However, these filenames may be different in the actual infected system as they are configurable by the malicious webpage delivering the exploit: