Tuesday, July 23, 2013

Windows Version of the Janicab Malware Posted by Brod @ 11:56 GMT

Last week, we wrote about a script-based malware targeting Mac users. Yesterday, the folks from avast! revealed a Windows version.

tweet from Jindrich Kubec

Here is a summary of the differences between the Windows and OS X versions:

Summary table

Our Windows users are already protected by our cloud technology.


Monday, July 22, 2013

Summer Listening: BBC Playlist Posted by Sean @ 10:37 GMT

"There are now three certainties in life — there's death, there's taxes and there's a foreign intelligence service on your system."
~ MI5's Head of Cyber

BBC Radio 4 recently aired a very interesting series on cyber espionage, theft, and war.

Under Attack: The Threat from Cyberspace

Reporter Gordon Corera interviewed numerous individuals including Michael Hayden (Former Director of the N.S.A.), Toomas Hendrik Ilves (President of Estonia), and MI5's Head of Cyber (who preferred not to be named). Episode 3 is still available for a limited time.

A 50 minute compilation is available from BBC World Service.

BBC World Service, Documentaries
Download (Available indefinitely.)

And if you're interested in security… you're probably also interested in privacy.

"Mobile phones really are now tracking devices that let us make calls."
~ Nick Pickles, Director of Big Brother Watch

BBC Radio 4: Privacy Under Pressure

Rovio — The Golden Egg of Mobile Advertising — gets a mention of course.


Friday, July 19, 2013

Augmenting Society's Collective IQ Posted by Sean @ 14:14 GMT

Doug Engelbart died on July 2, 2013. He is probably best known, to the general public, as the inventor of the computer mouse. But he was much more than that…

"They called him kooky, and laughed at him for doing weird stuff."

(The Economist: Doug Engelbart, computer engineer, died on July 2nd, aged 88)

Among some technology enthusiasts, he is known for The Mother of All Demos.

If you're not familiar with it, The Demo included demonstrations of "hypertext, object addressing and dynamic file linking, as well as shared-screen collaboration involving two persons at different sites communicating over a network with audio and video interface."

And the best part… The Demo took place on December 9, 1968.

Stanford University has an excellent series of annotated clips: here.

Truly a man ahead of his time, Engelbart's vision was to ask:

"How do we collectively use technology to map our future with integrity mindful of the perspectives of others and future generations?"

Doug Engelbart Tribute Video



Thursday, July 18, 2013

Surveillance Will Soon Be the Lesser of Your Worries Posted by Sean @ 16:05 GMT

The debate continues regarding the U.S. Government's domestic surveillance programs — which U.S. privacy advocates argue are a violation of Fourth Amendment constitutional protections.

Meanwhile in Europe:

Several E.U. countries such as France, Belgium and the U.K. already have laws that compel individuals or companies to decrypt data requested by law enforcement authorities for investigations.

Laws to force suspects to decrypt their data?

However, introducing a law that forces suspects to decrypt information could violate Article 6 of the ECHR, which states that a person doesn't have to incriminate oneself
(Dutch judges: Decryption orders could violate human rights)

The law could be a violation of Article 6 of the ECHR. As in Article 6 of the European Convention on Human Rights — which, like the Fifth Amendment of the U.S. Constitution, protects individuals from being forced to incriminate themselves.

Refuse to provide your password?

Go to jail.

The issue needs more debate.

But what happens when you can't refuse? After all, science is getting better at understanding kinesic information leakage (video).

And technology is rapidly attempting to automate what science has learned… Deception Is Futile When Big Brother's Lie Detector Turns Its Eyes on You

In the not too distant future — even your own mind won't be able to protect secrets.

Wanted: a new kind of firewall.


Wednesday, July 17, 2013

On "FBI" "Ransomware" and Macs Posted by Sean @ 15:34 GMT

On Monday, Malwarebytes researcher Jerome Segura posted a nice write-up (and video) about FBI-themed ransom scams targeting users of Apple Mac OS X.

The basics are as such:

  •  Segura discovered the scam via a Bing Images search for Taylor Swift.
  •  A compromised site hosting the image linked to a webpage mimicking police ransomware.
  •  Only it isn't really "ware" in the normal sense of a ransomware trojan.
  •  The scam uses clever persistent JavaScript in its attempt to trick people into paying a supposed fine.

And now we'd like to contribute some additional notes.

Located in Canada, Segura was directed to an FBI themed webpage. This is probably due to his North American IP address, or else he was using a US-based proxy.

In Europe, the result is Europol themed:


And the scam uses a Europol-themed URL:


Also, such scams are not just targeting Macs, as this comment from The Safe Mac explains.


Crimeware kits are always targeting everything all the time. Windows, Macs, every OS.

But most of the time… there isn't a good exploit vector with which to target Macs with malware, so they are redirected to something "spammy" instead. For example, now that the ransom scam has been exposed, this is what the FBI and Europol URLs are currently redirecting to:

Find Your Adult Friend

Find Your Adult Friend: a site which uses scraped images. (Avoid.)


Monday, July 15, 2013

Signed Mac Malware Using Right-to-Left Override Trick Posted by Brod @ 10:48 GMT

Right-to-left override (RLO) is a special character used in bidirectional text encoding to mark the start of text that is to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and the high-profile Mahdi trojan from last year to hide the real extension of executable files. Check out this Krebs on Security post for more details on the trick.

We've spotted a piece of Mac malware using the RLO trick. It was submitted to VirusTotal last Friday.

RLO character

The objective here is not as convoluted as the one described in Krebs's post. Here it's simply to hide the real extension. The malware could have just used "Recent". However, OS X has already considered this and displays the real extension as a precaution.
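As an added example (not code from the F-Secure post), here is a small Python check that flags file names carrying bidirectional override characters and compares the extension a naive display would show against the one the operating system actually uses. The file names in it are constructed; the reversal model is an approximation of how a renderer without Finder's safeguard would show the name.

```python
# Added example, not from the original post: detect the RLO trick in file names.
# The sample names below are constructed.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Other Unicode bidi control characters that can be abused the same way.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def displayed_name(name: str) -> str:
    """Approximate what a naive renderer shows: everything after an RLO is reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def _extension(name: str) -> str:
    """Extension after the last dot, with bidi controls removed, lower-cased."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def check_name(name: str) -> dict:
    """Report the apparent versus real extension and whether the name looks spoofed."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    apparent = _extension(displayed_name(name))   # what the user is led to believe
    real = _extension(name)                       # what the OS will actually open
    return {
        "has_bidi_control": has_bidi,
        "displayed": displayed_name(name),
        "apparent_extension": apparent,
        "real_extension": real,
        "suspicious": has_bidi and apparent != real,
    }


if __name__ == "__main__":
    # Constructed sample: stored name ends in ".app" but displays as ".pdf".
    for sample in ("Recent News" + RLO + "fdp.app", "report.pdf"):
        print(check_name(sample))
```

On a real system the stored name and the displayed name come from the same string; the point of the check is that the `real_extension` field is what a double-click will launch, regardless of what the user reads.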

RLO trick in Finder
RLO trick in Terminal

The malware is written in Python and it uses py2app for distribution. Just like Hackback, it's signed with an Apple Developer ID.

Apple Developer ID

However, because of the RLO character, the usual file quarantine notification from OS X will be backwards just like the Krebs case.

OS X file quarantine notification

The malware drops and opens a decoy document on execution.

Decoy document

Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.

Launch point and drop files

The malware connects to the following pages to obtain the address of its command and control server:


It parses for the address in the string "just something i made up for fun, check out my website at (address) bye bye".
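An added example, not from the post: a Python extractor for the locator sentence quoted above, of the kind a defender would run over captured page text or proxy logs to pull out the address a sample would resolve as its command and control server. The sample page text, the 203.0.113.10 address (TEST-NET) and the c2.example.invalid host name are constructed placeholders.

```python
# Added example, not from the original post: pull C&C addresses out of the
# dead-drop sentence the post describes. Sample text and addresses are constructed.
import ipaddress
import re

# The sentence the malware searches for, with the address captured.
LOCATOR_RE = re.compile(
    r"just something i made up for fun,\s*check out my website at\s+"
    r"(?P<addr>[^\s<>]+?)\s+bye bye",
    re.IGNORECASE,
)


def classify(addr: str) -> str:
    """Label an extracted address as an IPv4 literal or a host name."""
    try:
        ipaddress.IPv4Address(addr)
        return "ipv4"
    except ValueError:
        return "host"


def extract_locator_addresses(text: str) -> list:
    """Return (address, kind) for every locator sentence found in text.

    Trailing punctuation is stripped so '... at 203.0.113.10. bye bye' still
    yields the bare address.
    """
    found = []
    for m in LOCATOR_RE.finditer(text):
        addr = m.group("addr").rstrip(".,;:")
        found.append((addr, classify(addr)))
    return found


# Constructed sample resembling a comment section; the last comment lacks the
# leading phrase and must not match.
SAMPLE_PAGE = """
<div class="comment">great video!</div>
<div class="comment">just something i made up for fun, check out my website at 203.0.113.10 bye bye</div>
<div class="comment">Just something I made up for fun, check out my website at c2.example.invalid bye bye</div>
<div class="comment">check out my website at unrelated.example bye bye</div>
"""

if __name__ == "__main__":
    for addr, kind in extract_locator_addresses(SAMPLE_PAGE):
        print(f"{kind}: {addr}")
```

The regex is deliberately anchored on the whole sentence rather than just "my website at", which keeps ordinary comments out of the result set; the extracted values are candidates for blocking or for pivoting on in proxy logs.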

The YouTube page looks like this:

YouTube page

Doing a Google search for the string reveals that there are other sites being abused besides those mentioned above.

Google search

The malware then continuously takes screen shots and records audio (using a third party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.

The malware is detected by F-Secure as Backdoor:Python/Janicab.A.

Updated to add:

Here are the stats from one of the YouTube videos being used as a C&C locater:



The videos predate the Janicab.A binary by at least a month. Based on the stats, it seems likely there are earlier variants in the wild.


Thursday, July 4, 2013

Who won the free Bitcoins? Posted by Mikko @ 20:07 GMT

As mentioned a week ago, I was running a competition where I would give a physical Bitcoin coin to my 50,000th follower on Twitter.

Well, it happened last night. My 50,000th follower was an account called WantBTC.


WantBTC is actually a bot, run by Eric Bauersachs.


Eric was running a script with 16 Twitter bots competing for the 50,000th follower slot. Hard work paid off, and he won!


Eric will be getting the Bitcoin and a copy of Thomas Rid's upcoming book Cyber War Will Not Take Place. Congratulations!

However, I also promised a Bitcoin and the book to a random follower of mine. Which one got it? Did you get it? You'll have to watch the video to find out.

Thanks all!


Wednesday, July 3, 2013

Redux: Metadata Matters Posted by Sean @ 10:53 GMT

The term "metadata" is nothing new to us. One year ago, we linked to the story of German Green party politician, Malte Spitz.

Given current events, a refresher on just what metadata is seems useful. From our June 29, 2012 post:

"A 2008 German law required all telecommunications providers with more than 10,000 customers to retain six months worth of data on all calls, messages and connections. Germany's Constitutional Court ruled the law unconstitutional in 2010.

Spitz acquired (meta)data from his telecom provider covering a period from August 2009 to February 2010. Zeit Online has made the raw data available via Google Docs. To demonstrate just how much of a personal profile can be crafted, Zeit Online augmented the data with publicly available information such as Spitz's tweets and blog entries."

(Meta)data or metadata… it's all data.

Anyway, the result is an incredibly cool, very revealing, interactive map:


Now you can hear Spitz himself…

PRI's The World interviewed Spitz yesterday on its July 2nd broadcast.

Also of interest, from Geoffrey Nunberg: Calling It "Metadata" Doesn't Make Surveillance Less Intrusive


Monday, July 1, 2013

Android Hack-Tool Steals PC Info Posted by SecResponse @ 07:07 GMT

Over the weekend, Yeh, one of our Security Response Analysts, came across some interesting analysis on a Chinese language forum about an Android app that basically turns a mobile device into a hack-tool capable of stealing information from a connected Windows machine.

He managed to find a sample (MD5:283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (detected as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:

Android Hack-tool, USBCleaver

When the app is launched, it directs the user to download a ZIP file from a remote server:

USBCleaver, Download Payloads

It then unzips the downloaded file into the /mnt/sdcard/usbcleaver/system folder.

The files saved are essentially utilities used to retrieve specific pieces of information when the device is connected via USB to a Windows machine. Note: we detect most of the files with older detections.

The following details are grabbed from the connected PC machine:

  •   Browser passwords (Firefox, Chrome and IE)
  •   The PC's Wi-Fi password
  •   The PC's network information

The app gives the user the option of choosing what information they want to retrieve:




To run the utilities, the sample creates an autorun.inf and go.bat file at /mnt/sdcard. When the device is connected to a Windows computer, the autorun script gets triggered, which then silently runs the go.bat file in the background, which in turn runs the specified files from the usbcleaver/system folder.
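An added triage example, not part of the original post: a Python parser for autorun.inf that reports which command the [autorun] section would hand to Windows, so a removable device can be inspected before it is trusted. The sample autorun.inf is constructed to mirror the layout the post describes (an open= entry pointing at go.bat behind an innocuous-looking action label).

```python
# Added example, not from the original post: triage an autorun.inf file and
# report what it would launch. The sample file content is constructed.
import configparser
import re

SAMPLE_AUTORUN = """[autorun]
open=go.bat
shellexecute=go.bat
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Keys whose values Windows would run (or offer to run) when the device is inserted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Extensions that mean "code runs", as opposed to a document being opened.
SCRIPT_EXTS = (".bat", ".cmd", ".exe", ".com", ".vbs", ".js", ".scr", ".pif")


def parse_autorun(text: str) -> dict:
    """Return the launch targets, the displayed action text, and a verdict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower          # option names are case-insensitive on Windows
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {"launches": [], "action": None, "suspicious": False}

    launches = [cp.get(section, key).strip()
                for key in LAUNCH_KEYS if cp.has_option(section, key)]
    action = cp.get(section, "action", fallback=None)

    # The first token of each launch value is the program; flag it if it is
    # a script or executable rather than a document.
    runs_code = any(
        re.split(r"\s+", cmd.strip('"'))[0].lower().endswith(SCRIPT_EXTS)
        for cmd in launches
    )
    return {"launches": launches, "action": action, "suspicious": runs_code}


if __name__ == "__main__":
    print(parse_autorun(SAMPLE_AUTORUN))
```

Note the mismatch the verdict catches: the action text promises to open a folder while open= and shellexecute= both point at a batch file. With Autorun disabled (as the post recommends) none of these entries fire, but the parser is still useful when reviewing a device image after the fact.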

The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app's user can click on the "Log Files" button to view the information retrieved from the PC:


This isn't the first Android trojan reported this year with PC-infecting capabilities, since that "distinction" belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).

Unlike the Sscul malware however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.

Fortunately, USBCleaver's Windows-infecting routine can be blocked by a simple measure that's been standard security advice for the last couple of years: disabling Autorun by default (this is already standard on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile drivers manually installed in order for this attack to work.


Analysis by — Yeh