05 Dec Corporate threats in 2013 - the expert opinion GReAT
04 Dec ZeuS – now packed as an antivirus update Andrey Kostin
03 Dec Top security stories of 2013 - the expert opinion GReAT
21 Nov Multimedia overwriter with Spy features Dmitry Bestuzhev
15 Nov AutoCAD – new platform for start page Trojans Vigi Zhang
14 Nov The rush for CVE-2013-3906 - a hot commodity Dmitry Tarakanov
Companies are increasingly falling victim to cyber-attacks. According to a recent survey conducted by Kaspersky Lab and B2B International, 9% of the organizations polled were the victims of targeted attacks - carefully planned activity aimed at infecting the network infrastructure of a specific organization. The extensive use of digital devices in business has created ideal conditions for cyber-espionage and the deployment of malware capable of stealing corporate data.
The full report is available here.
Last week, Kaspersky Lab identified a mass mailing of phishing letters sent in the name of leading IT security providers. The messages we detected used the product and service names belonging to Kaspersky Lab, McAfee, ESET NOD32 and many others.
The text and general layout of each letter followed the same template; only the senders’ names and the IT security solutions mentioned in the text were different. In their messages, the cybercriminals invited the reader to install an important security update for his/her security solution to guarantee protection against a new piece of malware supposedly ravaging the web. To do so, the user simply needed to open the attached ZIP archive and launch the executable file in it. Not surprisingly, the writers urged their victims to act immediately rather than spend time thinking about who might be behind this sudden urgent letter.
Once again, it's time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let's start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
The full report is available here.
In China, start page Trojans have become a popular type of malware because by changing users’ browser start pages to point to some navigation site, the owner of the site can get a large amount of web traffic which can then be converted into large sums of money. In order to spread such Trojans as broadly as possible, Trojan authors have even turned their sights to AutoCAD. This week we found two new AutoCAD Trojans detected as Trojan-Downloader.Acad.Qfas.b and Trojan.Acad.Qfas.o. They are written in AutoLISP mixed with VBA, and are aimed at changing users’ browser start pages and displaying adverts. According to our KSN statistics, this threat appears mainly in China, India and Vietnam.
These two Trojans are compiled AutoLISP files with the file extension .fas. Here is a fragment:
This can cause difficulties during analysis because there is no decompiler as such for .fas files and these Trojans managed to avoid detection by all antivirus programs except Kaspersky’s, which are capable of decompiling such files:
Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.
At Kaspersky Lab we have also detected that yet another APT group has just started spreading malicious MS Word documents exploiting CVE-2013-3906. This APT actor is the Winnti group, which we described in detail here. They have sent spear-phishing emails with an attached document containing the exploit. As usual the Winnti perpetrators are trying to use this technique to deliver 1st stage malware - PlugX.
We became aware of an attack against one gaming company which constantly undergoes attacks from the Winnti group. The MS Word document containing the exploit shows the same TIFF “picture” - 7dd89c99ed7cec0ebc4afa8cd010f1f1 – that triggers the exploitation of the vulnerability, as in the Hangover attacks. If the exploitation is successful, the PlugX backdoor is downloaded from a remote URL:
Microsoft's November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated "important". This month's MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.
The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long running APT operation they call "DeputyDog". As a part of this operation, the group strategically popped yet another carefully selected web site, then redirected those visitors to their 0day attack. Simply labelling it "just another watering hole" may not fully describe the amount of planning and preparation that goes into selecting the web site property to compromise, and then burn the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don't know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don't think that I have ever seen "CreateRemoteThread" used to deliver a payload in a significant exploit.
At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS13-088. No doubt these should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVEs include "information disclosure" issues, which enable exploit developers to advance their exploit code further into process space and are serious issues.
Surprisingly, Microsoft is patching code in their WordPerfect converter "wpft532.cnv" for the stack overflow issue CVE-2013-1324. This vulnerability enables spear-phishing attacks across all versions of their OS, although on 64-bit platforms the component may not be present. I didn't expect to write about a stack BoF in their code at the end of 2013, but hey, it's tricky stuff.
More about this month's patches can be found at the Microsoft site.
Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. We thought that now would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.
What we see now is what we expected. The botnet is getting smaller and smaller - victims have been disinfecting or reinstalling their PCs over time. At the moment we're counting about 1000 unique bots on average per month:
Due to the botnet's peer-to-peer design, an independent subset of the initial botnet that never connected to our sinkhole could still exist. But we think the bot count of any such subset would have evolved in a similar way, because the bot-herders would most likely leave it alone as well and concentrate on establishing "Hlux 3".
Most of the bots are still running under Windows XP. But we also saw some bots running under Windows Server 2008:
Most of the infected clients are located in Poland:
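The figures above (unique bots per month, OS split, country split) are the kind of aggregation a sinkhole operator runs over check-in logs. The script below is an added example and not Kaspersky's sinkhole code; the log lines, the OS strings and the prefix-to-country map are constructed for the demo (a real deployment would use a GeoIP database), and it treats the source IP as the bot identity, which is a simplification because NAT and dynamic addressing both distort such counts.

```python
import collections
import ipaddress

# Constructed sinkhole log lines (not real sinkhole data): UTC timestamp,
# source address of the bot's check-in, and the OS string the bot reported.
SAMPLE_LOG = """\
2013-09-02T10:14:03Z 198.51.100.7 WinXP
2013-09-02T18:40:11Z 198.51.100.7 WinXP
2013-09-15T07:02:59Z 198.51.100.22 WinXP
2013-09-20T22:13:45Z 203.0.113.5 Win7
2013-10-01T09:30:00Z 198.51.100.7 WinXP
2013-10-03T11:11:11Z 192.0.2.9 WinSrv2008
2013-10-03T11:12:30Z 192.0.2.9 WinSrv2008
"""

# Hypothetical prefix-to-country map standing in for a real GeoIP database.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "PL",
    ipaddress.ip_network("192.0.2.0/24"): "PL",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}


def parse_log(text):
    """Return a list of (month, ip, os) tuples; month is 'YYYY-MM'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, os_name = line.split()
        records.append((ts[:7], ip, os_name))
    return records


def unique_bots_per_month(records):
    """Count distinct source addresses per month (IP used as bot identity,
    a simplification: NAT and dynamic addressing distort this in practice)."""
    seen = collections.defaultdict(set)
    for month, ip, _ in records:
        seen[month].add(ip)
    return {month: len(ips) for month, ips in sorted(seen.items())}


def average_monthly_bots(records):
    """Mean of the per-month unique-bot counts."""
    counts = unique_bots_per_month(records)
    return sum(counts.values()) / len(counts)


def os_distribution(records):
    """Count distinct bots per reported OS (each bot counted once)."""
    bots = {ip: os_name for _, ip, os_name in records}
    return dict(collections.Counter(bots.values()))


def country_distribution(records, geo=GEO):
    """Count distinct bots per country using the prefix map."""
    counts = collections.Counter()
    for ip in {ip for _, ip, _ in records}:
        addr = ipaddress.ip_address(ip)
        country = next((c for net, c in geo.items() if addr in net), "??")
        counts[country] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unique bots per month:", unique_bots_per_month(recs))
    print("average per month:", average_monthly_bots(recs))
    print("by OS:", os_distribution(recs))
    print("by country:", country_distribution(recs))
```

Counting distinct addresses rather than raw check-ins matters: a single bot beacons many times a day, so hit counts overstate the population by orders of magnitude.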
The group behind Hlux is known to be adept at quickly renewing their illegal infrastructure. Since the group is also known to be behind the Waledac botnet, we think that this is unlikely to be the last we hear about this gang.
Last but not least, a quick review about the story of Hlux/Kelihos:
In September 2011 we performed the first takedown of Hlux. The criminals responsible for that botnet didn't show a major interest in taking counter-measures - they abandoned the botnet to its fate (of being under our control now) and immediately began to build a new botnet. So after a short time, Hlux 2 appeared on the radar and we did it again - poisoning the p2p-network to sinkhole it. And again, the criminals quickly rebuilt their botnet and Hlux 3 was born - within 20 minutes! In March 2013 the bad guys were faced with a new shutdown operation - initiated and performed live at the RSA Conference 2013 by our friends over at Crowdstrike.
As Bitcoin reached an all-time high of $327/BTC, news about yet another huge robbery hit the world of crypto-currencies. One of the relatively new “Bitcoin banking” services named inputs.io claimed it has been compromised by hackers. The attackers were able to penetrate the server on October 23 and 26 and transfer 4100 BTC (approximately US$1.2 million). According to “Tradefortress”, the service owner, the attackers used old email accounts together with a password reset technique: “They were able to bypass two-factor authorization due to a flaw on the server host side”.
Right now it is not possible to confirm that this was a real hack, and not merely a site owner scamming customers. But it is not the first time this has happened - there were a number of similar incidents in recent years on many different bitcoin storage and exchange services. Examples include, in May and July 2012, the Bitcoinica theft (approx. 58,000 bitcoins stolen), the Linode hacks in March 2012 (approx. 46,000 bitcoins stolen) and the Bitfloor theft in September 2012 (approx. 24,000 bitcoins stolen).
All these incidents happened because of silly mistakes made by service operators. Bitfloor was robbed because an unencrypted wallet backup was mistakenly stored on some of its servers. The Bitcoinica theft occurred when a top-privileged email account was compromised, giving the cybercriminals access to Bitcoinica's Rackspace server where the wallet was kept. There are hundreds of similar examples.
Bitcoin is a secure and viable currency, but its security ultimately depends on its users. If users are unable to establish the security of their own wallets they definitely will lose them.
The best strategy for storing and using Bitcoins securely is “Don’t keep all of your eggs in the same basket”. Use different approaches for short-term and long-term storage. The most flexible solutions are usually the least secure ones as well. You don’t want to keep all of your bitcoins on your mobile or Blockchain wallet for instance - but just enough for weekly use. At the end of the week, you can top-up your Bitcoins from your long-term storage, the one which is secured.
If you own a couple of Bitcoins, then the most important thing is how to keep them safe. Here’s a couple of tips from our side based on personal experience and watching cybercriminals at work.
First of all – the Bitcoins should not be kept in online stock exchange services or banks that are new and untrustworthy. Keep in mind that most of these services are anonymous; owners are only known by nicknames so most likely, you will not be able to get a refund of your money if something bad happens. Even if a service has a perfect reputation, it could also be compromised like any ordinary bank. To store your Bitcoins, you can use an open-source “offline” bitcoin client like Electrum or Armory. These encrypt your wallet with a strong password and protect it, ensuring that only you have access to your crypto-currency.
Passphrases for your bitcoin wallets and online storages should be as complex as possible – use open source password generating software.
Once you have your bitcoins in an “offline” wallet, secured by a strong password, make sure your PC is protected with a good, solid antivirus and your PC has the latest software updates installed. If you have a huge amount of bitcoins - you should keep them in a wallet on a PC that is not connected to the Internet at all!
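"As complex as possible" is best stated in bits of entropy, and a generator should draw from the OS CSPRNG. The following is an added example, not code from the post or from any wallet software: it generates a Diceware-style passphrase with the `secrets` module and computes how many uniformly chosen words are needed for a target strength. The 16-word list is constructed for the demo only; the 7776-word size is that of the standard Diceware list.

```python
import math
import secrets

# Constructed mini wordlist for the demo; a real Diceware list has 7776 words.
DEMO_WORDS = ["anchor", "basalt", "copper", "dahlia", "ember", "falcon",
              "granite", "harbor", "iris", "juniper", "kestrel", "lantern",
              "meadow", "nettle", "orchid", "pewter"]
DICEWARE_SIZE = 7776


def entropy_bits(num_symbols, vocab_size):
    """Entropy of a secret made of num_symbols symbols, each drawn uniformly
    at random from vocab_size choices: num_symbols * log2(vocab_size)."""
    return num_symbols * math.log2(vocab_size)


def words_needed(target_bits, vocab_size):
    """Smallest number of uniformly chosen words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocab_size))


def generate_passphrase(words, count):
    """Pick count words with the OS CSPRNG (secrets), never random.random()."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # An 8-character lowercase password versus six Diceware words.
    print("8 lowercase chars: %.1f bits" % entropy_bits(8, 26))
    print("6 Diceware words:  %.1f bits" % entropy_bits(6, DICEWARE_SIZE))
    print("words for 128 bits:", words_needed(128, DICEWARE_SIZE))
    # With the 16-word demo list each word adds only 4 bits.
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 5),
          "(%.0f bits)" % entropy_bits(5, len(DEMO_WORDS)))
```

The entropy figure only holds when every word is chosen uniformly and independently; a passphrase assembled by hand from favourite words has far less.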
Some say Bitcoins will bring down governments or even society as we know it; others advocate it as the solution to all our financial problems. To be honest, when it comes to Bitcoins, nobody knows what the future will bring. One thing is for sure, though - cybercriminals are highly interested in stealing your hard-earned crypto-currencies, so we're likely to see more attacks in the future.
On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.
Several malware samples that exploit CVE-2013-3906 became available to us. We analyzed them in detail. All of them make use of heap spraying, writing their code at the address 0x08080808 and executing it from that location. The exception and the memory overwrite occur in the vulnerable ogl.dll.
Fragment of WinDbg shellcode execution
The exploits that we had access to can be divided into two groups according to the shellcodes used in them.
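Two defender-side checks follow from the Winnti post above (the TIFF object with MD5 7dd89c99ed7cec0ebc4afa8cd010f1f1 as the trigger) and from the heap-spray behaviour described here (code sprayed at 0x08080808). The script below is an added example, not Kaspersky's tooling: it locates TIFF header signatures inside a document or extracted stream, compares an object's MD5 against the post's hash, and scans a memory dump for long runs of the sprayed word. The sample document bytes and memory buffer are constructed; the TIFF magic values ("II*\0" and "MM\0*") are the standard TIFF headers. The run-length threshold is an assumption to tune per environment.

```python
import hashlib
import re

# MD5 of the TIFF object named in the post as the exploit trigger.
KNOWN_BAD_MD5 = {"7dd89c99ed7cec0ebc4afa8cd010f1f1"}
# TIFF file headers: little-endian ("II", 42) and big-endian ("MM", 42).
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# Address the analysed exploits sprayed and jumped to, as one 32-bit LE word.
SPRAY_WORD = (0x08080808).to_bytes(4, "little")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def find_tiff_offsets(blob):
    """Offsets of every TIFF header signature inside blob, for carving
    image objects out of a document container."""
    offsets = []
    for magic in TIFF_MAGICS:
        start = 0
        while True:
            i = blob.find(magic, start)
            if i == -1:
                break
            offsets.append(i)
            start = i + 1
    return sorted(offsets)


def triage_object(blob, known_bad=KNOWN_BAD_MD5):
    """Hash one extracted object and check it against the known-bad set;
    also report whether it is itself a TIFF."""
    digest = md5_hex(blob)
    return {
        "md5": digest,
        "is_tiff": blob[:4] in TIFF_MAGICS,
        "known_bad": digest in known_bad,
    }


def find_spray_runs(memory, word=SPRAY_WORD, min_bytes=64 * 1024):
    """Return (offset, length) of contiguous repeats of word at least
    min_bytes long. A spray fills the heap with such runs so that the
    target address lands inside one; clean process memory rarely has them."""
    repeats = min_bytes // len(word)
    pattern = re.compile(b"(?:" + re.escape(word) + b"){%d,}" % repeats)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(memory)]


if __name__ == "__main__":
    # Constructed document fragment with a TIFF header at offset 10.
    doc = b"\x00" * 10 + b"II*\x00" + b"\x08\x00\x00\x00" + b"\x00" * 20
    print("TIFF headers at:", find_tiff_offsets(doc))
    print("triage:", triage_object(doc[10:]))
    # Constructed memory dump with a 4 KiB run of the sprayed word.
    mem = b"\x00" * 100 + b"\x08" * 4096 + b"\xff" * 50
    print("spray runs:", find_spray_runs(mem, min_bytes=1024))
```

Hash matching catches only the exact object seen in this campaign; the spray-run scan is the more durable signal because it keys on the technique rather than on one sample.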