18 May NoSuchCon 2013 Stefano Ortolani
17 May Malicious PACs and Bitcoins Fabio Assolini
13 May Telecom fraud — phishing and Trojans combined Dong Yan
27 Apr CeCOS VII Michael
25 Apr Security policies: remote access programs Kirill Kruglov
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The Fbi's "Operation Ghost Click" announcement in Nov 2011, involving the Rove Digital botnet delayed cleanup efforts that we previously discussed, continues to haunt both the internet networks and the mass media. A Forbes article and a Times article yesterday brought the apparition back to the front, with some claiming that the site offered by the DNSChanger Working Group is a new one, which it is not. The 2011 Operation being described, and the temporarily outsourced DNS server replacements and delayed cleanup, is the same. This phantom is nothing supernatural, so why all the discussion? The federal judge's extension allowing the Fbi to run these replacement DNS servers still cuts off access in early July. When those replacement servers are removed in early July, the infected systems resolving DNS queries at these previously-owned Rove Digital servers will simply not be able to resolve DNS requests. July 9th will arrive soon, and notifications continue to go out related to the hundreds of thousands of systems in the US alone that are still infected.
In the simplest terms, connectivity will not be severed for DNSChanger-infected systems, but internet communications will not function for infected systems that have not been cleaned up. In the US, government agencies, home users, and other organizations still infected with the malware will have systems that effectively can't get online, can't send email, etc. It will look like they are connected to their network, but they just won't communicate with anything.
At the same time, there seems to be issues with some existing identification efforts. Yesterday, I infected a system with DNSChanger and visited dns-ok.us. Results here:
Regarding the dns-ok site visit, my ISP's support team isn't aware of any "DNS redirections" that would cause the test to fail, and I will update this post with any update from our network admin that they are redirecting my system's dns queries. But that piece is highly doubtful. My point here is that infected system owners may be confused by this check. And the ip address was within the Fbi-provided ranges run by Rove Digital - perhaps a reader knows differently?
UPDATE (1:40 p.m. MST) - I received some details from my local ISP network admin. They are not redirecting any related DNS queries. However, one of their large upstream providers is redirecting DNS requests to another DNS server of their own. The other upstream link to the net does not seem to be re-routing DNS requests. So my infected client's traffic must be favoring routes through the larger upstream provider, and poof, the green/clean response banner appears. Any way you look at it, the response from the site can be inconsistent - sometimes red, sometimes green. Unfortunately, this sort of situation is going to confuse cleanup efforts. So, here we are again. To the potentially millions of folks running DNSChanger infected systems and are listening to the cacophony of incident responder consultants tossing out cheap cynicism that "AV is dead!", go ahead and download an "AV product" to scan your system. Of course, I like recommending our scanners (just visit http://www.kaspersky.com) because I have cleaned up DNSChanger infected systems with it (and the products have fully functional trial periods), along with our TDSSKiller rootkit removal tool to clean up especially complex DNSChanger infections.
Market share! It’s an easy answer, but not the only one.
In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break - Linux maintains under 2% market share and Google ChromeOS even less. This 15 year peak coincided with the first exploration by the aggressive FakeAv/Rogueware market targeting Apple computers, which we discovered and posted in April 2011 and later in May 2011, which no longer seem to be such an odd coincidence. Also, the delay in Apple malware until now most likely was not because Apple exploits were unavailable, or because the Mac OS X system is especially hardened. The 2007 "Month of Apple Bugs" demonstrated that the Mac OS X and supporting code is full of exploitable flaws. Safari, Quicktime, and other software on Apple devices is regularly exploited during pwnage contests, but widespread cybercrime attention hadn’t caught on until this past year.
At this point, we still don't know who is behind Flashfake, so we don’t know for sure that they were the same Mac OS X FakeAv/Rogueware group. Speculating that eastern euro-cybercrime is behind the botnet would be a pretty confident way to go right now. There are known groups from the region that have succeeded at wringing ad revenues from traffic hijacking. We don't believe that other sensitive data has been targeted. And the exploit distribution URLs that we are aware of have only targeted mac users. These factors limit the operational and technical needs of a financially motivated cybercrime gang.
In a sense, it would appear that their activity was somewhat similar to the Koobface or Tdss gangs. They haven't commited large unique financial crimes to attract the attention of law enforcement, and their malware contains hooks and other code to perform more sophisticated banking crime than search traffic hijacking, but they most likely were looking to make a multitude of small financial gains. On the other hand, thankfully, Apple hasn't given these guys ample notice to make their run. There can be plenty of money in that business - it is estimated that the Koobface guys ran off with millions after Facebook "outted" their operation under investigation. But based on the domain registrations we have examined, the individuals are not quite so public and they are hiding their identities while they hijack search engine traffic. The malware itself injects a number of hooks into running applications, much like the Zeus, SpyEye, and other spyware. If these were used for financial crimes, the group operating this botnet would need to organize money mules and accomplices to launder their stolen money, which would grow the group and attract the attention of other authorities.
On the technology side, Java is a big part of the puzzle. Although the Trojan is called Flashfake because users were being convinced to install the malware as an Adobe Flash update, more recent versions of the malware were being installed via client-side Java exploitation.
Three vulnerabilities were targeted with client-side exploits, none of them were 0day, which seem to have become much more difficult to come by. Besides, this set worked just as well for these operators. It is interesting to note the duration of time from the original Oracle Java security update to the Apple Java security update, and when in that timeframe the release offensive security research publicly appeared. And, when were Metasploit open source exploit modules were released targeting the related Java vulnerabilities? The windows of time may be alarming – these are not 0day exploits, but Apple simply hasn’t released patches, leaving their customers exposed to the equivalent of known 0day exploits.
2012-02-15 Oracle patches Atomic Reference Array vulnerability
2012-03-10 First Itw exploits targeting the vuln
2012-03-30 Metasploit developers add Java atomicreferencearray exploit module
2012-04-03 Apple patches their code
2011-05-12 Reported to vendor
2011-11-18 Oracle patched their Java SE
2011-11-30 Metasploit developers add "Rhino exploit" module
2011-11-30 Krebs reports operational Blackhole site with the new Java exploit
2012-3-29 Patched by Apple
"Deserializing Calendar objects"
2008-08-01 Reported to Sun with first instance of the vulnerability
2008-12-03 Sun patches their code (Sun link down)
2009-05-15 Apple patches MacOSX code
2009-06-16 Metasploit developers add Java deserialization exploit
Also on this list is a lame exploit described as a signed applet social engineering trick.
I'd prefer to call it the "the terribly confused user presented with the Java 'do you want to trust this applet?' dialog and will run anything you present them" gamble. It first became a part of the Metasploit exploit module list on 2010-01-27. Basically, these guys present the user with a file that the user thinks is a JavaUpdate provided by Apple Inc themselves, which they grant trust to perform any action on their machine. The downloader will then communicate with a couple of sites to register and download new Flashfake components. These components in turn, collect the system UUID and timestamp, then auto-generate with a crypto algorithm a set of C2 domains, along with maintaining a list of hard coded domains. A couple of the newer components inject into running processes on the system hooking software functionality and hijacking traffic, much like past TDS malware.
Dan Geer's fantastic Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks also were Jeremey Westerman's "Covering *aaS - Cloud Security Case Studies for SaaS, PaaS and IaaS", and Dan Rosenberg's "Android Modding for the Security Practitioner".
"The internet will never be as free as it is this morning." Dan Geer is one of the best, sharpest computing/network security speakers around. His talk descended from a high-level, lengthy, example-laden description of most every developed nation's dependency on the internet: "Dependence with respect to the internet is transitive, dependence on television is not...We are at the point where it may no longer be possible to live your life without having a critical dependence on the Internet, even if you live at the end of a dirt road but still occasionally buy nails or gasoline." And, he wound through multiple examples of failures in US systems to provide fallback options. He talked about his little local bank, whom he wrote a letter to close down the auto-created online account he wouldn't use. They, as an exception, closed it down immediately. His 401k account administrator Fidelity Investments, on the other hand, would not accept customer instructions from him in writing. The company continues to send him mailed marketing content of all kinds in writing at the address from which he sends his letters. Their auditors apparently approve of Fidelity's rejection of customer-initiated hand-written delivered communications, instead, accepting email/online chat messaging or instructions over the phone. This discussion made its way through systems design, unified field theory, and fault tolerance, eventually landing on key points that intrusion prevention is agreed not to be a workable model, instead, the elegance of "intrusion tolerance" must be built into systems, and countries and organizations that cannot build tolerance into their systems are not sustainable. Favorite quotes: "forget the banks, it is the internet that is too big to fail", "Is there room for those who choose simply to not participate in the internet?", "HTML5 is Turing complete. HTML4 is not", and "Should we preserve a manual means? Preserving fallback is prudent if not essential."
Jeremy Westerman's "Covering *aaS - Cloud Security Case Studies..." presented several design cases for Universities and other organizations. The single most important point to learn from this talk is that API key management is unfortunately not handled with as much urgency and awareness as private SSL keys for large organizations. This API key, in the context of multiple, popular single sign-on (SSO) solutions in use at large universities, is the key to tens of thousands, if not hundreds of thousands, of email accounts. Similar API key schemes are implemented on IaaS solutions like the Xen supported Amazon EC2 environment and VMWare vCloud Teramark environments. Without appropriate awareness, developers are storing that key in improper locations like the hard drive of the sign-on machine, or the developers themselves are storing keys on their development system hard drives in non-obvious places, emailing/"dropboxing" them around to each other and then simply transferring the API keys to the production environment, instead of re-issuing production API keys. It is practically imperative that these keys are taken out of the hands of developers. These loose handling practices are bad news - viral code like Sality and other viral code and worms previously high in our prevention stats have maintained functionality to steal FTP and web admin account passwords in order to silently host malicious code, encrypted or otherwise, on legitimate web sites without the owner's knowledge. In other words, developers have been effective and weak targets in the past for credential theft, enabling silent site compromise and malicious use. Most schools don't want that - I remember one unfortunate notification at a small Arts college, where the web admin really didn't want to believe that the encrypted blob of data hosted on his school's web server was a viral payload updating other students' infected systems, located there because his credentials were Sality-stolen after trying to run cracked software distributed over a P2P network. Anyway, it happens and it can be planned for and prevented.
Early today, Kaspersky Lab discovered a new ongoing spam campaign on Twitter. hundreds of compromised accounts are currently spamming malicious links, hosted on .TK and .tw1.su domains, leading to Rogue Anti Virus softwares.
Here is an analysis of the infection at a given time. Keep in mind that it is just a snapshot of the infection, and that the numbers are actually lower than reality.
2012 SOURCE Boston kicked off the first of three days with an opening talk on hacktivism and the Anonymous movement, Costin Raiu and Vitaly Kamluk presented the latest in Duqu C2 research, and Vercode's Shyama Rose talked about designing and building out strategic programs for complex organizations. It's a difficult subject to get right, finding the right fit, the right competence, avoiding hype, and getting these folks to work together to build the right implementation requires all sorts of magic that fly over the heads of many technical solution focused folks.
There were many others, but I thought that the most interesting talks included the full assessment of the ~Duqu operators' C2 infrastructure and a review of the comical mistakes and activities of this group of humans working under pressure. Kaspersky's Vitaly Kamluk included a review of the ~Duqu targets and delivery, and binaries. Hard to pick, but I suppose that the most interesting thing here is the visualization providing more proof that ~Duqu is the 2008 precursor to ~Stuxnet, found in Iran, Sudan, and a few European countries. Costin Raiu focused on the C2 and infrastructure itself. Because Kaspersky Lab was able to gain access to 6 of the 10 C2 servers, our research team was able to comb through the trail of bits on these hard drives. Implications of the data left behind led to statements about login times, informed speculation of the location and workday schedule of the attackers, the (sometimes lack of) experience of the operators, and tools used to assess the data were all provided. If you haven't seen this one, it's really good. And who knew full on nation state cyber-conflict C2 operations could be so comical? The whole room was laughing along at the unexpected junior operator mistakes that turned up during the sensitive Duqu operation.
Also very interesting was the Shyama Rose presentation on strategically building a successful security program. It's not often that security conference speakers include real world operational talks that discuss culture and fit within development and security teams. And it is operations that can break defender successes quickly. She discussed distributed vs. centralized security team models and their application, significant buy-in from executives and development teams, and how to get these strategic security programs done successfully.
I personally am most excited that Dan Geer is speaking tomorrow for the conference second day keynote. The guy developed a bit of a following on the DailyDave list with incredibly insightful comments on the world of technical and operational security that you don't get anywhere else. He's a wicked good thinker and speaker. We'll have more later.
For the past two days, we have been monitoring a “fake” infected system - which is a typical procedure we do for APT bots. We were extremely surprised when during the weekend, the APT controllers took over our “goat” infected machine and started exploring it.
On Friday Apri 13, port 80 on the C&C server located at rt*****.onedumb.com and hosted on a VPS in Fremont, U.S. was closed. Saturday, the port was opened and bot started communicating with the C&C server. For the entire day, the traffic was just basic handshakes and exchanges, nothing more.
On the morning of Sunday April 15, the traffic generated by the C&C changed. The attackers took over the connection and started analysing our fake victim machine. They listed the contents of the root and home folders and even stole some of the goat documents we put in there!
1. Remove the Flashback malware about which we have already written
2. Automatically deactivate the Java browser plugin and Java Web Start, effectively disabling java applets in browsers
Particularly, the second step shows the severity of the CVE-2012-0507 vulnerability exploited by Flashback to infect almost 700,000 users via drive-by malware downloads.
Actually, it was the right decision because we can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.
This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.
This month's patch Tuesday fixes a small set of critical vulnerabilities in a variety of client side software and one "important" server side Forefront UAG data leakage/information disclosure issue. Six bulletins have been created to address eleven exploitable flaws. Three of the six bulletins are top priority and should be addressed ASAP. These are the MS12-023 bulletin, patching a set of five Internet Explorer vulnerabilities leading to remote code execution, and the MS12-027 bulletin, patching the MSCOMCTL ActiveX Control currently receiving some attention as a part of very limited targeted attacks. If they must prioritize deployment, administrators should start their work here. Most folks should have automatic updates enabled and will silently receive the patches, or they can simply navigate their start menu and manually begin the Windows update process.
RCE attacks abusing these six IE and ActiveX vulnerabilities would look like web browser redirections to malicious sites hosting web pages attacking Internet Explorer and emails carrying malicious attachments constructed to appear familiar to the targeted victim. These are currently significant vectors of attack for both consumer/home and corporate Microsoft product users.
Microsoft also is recommending that administrators prioritize the Authenticode flaw and rated it critical, which could be used as a part of targeted attacks. And ActiveX controls can be delivered leveraging this vulnerability, so some distribution vectors may become enhanced. But this flaw allows for additions and modifications to existing code that in turn won't invalidate the existing signature.
A vulnerability exists in the .Net framework, allowing for XBAP applications to be run from the Internet Zone with a prompt. But anytime a decision like that is left to a user, it seems that we have a 50/50 chance of successful exploitation. The remaining vulnerabilty in the Office converter is significant and may result in RCE, but is much less likely to be attacked.
Dangerous, but manageable.
I really like the new app by OMGPOP called Draw Something. I play this game with my friends possibly a little too much. Draw Something has attracted more than 50 million downloads, and was just acquired by Zynga for $200 million dollars. It was surprising the other day when I noticed an advertisement at the bottom of the screen for a battery optimizer app. In fact it even told me two upgrades were available!
After intercepting one of the domain names used by the Flashback/Flashfake Mac Trojan and setting up a special sinkhole server last Friday, we managed to gather stats on the scale and geographic distribution of the related botnet. We published information on this in our previous blog entry.
We continued to intercept domain names after setting up the sinkhole server and we are currently still monitoring how big the botnet is. We have now recorded a total of 670,000 unique bots. Over the weekend (7-8 April) we saw a significant fall in the number of connected bots:
This doesn’t mean, however, that the botnet is shrinking rapidly – these are merely the numbers for the weekend.
Over the last few days our server has registered all the data sent by bots from the infected computers and recorded their UUIDs in a dedicated database. Based on this information we have set up an online resource where all users of Mac OS X can check if their computer has been infected by Flashback.
To find out if your computer is infected and what to do if it is, visit: flashbackcheck.com
Also users can check if they’re infected with Flashfake by using Kaspersky Lab’s free removal tool.
Here’s our recommendation on 10 simple tips to boost the security of your Mac:
Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500, 000 infected Mac machines.
We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.
It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.
The bot locates its C&C servers by domain names, and these names are generated using two algorithms. The first algorithm depends on the current date, and the second algorithm uses several variables that are stored in the Trojan’s body and encrypted with the computer’s hardware UUID using RC4 cipher.
We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.
We cannot confirm nor deny that all of the bots that connected to our server were running Mac OS X. The bots can be only identified by a unique variable in their User-Agent HTTP header named “id”, the rest of the User-Agent is statically controlled by the Trojan. See example below:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.
On 20 March, we detected a spam campaign targeting passengers of US Airways. Almost the entire week cybercriminals were sending users the following email allegedly from US Airways:
There is a brief description of the check-in procedure and a confirmation code is provided for online reservation.
The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link "Online reservation details".
Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.
After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.