Defcon 2012 marked its 20th anniversary with unexpected speakers, some pretty tough content, and the cultural dark magic that buzzes the conference every year.
The Dark Tangent welcomed Mark Weatherford, an ex-Navy and Raytheon security guy who became the CISO of the State of Colorado and California and then CSO at the highly regulated NERC before recently moving on to a top spot at the Department of Homeland Security. Weatherford provided some insight into the number of attacks he sees every day, then moved on to explaining that some of the best people he is working with don't have a college degree, and did some recruiting - they are hiring.
The next huge name that Dark Tangent brought out was General Keith Alexander, Commander of the US Army CyberCom and Director of the NSA/CSS. It seems to be a sign of the times that the hacker community would be approached by the individual building out what is becoming the largest group of "cyberwarriors" in the world, attempting to draw shared principles and parallels between the groups. The guy was genuinely funny, rolling out jokes throughout his talk and Q&A answers, inviting kids onstage and showing off multiple T-shirts. Aside from the explanation of their mission and the recruiting talk, a couple of other interesting topics came up. According to Alexander, folks should know better than to claim that the NSA maintains files on every individual in the US, and he thinks that the Cybercom doesn't need to become larger than the current US Navy, partly because of the power that automation and smart work provides. Oh, and they are hiring. It was a repeated theme this past week.
A couple of the talks were shocking in their presentation. FX from Phenoelit and Recurity's Greg analysed just how bad Huawei router code really is from a security perspective; it was almost unbelievable for a product line from a $21 billion company. Their preso began with a Code Quality slide that they claimed was almost left empty. Every slide's content made it seem like Huawei security practices and implementation couldn't be worse than suggested by the previous slide, but they were. And it was bad. After poring over the router code's open services and the inability to disable them, they described a lack of security advisories and updates, interrupt tables with RWX access, a Chinese-only debug interface, a lack of any communication channel whatsoever for reporting vulnerabilities, and a lack of a real security development lifecycle throughout the code development. They then followed Huawei's lead and copy/pasted their decades-old Cisco IOS exploit code into exploits developed for these Huawei routers, targeting 90s-style vulnerabilities. The company clearly also hasn't taken on the security lessons learned from Cisco's experience in this space.
At first, I was disappointed that the "Dr Strangelove" nuclear power plant SCADA system talk was cancelled without notice to attendees until arrival at the talk. It was replaced with a talk on SCADA HMI (human-machine interface) security issues from Wesley McGrew titled "SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor". At face value, it sounded comparatively uninteresting. But it was eye-opening. The talk itself wove through known, commonly approached technical problems that were met with disturbingly juvenile, incorrect security implementations - these systems are critical infrastructure and security requirements are not being met. This talk was complemented by Alberto Garcia Illera's "How to Hack All the Transport Networks of a Country", an account of his pen-testing adventures in the transportation systems of Spain, using simple, unforeseen flaws in publicly accessible systems to peel layers back until they reached the poorly protected SCADA systems. The first talk revealed incredibly weak implementations in SCADA systems, and the second revealed exactly why those weaknesses need to be fixed and better understood by their developers and vendors.
BlackHat USA may have been wrapped up for the year but DEFCON is in full swing. I didn't stay around for DEFCON though, which means I finally have some time to reflect on BlackHat.
This year featured the first time Apple presented at BlackHat, about iOS security. While the presentation lacked the details usually seen in BH talks, it definitely showed Apple is trying to open up. Being (more) communicative is vital to doing security response right.
This is of particular importance for Apple as there were quite a few talks focusing on Apple's security, ranging from attacks on iOS to Mac-oriented EFI rootkits.
The Blackhat 2012 keynote started the event with Shawn Henry, former Executive Assistant Director of the FBI, painting a grim, seemingly unspeakable picture of cyberespionage in the US. It was interesting that he continually spoke about the gravity of the situation and the need to apply what he learned at the FBI to protecting digital assets, but he couldn't describe a single concrete example. At the same time, he claimed that, other than a weapon of mass destruction, cyber threats are the single biggest problem facing this nation. This inability to convey concrete details during the Blackhat keynote only highlights part of the problem in understanding the cyber problem: the overclassification of computer network exploitation (CNE) incidents and a tangled set of dynamics that silence breach data sharing and exchange. There is a long way to go to fix it.
While parts of the talk were very interesting, especially discussion of creating a hostile network for your adversaries and taking intrusion tolerance a step further, it was criticized for being a bit self-promoting. All across the twittersphere, tweets like this one protested signs of this year's corporate influence.
The two days of talks explored some new territory. Day 1 included "Advanced ARM Exploitation", where Stephen Ridley and Stephen Lawler provided some more in-depth Android exploitation details and the quirks in exploring the software and developing exploits on the platform. For example, ROP techniques are required even to perform the ancient ret2libc technique on Android. They pored over data manipulation on ARM and particular assembly-level tricks, specifics of discovering ROP pivots and pushing data onto the stack on ARM for control. The talk provided content from their hands-on, multi-day course "Practical ARM Exploitation", which spans 650+ slides across 12 decks and an 80-page lab manual.
In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.
The Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom, C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data per each of the compromised systems that they are managing over time.
The services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:
Here is a global map representing the approximate location of Madi victims, based on GeoIP data. While the overwhelming percentage of Madi victims in the Middle East is not best visualized in this graphic, it helps to understand the Madi reach:
Last night, we received a new version of the #Madi malware, which we previously covered in our blog.
Following the shutdown of the Madi command and control domains last week, we thought the operation was now dead. Looks like we were wrong.
The new version appears to have been compiled on July 25th, as can be seen from its header:
It contains many interesting improvements and new features. It now has the ability to monitor VKontakte, together with Jabber conversations. It is also looking for people who visit pages containing "USA" and "gov" in their titles. In such cases, the malware makes screenshots and uploads them to the C2.
Here's a full list of monitored keywords:
"gmail", "hotmail", "yahoo! mail", "google+", "msn messenger", "blogger", "massenger", "profile", "icq", "paltalk", "yahoo! messenger for the web", "skype", "facebook", "imo", "meebo", "state", "usa", "u.s", "contact", "chat", "gov", "aol", "hush", "live", "oovoo", "aim", "msn", "talk", "steam", "vkontakte", "hyves", "myspace", "jabber", "share", "outlook", "lotus", "career"
Together with our partner, Seculert, we've thoroughly investigated this operation and named it "Madi", based on certain strings and handles used by the attackers. You can read the Seculert analysis post here.
The campaign relied on a couple of well known, simpler attack techniques to deliver the payloads, which reveals a bit about the victims' online awareness. Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia. Individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time.
This post is an examination of the techniques used to spread the Madi malware to victim systems, the spyware tools used, and quirks about both. In some cases, targeted organizations themselves don't want to provide further breach information about the attack, so some perspective into the parts of the campaign can be limited.
There are just 11 days to go until the opening ceremony of the Summer Olympic Games in London. With the games fast approaching, now's a good time for us to issue a gentle reminder about security.
I'm not thinking here about the security of the games themselves. It's possible, of course, that someone might try to disrupt the systems used to support the games - for example, defacing web sites, tampering with scoreboards, or planting malware on official games web sites. But the UK government has put in place a team to try to minimise the risk of direct attacks on London 2012 systems.
But I'd like to highlight two possible dangers that might affect visitors to the games.
First, there's the risk of being tricked into visiting a fraudulent web site that, at first glance, seems to be a legitimate site, e.g. 'www.london2o12.com'. It's possible that scammers might try and cash-in on the last-minute scramble for tickets. This could be done to sell bogus tickets, or simply to trick people into entering personal information. And phishers don't just use e-mail to drive people to such sites. These days, cybercriminals are just as likely to use instant messaging, or messages in social networks.
Second, there's the risk associated with accessing unsecured wi-fi networks. In an 'always-on' world, wi-fi offers a way of staying connected; and you can find a wi-fi hot-spot nearly everywhere you go now. But if it's an unknown, untrusted wi-fi network, it's possible for someone to intercept the data you transmit. So if you're using a laptop or tablet, make sure you have a secure connection by always using 'https'; and use a unique, complex password for every online account (i.e. one that mixes letters, numbers and symbols and is more than eight characters). If you're using a smartphone, don't use an untrusted wi-fi network for any online transaction where you need to type in confidential data - this includes banking, shopping and social networking. And if you have to use public wi-fi (for example, for work), it's best to use VPN functionality, whichever operating system you use - Windows, Mac OS, Android or iOS.
So if you're looking to buy tickets for the games, or just planning to be in London this summer, be vigilant and stay safe.
* Wenlock and Mandeville are the official mascots of the London 2012 Summer Olympics.
This month's Patch Tuesday brings a set of three "critical" bulletins focused on Windows/web browser component vulnerabilities and six other bulletins rated "important". In other words, two of the critical components are considered "Windows" components, but most likely would be attacked through the web browser. Also, the top priority bulletin patches the CVE-2012-1889 vulnerability being exploited not only by attackers targeting high value targets, but also by common-off-the-shelf/commodity exploit packs.
Kaspersky products detect malicious web pages exploiting CVE-2012-1889 with "HEUR:Exploit.Script.Generic". Addition of a working exploit targeting MSXML Core Services 3.0 within IE6 and IE7 XPSP3 to the Metasploit Framework on June 12th helped make this one more mainstream. While it may seem that targeting XP would limit its reach, it's important to note that various market share surveys and reports show that Windows XP continues to take major OS market share. Interestingly, the MS12-043 Bulletin addressing this vulnerability patches MSXML Core Services 3, 4, and 6, leaving out version 5. Versions 3 and 6 ship with Windows itself. Accordingly, msxml3.dll and msxml6.dll reside in c:\windows\system32 across all supported versions of Windows, while the other versions are installed by Microsoft Office and other software.
Also patching the potential for web client-side drive-bys, MS12-045 addresses an MDAC vulnerability, reminiscent of MS06-014, one of the longest lasting, most reliable, most heavily targeted client-side vulnerabilities in Microsoft technology. It was taken advantage of for years by the Russian Business Network, purchasers of MPack, and later others, distributing Torpig and Rustock, while the nascent exploit kit market was solidifying back in 2006. It continues to be included in some of the live exploit pack control panels that we see. We'll see how this new MDAC issue compares.
The third of the bulletins fighting "critical" rated web client side vulnerabilities fixes a couple of newer vulnerability types being targeted ("Cached Object Remote Code Execution Vulnerability - CVE-2012-1522", "Attribute Remove Remote Code Execution Vulnerability - CVE-2012-1524") introduced by Internet Explorer version 9 itself. Versions 6, 7 and 8 do not maintain the vulnerable code.
With that, we leave you to your regularly scheduled patching.
Thank you Barry Greene and the DCWG. The DCWG-run DNS servers have been taken down:
"On 12:01 Eastern Time on Monday July 9th 2012, the DCWG stopped responding to DNS queries from infected machines. This is in compliance with the US Justice Department Court Order authorizing the clean DNS servers.
At 12:23 Eastern Time on Monday July 9th 2012, the server started to reply to all DNS requests with an ICMP Unreachable. This would help infected computers troubleshoot their problem if they find they cannot access DNS servers."
Here we are. It's the last call on DNSChanger cleanup. On Monday, the FBI-run replacement DNS servers are coming down because the court-ordered extension is coming to an end, and your systems may be using these servers for resolution. There is a set of sites that may unreliably help you identify whether your machine or router continues to maintain DNS settings pointing to the "DNSChanger" operators' servers. This unreliability is partly because upstream major internet backbone providers have created unintended confusion, and partly because of poor/ineffective web-side detection implementations.
In the US, 60k hosts are reported to still need their DNS settings changed. How many of those systems are truly "infected"? No one knows. And the number could be inflated. It could be that none of these systems are infected. Or all of them could be infected. Perhaps all LAN-side systems behind home and corporate routers, or systems cleaned of malware that may still maintain artifacts of this infection, continue to use Rove Digital servers for DNS resolution.
In other words, it doesn't mean you have pneumonia, but you still have a cough. And it makes you extraordinarily more likely to get sick again. Some vendors' products, like ours here at Kaspersky, have been detecting the artifact DNSChanger settings on affected machines and offering to reconfigure these settings to a set of "clean" DNS servers. This DNS reset routine is presented by Kaspersky Endpoint Security 8.0 and 2010+ home products with this popup for "Trojan.Multi.DNSChanger.Gen":
Just click on "Yes" and your system's DNS settings will be reconfigured to use DHCP-assigned or clean, open DNS services. After host-side reconfiguration, it still would be interesting to visit the www.dns-ok.us sites to find out if your home router is still maliciously configured.
Next Monday, 9th of July, at 06:00 (MEZ) the temporary DNS servers set up by the FBI will be shut down. But there are still thousands of infected machines – one can wonder, what will happen to them?
Computers on the internet have their own address – the IP address. There are two versions:
You can clearly see that these addresses are not as easy to remember as e.g. “kaspersky.com”. Therefore the “Domain Name System” was created, which translates domain names such as “kaspersky.com” to their respective IP address to connect to the server.
The DNS-Changer malware replaces the DNS-servers on the infected system with its own. FBI Press Release
They do this because it facilitates “Click Hijacking”, a technique where infected users are redirected to the criminals' advertisement websites, and “Advertising Replacement”, where the advertisements on legitimate websites are exchanged for ones from the criminals.
Luckily, the FBI caught the criminals and installed temporary DNS-Servers in order to avoid a “black-out” for the mass of infected computers.
This temporary solution will come to an end on Monday when the servers are shut down. When this happens, the infected machines will no longer be able to resolve domain names in order to connect to e.g. a website.
Of course, if you know the address of the server you can still use it instead of the name, e.g. 220.127.116.11 is “securelist.com”, but this is not an easy solution.
We would like to point out that despite the big noise around this topic, there is no need to panic. The solution is rather simple – read below for more.
First of all, it might be interesting to point out that in 2012 we detected 101.964 attempts by DNSChanger malware to infect our users.
The good news is that the infections were blocked and the number of infection attempts is going down.
For instance, this map of the past week shows that the number of infection attempts/detections is decreasing. Of course, computers with no or old protection are still in danger of possible unspotted infections.
So, how to check if you are infected with DNSChanger?
The DNS Changer Working Group provides helpful information on their website – unfortunately, as we previously mentioned, the automatic websites set up for this purpose do not work 100% well. So, the manual solution of checking the DNS server IPs is better.
If you are infected, you can change your DNS entries to the free DNS-Servers from Google: 18.104.22.168 and 22.214.171.124. OpenDNS also offers two: 126.96.36.199 and 188.8.131.52, which we also recommend for additional security features.
The best solution is of course to install a security suite capable of detecting and cleaning the infection and fixing the DNS servers.
Since many DNSChanger infections are accompanied by TDSS, a rather nasty rootkit, you can also use our tool “Kaspersky TDSSKiller” in order to detect and delete the infection.
Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.
However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.
The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.
Find and Call in the Apple Store
Find and Call in the Google Play
All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:
You may wonder why this is relevant. Well, on 6th of July, his holiness will be 77 years old, a kind of round number. It is no surprise that “Dalai Lama Birthday” attacks are already ongoing.
On July 3rd, we noticed a new APT campaign entitled “Dalai Lama’s birthday on July 6 to be low-key affair”:
Browsing is a risky activity from a security point of view. The good old times when we could identify a bunch of suspicious sites and avoid them are gone forever. Massive infections of websites are common nowadays, blindly infecting as many sites as possible. Once these sites are compromised, the access is usually sold to cybercriminals. At this point the site hosts malware or redirects victims to some exploit kit.
We have seen this hundreds of times, a recent example being the distribution of Flashfake through compromised WordPress blogs.
Thanks to KSN we have nice stats of the sites browsed by our customers and detected as malicious. And thanks to KIS/KAV protection, users can happily continue browsing without further inconvenience.
I have been analyzing compromised sites with ES TLD during the last month, wondering what the most dangerous sites for Spanish users are. These are the top 5 verdicts: