FacebookTwitterLinkedIn

News Archive June 2013

Table of contents:

Ruby on Rails Server Exploit

01.06.13

An active malware campaign has been discovered that is targeting the Ruby on Rails web development framework.  The exploit works by remotely editing the web server to allow the download of a file which can then be compiled and executed. First introduced as an open source platform in 2004, Ruby on Rails is a full-stack framework that allows creating pages and applications that can gather information from a web server, query a database, and render templates.  Rails uses many software engineering “best practices” including active record pattern, convention over configuration, and model-view-controller and has become a popular web development tool.

The framework began to receive widespread attention in 2006 when Apple announced that it would begin shipping OSX with Rails already installed.

Some of the most well-known Rails installations include Heroku (PaaS owned by Salesforce.com), Engine Yard (privately owned PaaS), and TextDrive. This exploit relies on a known vulnerability that was originally announced in January and has since been patched by the Ruby on Rails development community.  The original National Vulnerability Database announcement, CVE-2013-0156, describes the vulnerability as being capable of unauthorized disclosure of information, unauthorized modification, and allowing disruption of service.  Access complexity is deemed as “low” meaning that the vulnerability is easy to exploit.  The affected code in the Rails framework is designed to process parameters.

Ruby on Rails Exploit When an unpatched server is located, the exploit works by editing the web server’s chrontab to download a file into the /tmp directory where it can be compiled and executed.  A custom chron job, which is a scheduled task for Linux, is added to the chrontab and executes commands after execution.

Although the functionality is limited to downloading files and changing servers, there is no authentication performed.

This means that these newly created bots could be hijacked and used very easily by issuing commands through an Internet Relay Chat (IRC).  The communications path between the bots and the attacker is unencrypted.  Any hacker could intercept and modify the instructions being sent to the botnet just by listening on the correct IRC channel.  The exploit can also be used to launch a DoS attack on the web server according to the report.

The result is a loophole that can download malicious source files from a remote server where it is compiled locally and before connecting to an IRC server.

Listening on a specified channel, the bot will then wait for commands to be issued through the IRC by the attacker. This vulnerability has been patched starting with Version 2.3.15.  Administrators should update the framework installation to at least this version to prevent this exploit from affecting their systems.

Back to Top

Microsoft and the FBI Work Together

07.06.13

Citadel malware has recently been responsible for at least $500 million in global losses.  Although the crime ring is still in operation, Microsoft took a big chunk out of the operation with help from the FBI this week.  Two large data centers that reportedly manage Citadel botnets were confiscated.  This action effectively shut down almost 1,500 botnets and experts are saying that it is only the beginning of the end for the criminals who are responsible. Like any botnet malware, the program is capable of sitting dormant while waiting for instructions from a host that could be located anywhere in the world. This Citadel botnet relies on keylogging techniques to record the keystrokes on victim’s computers. Specifically, the criminals have been targeting the online banking credentials of individuals and then using those credentials to clean out the accounts.

Additionally, the criminals have been able to view personal information about the victims by accessing their online account profiles and this information has been used in more than one instance for identity theft. Citadel is a fully functioning crimeware kit.

This means that potential criminals can purchase or even rent the kit to create their own malware twist.

These criminals do not even need to understand coding to successfully deploy one of these dangerous packages because the Citadel kit uses a simple graphical interface that just about anyone can understand.  The commercial sale of malware packages has become a big business on its own and accounts for a large majority of cybercrime in the United States and throughout the world.

Microsoft and the FBI Work Together Against Massive "Citadel" Cybercrime Ring The Citadel malware is especially dangerous because it disables anti-virus software on the infected computer.  This makes it nearly impossible for the average user to remove the malware effectively. Using DNS redirection techniques that are embedded within the Citadel framework, a spoofed map of the Internet can be fed to infected machines making it impossible to download programs capable of containing the infection. This same technique is what allows Citadel to redirect computers to phishing pages that can reveal even more information about victims than the keylogging software alone.

Estimates reported by Microsoft state that approximately 5 million people have been affected in more than 90 different countries.

The majority of infections were reported in the United States, Europe, Australia, India, Singapore, and Hong Kong. When federal agents led Microsoft officials into the data centers located in New Jersey and Pennsylvania, both data and other evidence were seized from the botnets.

The FBI has since reported their findings to foreign law enforcement agencies in the hopes of bringing down some of the international data centers hosting this malware.

Keep in mind that the two servers were responsible for managing almost 1,500 botnets.  The actual number of bots, or infected machines, that are protected from further damage as a result of the seizure was not disclosed but the number is most likely in the millions in the U.S. alone. Hopefully international agencies that are now armed with knowledge shared by the FBI will be able to take down command servers around the world to end the expensive destruction that this malware epidemic has caused.

Back to Top

Zeus Virus Still a Threat to Facebook Users

09.06.13

Zeus is a well-known Trojan that is capable of stealing bank account information.  Although Zeus and Facebook have crossed paths before, new reports from Symantec state that the number of infected machines accessing Facebook is on the rise thanks to a Russian cybercrime ring. Originally discovered in 2007, the virus has been silently spreading throughout the Internet and is often associated with online banking fraud.  In 2009, the malware had compromised over 74,000 FTP accounts across the web including Bank of America, NASA, and Amazon among others.  Current estimates report that the wide reaching Zeus botnet has control of millions of computers in the United States alone. Like many other Trojans, Zeus is installed using a payload dropper such as the Blackhole exploit kit.

This kit is commercially available in the hacking underground and searches millions of possible exploits until it finds a vulnerability in the target machine.  Once a vulnerability has been detected, Blackhole drops its payload and in this case Zeus installs itself onto the local machine. The malware relies on a keylogging method known as “man in the browser.”

Zeus monitors and records every keystroke entered while the Internet browser has the focus and sends this information back to the criminals.

It also uses a technique called “form grabbing” where it displays a message to users asking them to re-enter their login information.  The form the user is presented with is fake and the input is recorded and sent back to the attackers.  Once the criminals have the banking credentials they are able to log into the account and transfer money to other accounts where it can be laundered.  Identity theft is also a serious concern with this type of attack considering that online banking portals typically house lots of personal information that is valuable to criminals.

Zeus Virus Still a Threat to Facebook Users The malware is spreading across Facebook in epidemic fashion with a new phishing scheme that is reported to be the work of the Russian Business Network. a Russian crime ring.

Once a Facebook account has been compromised it immediately starts sending messages to every person in the “Friends” list of the compromised account.

Usually the message asks recipients to check out a link or video which redirects them to a phishing site where the Blackhole kit can run its magic. Not only can Zeus record the keystrokes of users but it is advanced enough to spoof popular online banking sites on the fly to use form grabbing techniques.  Currently, Zeus only affects Windows based computers.  OS X and Linux machines are safe for the moment.  Once a Windows machine has been infected, it becomes very difficult to remove.  Worse yet, even major antivirus manufacturers admit that although their products may stop some attacks, the number of Zeus variants means that some attempts are still likely to be successful.

Reports suggest that Facebook is aware of the issue but has not taken any clear action to prevent future attacks from occurring.

This is in spite of recent warnings from security experts and the release of Zeus variants for the Android operating system.  Currently this mobile OS is responsible for a large portion of Facebook traffic and new iterations of Zeus that target this mobile OS could be next for international cybercrime rings.

Back to Top

Bootkits Are Making a Comeback

24.06.13

Malware aimed to infect the Master Boot Record (MBR) of a Windows machine is making a comeback.  Known as bootkits, this malicious technique has received more attention as a viable option for hackers in an effort to bypass Windows security measures such as Windows PatchGuard and kernel driving signing.  Both of these security measures were introduced with the launch of Windows Vista and have been included in all releases since.  Some bootkits attempt to overwrite the MBR completely while others change values and ultimately hijack the boot process.

Guntior is a bootkit of Chinese origin that has been making the rounds for quite some time.

Current versions of the dropper used by Guntior have been around since at least 2010 and instances of it are still found with regularity worldwide.  Although bootkits in general are nothing new, the Guntior dropper uses some different techniques to bypass standard Windows security features.

Guntior bootkit
The dropper consists of two branches that work together to trick Windows.  A dynamic link library (DLL) and an executable file.  Once the dropper kicks into action, it copies itself into the System32 folder and creates new versions of HelpCtr.exe and msimg32.dll.  Both of these are legitimate files that Windows relies on to launch the Help Menu.  Both of these files are housed in a Temp folder and the dropper ensures that the Temp folder is embedded in the path ensuring that the malicious file versions are loaded instead of the legitimate ones. 

Similar techniques have been used to exploit the digital signature of NVIDIA to inject malware into a system.

The malicious program is then called by simulating the hotkey combination (Win+F1) that a user would typically press to start the Windows Help Center.  The path variable is then reset which makes detection of the bootkit that much more difficult. Unlike many other bootkits that hijack the I/O path by residing within the miniport driver, Guntior hides in the disk class drivers.  Although this technique does not result in as deep of an infection, the malware is still able to manipulate the storage filter drivers which adversely affects the abilities of installed security software to read and write to the disk.

As consumers become more aware of malware infections, MBR hijacking is one of the most effective ways for criminals to hide malware on an infected machine for longer periods of time.

When a bootkit loads, it does so before any Windows security features have been activated.  The malware essentially has free reign to read and write to the hard disk without interference.  Although many antivirus programs are capable of detecting the installer and preventing the infection, once the MBR has been compromised it becomes much more difficult to remove or even detect.  The TDL rootkit is another example of how difficult it can be to eliminate this invasive type of malware from a machine.  The antivirus company Kaspersky even went so far as to create a special removal tool for the TDL rootkit.  Similar techniques are often required to effectively and permanently remove Guntior.

The best way to prevent Guntior or any other boot exploit is to avoid downloading the dropper.

This means keeping antivirus software and Windows itself updated to prevent drive-by download attacks.  These infections are also known to pop up on P2P sites such as FrostWire frequently.  Although not impossible, removal is certainly more difficult and the effects on a system can be devastating.

Back to Top

Google Chrome Exploit Allows Access to Webcam

24.06.13

Webcam hacks aren’t really anything new.  Remote administration tools have allowed criminals to monitor web cameras remotely once an exploit has been used to install malware on a computer.  Even the newest webcam threat isn’t really new but it has been gaining popularity with hackers once again thanks to a security flaw in the Google Chrome browser plugin that handles Adobe Flash requests. Originally patched by Adobe in late 2011, the flaw is allowing hackers to control both audio and video channels of any attached webcam if users are browsing the web using the very popular Google Chrome browser.

The exploit relies on click jacking techniques that have been used by hackers for years.  A transparent Flash element is placed somewhere on a webpage.

Once a user inadvertently clicks on the transparent element, control of both the microphone and webcam are handed over to the criminal often without the knowledge of the user.

Flash does not have dialog boxes that pop up outside of the browser.  Instead, any Flash dialogs are part of the current browser window making it very easy for hackers to overlay the dialog with opaque elements making it impossible to see prompts warning a user that his or her webcam has been activated by the web page.

Google Chrome Exploit Allows Access to WebcamUnlike many malware epidemics that are targeted at a specific operating system (usually Windows), this threat affects all operating systems running the Chrome web browser.  Mac OS X and Linux are just as easily affected by this flaw because it preys on a vulnerability in the way Chrome handles transparent elements rendered on a page.

Other browsers such as Firefox, Opera, and  even the often targeted Internet Explorer are not affected by this threat.

What makes matters worse for the Internet giant Google is that it recently challenged all vendors working with the company to fix all discovered vulnerabilities within one week of discovery.  Unfortunately for Google, this vulnerability was originally released earlier in the month by a Russian security expert but was not proven in the United States until days later.  This means that it has already been over a week and the vulnerability has yet to be patched by Google although the company is promising a fix by the end of this week.

Until the vulnerability is fixed, the only way to truly prevent falling victim to this threat is to disable the webcam when it is not being used.

If it is integrated hardware such as in most newer model laptops, the webcam can be disabled from the Device Manager console.  If it is an external webcam powered by USB, unplugging the hardware is the simplest way to thwart attack.  Many newer webcams are equipped with a LED indicator that illuminates when the webcam hardware is in use.  This can be a tell-tale sign that the webcam may be under the control of someone else although not every webcam is equipped with an indicator.  Even users who cover their webcam with tape when not in use would be unable to prevent a criminal from listening in until this vulnerability has been patched.

Back to Top

Malware Sales are Going Mainstream

24.06.13

It’s no secret that cybercriminals have been selling Malware as a Service more frequently.  Entire botnets can be rented or purchased and used by the buyer for any number of illegal activities.  Most of this buying and selling activity is limited to underground chatrooms and other places not typically accessible by an average Internet surfer.  This trend is beginning to change, however, as more e-retailers are opening their doors to the general public by selling malware-infected machines to anyone who feels the need to control someone else’s computer.  Some of these companies are even offering bulk discounts depending on how many machines are purchased.

This trend attests to the epidemic spread of botnet malware across the Internet.  As many as 1,000 infected host computers can be purchased from these types of sites for a mere $60.  One such website is also selling U.S. based machines.  These machines command a much higher price than their international counterparts with 1,000 U.S. based hosts available for $120.  Even this figure is small considering the amount of damage that can be done with 1,000 individual bots.

The infected machines usually have remote administration software already installed.

This means that the criminals can load additional malware onto the machines easily. This might include keylogging software or even the notorious Zeus malware capable of hijacking and clearing out a bank account in a matter of minutes.

The more recent retailers selling this type of commodity are even going so far as to guarantee that once purchased, the infected machines will not be sold to any other customers.

One site’s homepage acknowledges the frustration felt by cyber criminals when they purchase bots only to have the botnet be discovered and shut down shortly thereafter. Recent estimates have reported that the number of infected bots in the United States alone is well into the millions and these machines are now available to anyone with a little bit of cash to spend.

Malware as a Service

Most of these sites list Perfect Money and Web Money as the preferred payment method.  Both of these services are heavily used by the majority of Russian and other Eastern European cyber criminals.  Many of the most recent and devastating phishing scams have come out of this area.  New variations of Zeus also tend to have ties to the area.

Obviously the sites are targeting a customer base outside of the U.S. but machines within the U.S. are the prime targets for these expansive criminal gangs.

Some experts are attributing the increase in these blatant sales tactics to more widespread adoption of the P2P based e-currency Bitcoin service.  Although this certainly plays a factor in the recent surge, it seems that this trend is gaining popularity because of the increased reliance on technology being experienced worldwide. The sheer volume of consumers conducting sensitive transactions online makes for easy money in the hacking underworld and it is a threat that is likely to become more serious especially with the introduction of sites that make becoming a cyber criminal as easy as shopping for electronics online.

Back to Top

Facebook Bug Leaks User Information

24.06.13

As many as 6 million users have had their personal information compromised as a result of a glitch in the Facebook programming interface.  Email addresses and phone numbers were released to other Facebook users inadvertently because of a bug in the “Download Your Information” tool. Serving as yet another reason why you should refrain from adding unnecessary personal information to social media sites, your email address and phone number could now be possessed by people who you do not know at all.  At the very least, Facebook “Friends” could have downloaded this information whether you intended them to have it or not.

A Facebook spokesperson stated that the bug was patched within 24 hours of being discovered by a freelance security analyst. The official explanation for the data breach is that Facebook uses contact lists and address books to match similar data to other Facebook users. This is how the social media site is able to recommend people that you may know or be friends with. The programming also differentiates between people who are already using Facebook versus those who do not have active accounts.  This allows the website to recommend inviting people to sign up for Facebook if they are not members and sending friend requests to those who already frequent the site.

The software glitch stored some of the personal information used by Facebook to make these determinations in files associated with individual contact information for each user.

What this means is that when you use the “Download Your Information” tool (designed to keep a local copy of your personal information) you also download the extra data relating to people you may or may not actually know.  

Facebook Bug Leaks User Information Although the likelihood of this bug having any serious consequences is minimal at best, the leaked information is another instance of social media sites mishandling private information and consumers posting more information than is probably necessary for their social media experience.

Facebook reports that they have not had any user complaints regarding information falling into the wrong hands yet but has already notified regulators of affected areas including the United States, Canada, and Europe.

The company also plans to send emails to all affected users that include specific details about the information  that was inadvertently shared. Despite the minimal amount and type of data that was compromised, Facebook could face consequences in the form of increased scrutiny from privacy advocates or investigations from the Federal Trade Commission.  The social media mogul and the FTC have had unpleasant run-ins in the past and this one (if it occurs) would surely be no different. As usual, the best course of action to mitigate potential losses due to social media blunders is to refrain from posting unnecessary information on the site.  A small amount of vigilance can protect your information whenever these events occur and prevent the potential for further losses as a result.

Back to Top

Carberp Source Code Leaked

29.06.13

Carberp is a botnet creation kit created by a team of hackers who used it to steal over $250 million from banks.  The kit has been available for some time in the hacking underworld but it has always come with a price tag that was typically too high for cyber criminal wannabes.  Now that the source code has been leaked across the Internet, the fear is that anyone can begin making dangerous hybrid releases previously unseen to once again siphon money from banks around the world.


The leak started as a one-time sale in a cybercrime forum known as Lampeduza.  The seller claims to have been helping out one of his friends who helped develop the botnet kit.

The code was listed for sale for $25,000 and within two weeks of its sale the entire source code was freely available on multiple forums.

A Russian blogger was quoted as saying that “leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory.”  In other words, the source code aids in the creation of a variety of malicious tools; many of which are probably yet to come as the hacking community is just getting its hands on the code.

Carberp Source Code LeakedThe kit contains multiple components most of which have already been used in large scale criminal heists.  The Carberp bootkit is a component that is capable of bypassing the Patchguard protection built into Windows 7.  This means that the malware is loaded into memory long before any Windows security measures have been activated by the OS.  Fortunately, the bootkit is not currently working on Windows 8 machines although this could be fixed quickly with the release of the source code.  Other components include a Trojan called UrSnif and and the notorious Citadel botnet. With download mirrors popping up all over the Web it is only a matter of time before new variants of the Carberp botnet are released. This event is very similar to the leak of the Zeus malware in 2011. Shortly after that leak, the Citadel botnet started showing up and is currently one of the top online threats in the world.  Many people believe that Citadel is a product of the Zeus source code leak and feel that new threats will emerge quickly following the latest leak. Although the original sale stated that the code was being sold for a friend who needed cash, the amount of personal information found within the leaked code suggests otherwise.

Skype names, addresses, and other information about the hackers who created the kit were found in the leak.

This means that either the code was stolen or as some experts are surmising, there was a dispute among the creators and the end result was leaking the kit to the world.  In either case, the information obtained will aid law enforcement in the never-ending task of tracking down these criminals. Security experts have been combing through the code since its release hoping to gain a better understanding of the cybercrime underworld and the possible variants that could come of this botnet kit being released to the public.

Back to Top

Glazunov Exploit Kit

29.06.13

Although the Glazunov exploit kit was discovered almost two years ago, the kit has recently been used with more frequency as hackers try to find new ways to bypass security measures.  Since Glazunov is not considered mainstream, it gets less attention from software developers as an imminent threat and has the potential to be detected less often than other, more notorious exploits. Similar to most of the other kits in use today, Glazunov relies on drive-by downloading to infect machines quickly and easily.

Although cyber criminals have been trying different methods to avoid detection, the favorite is to inject iframes into legitimate websites. This type of attack preys on a vulnerability inherent to all web browsers that allows one website to be embedded in another site using the iframe html tag.  Using iframes is a great way to display the contents of another site within a page.

Unfortunately, the iframe has a parameter that allows it to be 0 pixels in size.

In other words, the iframe exists, the second web page loads, but the user does not see anything because the iframe itself is 0 pixels.

Glazunov Exploit Kit A hacker first exploits a vulnerability in a known website and then embeds the iframe tag somewhere within the page.  The iframe points to a malicious site that relies on javascript to deliver its payload to the unsuspecting user.  Most browser will pop up a security warning about active content on the page but many users are not familiar with the danger and allow scripting; inadvertently downloading whatever payload the javascript dictates. In this case, Glazunov delivers some form of malware to the machine. The exploit designers have recently been using new techniques in an attempt to make detection more difficult. Specifically, they have been fragmenting the injected scripts into three separate parts.  Although the payload can vary greatly, the most common payload delivered by Glazunov has been ransomware.  These are programs that are designed to make a computer practically unusable because of popups and other alerts insisting that the user purchase some software product.  Even if the user does purchase the “solution,” there is often no relief from the malware.  In fact, many times the payment information is also stolen making the threat of identity theft a serious concern as well.

One feature that makes Glazunov unique among current exploit kits is that the malicious landing page is injected directly into the compromised site instead of redirecting the user to a malicious landing page.

This makes detection by average Internet surfers much less likely.  The exploit also seems to favor Apache based web hosts which means that another malicious Apache module may be making the rounds and compromising  web sites as it goes.  Finally, the exploit shares many similarities with other current exploits including Sibhost and Flimkit.  Although only speculation at this point, security experts think this points to a common criminal group that is behind all three of these exploits.  At the very least a few groups are working together and sharing information.

Attacks like this are unlikely to be eliminated anytime in the near future but one action that can dramatically decrease the chances of becoming a victim is making sure that Java is fully updated.

With all the latest Java patches, Glazunov will not work.  However, in light of all the recent zero-day exploits being released, users may also want to consider uninstalling Java from their machines completely.

Back to Top

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal