News Archive June 2014
Written by Karolis Liucveikis on (updated)
Table of contents:
- Social Media Privacy Continues to Disappear
- The End of Gameover?
- Ransomware is Evolving Quickly
- Dangerous New Banking Trojan Written From Scratch
- New Banking Trojan Not Related to Zeus Malware Family
- A Trojan with Built-in Antivirus?
- New WordPress Vulnerability Opens Up Thousands of Sites to Hackers
- Havex Malware Targets Industrial Organizations
Social Media Privacy Continues to Disappear
For many readers of this blog, social media has become synonymous with government intrusion. Others, unfortunately, do not truly believe many of the claims made in recent months by the likes of Edward Snowden and countless computer security websites around the world. This article is for those people… The Secret Service recently released a Request for Proposals (RFP) – officially known as Solicitation No. HSSS01-14-Q-0182 and entitled Computer Based Annual Social Media Analytics Subscription – that was posted publicly for everyone to read. The RFP specifically states that the Secret Service is interested in a software platform capable of synthesizing social media postings and associated data.
Specifically, the software should be able to both define and discover the individuals, businesses and other media outlets who influence social media at its core. In other words, the Secret Service wants software that can figure out who people are paying attention to on social media sites and what exactly they are saying. And all this should happen at the push of a button, 24 hours a day and seven days a week. In addition to scouring social media data in general, this new software also needs to have a specific functionality that may surprise you.
The Secret Service is requesting that all potential solutions also include the “ability to detect sarcasm and false positives.” The request is real. One only needs to look at the news to see the effects that social media can have.
For example, a British man was recently arrested because he posted a comment on Twitter stating that he would blow up the local airport if it wasn’t cleared of snow. His comments were purely sarcastic and he was later found innocent of any crime, but not before being arrested as a suspected terrorist and losing his job.
A spokesman for the Secret Service stated that "Our objective is to automate our social media monitoring process. Twitter is what we analyze. This is real time stream analysis. The ability to detect sarcasm and false positives is just one of 16 or 18 things we are looking at."
Not only is the United States government admitting that it closely monitors social media events, but that it also wants to automate the process. It wants to identify influential social media presences whenever they occur and even wants to differentiate between sarcasm and a real threat.
Social media is not safe. In fact, it never will be and should be avoided at all costs if you value your privacy at all. The fact that government organizations are now publicly announcing these domestic espionage programs is a testament to the nature of current affairs around the world as it relates to Internet privacy – or perhaps more appropriately – a lack thereof.
The End of Gameover?
The United States Justice Department recently announced that international law enforcement – working together in a joint effort – have successfully seized control of the notorious Gameover Zeus botnet. Estimated to have infected well over one million computer systems around the world, Gameover is a dangerous variation of the ‘standard’ Zeus malware kit used to harvest sensitive personal and financial data from victims. Other uses include renting out the botnet to elite hacking groups for online extortion attempts, spam campaigns and other illegal activities. Gameover is based on the Zeus Trojan which has involved to include an entire family of derivative malware including the Citadel banking Trojan. While Zeus was typically sold as a botnet creation kit which anyone could purchase and deploy, Gameover has been exclusively controlled by a cybercriminal syndicate hailing from Russia and Ukraine.
This group of hackers has been using the Gameover botnet to takeover high-value corporate targets around the world. Often, the attack would be accompanied by a massive Distributed Denial of Service (DDoS) attack designed to distract potential victims until the theft attempt was successfully completed. At the time of this writing, Gameover is responsible for more than $100 million in thefts with victims ranging from individuals to large corporations. Recent evidence also suggests that the hackers responsible for the widespread dissemination of Gameover have been renting out sections of this powerful botnet to other cybercriminal organizations. This blog recently reported on the rise of ransomware – software designed to lock a victim’s files until a ransom is paid.
Apparently, Gameover was used extensively to spread one of these ransomware programs known as Cryptolocker. According to information from Dell SecureWorks, Gameover is primarily spread using Cutwail – the world’s largest spam botnet.
Email campaigns posing as legitimate businesses attempt to lure potential victims by including invoices, order confirmations or notifications of unpaid bills that prompt users to click on a link. Unfortunately, these links send victims to compromised websites that look for outdated web browser plugins and other security vulnerabilities that can be used to install Gameover without the knowledge or consent of the victim.
What makes Gameover even more dangerous is that it relies on a P2P networking structure that has made it nearly impossible for law enforcement or security experts to dismantle the botnet. Although the botnet has not been completely dismantled at this time, the Justice Department has issued a warrant for the author of the original Zeus Trojan – Evgeniy Mikhailovich Bogachev; a man with ties to Gameover as well.
As authorities move in on the criminals behind Gameover and attempt to dismantle one of the most prolific malware campaigns of this century, the hope is that this dangerous malware variant is removed from existence. Unfortunately, the P2P nature of the botnet – coupled with the fact that many of the criminals involved are still unidentified – means that the Justice Department and international law enforcement cooperatives likely still have a long way to go in their quest to destroy Gameover.
Until the day when Gameover is officially decommissioned, never click on email links from companies you do not expressly do business with. Unsolicited phishing emails are one of the primary tactics used by Gameover creators to lure unsuspecting victims to malicious sites loaded with drive-by malware downloads.
Ransomware is Evolving Quickly
Ransomware has become a hot topic lately as more and more criminal organizations realize the profit potential of this lucrative – albeit destructive – form of malware. There have been numerous variations spreading across the Internet in the last few months. Some have been mildly successful while others are impossible to remove without the decryption key. Cryptodefense is a good example of a ransomware variation that could have been much more dangerous. As it turns out, the developer of Cryptodefense accidentally left the decryption keys hidden in an application data folder on the user’s computer. While the average user probably wouldn’t be able to locate this information, security experts quickly learned how to avoid paying the ransom and losing their files forever.
But, as is usually the case, hackers learn quickly and ransomware has now evolved into an impermeable form of malware that literally forces users (both novice and advanced) to pay up or lose their important files and folders permanently. The same developer responsible for Cryptodefense has created a much more dangerous version known as Cryptowall and an improved version of Cryptodefense that are both impossible to decrypt without paying the ransom fee in return for the encryption key.
Both of these malware versions rely on the extremely robust RSA 2048 encryption standard which is impossible to break without the use of massive botnet or the super computers reportedly operated by the NSA to spy on the American public.
Cryptowall is distributed using the RIG Exploit Kit, a threat first detected on the Internet in April that has infected millions of machines worldwide since discovered. RIG uses malvertising (advertisement links infected with malware) to draw unsuspecting victims to malicious websites where the exploit can be run undetected. Most of the exploits found in RIG target Flash, but Microsoft Silverlight exploits are increasingly detected as well. Not surprisingly, there are very few Java exploits found in RIG as the use of Java has decreased exponentially in the wake of numerous security issues that were left unaddressed by Oracle for months at a time.
What makes RIG especially dangerous is that it relies on advertising to lure victims. These advertisements can be located on any website and usually appear on reputable, well-known sites; a tactic that usually makes Web surfers less wary of clicking on off-site links. Once successfully exploited, RIG drops Cryptowall on the victim’s machine. Within a matter of minutes, the entire hard drive is encrypted using RSA 2048 and the user is prompted to pay a ransom ranging from $300 - $600 to receive the decryption key or risk losing all information on the infected computer.
Cryptowall even penalizes victims who do not pay promptly by increasing the ransom amount after a period of time and warning them that if payment is not received in a certain amount of time the decryption key will be destroyed and no longer available for purchase.
The prompt provides instructions for paying the ransom using various payment methods including Bitcoin and wire transfer. The addition of wire transfer as a payment method definitely suggests a Russian and/or Ukrainian connection to this malware, but at this time security experts have not been able to locate the organization(s) behind Cryptowall or the improved version of Cryptodefense. This threat is easily avoided if all browser plugins (such as Flash and Silverlight) are properly updated, but if a new zero-day vulnerability were released the hackers could update and infect thousands of computers that haven’t updated their machines yet.
Dangerous New Banking Trojan Written From Scratch
This blog has covered numerous banking Trojans in the past including the notorious Zeus Trojan and its variants such as Citadel and Carberp. These threats are usually available as a kit that can be purchased by just about anyone through well-known underground websites for a small fee. In some cases, the source code is leaked across the Internet for free. Zeus source code was leaked in this manner and allowed for the creation of more powerful variants including the Gameover Zeus botnet (which was recently taken down by a global law enforcement task force).
The point is that these variations – although dangerous – are almost always based on existing code that is easily detected by most antivirus software. That is exactly why a new threat, known as Pandemiya, is so dangerous. Recently discovered by RSA Security’s FraudAction team, Pandemiya is being marketed throughout various hacking forums as a powerful alternative to Zeus and its variants. Pandemiya is being sold for as much as $2,000 for a single license.
The malware offers hackers many of the same features inherent to other banking Trojans such as encrypted communication with C&C servers. Pandemiya also boasts a modular design that can load external plugins (available for an additional fee from the developer). These plugins include a reverse proxy, FTP stealer and a portable executable injector that can inject the malware at machine startup.
A reverse hidden Remote Desktop Protocol (RDP) plugin is reported to be available soon as is a Facebook plugin capable of using stolen Facebook credentials to spread malicious links across the popular social media outlet. According to RSA security experts, it took the hacker responsible for Pandemiya – an individual who has not been identified at the time of this writing – over one year to write the code for this Trojan from scratch.
Currently, Pandemiya has approximately 25,000 lines of original code all written in C. What makes Pandemiya uniquely dangerous is that it was written completely from scratch. This means it will not be detected by end-point based security solutions. Since the code for this Trojan is completely unique it is unlikely that most modern antivirus software is capable of detecting the threat until antivirus manufacturers create a malware definition for the threat and provide an update to current customers. It is for this reason that Pandemiya can fetch such a high price tag compared to more well-known banking Trojans.
Pandemiya is being spread by common exploit kits at this time (such as Blackhole) that look for known vulnerabilities in browser plugins such as Flash, Silverlight and Java. Once downloaded and installed on a machine, Pandemiya is capable of injecting malicious code into every new process that starts on the infected computer – a tactic that is unique among currently known banking Trojans.
The fact that this malware does not resemble existing threats at the code level means antimalware companies have a long road ahead as they attempt to identify this threat and create a suitable definition to recognize and block its behavior. And the recent takedown of the Gameover Zeus botnet means there are a lot of hackers looking to capitalize on this new threat while machines are vulnerable.
New Banking Trojan Not Related to Zeus Malware Family
Recent months have revealed a host of banking Trojans with one thing in common: all of them have been based (in whole or in part) on the infamous Zeus source code leaked last year. While hackers have attempted to mask the now well-known signature of this once extremely dangerous malware family, the shutdown of the Gameover Zeus botnet earlier this month most likely signifies the end of the “reign of Zeus.” But just as the sun sets on Zeus, a new banking Trojan has already emerged that could be much more dangerous than the last few Zeus variants combined. The new banking Trojan, known as Dyreza, uses a man-in-the-middle attack to intercept unencrypted web traffic. Dyreza does share some similarities with Zeus but security experts around the world agree that this is not just another Zeus offshoot.
Using a technique called browser hooking, Dyreza is able to view unencrypted web traffic by fooling users into thinking that a Secure Sockets Layer (SSL) connection has been established. Authentication credentials appear to be sent to a legitimate online banking session but Dyreza actually redirects these login credentials to its own servers. The victim never has any idea what is happening – at least not until it’s too late.
At the time of this writing, the malware is only programmed to intercept authentication credentials when a victim attempts to connect with specific banks including Bank of America, Citibank, NatWest, Ulsterbank and RBS.
Although this limits the victim pool, it also makes Dyreza much more difficult to detect. Furthermore, the hackers behind this new strain of banking malware (who are still unidentified at this time) could add additional banks to the list at any time. This malware is currently distributed primarily through spam messages. Many of these messages contain a .ZIP file designed to look like an invoice. Once opened, the .ZIP file quickly installs Dyreza where the Trojan remains undetected by the victim or most antivirus software. Only when an infected machine tries to securely connect with one of the banks mentioned above does the malware become active.
To make detection of Dyreza even more difficult, the hackers responsible have been distributing the Trojan through legitimate domain names. Using these “trusted” domain names means the spam email messages are less likely to get flagged as spam. In the past, the Dropbox domain has been compromised and used to distribute Dyreza and more recently, Cubby.com (LogMeIn’s file storage service) was exploited for distribution as well. It’s no secret that the purpose of a banking Trojan is to obtain authentication credentials and secretly drain victims’ bank accounts into usually untraceable foreign financial systems. The group responsible for Dyreza has taken the money transferring infrastructure one step further by setting up a system of money mules to make tracing the stolen funds nearly impossible.
A money mule is someone who briefly holds stolen funds in an account before transferring the funds to another account for a small fee. This system makes tracking stolen funds and the people behind this malware extremely difficult – if not impossible.
At this time, it is unclear if the hackers behind Dyreza are using it themselves or renting it out to other cybercriminals as was so common with Gameover and other Zeus variants. The only way to protect yourself from this threat is to avoid opening any suspicious or unsolicited attachments as most antivirus companies have not updated their definition libraries to account for Dyreza’s signature yet.
A Trojan with Built-in Antivirus?
The Tofsee Trojan is a dangerous malware variant spreading quickly through social media sites including Facebook, Twitter and Skype. Unlike most Trojans; however, Tofsee is equipped with a robust set of antivirus tools designed to eliminate any other malware threats on the machine at the time of infection. Tofsee is spread primarily via social media sites but it has also been observed spreading via removable drives (such as USB flash drives and SD cards). Once a machine is infected, it automatically authenticates itself with any social networks frequented by the victim using cookies stored in system memory.
Once authenticated, the Trojan starts posting on the user’s behalf – essentially spamming all known contacts, friends and associates with messages embedded with malicious links supposedly showing “shocking videos” or embarrassing photos.
If users follow the malicious link, they are immediately prompted to download a DivX plugin to view videos or a fake photo viewer application in the case of photos. This download is actually Tofsee and it immediately begins the same cycle on the newly infected machine.
The malicious page users land on is designed to spoof a legitimate Facebook environment although some versions of Tofsee also rely on the promise of a gift or prize after the victim completes surveys (surveys which never end and generate additional revenue for the hackers).
In addition to sending spam messages and scanning for and eliminating competing malware from the system, Tofsee can download 17 plugins from a remote server that are integrated into the system as dynamic link libraries (DLLs). Some of these plugins include:
- A plugin for executing DDOS attacks (both http and syn flood)
- The ability to log data from Internet Explorer
- A plugin that acts as a Bitcoin mining program on the infected machine
- A program that generates and sends emails using a proprietary scripting language to generate realistic messages
This Trojan is designed for complete autonomy while still generating income for the hackers behind Tofsee thanks to the Bitcoin mining program installed shortly after initial infection occurs. This Bitcoin mining program – Trojan.Bitcoin.148 – consumes large amounts of processing power and electricity while severely impacting the performance of the machine.
The criminals responsible for this Trojan are also able to generate income using Tofsee as a spam botnet capable of sending millions of emails which can be configured differently for every “job” thanks to each plugin having a unique configuration file which can be altered in a matter of minutes and distributed from the remote C&C server.
While most antivirus companies are aware of the existence of Tofsee, only a handful of them have updated virus definitions to include this dangerous Trojan at the time of this writing. Never download plugins to see “shocking video or photos” as these plugins are usually nothing more than malware in disguise and Tofsee is so new that it may not be detected by your current antivirus solution (even if it is fully up-to-date).
New WordPress Vulnerability Opens Up Thousands of Sites to Hackers
Earlier this week a zero-day vulnerability was discovered that affects thousands of WordPress-powered websites currently using the TimThumb image resizing library. WordPress is a free, open source Content Management System (CMS) commonly used with blogs and even business websites. It is easy to use thanks to an intuitive back-end user interface and provides hundreds of customization options by default. In addition to the built-in customization options, WordPress users have access to over 30,000 third party plugins that provide support ranging from search engine optimization to E-commerce shopping cart functionality. One of these popular plugins, known as TimThumb, has a vulnerability that can be used by hackers to delete the contents of anything hosted on the compromised server.
TimThumb is an image resizing tool commonly used to resize large images into smaller thumbnails that can be displayed on the WordPress site. This vulnerability was first discovered by security expert Pichaya Morimoto and appears to only affect version 2.8.13 of TimThumb. The vulnerability appears to target a specific feature of TimThumb called “Webshot.” This feature allows users to take screenshots of websites rather than resizing existing images.
Once exploited, an attacker can remotely execute arbitrary PHP code on the affected site. After the initial code has been entered, the hacker can use standard SQL injection techniques to take over the website, delete files or modify configuration settings.
According to Morimoto, the vulnerability can be exploited by entering the following simple command in any web browser:
This specific command can be used to delete a file from the affected site. Similar commands exist for creating new files or modifying existing files within the WordPress site. Essentially, any valid PHP command can be used to alter the compromised site. This is especially dangerous if sensitive information is contained on the server where the WordPress site is hosted. At this time, WordPress sites using the TimThumb 2.8.13 plugin are vulnerable.
Many free and premium WordPress themes include TimThumb functionality by default and sites using these themes are also vulnerable. Specifically, all themes from the popular theme resource Themify contain this vulnerability. Also, WordThumb 1.07, the WordPress Gallery Plugin and the IGIT Posts Slider widget are affected. Keep in mind that these vulnerability specifically targets the Webshot functionality built-in TimThumb and related themes. By default, the Webshot feature is turned off – meaning the site cannot be compromised by this method.
However, sites with Webshot enabled are vulnerable to attack until a patch is released or Webshot is disabled from the WordPress menu. Webshot can be disabled by accessing the TimThumb file inside the WordPress theme directory and searching for “WEBSHOT_ENABLED”.
It the results show (‘WEBSHOT_ENABLED’, true) it needs to be changed to “false”. Keep in mind that it should be set to false by default but the few seconds it takes to double check could save your WordPress site from irreparable damages. At this time, the developers of TimThumb have not released a security patch for this vulnerability. If your site uses this plugin, check the TimThumb support site regularly and install the security patch as soon as it becomes available.
Havex Malware Targets Industrial Organizations
Although never officially confirmed by government officials, the Stuxnet Worm was a type of malware designed to sabotage the Iranian nuclear project as part of a joint effort between the United States and Israel. More recently, the Havex Trojan was discovered and it appears to act in a fashion that is very similar to the famous Stuxnet Worm Havex has already been used to compromise major energy providers in the United States and Europe. This included the United States Department of Energy website which was infected with a version of Havex that spread to legitimate applications that were downloaded unknowingly by visitors of the site.
Many of the computers infected with Havex were tied to the nuclear program and had the malware gone undetected, hackers could have caused serious damage to this country’s nuclear infrastructure. Now Havex, a generic Remote Access Trojan (RAT), has been discovered by security firm F-Secure and hackers controlling the program appear to be using the malware for the purposes of corporate espionage. Havex is designed to infect Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS). These systems are used extensively in manufacturing industries as a way to control various aspects of the operation autonomously and/or remotely. Once a target website has been infected, Havex silently spreads to legitimate applications. Once downloaded, the infected application installs a file called mbcheck.dll. This file is actually Havex.
Once installed, the Trojan immediately contacts a Command & Control server to download additional software plugins that are too large to sneak into the initial download. One of the new components that makes Havex especially dangerous is a plugin designed to gather information about the network and connected devices of an infected system using the Open Platform Communication (OPC) standard.
OPC is used extensively in the manufacturing environment as a way for Windows-based SCADA applications to interface with hardware involved in the manufacturing process. Havex is able to scan the network for any devices responding to OPC requests. This information can be used to map out all industrial control devices on the compromised network.
This malware variant is also capable of stealing user passwords stored on web browsers, collecting operating system related information and downloading additional configuration files from various C&C servers around the world. Although names of the specific companies recently compromised by Havex haven’t been released, F-Secure stated that most of these attacks affect European companies – specifically an industrial machine manufacturer and two educational organizations in France as well as some companies in Germany.
F-Secure also pointed out that it found at least one manufacturing company in California with a server that was communicating regularly with one of Havex’s C&C servers. In addition to the obvious security implications of a system becoming infected with Havex, it appears the hackers have designed this Trojan to actually take control of industrial control equipment.
While the exact purpose of the malware are not clear at this time, there is evidence to suggest Russian (possibly even Russian government) involvement in the creation and deployment of Havex.
▼ Show Discussion