Search the Community
Showing results for tags 'trojan'.
-
Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned. On Thursday, cybersecurity researchers from FireEye's Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East. The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and the core infrastructure we all rely upon for supplies such as gas, oil, and electricity. Stuxnet was one of the first indicators that such malware exists, after the worm was used against industrial players in Iran in 2010, and in 2014 a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid. The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented system (SIS) controllers produced by Triconex. Triton is an attack framework built to tamper with such controllers by communicating with them through computers running the Microsoft Windows operating system. According to Symantec -- while it is early days in the investigation -- the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage. In the case of the victim company, Triton was used to target emergency shutdown capabilities. However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead. The malware was deployed in order to reprogram the SIS controllers, but some of the devices entered a fail-safe state which closed the plant down and alerted operators to the scheme.
The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data. However, in this case there was no clear financial goal -- but the group's persistence, skill, the targeting of core infrastructure, and what appear to be the resources at their disposal all point towards state sponsorship. In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems. Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers who target small firms as stepping stones towards more valuable companies. Via zdnet.com
-
First spotted in December 2016, the attack is tied to the EITest compromise chain, and has been observed distributing the Fleercivet ad fraud malware and ransomware variants such as Spora and Mole. Initially targeting only Chrome, the campaign was expanded earlier this year to target Firefox users as well. The attack relies on pop-ups being displayed in the Chrome browser on Windows devices, claiming that users need to install a so-called HoeflerText font pack. Code injected into compromised websites would make the visited pages look unreadable, thus making the fake popup seem legitimate. Fingerprinting capabilities included in the injected code trigger the attack if certain criteria are met (targeted country, correct User-Agent (Chrome on Windows) and proper referer). If the social engineering scheme is successful and the user agrees to install the fake font pack, a file named Font_Chrome.exe is downloaded and executed, and their system is infected with malware. Starting in late August, the malware distributed via these fake Chrome font update notifications is the NetSupport Manager remote access tool (RAT). According to Palo Alto Networks’ Brad Duncan, this should indicate “a potential shift in the motives of this adversary.” The most recent versions of Font_Chrome.exe are file downloaders designed to retrieve a follow-up malware that installs NetSupport Manager. This commercially-available RAT was previously associated with a campaign from hacked Steam accounts last year. While analyzing the recent attack, Palo Alto’s researchers discovered two variants of the file downloader and two instances of follow-up malware to install the RAT. Although the RAT is already at version 12.5, the version Chrome users are targeted with is version 11.0, the researchers discovered. Chrome users on Windows systems should be suspicious of any popup messages that inform them the “HoeflerText” font wasn’t found.
Affected users aren’t expected to notice a difference in their system’s operation, given that this is a backdoor program, but that doesn’t mean they weren’t compromised. He also points out that RATs give attackers more capabilities on an infected host and also provide more flexibility compared with malware that has been designed for a single purpose, and that the recently observed change in the EITest HoeflerText popups might suggest that ransomware is slightly less prominent than it once was. Via http://www.securityweek.com/fake-chrome-font-update-attack-distributes-backdoor
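The gating logic described in the post (targeted country, Chrome-on-Windows User-Agent, proper referer), reproduced as an added example for this thread. It is not code from the original post, from the EITest injects, or from Palo Alto Networks; the country list, the header names and the sample requests are constructed assumptions, and the campaign's exact criteria are not on the page. The point it shows is why a sandbox fetch with default headers sees only the clean page, and that a naive "Chrome/" check would also fire on Edge and Opera unless they are ruled out first.

```python
"""Visitor gating of the kind the HoeflerText fake-font campaign used.

Added example for this thread; not code from the original post, from the
EITest injects, or from Palo Alto Networks. TARGETED_COUNTRIES and the
sample requests are constructed for the example.
"""

# Constructed target list (assumption for the example, not the campaign's real list).
TARGETED_COUNTRIES = {"US", "GB", "DE"}


def classify_user_agent(ua: str) -> tuple:
    """Return (browser, os) the way a fingerprinting script would see them.

    Order matters: Edge and Opera also carry 'Chrome/' in their UA string,
    so they must be ruled out before 'Chrome/' is trusted.
    """
    s = ua.lower()
    if "windows nt" in s:
        os_name = "windows"
    elif "android" in s:            # Android UAs contain 'linux' too, so test it first
        os_name = "android"
    elif "mac os x" in s:
        os_name = "macos"
    elif "linux" in s:
        os_name = "linux"
    else:
        os_name = "other"

    if "edge/" in s or "edg/" in s:
        browser = "edge"
    elif "opr/" in s or "opera" in s:
        browser = "opera"
    elif "chrome/" in s and "safari/" in s:
        browser = "chrome"
    elif "firefox/" in s:
        browser = "firefox"
    elif "safari/" in s:
        browser = "safari"
    else:
        browser = "other"
    return browser, os_name


def lure_triggers(headers: dict, client_country: str) -> bool:
    """True when a gate with these criteria would inject the fake font prompt."""
    browser, os_name = classify_user_agent(headers.get("User-Agent", ""))
    has_referer = bool(headers.get("Referer", "").strip())
    return (browser == "chrome" and os_name == "windows"
            and has_referer and client_country in TARGETED_COUNTRIES)


# Constructed sample requests, labelled by how they would have reached the page.
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36")
EDGE_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063")
CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36")

SAMPLE_REQUESTS = {
    "victim via search":  ({"User-Agent": CHROME_WIN, "Referer": "https://www.google.com/"}, "US"),
    "victim typed url":   ({"User-Agent": CHROME_WIN}, "US"),
    "edge user":          ({"User-Agent": EDGE_WIN, "Referer": "https://www.google.com/"}, "US"),
    "chrome on mac":      ({"User-Agent": CHROME_MAC, "Referer": "https://www.google.com/"}, "US"),
    "untargeted country": ({"User-Agent": CHROME_WIN, "Referer": "https://www.google.com/"}, "BR"),
    "sandbox curl":       ({"User-Agent": "curl/7.55.1"}, "US"),
}


def triage(requests: dict) -> dict:
    """Map each labelled request to whether the gate would fire for it."""
    return {label: lure_triggers(h, cc) for label, (h, cc) in requests.items()}


if __name__ == "__main__":
    for label, fired in triage(SAMPLE_REQUESTS).items():
        print(f"{label:20s} -> {'LURE' if fired else 'clean page'}")
```

When replaying a suspected compromised site from a lab, send the same User-Agent and a plausible Referer from the victim's egress country; otherwise the injected script hands you the benign page and the analysis dead-ends.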
Tagged with: font_chrome.exe, hoeflertext (and 2 more)
-
The Zero Access trojan (Max++, Sirefef, Crimeware) has affected millions of computers worldwide, and it is the number one cause of click fraud and Bitcoin mining on the Internet. Once the trojan has been delivered into the system, it begins to download many other types of malware that can each cause a great deal of damage to an organization. The trojan’s primary infection vectors are spam mail and exploit kits, but it can also be distributed by P2P file sharing services and fake cracks and keygens. The trojan is unique in that it connects to a P2P botnet, which makes it very difficult to dismantle the botnet as a whole. Zero Access is a trojan rootkit that uses advanced cloaking mechanisms to evade detection and capture. It has the ability to hide itself from several types of antivirus software, and its presence in the system is extremely difficult to ascertain. It leaves no trace evidence indicating a data breach, and its network communications appear to come from a legitimate system process. Usually the executable file will reside in the %TEMP% directory of the workstation, and the traffic to external websites will be encoded HTTP GET and POST requests. Zero Access, once in the system, can carry out a wide variety of tasks, including:
- Use the infected computer for click fraud and Bitcoin mining
- Open the door to many other types of malware infecting the system
- Hide itself within the system without being detected
- Extract victim information including name, hostname, machine name, account name, etc.

Analysis

The Zero Access malware sample can be downloaded from kernelinfo.com. In this case, the malware was downloaded intentionally for analysis. As in all analysis, the first step is to isolate the affected system. After this, the entire system is scanned for malicious content. At first glance, nothing concrete was found, but on further analysis a file is found in the %TEMP% directory of the infected workstation.
Another suspicious file is also found within the %SYSTEM% directory on the workstation. This file appeared to be a configuration file of some kind, and it was protected using ACL permissions. The executable is extracted and run in a sandbox, which confirms the network indicators. The results also clearly indicate that the file was the dropper component for the Zero Access trojan. The name of the file is found to be fvshis.sav, and the contents of the file are encrypted. The strings of the executable were extracted from memory, and several artifacts were found confirming that the dropper received was the 32-bit version of the Max++ dropper component. Later, the dropper component of the trojan was analyzed, and at first glance the file appears to be unpacked. However, during static analysis it is found that the file is packed using a complex custom packer. The executable also employs a complex anti-debugging scheme to further complicate analysis. The INT 2 signal is an operating system interrupt that allows the program to be debugger-aware, i.e. the program can detect if it is being analyzed by a debugger and kill itself. This can hinder analysis of such executables. The packing scheme employed by this particular trojan is also very complex, as it makes use of several layers of crypting and packing. The unpacking scheme works in chunks, with each chunk having a line of anti-debugging code. The dropper will continue to unpack itself in this manner until the entire file has been unpacked. If an analyst tries to break into the cycle with a debugger, the executable will crash the debugger. With much greater effort, the sample was unpacked, and it was found that the sample attempts to access several directories on the host computer. From the usage of the INT 2 instruction in the code, we realize that the sample is a ring zero rootkit, i.e. it runs in kernel mode.
Memory analysis was done on the sample, and it was found that it creates a mutex in memory. Such mutexes are used by malware to ensure that the system is not re-infected with the same sample. It is found that the trojan has injected itself into a legitimate process (explorer.exe) and is using this process to execute its payload. Later, kernel mode artifacts in memory were looked for, and it was found that the malware sample has hidden itself in the system as a kernel module. The trojan disguises itself as a device driver in kernel memory. The driver is called B48DADF8.sys. This module was dumped for further analysis. During preliminary analysis, suspicious network traffic leaving the infected system was found, and this is analyzed in greater detail. HTTP requests to one domain in particular are seen. The dropper is clearly trying to contact this domain to download other malware samples into the infected system, so the domain name was analyzed. The resolved C&C IP address appears to be in Zurich, Switzerland. Swiss law protects the privacy of its citizens to a great extent, which makes it a very popular location for bulletproof hosting providers. Bulletproof hosting is very popular with cybercriminals for hosting their C&C servers. Further analysis of the domain shows that it actually maps to 3 different IP addresses, including the one given above. All of them are in locations with strong privacy laws. We found that all three IP addresses have been blacklisted as malicious:
- 141.8.225.62 (Switzerland)
- 199.79.60.109 (Cayman Islands)
- 208.91.196.109 (Cayman Islands)
Although this particular trojan does not steal user information, we found that it generates a large amount of traffic from its click fraud and Bitcoin mining modules.

Recommendations

- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Do not click suspicious advertisements and banners while browsing the web.
- Make use of log analysis tools (SIEM) for greater visibility into file and network changes within your organization.
- Ensure that your antivirus solution is up to date with the latest virus definitions.
- Ensure that your systems are up to date with the latest available patches, particularly for the following vulnerabilities, as this trojan makes use of them to infect systems: CVE-2006-0003, CVE-2008-2992, CVE-2009-0927, CVE-2009-1671, CVE-2009-1672, CVE-2009-4324, CVE-2010-1885.
- Ensure that your organization uses email gateways to filter spam messages and mails with malicious attachments.
- Do not click on links in email from unknown sources.
- Do not allow any P2P file sharing software in your corporate network environment.
- Block traffic to the following addresses in your perimeter devices such as firewalls and IDS/IPS solutions: 141.8.225.62, 208.91.196.109, 199.79.60.109.

References: www.symantec.com
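The write-up above names three C&C addresses and notes that the trojan's traffic is encoded HTTP GET and POST requests; the recommendations ask for log analysis and for isolating compromised hosts. The following is an added example for this thread, not code from the original post or from Symantec: a sweep of proxy logs for both indicators. The log format, the log lines and the base64-path heuristic are constructed for the example; parse_line() is the one function to adapt to a real proxy's format.

```python
"""Sweep proxy logs for the ZeroAccess indicators named in the write-up above.

Added example for this thread, not code from the original post or from
Symantec. The log format and lines are constructed; adapt parse_line().
"""
import re
from urllib.parse import urlsplit

# The three C&C addresses listed in the analysis above.
ZEROACCESS_CNC_IPS = {"141.8.225.62", "199.79.60.109", "208.91.196.109"}

# Constructed log lines (not real traffic): "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1380000001 10.0.0.15 GET http://www.example.com/index.html 200
1380000002 10.0.0.15 GET http://141.8.225.62/aHR0cDovL2V4YW1wbGUuY29tL3BheWxvYWQuYmlu 200
1380000003 10.0.0.22 POST http://199.79.60.109/QWxhZGRpbjpvcGVuIHNlc2FtZQ== 200
1380000004 10.0.0.22 GET http://cdn.example.net/assets/app.js 200
1380000005 10.0.0.31 GET http://update.example.org/MjAxMy0wOS0yMC1rZXktZXhjaGFuZ2U 404
"""

# base64 / base64url alphabet, at least 20 characters, optional '=' padding
ENCODED_SEGMENT = re.compile(r"^[A-Za-z0-9+/_-]{20,}={0,2}$")


def looks_encoded(path: str) -> bool:
    """Heuristic: last path segment is a long base64-alphabet blob with no file extension."""
    segment = path.strip("/").rsplit("/", 1)[-1]
    if "." in segment:          # ordinary resource name such as app.js or index.html
        return False
    return bool(ENCODED_SEGMENT.match(segment))


def parse_line(line: str):
    """Split one constructed log line; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, url, status = fields
    parts = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": int(status)}


def sweep(log_text: str) -> list:
    """Return one finding per suspicious line, with the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in ZEROACCESS_CNC_IPS:
            reasons.append("known ZeroAccess C&C " + rec["host"])
        if rec["method"] in ("GET", "POST") and looks_encoded(rec["path"]):
            reasons.append("encoded %s path" % rec["method"])
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def clients_to_isolate(findings: list) -> list:
    """Hosts that talked to a known C&C: isolate these first, per the recommendations."""
    return sorted({f["client"] for f in findings
                   if any(r.startswith("known ZeroAccess C&C") for r in f["reasons"])})


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["client"], f["host"], "; ".join(f["reasons"]))
    print("isolate:", clients_to_isolate(hits))
```

The encoded-path heuristic is deliberately a second-tier signal: CDNs and ad networks also serve opaque tokens, so it is worth a look only on its own and worth an isolation when it coincides with a known C&C address.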
-
In this article, I would like to show how an analysis is performed on the Beta Bot trojan to identify its characteristics. The Beta Bot trojan, classified as Troj/Neurevt-A, is a dangerous trojan. This trojan is transferred to the victim machine through a phishing email, and the user downloads the files disguised as a legitimate program. This malicious file, when executed, drops a file on the victim machine, then changes system and browser behaviors and also generates HTTP POST traffic to some malicious domains. Beta Bot has various capabilities, including disabling AV, preventing access to security websites, and changing the settings of the browser. This trojan was initially released as an HTTP bot, and was later enhanced with a wide variety of capabilities, including backdoor functionality. The bot injects itself into almost all user processes to take over the whole system. It also utilizes a mechanism that makes use of Windows messages and the registry to coordinate the injected code. The bot also communicates with its C&C server through HTTP requests. The Beta Bot trojan spreads through USB drives, the messaging platform Skype and phishing emails.

Analysis Walkthrough

Now let’s see how we can do a detailed analysis of the Beta Bot trojan. The first step is to isolate the infected system and analyze it to find any suspicious files. Upon analysis, we found a suspicious file, crt.exe. The crt.exe file was then uploaded into our automated malware analysis system for deeper analysis, and it was able to find malicious traffic to several malicious domains.
(DNS requests to malicious domains)
A list of file manipulations was revealed during automated malware analysis. A malicious file named ‘wfwhhydlr.exe’ that was dropped by Beta Bot was revealed during this analysis.
(File creation and modification)
Mutexes that were used by the malware were also found during the automated analysis.
(Mutex list of the Beta Bot trojan)
After that, the analysis was carried out on our dedicated malware analysis machine. This machine has all the core tools needed to carry out both static and dynamic analysis. As the first step of manual analysis, static analysis was carried out to find the timestamp of the malware. We were able to find the compile date of the malware sample. The malware was compiled on March 14th, 2013, and a GUI is also associated with this sample.
(File properties of the Beta Bot trojan)
Later, static malware analysis was carried out, and as a first step the malware was checked to find whether it was packed or not. On analysis we found that the malware was packed with the UPX packer.
(Packer detection of the malware)
A manual unpacking process was carried out using a user mode debugger. Then we dumped the unpacked malware, and the Import Address Table was reconstructed.
(Debugger view of the malware before UPX unpacking)
After the IAT reconstruction, the malware was analyzed using the debugger, and we found that there is no data available and all the strings and functions are obfuscated. Thus it had to be suspected that the malware was multi-packed, and we found that it was packed with a sophisticated crypter called VBCrypter. Then we came to the conclusion that this Beta Bot malware was multi-packed with a combination of the UPX packer and the VBCrypt crypter. VBCrypter is written in Visual Basic and it is more sophisticated than usual packers. During the execution of the packed malware, it creates the unpacked code as a child process of itself and executes that code in memory. Thus this type of packed malware is very difficult to unpack.
(Crypter detection of the malware)
Then a series of steps was carried out in order to decrypt the malware encrypted with VBCrypt. A user mode debugger was used for this process, and by following a series of steps the malware was decrypted to an extent, and thus the obfuscated code was retrieved for further analysis.
(Debugger view of the Beta Bot trojan after UPX unpacking)
After decrypting the VBCrypt layer, it showed strings and functions that reveal the activity of the malware. The Beta Bot malware tries to find the Network Interface Card in the infected machine, in order to find the network adapter device name. The malware also looks for the computer name of the infected machine.
(Debugger view of the decrypted Beta Bot trojan)
Also from the debugger analysis, it was inferred that the Beta Bot trojan has the capability of deactivating the Task Manager of the infected machine.
(Debugger view of the malware)
The malware was analyzed through a disassembler, and several multi-language strings were retrieved. This reveals the multi-language capability of the Beta Bot trojan. This malware has the ability to configure itself and behave according to the geo-location of the victim machine.
(Disassembler view of the Beta Bot trojan)
Dynamic analysis was carried out by executing the malware within our isolated virtual malware lab. On execution, the Beta Bot malware dropped another executable named vuxrwtqas.exe. This file was dropped in the highworker folder under the Program Files folder on the C drive.
(Files dropped by the Beta Bot trojan)
Then registry analysis of the Beta Bot trojan was carried out, and on analysis we found that the malware manipulates the Windows registry settings of the infected machine. Registry values are added in order to carry out the debugging of major security products like Malwarebytes, Spybot, Trend Micro HouseCall and HijackThis. This registry setting can be used to debug the startup code of the applications, and thus the malware can bypass these security applications and execute on the machine.
(Registry values added by the Beta Bot trojan)
Then packet sniffers were used to study the network behavior of the malware, and we were able to list several malicious IPs to which the malware was trying to connect.
(Malicious IPs to which the malware connects)
Then memory analysis of the malware was carried out by executing the malware and taking a dump of primary memory. On analysis, a large number of trampoline hooks were found. The malware, when executed, hooks almost all the processes in the victim machine and thus takes control of the whole machine. The Beta Bot trojan inserts a trampoline hook in the wuauclt.exe process; this is the Windows Update AutoUpdate Client, which runs as a background process that checks the Microsoft website for updates to the operating system. Thus it can be assumed that the malware updates itself or downloads other malicious software by hooking this process.
(Trampoline hook by the malware)
The Beta Bot trojan, on execution, creates a sub-folder named ‘highworker.{2227A280-3AEA-1069-A2DE-08002B30309D}’ under %PROGRAM FILES%\COMMON FILES and creates a file named ‘vuxrwtqas.exe’. The first part of the folder name, ‘highworker’, is obtained from the configuration of the bot. The rest of the folder name is a special GUID which makes the folder link to the ‘Printers and Faxes’ folder in Windows Explorer, and this folder will act as the initializer when the malware restarts. The crt.exe then creates a new file and exits, and this newly created file creates a process of a system application and starts to inject into the process.
(Folder in which the malware is dropped)
The dropped file is digitally signed as Texas Instruments Inc., an American company that designs and makes semiconductors, which it sells to electronics designers and manufacturers globally. Thus we can assume that the file is not genuinely signed.
(Metadata of the dropped file)

Recommendations

- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Block peer to peer traffic across the organization.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
- Ensure that your anti-virus solution is up to date with the latest virus definitions.
- Ensure that your systems are up to date with the latest available patches.
- Isolate the compromised system immediately if the malware is found to be present.
- Block traffic to the following domains in your perimeter devices such as firewalls and IDS/IPS solutions: highroller.pixnet.to, sbn.pxnet.to, cpstw.santros.ws, ccc.santros.ws.

Eradication

The following products can be used to remove the Beta Bot trojan from the infected machine:
- Symantec Power Eraser
- Kaspersky’s TDSSKiller
- Microsoft’s Malicious Software Removal Tool (MSRT)
- Malwarebytes Anti-Malware
Log in to the victim machine in Safe Mode and manually kill the processes crt.exe and vuxrwtqas.exe related to the Beta Bot trojan. Manually delete the registry entries associated with the Beta Bot trojan. Delete the malicious file dropped by the malware: %PROGRAM FILES%\COMMON FILES\highworker.{2227A280-3AEA-1069-A2DE-08002B30309D}\vuxrwtqas.exe.

Reference: Symantec
-
Hi! I'll pay if you can help me make a keylogger in the form of a pdf, jpg or mp3. I made one as a jpg but it is detectable!! I'll pay someone to make it for me end to end, or someone to just crypt that picture I have, or the mp3! I'm interested in a 100% undetectable keylogger that sends only the text to my email or to an FTP! Every 1-2-3-4 hours, it doesn't matter!
-
Yes, what a rich imagination...
-
More than 500,000 online banking accounts and credit and debit cards belonging to companies in several countries around the world, including Romania, have been compromised by a trojan. The Russians are the main suspects. RSA, the firm that secures the networks of the Fortune 500 companies (the ranking of the largest US public companies by revenue), detected the Sinowal trojan in February 2006, describing it as "one of the most advanced crimeware tools ever created", according to a statement on the company's blog. Since then, the virus has infected and stolen the login data of 270,000 online banking accounts and of another 240,000 credit and debit cards issued by financial institutions in numerous countries across North America, Europe, Asia and Latin America. Its rate of attack grew considerably from March to September of this year, a period in which the trojan affected more than 100,000 accounts. According to the BBC, in April 2007 Google researchers discovered hundreds of thousands of suspicious web pages of this kind, while the antivirus firm Sophos reported for 2008 more than 6,000 newly infected pages per day, or one every 14 seconds. Romania is among the European states affected by Sinowal, but even the number of domestic victim companies is confidential. "We can confirm that some Romanian businesses have been targeted and that information has been captured. However, we cannot provide figures, in order to protect the security and privacy of those affected," David Seuss, one of RSA's press officers, said in an email to Cotidianul. The American firm emphasises in its statement that, after almost three years of investigation, very little is known about the source of this trojan, but that there are some assumptions that it originates from Eastern Europe or from "the infamous Russian Business Network" (RBN, an organised Internet crime group), well hidden in the corners of the web.
"Our information confirms that Sinowal had strong ties to RBN in the past, but research shows that its host may have changed and may no longer be linked to RBN," the statement continues. The trojan in question infects victims' computers without leaving a trace. It uses HTML to effectively inject web pages or information fields into the victim's Internet browser. These pages appear legitimate to the affected user. As an example, Sinowal can trick an unsuspecting victim into handing over information such as their social security number and other details that the bank had previously guaranteed it would never ask for online. Its creators periodically release new variants of the virus and secure thousands of Internet domains for its communication resources. Thus, backed by a strong communication infrastructure, Sinowal has managed to steal and transmit information for almost three years, with the data systematically organised in an impenetrable "repository". "RSA is working with law enforcement and the affected organisations to return the lost data to them so that they can satisfy their customers. Beyond antivirus solutions, specialised organisations should re-examine their anti-trojan methods and teach users how to avoid infection," David Seuss also told us. However, he concluded, many antivirus programs will probably not be able to detect Sinowal because of its rapid variation, and removing this virus from a computer could require reformatting the operating system and erasing the data stored on it. Source: Cotidianul (Ionut Dulamita)