HTML 5 Has Vulnerabilities Too


In our last post, we talked about the imminent demise of Flash and how it’s eventually going to be replaced by HTML 5. One of the reasons why Flash is getting axed is its propensity for vulnerabilities. But before you start letting your guard down, you should know that HTML 5 isn’t totally secure either. Today, we’ll talk about some of the HTML 5 vulnerabilities you need to be aware of.

PostMessage vulnerabilities

One of the major classes of vulnerability found in HTML 5 applications affects cross-origin communication. These vulnerabilities can let attackers carry out cross-site scripting attacks or cause unintended, unauthorized disclosures.

One problem lies in postMessage, an HTML 5 API that allows data to be exchanged between two browsing contexts (windows, tabs or iframes) even if they have different origins (i.e. they don't share the same scheme, host and port). Normally, cross-origin communication is blocked by the web security model's Same Origin Policy (SOP). postMessage is meant to provide a controlled way of crossing the SOP. If it is not used properly, however, the API can expose web applications to critical vulnerabilities.

A receiving page is exposed to cross-site scripting if it listens for messages sent via postMessage() but fails to validate the origin of each message (the event.origin property) before acting on it. Any page that holds a reference to the receiving window (an opener, an embedding page, or a page it opened) can send it a message; if the receiving page passes attacker-controlled data into a sink such as innerHTML or eval, it is compromised.

Conversely, unauthorized disclosure can happen when the sending page calls postMessage() without naming the intended receiver. If the developer passes the wildcard "*" as the targetOrigin argument, the browser delivers the message to whatever origin the target window currently holds. If that window has navigated to, or always was, an attacker's page, any sensitive information in the message ends up there.
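Both postMessage mistakes described above, each beside its fixed form, as an added example (this is not code from the original post). The origin https://app.example.com, the message shape and the function names are assumptions made for illustration; the fakeDom and fakeWindow helpers are constructed stand-ins so the example runs outside a browser.

```javascript
// Added example (not from the original post). Origin, message shape and
// function names are assumptions for illustration.

const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // assumption

// Receiving side, vulnerable: acts on any message without looking at
// event.origin, and feeds the payload to a markup sink (innerHTML).
// Any page holding a reference to this window can drive it.
function vulnerableReceiver(event, dom) {
  const { action, html } = event.data || {};
  if (action === 'render') {
    dom.innerHTML = html;           // attacker-controlled markup: XSS
    return true;
  }
  return false;
}

// Receiving side, hardened: exact-match origin check first, then treat the
// payload as data and write it to a text sink.
function hardenedReceiver(event, dom) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;  // silently drop
  const { action, text } = event.data || {};
  if (action === 'render' && typeof text === 'string') {
    dom.textContent = text;         // rendered as text, never parsed as HTML
    return true;
  }
  return false;
}

// Sending side: the second argument (targetOrigin) decides who may receive.
function sendVulnerable(targetWindow, secret) {
  // "*" delivers to whatever page currently occupies targetWindow.
  targetWindow.postMessage({ token: secret }, '*');
}
function sendHardened(targetWindow, secret) {
  // Delivered only if targetWindow's document is at this origin right now.
  targetWindow.postMessage({ token: secret }, 'https://app.example.com');
}

// In a real page the receiver would be registered as:
//   window.addEventListener('message', e => hardenedReceiver(e, document.body));
// The helpers below are constructed stand-ins for a DOM element and a window
// so that the functions above can be exercised without a browser.
function fakeDom() {
  return { innerHTML: '', textContent: '' };
}
function fakeWindow() {
  const calls = [];
  return {
    calls,
    postMessage: (data, targetOrigin) => { calls.push({ data, targetOrigin }); },
  };
}
```

Note that the hardened receiver drops unexpected messages without throwing: a listener that raises on bad input can be used to spam the console or break other handlers, while a silent drop gives the sender nothing to work with.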

CORS (Cross-Origin Resource Sharing) vulnerabilities

Another way to cross the Same-Origin Policy and allow requests between different origins is CORS. CORS lets a server opt in to cross-origin requests (typically XMLHttpRequest or fetch() calls made from JavaScript) in a controlled manner. It does this through a set of response headers that includes:

● Access-Control-Allow-Origin
● Access-Control-Allow-Credentials
● Access-Control-Allow-Methods

There are instances, however, when the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers are used insecurely.

The Access-Control-Allow-Origin header tells the browser which origins may read responses from a CORS-enabled server. When the server receives a cross-origin request, it reads the request's Origin header and validates it against its list of allowed origins.

How that validation is done varies: some implementations look for a particular substring, others use regular expressions, and so on. If the submitted Origin value passes, the server replies with an Access-Control-Allow-Origin header containing that value. This is where the problem lies. If the check is flawed (a suffix or substring match, or a regular expression with an unescaped dot or no end anchor), the server ends up granting read access to an attacker-controlled origin.

Just as with postMessage(), problems arise if the server returns an asterisk (*) for Access-Control-Allow-Origin, which tells the browser that any origin may read the response. Browsers refuse to honour a wildcard together with Access-Control-Allow-Credentials: true, so a wildcard cannot leak cookie-authenticated data, but it does expose any response that is protected only by network position (an intranet service reached through the victim's browser) or by a secret in the URL.

The Access-Control-Allow-Credentials header, on the other hand, governs whether a credentialed cross-origin request (one made with withCredentials or credentials: 'include', which attaches cookies and HTTP authentication) may have its response read by the requesting page. The browser exposes the response only if this header's value is exactly true.

Almost all useful CORS attacks require Access-Control-Allow-Credentials: true together with an Access-Control-Allow-Origin that reflects the attacker's origin. That is because the attacker's page needs the victim's cookies attached to the request and the browser's permission to read the authenticated response, so that data from the legitimate site can be relayed to a site the attacker controls.
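The server-side origin validation discussed above, as an added example (not code from the original post): three flawed validators beside an exact-match allowlist, each returning the CORS headers it would put on the response. The hostnames are assumptions for illustration.

```javascript
// Added example (not from the original post). Hostnames are assumptions.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

const CREDENTIALED = { 'Access-Control-Allow-Credentials': 'true' };

// Flaw 1: reflect whatever Origin arrives, with credentials enabled.
// Every origin on the internet can now read authenticated responses.
function corsReflect(origin) {
  if (!origin) return {};
  return { 'Access-Control-Allow-Origin': origin, ...CREDENTIALED };
}

// Flaw 2: suffix match. "https://evilexample.com" and
// "https://attacker-example.com" both end the way the check expects.
function corsSuffix(origin) {
  if (!origin || !origin.endsWith('example.com')) return {};
  return { 'Access-Control-Allow-Origin': origin, ...CREDENTIALED };
}

// Flaw 3: regex with an unescaped "." and no end anchor.
// "https://appxexample.com" and "https://app.example.com.attacker.net" match.
function corsRegex(origin) {
  if (!origin || !/^https:\/\/app.example.com/.test(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, ...CREDENTIALED };
}

// Hardened: exact match against the allowlist; omit the CORS headers entirely
// for anything else so the browser blocks the read. "Vary: Origin" stops a
// shared cache from replaying one origin's headers to another.
function corsHeaders(origin, { credentials = false } = {}) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (credentials) Object.assign(headers, CREDENTIALED);
  return headers;
}

// A wildcard is only for data that is public to everyone on the internet.
// Browsers reject "*" combined with Allow-Credentials: true, so never pair them.
function corsPublic() {
  return { 'Access-Control-Allow-Origin': '*' };
}
```

The absence of headers is the safe failure mode: a response with no Access-Control-Allow-Origin is delivered to the browser but withheld from the requesting script, which is exactly what the Same-Origin Policy would have done anyway.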

Web Storage Vulnerabilities

HTML 5 supports a client-side storage feature known as Web Storage. This feature, which also goes by the names "Local Storage" or "Offline Storage" (the API exposes localStorage, which persists, and sessionStorage, which lasts for one tab), gives web applications a key/value store inside the browser. An application can, for example, keep often-used data there so that it need not be fetched from the server every time. Unfortunately, this storage is accessed through JavaScript, and any script that runs on the origin can read and write all of it, which exposes it to XSS and injection attacks.

For example, if a web application is vulnerable to XSS, say because entries in a text field are written to storage and later rendered without sanitization, an attacker can inject a malicious script through that field and have it persisted in web storage. That script then executes every time the user opens the browser and returns to the site, for as long as the entry remains.

What's more, the contents of localStorage can be viewed by anyone with access to the same browser profile (through the developer tools, for example) and by any script that executes on the origin, including one injected through XSS. Unlike an HttpOnly cookie, a value in localStorage cannot be hidden from script. So if you're using a shared computer, access to any sensitive data stored in localStorage is not restricted to you.

Because of this, it's never safe to store sensitive information in web storage. That includes login credentials (usernames and passwords), session tokens, credit card information, personally identifiable information and the like. In other words, any information you wouldn't normally store or transmit in plaintext should never be put in web storage.
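The stored-XSS path described above, as an added example (not code from the original post): a value read back from Web Storage and rendered, first through a markup sink and then escaped, plus the one-loop dump that any script on the origin can perform. The key names are assumptions, and memoryStorage is a constructed in-memory stand-in for window.localStorage so the code runs outside a browser; in a page you would pass window.localStorage instead.

```javascript
// Added example (not from the original post). Key names are assumptions;
// memoryStorage is a constructed stand-in for window.localStorage.

function memoryStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    get length() { return map.size; },
    key: (i) => { const ks = Array.from(map.keys()); return i < ks.length ? ks[i] : null; },
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Minimal escaper for text placed in HTML element content or attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: storage is treated as trusted and interpolated into markup.
// Whoever managed to write the key (an earlier XSS, or any other script on
// the origin) gets code execution on every visit until the key is cleared.
function renderGreetingUnsafe(storage) {
  const name = storage.getItem('displayName') || 'guest';
  return `<p>Welcome back, ${name}</p>`;   // destined for element.innerHTML
}

// Hardened: storage is data, not markup; escape it on the way out.
function renderGreetingSafe(storage) {
  const name = storage.getItem('displayName') || 'guest';
  return `<p>Welcome back, ${escapeHtml(name)}</p>`;
}

// What any script on the origin can do in one loop. This is why a session
// token kept here is exposed to XSS in a way an HttpOnly cookie is not.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}
```

Escaping at render time, rather than at write time, is deliberate: the attacker may be able to write to storage by a route that bypasses your input filter, so the only place the application can guarantee the value is treated as text is the sink.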

WebSockets Vulnerabilities

HTML 5’s WebSocket protocol enables persistent, bidirectional (i.e. full duplex) connections between a client and a server. This capability allows developers to create applications that require real-time data exchanges between client and server. The usual applications include online games, live streaming, chat/messaging, and reporting systems.

Here's one issue, dubbed Cross-Site WebSocket Hijacking (CSWSH). The WebSocket protocol has no built-in authentication or authorization for the handshake. When a client requests a WebSocket connection, the server can authenticate the client only through the usual HTTP mechanisms carried on the handshake request: cookies, HTTP authentication, or TLS client certificates.

The problem is that the browser does not apply the Same Origin Policy to WebSocket handshakes: it sends an Origin header and leaves the decision to the server. So if a user who is logged in to a WebSocket-enabled application also has a malicious site open in the same browser, that site can open a WebSocket to the application's URL, and the browser attaches the user's credentials (e.g. the session cookie) to the handshake automatically, just as it does for any other cross-site request.

If the server accepts the handshake without checking Origin, the malicious site now holds a separate WebSocket connection with the same privileges as the user's own, which means it can potentially read and write whatever the application exposes over that channel. The fix is for the server to reject any handshake whose Origin is not one it expects and, as with other cross-site request forgery, to bind the handshake to a token that only same-origin script can obtain.

Other areas in HTML 5 that are also afflicted with vulnerabilities include geolocation, web workers, sandboxed frames, and offline applications. Of course, most – if not all – of those vulnerabilities can be avoided through secure coding practices.

For instance, in the case of CORS and postMessage vulnerabilities, the developer simply has to be careful in crafting origin validation. But until all web developers adhere to those practices, there will always be HTML 5 web sites that can be exploited.

The rise of HTML 5 as the de facto standard for multimedia and rich web applications is inevitable. Major browsers are starting to ditch programs like Flash and Silverlight in favor of it. The same reception is expected from end users and IT admins, who will no longer have to install and maintain crash-prone third party plug-ins.

As more and more developers write web applications in HTML 5, people must bear in mind that – like all other technologies – HTML 5 also has its fair share of vulnerabilities and that the bad guys are bound to exploit them whenever they can.

The End of Flash on Chrome

For those who haven’t seen the writing on the wall, it’s finally being read aloud for you. Google is removing Flash from Chrome, and they’ve laid out a timetable for doing it.


Timeline of the Flash Phase out

When Chrome 53 rolls out this September, it will start blocking small Flash content that runs behind the scenes, such as Flash-based page analytics. Although it runs in the background, this kind of Flash content drags down a web page's load time and responsiveness while also draining precious battery life.

But that’s just a prelude to what will happen before the year ends. When Chrome 55 arrives in December, that iteration of the world’s most widely used web browser will feature HTML5 as the default enabler for all web media. When that happens, it will signal the end of Adobe Flash’s lengthy reign as the de facto platform for web animations, games, videos, and interactive content.

Many people saw this coming. Back in September 2015, Chrome 42 was released with a default setting that paused Flash animations smaller than 400 × 300 pixels, while leaving content of 5 × 5 pixels and below alone. The reason for that exception? There was no other way to detect viewability at the time. With the introduction of Intersection Observer, that is no longer an issue.

Chrome isn't the only browser distancing itself from Flash. The makers of Edge, Firefox, and Safari have all announced similar plans. Like Google, they plan on starting with click-to-play settings before eventually blocking Flash content by default.


Security Implications

Although what most people notice are the browser crashes, the battery drain, and the sluggish web page responses, Flash has one more weakness that makes it ever harder for companies to justify supporting it: too many vulnerabilities. Adobe releases security updates quite often, yet new vulnerabilities keep surfacing.

This onslaught of vulnerabilities is the primary reason why Flash is a constant target of exploit kits and other attack packages that pave the way for ransomware, viruses, malware, rootkits, trojans, and a host of other malware. When malware infects systems through drive-by downloads, it’s usually through Flash plugin vulnerabilities.

Flash can put businesses at even greater risk when system admins and users fail to patch or when a zero day vulnerability emerges. A zero-day is a vulnerability that’s initially unknown to the vendor (in this case, Adobe). Until the vendor is informed of the vulnerability, and more importantly, releases a security update, that vulnerability can be exploited.

Because Flash is used in a wide range of Web elements, attackers can get quite creative in crafting an exploit. An attacker can gain access into a system by tricking users to:

  • Launch a PDF
  • Play a video
  • Visit a website (drive-by downloads)
  • Install the “Flash plugin”
  • Or even install a “critical Flash update”

When the time comes for Flash to finally bow out, it will be taking along with it the security holes that attackers have long been taking advantage of.

So does that mean the Web will now be a safer place? Hopefully. HTML5, Flash's designated successor for browser enhancement and rich internet applications, is considered to be more secure – at least for now. But to clarify, HTML5 is no panacea. It has its own share of vulnerabilities (e.g. XHR, tag, fat client, and DOM vulnerabilities, to mention a few). We'll talk about those HTML5 vulnerabilities in a later post. In the meantime, if you're looking to enhance the security of your organization, give us a trial run today.

A Closer Look at Apple’s Bug Bounty Program

At the recently concluded Black Hat conference in Las Vegas, Apple announced that it was finally launching its own bug bounty program.

According to Apple’s head of security engineering and architecture, Ivan Krstic, the bounty program will initially consist of the following five categories:

  1. Vulnerabilities and proof-of-concept code in secure boot firmware components.

Maximum payout = $200,000

  2. Extraction of confidential material protected by the Secure Enclave Processor.

Maximum payout = $100,000

  3. Execution of arbitrary code with kernel privileges.

Maximum payout = $50,000

  4. Unauthorized access to iCloud account data on Apple servers.

Maximum payout = $50,000

  5. Access from a sandboxed process to user data outside that sandbox.

Maximum payout = $25,000

Clearly, Apple sees these 5 as critical areas and hence has given them top priority. Let’s take a closer look to understand why.

Vulnerabilities and proof-of-concept code in secure boot firmware components

iOS security starts the moment the device is switched on. In what is known as the secure boot chain or chain of trust, the key components involved in start-up (bootloaders, kernel, kernel extensions, and baseband firmware) undergo a series of verification steps. Each step proceeds to the next only if the component it is about to load has been verified as digitally signed by Apple. The components involved, arranged in the order they are loaded, are: Boot ROM → LLB (Low Level Bootloader) → iBoot → kernel.

This secure boot chain is supposed to ensure that iOS can only run on a valid "iDevice" and, conversely, that an Apple mobile device can only boot into iOS. It also helps ensure that only trusted code and apps can run on the device. However, as with all chains, if one link is broken, the rest of the chain gives way. Being the device's first line of defense, it's imperative that any vulnerabilities in it are identified.

Extraction of confidential material protected by its Secure Enclave Processor

Secure Enclave is a coprocessor that’s been fabricated into Apple’s A-series processors since Apple A7. It’s best known as the place in an Apple device where Touch ID fingerprint information is processed and stored in encrypted form. In fact, it’s where all cryptographic operations for Data Protection key management take place.

Data Protection is a proprietary Apple technology responsible for encrypting user data for system apps like Messages, Mail, Contacts, Photos, and Health, as well as in third-party apps installed on the device. If confidential material protected by Secure Enclave can be extracted, the data in these apps can be compromised.

Execution of arbitrary code with kernel privileges

Arbitrary code execution refers to an attacker’s ability to execute commands in a computer system by exploiting vulnerabilities. Since the kernel is the heart of iOS (or any OS for that matter), any arbitrary code execution vulnerability in it can have serious repercussions. Some iOS kernel vulnerabilities that have been exploited in the past include arbitrary memory overwrites, uninitialized kernel variables, stack-based buffer overflows, and heap-based buffer overflows, to mention a few.

Unauthorized access to iCloud account data on Apple servers

I imagine you recall “Celebgate” or “The Fappening” iCloud photos leak involving celebrities like Jennifer Lawrence, Kate Upton, Kirsten Dunst, and many others. No further explanation needed.

Access from a sandboxed process to user data outside that sandbox

In iOS, all third-party apps are placed in a “sandbox” environment, which prevents them from gaining access to files stored by other apps or even making changes to the device. They’re also restricted from system files and resources. And although they are granted access to user information as well as to features like iCloud, their access privileges are highly controlled.

Unfortunately, like its other security features, iOS’ sandbox mechanism can still have vulnerabilities. Last year, for example, a vulnerability involving MDM (mobile device management) solutions put enterprise credentials at risk.

Security experts have long been urging Apple to offer a bug bounty program, and Apple has long been ignoring them. The tech giant prides itself on top-notch security and is well known for doing things its own way. It speaks to the general state of security and the sheer volume of threats that Apple has finally taken this step.

If an organization with Apple’s expertise and resources needs help finding vulnerabilities, do you? Contact us to find what your other security tools may have missed.

Understanding the Drive-By Download

Most malware infections now originate from the Web, and the majority of those come from drive-by downloads. Because it works in the background and doesn't require human intervention, the drive-by download has become one of the most preferred methods for spreading malware.

With this method of infection, the victim need only visit a malicious website in order to get infected. You don’t even have to click anything to initiate the download. But how is this possible? Wouldn’t this mean no one can ever be safe on the Web? Well not really.

A drive-by download usually relies on what are known as exploit kits. These are installed on malicious sites and scan each visitor’s Web browser for vulnerabilities to exploit. Once a browser or browser plugin vulnerability is found, the download, which takes place in the background, commences.

Because exploit kits (which pave the way for drive-by downloads) work by exploiting vulnerabilities, you can counter them by addressing those vulnerabilities. How? By keeping browsers, Java and Adobe Flash installations, and other add-ons up-to-date. Software updates usually include security patches. The problem is, most users simply don’t take time to update. That’s why exploit kits and drive-by downloads are so prevalent.

Given that drive-by downloads are web-based, they can be used to attack any platform that connects to the Internet and has a web browser. That means it doesn't matter whether you're using Windows, Linux or Mac OS X. The Flashback Trojan, for example, attacked Mac OS X and managed to herd more than 600,000 computers into a botnet.

Similarly, desktops and laptops aren’t the only devices at risk. Smartphones and tablets are at risk as well. Just last month (July 2016), millions of Android devices were infected with malware that allowed attackers to gain root access. Known as Hummingbad, it infected Android-powered mobile devices mainly through web pages that initiated drive-by downloads.

A web page that initiates a drive-by download is typically hosted on either a malicious site or a legitimate site that redirects to a malicious site. In order to redirect visitors, attackers inject malicious code into the legitimate website, for example through an insecure form or a hidden iframe.

These malicious items are rarely detected. Few organizations keep a close watch on their pages for threats, and even if they do, the attackers attempt to stay hidden using various obfuscation techniques. Obfuscation basically renders malicious code unreadable while preserving the code’s functionality. Most obfuscation techniques are applied to JavaScript (not related to Java). Not surprisingly, JavaScript is the most common type of script that’s processed by web browsers.

Attacks that take advantage of legitimate websites and domains (such as domain shadowing) are particularly hard to counter. Blacklisting and domain reputation solutions are problematic as you could end up blocking a reputable or business critical domain. For many, the trade-off is not worth the risk.

Drive-by download payloads can vary. Ransomware is the most popular of late, but they can also include rootkits, worms, viruses, spyware, trojans, keyloggers, and a host of others. Any of which can wreak havoc on your systems or your network.

So how do you protect your users from drive-by downloads? First and foremost, proper update and patching protocol. Secondly, user training and awareness is key. Lastly, you need a security solution that can block both malicious sites as well as the compromised components of legitimate sites.  Feel free to learn more about how our solution addresses drive-by downloads.






Cyber Threats Exploiting Pokemon Go Popularity

Like most popular software, Pokemon Go has quickly become a magnet for cyber criminals. Within just a few days of its launch, the hottest mobile app today has already become the target of DDoS and malware attacks.

For those who have been living under a rock, Pokemon Go is an augmented reality game that runs on iOS and Android. Using the phone screen and camera as its main tools, Pokemon Go allows players to search and capture virtual critters – known as Pokemon – in the real world in real time. Once captured, Pokemons can be trained and brought into battle.

The game’s innovative use of augmented reality, which blends elements of a virtual world with the real world, has enthralled millions of users. Sadly, this extremely high level of activity also attracts individuals with malicious intent. There have been reports of players being robbed when they have wandered off to catch Pokemon or engage with other players.

Since Pokemon Go is first and foremost an app, threats are not limited to the brick-and-mortar world. There are cyber threats too. Two threats that have gained considerable attention are a DDoS attack and a malware attack.


DDoS attack on Pokemon Go servers

A DDoS (Distributed Denial-of-Service) attack was targeted at Pokemon Go login servers on the weekend beginning July 16. This prevented users from logging in to play the game. Two hacking groups have already claimed responsibility for the attack(s). The first group calls themselves OurMine, while the second is known as PoodleCorp. The latter was even bold enough to tweet about the event right before it happened.



While some people believe the server crashes were simply due to the overwhelming influx of users, PoodleCorp has already issued a threat that seems to imply a bigger attack on August 1.



That’s just right around the corner, so we’ll see what happens.

The folks at Niantic (Pokemon Go’s developers and publishers) have ample time to set up contingency measures, so if some considerable downtime still takes place on that date, PoodleCorp must be on to something.


Pokemon Go Malware

Cyber crooks are hitting Pokemon Go on both the server and client fronts. Earlier this month (July 2016), Google removed a fake Pokemon Go app known as “Pokemon Go Ultimate” after researchers at ESET flagged the malicious app.

Pokemon Go Ultimate locked the phone's screen as soon as it started. The app wasn't designed as ransomware, but because there was no way to unlock the phone, users were forced to remove the battery in order to restart. The problem was that upon rebooting, the app would keep running, this time in the background, simulating user clicks on porn ads in a manner similar to Hummingbad.


Possible impact on business cyber security

While DDoS attacks on Pokemon Go servers might have little to zero impact on business’ cyber security, the possible impacts of Pokemon Go related malware are worthy of attention. Some employees might become too enthusiastic with the game and start downloading apps or visiting websites that appear related to the game.

If those apps or websites turn out to be malicious, the phones used to download them could end up getting infected. Those phones can then be a threat as soon as they connect to your network.

Learn more about mobile threats and how to prevent them from invading your network. Contact us now.

Android Malware Hummingbad Infects Millions of Devices

Millions of Android devices (about 10 million, to be more exact) are infected by Hummingbad, a piece of malware that gains root access, installs malicious apps, and dupes users and ad networks in an elaborate fraud campaign. This is what researchers from Check Point discovered after a five-month study. While ad networks are currently the main victims, the level of sophistication of these attacks can potentially threaten a lot of businesses.


Infection and attack

Hummingbad primarily uses a drive-by download attack to infect devices. That means, your device can get infected if you happen to visit one of the attackers’ malicious websites even if you don’t intentionally download anything.

The attack consists of two main components:

  1. One that utilizes a rootkit designed to exploit a wide selection of vulnerabilities in order to ultimately gain access to the system
  2. One that’s called into play if the first component fails. This one displays a fake system update notification in order to deceive the user into granting the malware access to the system.

Even if Hummingbad fails to gain system-level access, it is still able to download several malicious apps. These apps display ad banners and force users to click on them. Because the ads actually belong to legitimate ad networks such as Mobvista and Cheetah, the attackers collect their share of the ad revenue from those clicks. It's believed that the attackers earn about $300,000 per month from this exercise alone.


How Hummingbad can affect your business

The fact that Hummingbad can gain root access and install other malicious apps makes it a serious threat to enterprises. With most everyone bringing smartphones and/or tablets to work, either unofficially or through a BYOD (Bring Your Own Device) program, it’s likely that there is work-related data on their devices.

With the level of access Hummingbad is capable of acquiring, it’s not a stretch to imagine the malware operators – or even copycats – to eventually introduce features for exfiltrating sensitive information stored in the victim’s device. The stolen data can then be sold to fraudsters and identity thieves.

Attackers may also sell access capabilities similar to the way server login credentials were sold at online marketplace xDedic. Other possibilities include putting together all these compromised devices (we’re talking millions) into botnets or using some of them to carry out targeted attacks on people with sensitive positions (e.g. system admins or C-level executives).

Any of these attacks can cause considerable harm to your organization.

While most of the victims are located in Asia, Android users in the United States haven’t been spared completely, with about 286,800 victims in the US.


Upgrading to the latest version mitigates the risk of infection

According to the study, a combined 90% of all infected devices were running Jelly Bean (40%) and KitKat (50%). These are old Android versions, first released in July 2012 and October 2013 respectively. By comparison, only 1% of those infected were running Marshmallow, the latest version.

This underlines the importance of upgrading to the latest version. Upgrades may include security updates designed to patch known vulnerabilities. Such updates are especially critical in devices running the Android OS, where vulnerabilities abound. Early this month alone (July 2016), Google released its largest ever security update for Android. That single update addressed an astounding 108 vulnerabilities.

For more information about this malware and how to avoid getting infected, contact us now.

Your Server Could be for Sale – For Only $6


What can hackers do to a server once they’ve broken into it? A lot. Some install malware and make it part of a botnet. Others steal valuable data stored within. Still others, like those mentioned in this post, sell login credentials at shady marketplaces in the Dark Web.

Thousands of servers for sale

Earlier this month, researchers at Kaspersky revealed yet another alarming discovery in the field of cybercrime. Login credentials to over 70,000 hacked servers were being sold at an online marketplace known as xDedic. Like many underground online marketplaces where tech-savvy crooks trade illicit goods, xDedic can only be reached through the Dark Web.

Apparently, hacked servers are very affordable. Prices for hacked servers were found to go as low as 6 USD. Most of the servers were located in Brazil, China, Russia, India, Spain, Italy, France, Australia, Republic of South Africa, and Malaysia.

Launched in 2014, xDedic gained its reputation as a leading source of compromised server login credentials when 3,000 servers were added to its inventory sometime in 2015. Business has boomed since then.


Tools of the trade

xDedic not only provides a platform for buying and selling hacked servers. It also offers both buyers and sellers tools they can use in finding servers that suit their specific objectives as well as carrying out remote administration via RDP.

One example is a tool used by sellers to scan a hacked system and obtain relevant information such as the Windows version, size of RAM, type of CPU, whether ports 25 and 80 are open, type of VM used, antivirus installed, upload/download speeds, and so on. The same profiling tool is used to search for an RDP service on the server and then to patch it if any is found.

The patch modifies the RDP settings to allow multiple user logins, which would enable a buyer to access the server without alarming the server’s legitimate administrator. The buyer could then access the hacked server through xDedic’s own RDP client.


What can buyers do with a hacked server?

A hacked server can open up a lot of opportunities to a buyer, especially one who operates in the cybercrime industry. Because most of these servers have not yet been blacklisted by blacklisting engines and web reputation sites, they’re perfect for a variety of cyber attacks, including ransomware, malvertising, DDoS, phishing, and many others.

Of course, if a server also happens to store or provides access to storage systems that contain sensitive data, a buyer who specializes in identity theft could have a field day.

The Kaspersky researchers observed a marked interest for servers containing accounting, tax reporting and point-of-sale (POS) applications. Apparently, buyers need these applications for carrying out fraudulent operations. By making use of existing software, attackers can avoid arousing attention.


What countermeasures can help?

Servers that end up at xDedic acquire certain characteristics that can help cybersecurity specialists determine whether a server has been hacked. For instance, the profiling tool mentioned earlier, which is installed on a hacked server after the server is compromised (usually through brute-force attacks), communicates with certain Command-and-Control locations.

In addition, it has been found that the hacked servers are also infected with other pieces of software, including a certain Trojan, bitcoin mining software, and a wrapper for a proxy tool, among perhaps others. For more details about xDedic and these malicious tools, refer to the Kaspersky report on the subject.

Of course, prevention is always preferable to treatment. Once you’ve determined that your servers are safe, you should carry out server hardening to prevent future compromises.

Need help in determining whether your servers have been compromised? Contact us now for a free Harbinger network risk assessment.

The Secrets Behind Ransomware’s Surging Notoriety


Ransomware and the interest around it is surging. A quick look over time at Google Trends reveals an astounding visual representation of the growing interest…


The first ever malware that could be classified as ransomware emerged way back in 1989. Known as the AIDS Trojan, that particular piece of malware hid directories and encrypted filenames, in turn causing its victim’s computer to be unusable (just like today’s CryptoLocker, Locky, Teslacrypt, Cryptowall, and CTB-Locker). To regain control of their PCs, victims had to send money to a Post Office box.

As the graph above shows, ransomware has never before achieved the level of notoriety that it enjoys today. So why are we seeing this growth now?

In this post, we take a closer look at the key drivers fuelling this rapid ascent to infamy. But first, let’s briefly discuss what ransomware is.


What is ransomware?

Ransomware is a piece of malware that, as its name implies, involves ransom money. Once it gets installed on your computer, the malware holds digital assets (in most cases, files) captive and prevents you from retrieving or viewing them. Just like your typical kidnap-for-ransom criminal, it then declares an ultimatum – either you pay a ransom or your files go kaput.

This malware will usually block access to files by locking the screen or encrypting the files themselves. To regain access, you need to pay. Ransom payment is typically done through bitcoins or other electronic payment methods like Ukash, Paysafecard, or MoneyPak. Most systems get infected with ransomware when their users inadvertently download trojans through either phishing emails or malicious websites.

Some ransomware can infect entire establishments, which is what happened to a large hospital in Hollywood. The entire network of the Hollywood Presbyterian Medical Center was locked down by ransomware whose controllers demanded payment in exchange for the “freedom” of the locked patient files.

So why is ransomware fast becoming so popular?


Technology has arrived

Back in 1989, as the AIDS Trojan demonstrated, the idea of ransomware was clearly ahead of its time. It spread through floppy disks and encrypted files using symmetric encryption. Floppy disks had to be distributed by hand (literally), while symmetric encryption meant the decryption key had to travel inside the trojan itself.

Today, trojans that carry the ransomware payloads can spread much faster through the Internet and other connected networks. Encryption is also now asymmetric, which allows the attacker to tuck the decryption key away in a safe location.

Last but not least, payment can now be made without the hassle of having to deliver money to a physical location. Electronic methods like bitcoins and Ukash allow a ransom payment to be delivered in just a few clicks.

There’s also a psychological aspect to it.


Instant pain = instant gratification

For the victims, the impact of a ransomware infection can be felt instantly. They can no longer use their computer and they can no longer access important files. Those effects are different from a data breach wherein, although the potential legal repercussions and damage to reputation are known, they’re not felt immediately.

What’s more, the solution to the problem is clear and easily achieved. To get out of their predicament, victims simply have to pay. If they can afford it, many of them will pay. This reaction of course plays into the hands of the crooks responsible for these attacks because it makes these operations highly lucrative.


$$$RANSOM$$$ = funding for R&D

So it becomes a vicious cycle. The more victims pay, the faster these cybercrime syndicates get their ROI. The crooks then have enough to invest in research and development. That’s why ransomware families like CryptXXX keep getting updated and acquiring additional malicious functions.


Countering ransomware

Ransomware infection can be prevented through a combination of proper education and the right malware detection and prevention solutions. For example, users must be trained how to identify suspicious email attachments as well as who to contact in the event that one is encountered. In conjunction with that, your network must be secured by advanced anti-malware solutions that are capable of detecting malicious activity.

Vulnerabilities in ImageMagick Library



A large majority of the applications running on the Web today rely on free, open-source libraries. These pieces of software are responsible for many of the features that we often take for granted. While these software suites enable developers to build web applications quickly, they can also be problematic.

When these libraries have vulnerabilities, all the servers that depend on their code become sitting ducks until a patch is made available. That’s what’s happening now with ImageMagick, which has been found to have multiple vulnerabilities.


What is ImageMagick?

ImageMagick is a commonly used library that enables applications to manipulate images in bulk. It supports a wide range of image formats (at least 200) including png, jpeg, bmp, cgm, ico, and many others. Through this library, applications can, for instance:

  • Convert images from one format to another;
  • Create thumbnails of uploaded images;
  • Reduce the number of colors in an image through color quantization or posterization;
  • Carry out dithering;
  • Resize, rotate, flip, and crop images; or
  • Generate animated GIFs out of a series of images

These are just the basics. It can also perform discrete Fourier transformations, morphology, pixel distortions, color management, and many other complex image-manipulation tasks.


Where is it used?

Because of its versatility, several major programming languages have implemented bindings for the ImageMagick library. For example, Java has JMagick, C++ has Magick++, Python has PythonMagick, PHP has IMagick, and so on.

Consequently, it has become ubiquitous and is usually the underlying code responsible for image-manipulation features in:

  • Content management systems like WordPress and Drupal (which means that over half of the blogs out there rely on it for image processing);
  • Social media sites;
  • Forums (e.g. phpBB); and
  • Wikis

Possible exploits

There are currently a handful of known vulnerabilities in ImageMagick. But the two most alarming are CVE-2016-3717, which allows remote attackers to read arbitrary files via a crafted image, and CVE-2016-3714, which allows remote attackers to execute arbitrary code via a crafted image.

The latter, now dubbed ImageTragick, is the more serious of the two. In layman’s terms, that particular vulnerability, once successfully exploited, would allow attackers to remotely control a compromised web server. The attackers could, for instance, gain access to all system files, spread malware, steal sensitive information, or cut the entire system off from the network. In other words, they would be able to do practically anything they want on a compromised system.

Early this month, a bug bounty hunter discovered the CVE-2016-3714 vulnerability on one of Yahoo’s domains and was awarded a $2000 bounty for it. If this security flaw managed to go unnoticed at one of the largest Internet companies in the world, how do smaller organizations fare?

Even when the vulnerability was first discovered, security researchers already believed that it had leaked to other individuals. And because the exploit is rather basic, the number of threat actors was expected to multiply quickly.

The developers at ImageMagick have released multiple patches; the onus is now on admins and security teams to make sure that their systems are up to date.

BillGates – The Botnet That Spares Windows Machines

Gone are the days when Linux machines had a reputation of being immune to malware. Today, Linux systems, like their Windows counterparts, can even be ensnared into botnets that launch highly disruptive DDoS attacks. One such botnet family has been gaining considerable attention of late, largely because of its name – BillGates.

Much to the chagrin of Linux zealots, the BillGates malware is designed to infect only Linux machines. BillGates, which is based on the Elknot malware’s source code, is believed to be aimed at the same targets as XOR DDoS, a trojan that gained notoriety in 2015 but was eventually subject to a takedown by the authorities.

Like XOR DDoS, BillGates infects Linux systems and then allows attackers to control the infected machines through one or more C2 (command-and-control) servers. In most cases, the zombie computers are directed to conduct DDoS attacks. This particular toolkit supports a variety of attack vectors, including: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7), and DNS query-of-reflection flood.


How BillGates infects and attacks

Unlike most botnet malware, BillGates doesn’t use phishing to infect. Instead, its operators carry out brute-force attacks on Linux SSH services in order to acquire root login credentials. Once they’ve acquired the passwords and gained access, the attackers execute a bash script that in turn downloads and runs the malware on the compromised machine.
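Both the servers traded on xDedic (compromised “usually through brute-force attacks”) and BillGates begin with guessed SSH credentials, so failed-then-successful root logins are the first thing to look for. The following POSIX shell script is an added example, not code from the page or from Akamai’s advisory: it flags the sources behind repeated failed root logins in OpenSSH’s standard log lines, using constructed sample entries; the threshold, function names and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or Akamai's advisory): flag source addresses
# with repeated failed SSH logins for root, the entry path described above for
# BillGates and for the brute-forced servers sold on xDedic. It expects the
# standard OpenSSH "Failed password for ..." lines from auth.log or /var/log/secure.

# Constructed sample lines (not real traffic); on a live host, pipe in
# /var/log/auth.log or `journalctl -u ssh -o cat` instead.
SAMPLE_LOG='May 10 03:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
May 10 03:14:03 web1 sshd[2203]: Failed password for root from 198.51.100.23 port 51030 ssh2
May 10 03:14:05 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
May 10 03:14:06 web1 sshd[2207]: Failed password for invalid user admin from 198.51.100.23 port 51050 ssh2
May 10 03:14:09 web1 sshd[2209]: Failed password for root from 198.51.100.23 port 51063 ssh2
May 10 03:15:40 web1 sshd[2301]: Failed password for alice from 203.0.113.7 port 40012 ssh2
May 10 03:16:02 web1 sshd[2310]: Accepted password for root from 198.51.100.23 port 51100 ssh2'

# failed_root_logins [THRESHOLD]: read log lines on stdin and print "count ip" for
# every source with at least THRESHOLD (default 3) failed root logins.
failed_root_logins() {
  awk -v t="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password for root from / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }'
}

# root_success_after_failures: print each source that failed against root and
# later succeeded, i.e. the moment the brute force paid off and the download
# script stage described above can begin.
root_success_after_failures() {
  awk '
    /Failed password for root from / {
      for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i + 1)] = 1; break }
    }
    /Accepted (password|publickey) for root from / {
      for (i = 1; i <= NF; i++)
        if ($i == "from" && failed[$(i + 1)]) { print $(i + 1); break }
    }'
}

# Typical use on a live host (shown here against the constructed sample):
printf '%s\n' "$SAMPLE_LOG" | failed_root_logins 3
printf '%s\n' "$SAMPLE_LOG" | root_success_after_failures
```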

As soon as the malware is installed, it then performs a handful of functions that include the following:

  • Establishes persistence mechanisms, so that it stays on the host for as long as it needs to;
  • Replaces system tools with corrupted versions. BillGates replaces tools like /bin/netstat, /bin/lsof, /bin/ps, and others that may be used to check the integrity of the system. If, for example, /bin/ps is replaced, you can no longer see the processes actually running on your system;
  • Checks its own health and integrity. If it discovers that something is amiss, BillGates re-executes the main program and re-infects the host; and
  • Contacts its C2 and executes commands. Once everything is in place, the malware communicates with its C2 server, receives commands, and executes them; the commands range from launching DDoS attacks to running shell commands.
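Because BillGates swaps out /bin/ps and its neighbours, the very tools a defender would reach for first are the ones that can no longer be trusted. The following POSIX shell script is an added example, not code from the page or from Akamai’s advisory: a baseline-and-verify check for those binaries, where the tool list, file names and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or Akamai's advisory): record SHA-256 hashes of
# the system tools BillGates is reported to replace, then re-check them later.
# Assumes sha256sum (GNU coreutils or busybox). Keep the baseline off the host or
# on read-only media: a replaced /bin/ps can come with a replaced baseline file.
# On package-managed hosts, `rpm -Va` or `dpkg --verify` gives the same comparison
# against the vendor's recorded hashes.

# Tools named on the page plus common companions; adjust paths to your distro.
MONITORED_TOOLS="/bin/netstat /bin/lsof /bin/ps /bin/ls /usr/bin/ss"

# make_baseline BASELINE [FILE...]: hash the given files (default: MONITORED_TOOLS)
# on a known-good host, skipping any that do not exist there. Fails if none did.
make_baseline() {
  baseline="$1"; shift
  if [ $# -eq 0 ]; then set -- $MONITORED_TOOLS; fi
  : > "$baseline"
  for f in "$@"; do
    [ -f "$f" ] && sha256sum "$f" >> "$baseline"
  done
  [ -s "$baseline" ]
}

# verify_baseline BASELINE: return 0 if every recorded file still matches, 1 if any
# was modified or removed; each offending path is printed as "CHANGED <path>".
verify_baseline() {
  status=0
  while read -r want path; do
    have=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
      printf 'CHANGED %s\n' "$path"
      status=1
    fi
  done < "$1"
  return "$status"
}
```

Run make_baseline once on a freshly built host and verify_baseline from cron or your monitoring agent; a non-zero exit with CHANGED lines for /bin/ps or /bin/netstat is the signal to treat the host as compromised rather than to trust its own process listing.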

Like many nefarious kits these days, BillGates comes with a “builder” which allows just about anyone to create their own version of the malware. Thus, several botnets running their own variations of BillGates could be attacking their own separate targets around the globe as we speak.

More details can be found in Akamai’s threat advisory.


Countering botnets

Because botnets pose such a serious threat to business, it’s important to prevent, detect, and act on botnet infections. We can help you in that regard. Our deep understanding of botnets has enabled us to assist businesses in countering some of the deadliest botnets ever. Please visit us online for more details and to register for a free online session.