ExpensiveWall Affects Millions

Google has been battling malicious apps throughout the year; most recently, malware was packed into an app called “Lovely Wallpaper”. This new strain, dubbed “ExpensiveWall”, hid inside the wallpaper application while stealthily racking up premium SMS charges. It further propagates by sending text messages on your behalf that invite others to download the same compromised app.

The malicious code was packed and encrypted inside an SDK used by roughly 50 different apps, and Google's vetting did not detect it. How much money the SMS scam actually generated is still undetermined.

How it Works

ExpensiveWall uses JavaScript together with the permissions the user grants the infected app to orchestrate the attack. The app loads a WebView (Android's embedded browser component) and exposes native app functions to the web content through a JavaScript interface. Script served into that WebView can therefore call in-app functions, including sending SMS messages and registering the device for premium paid services, without any notice to the user. The malware only works if the user grants it full SMS control and it can reach its command and control server; it reports data about the infected device, including its IP address, MAC address and geolocation, to that server.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe; this app is clear-cut proof of that. Below are some permission requests that should raise red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Access GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.
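As an added illustration, not code from the original post or from any of the researchers who analysed ExpensiveWall, here is a small Python audit that pulls the uses-permission entries out of an AndroidManifest.xml and maps them onto the red-flag categories above. The permission strings are the standard Android ones, but grouping them under the post's categories is this example's own choice, and the manifest is a constructed sample for a fictitious wallpaper app, not ExpensiveWall's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Red-flag categories from the post, mapped to Android permission strings.
# The permission names are standard Android constants; the grouping is this example's own.
RED_FLAGS = {
    "android.permission.SEND_SMS": "make calls or texts on your behalf",
    "android.permission.CALL_PHONE": "make calls or texts on your behalf",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_SMS": "receive SMS",
    "android.permission.READ_CONTACTS": "read contacts or sensitive device logs",
    "android.permission.READ_LOGS": "read contacts or sensitive device logs",
    "android.permission.WRITE_SECURE_SETTINGS": "write secure settings",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill processes",
    "android.permission.AUTHENTICATE_ACCOUNTS": "authenticate accounts",
    "android.permission.ACCESS_FINE_LOCATION": "access GPS data",
    "android.permission.ACCESS_COARSE_LOCATION": "access GPS data",
    "com.android.vending.BILLING": "control in-app billing",
}

# Constructed manifest for a fictitious wallpaper app (not ExpensiveWall's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Wallpaper Demo"/>
</manifest>
"""

# What a wallpaper app plausibly needs; anything beyond this deserves a second look.
EXPECTED_FOR_WALLPAPER = {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"}


def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit(manifest_xml):
    """Group the declared permissions under the post's red-flag categories."""
    findings = {}
    for perm in declared_permissions(manifest_xml):
        category = RED_FLAGS.get(perm)
        if category:
            findings.setdefault(category, []).append(perm)
    return findings


def unexpected_permissions(manifest_xml, expected=EXPECTED_FOR_WALLPAPER):
    """Permissions that the app's stated purpose does not explain."""
    return sorted(set(declared_permissions(manifest_xml)) - expected)


def premium_sms_capable(manifest_xml):
    """SEND_SMS plus INTERNET is the minimum needed to send texts on instruction from a remote server."""
    perms = set(declared_permissions(manifest_xml))
    return {"android.permission.SEND_SMS", "android.permission.INTERNET"} <= perms


if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST).items():
        print(f"RED FLAG ({category}): {', '.join(perms)}")
    print("unexpected for a wallpaper app:", unexpected_permissions(SAMPLE_MANIFEST))
    print("can run a premium-SMS scam:", premium_sms_capable(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with apktool (or the output of `aapt dump permissions app.apk`) and treat any hit the app's stated purpose does not explain as a reason not to install; SEND_SMS together with INTERNET is exactly the combination a premium-SMS fraud app needs in order to take instructions from its server.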

More Mac Malware Thus Far in 2017 Than Any Other Year

With more than four months to go before the year ends, 2017 has already seen more Mac-specific malware than any previous year. Is this finally the end of Mac OS's reputation as relatively virus-free?

Obviously, Macs have never been totally virus-free. Compared to Windows, however, the amount of Mac-targeted malware has always been minimal, largely because of Mac OS X's substantially smaller market share. With far fewer users to target, malware authors had little incentive to develop as much malware for Apple's personal computing platform.

This year has been quite different. According to Malwarebytes, not only was there a 230% year-on-year increase in Mac malware as of July, but the first half of 2017 has already seen more Mac malware than all of 2016 or, indeed, any other year. We're accustomed to seeing more malware year after year, but a jump of this size in Mac-focused malware is unusual.

Could the significant uptick in Mac malware be due to a corresponding increase in the user base? Not really. In fact, OS X market share hasn't changed significantly since last year.

Malware in the App Store

What makes this surge even more alarming is that a significant amount of malware has managed to invade even the App Store. Apple is known to be very thorough in screening the applications that make it to the Mac App Store.

They review each app for objectionable content, acceptability, app completeness, hardware compatibility, intellectual property, spam, ability to inflict harm, and a host of other criteria. Apple has even been quick to pull apps from the store if they’re later found to be problematic.

Apple touts the App Store as the safest place to download apps and many users believe that to be wholly accurate. This false sense of security leaves them more vulnerable to attacks as they are perhaps not as vigilant or discerning as they might be on another platform.

Proton RAT leads off 2017 surge

One of the biggest threats to emerge this year was a RAT (Remote Access Trojan) known as OSX.Proton.B, or simply Proton. Like other RATs, Proton hides behind a legitimate-looking application and installs a back door that gives the attacker administrative control of the victim's system.

In one campaign, Proton's operators compromised one of the download mirrors of HandBrake, an open-source app for converting video files, and replaced the app's DMG file with a modified version carrying Proton's code.

Once the compromised application is installed on a victim's machine, the Proton RAT kicks in. Proton can record keystrokes, steal passwords, control the webcam, allow remote access, and gain access to the user's iCloud account.

Proton can be installed surreptitiously because it is signed with a valid Apple Developer ID certificate. That lets it pass Gatekeeper, the macOS feature that blocks apps downloaded from the internet unless they carry a valid Developer ID signature.

Proton's existence was uncovered when researchers from the cyber security firm Sixgill chanced upon a post on a notorious Russian cybercrime forum. The post introduced Proton as the “Newest and only macOS RAT in the market.” Originally priced at approximately 100 BTC (bitcoin), equivalent to about $100,000 at the time, Proton was out of reach for most.

Findzip Ransomware

Another piece of Mac malware that emerged this year is Findzip. Ransomware has been gaining a lot of notoriety lately, so the Mac community was rightly alarmed to learn that one of the biggest malware threats in the world today is now on its doorstep.

Findzip is usually disguised as a crack for either Adobe Premiere Pro or Microsoft Office. Being a crack, it isn't obtained through the normal Mac application installation channels. People who use cracks typically employ workarounds to bypass the macOS protections meant to prevent the installation of malicious programs, which plays right into the hands of Findzip's operators.

Unlike Proton, Findzip isn't signed with an Apple-issued Developer ID certificate. A copy that carries the 'quarantine' flag is therefore treated as coming from an unidentified developer and refused when the user tries to open it. Well and good, but that alone doesn't stop Findzip.

Apps that don't come from the App Store are normally downloaded through a web browser. Browsers tag what they download with a 'quarantine' extended attribute (com.apple.quarantine); when the user opens a quarantined DMG or the app inside it, Gatekeeper checks the code signature and blocks the app if the signature is missing or invalid.

Alas, people who want cracked applications and other pirated software don't go down that route. They obtain files through alternative means, usually torrents, and torrent clients generally don't set the quarantine flag on what they download. Without that flag, Gatekeeper is never consulted, so when the user opens the DMG the system does nothing to stop it.
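To make the mechanism above concrete, here is a small Python model of it; it is an added example, not Apple's code or anything from the researchers who analysed Proton and Findzip. It parses the com.apple.quarantine extended attribute that a browser writes on a download (the 'flags;hex timestamp;agent;uuid' layout) and applies the simplified rule the post describes: no quarantine attribute means Gatekeeper never looks, a quarantined app with a valid Developer ID signature is allowed, and a quarantined app without one is blocked. The three cases and the attribute value are constructed, and the flags field is treated as opaque.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class Quarantine:
    flags: int                 # bit field set by the downloading app; treated as opaque here
    downloaded_at: datetime    # second field is a hex Unix timestamp
    agent: str                 # name of the app that wrote the attribute, e.g. Safari
    uuid: Optional[str]        # key into the LaunchServices quarantine event log, if present


def parse_quarantine(value: str) -> Quarantine:
    """Parse a com.apple.quarantine value of the form 'flags;hextime;agent;uuid'."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, when, parts[2], uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Read the attribute from a real file on macOS via xattr; None if absent or xattr is unavailable."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


@dataclass(frozen=True)
class DownloadedApp:
    name: str
    quarantine: Optional[str]    # raw attribute value, or None if the downloader never set it
    valid_developer_id: bool     # signed with a valid Apple Developer ID certificate


def gatekeeper_decision(app: DownloadedApp) -> str:
    """Simplified model of Gatekeeper's check when a downloaded app is first opened."""
    if app.quarantine is None:
        return "not evaluated"          # no quarantine attribute: Gatekeeper is never consulted
    parse_quarantine(app.quarantine)    # raises if the attribute is malformed
    if app.valid_developer_id:
        return "allowed"
    return "blocked: unidentified developer"


# Constructed cases mirroring the three situations in the post; the attribute value is invented.
SAFARI_XATTR = "0083;58f0c2a0;Safari;12345678-ABCD-4EF0-9876-0123456789AB"

CASES = [
    DownloadedApp("trojanised HandBrake DMG carrying Proton, Developer ID signed", SAFARI_XATTR, True),
    DownloadedApp("Findzip 'crack' downloaded with a browser, unsigned", SAFARI_XATTR, False),
    DownloadedApp("Findzip 'crack' fetched by a torrent client, unsigned", None, False),
]


def evaluate_all(cases=CASES):
    return {c.name: gatekeeper_decision(c) for c in cases}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:35} {name}")
```

On a real Mac the two checks are `xattr -p com.apple.quarantine <file>` for the attribute and `spctl --assess --type execute <app>` (or `codesign -dv --verbose=4 <app>`) for the signature. The lesson for defenders is that the absence of the attribute is itself a finding: it means the file reached the machine by a route Gatekeeper never sees.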

It's comforting to note, however, that 1) Findzip will not affect users who download apps through legitimate means, and 2) tools and methods for decrypting files encrypted by Findzip are now easy to find. In fact, a Google search for 'findzip ransomware' returns removal and remediation guides first, not just information about the malware itself.

Flashback to Flashback?

The last time there was a surge of Mac malware activity of this magnitude was in 2011-2012, when the Flashback Trojan struck. Flashback was said to have infected about 600,000 Macs, more than 1% of all Macs in use at the time.

Taken individually, none of the Mac malware detected this year appears to have infected as many devices as Flashback. The Flashback outbreak remains the largest Mac malware outbreak in history, but 2017 shows a disturbing trend that all Mac users should pay close attention to.

Shadow Puppets – Domain Shadowing 101

Earlier this year (2016), WordPress sites were hit by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who operate exploit kits because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it's employed, why it's so effective, and some of the ways to counter it.

What is domain shadowing?
Domain shadowing refers to the practice of compromising multiple domain registrant accounts and using them to create large numbers of subdomains for malicious purposes.

Cybercriminals acquire the login credentials for these registrant accounts through methods like phishing and keylogging. Once in, they create a large number of subdomains under the victim's legitimate domains. Because the attacks are then carried out behind perfectly legitimate domains, they are hard both to detect and to counter.

In the exploit kit campaign discovered by Cisco's Talos Group during its initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer, mostly third-level subdomains (e.g. letters.somedomain.com), received traffic from the malicious ads served on legitimate web pages and redirected it to the second layer.

The second layer, mostly fourth-level subdomains (e.g. abcfsaa.letters.somedomain.com), hosted the exploit kit landing pages. The exploit kit then scanned the victim's system for vulnerabilities and infected it with malware that set the system up for further abuse. This second group of subdomains is much larger than the first, and its members are rotated rapidly.

Why domain shadowing is so effective

One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.

Thus, these accounts are accessed by their real owners only about once or twice a year, giving attackers ample time to create illegitimate subdomains without being noticed.

Another reason is that when the subdomains are finally put into play, they're rotated rapidly. Each subdomain may not stay active for more than an hour, depriving security teams of the time to gather enough information for any meaningful analysis of the attack.

Thirdly, domain shadowing resists many of the countermeasures in use today. For instance, domain reputation systems, which score known domains and block or allow traffic based on those scores, have limitations against domain shadowing: if the malicious subdomains are built off a reputable domain, say cisco.com, they can easily slip through.

Some have suggested that since the fourth-level subdomains used in domain shadowing are usually made up of random alphanumeric characters, such names could be used as a basis for flagging them. Unfortunately, several cloud-based services also use random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause false positives.

Clearly, any effective way of countering domain shadowing requires a combination of approaches. First of all, domain registrants' accounts must be secured: strong authentication, preferably 2FA, must be required to access these accounts. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.
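As an added example, not part of the original post and not Talos's tooling, here is a Python heuristic that hunts for shadowed subdomains in a registrant's own zone export or registrar audit log. It scores each record on the signals discussed above (fourth-level or deeper names, rotation-friendly short TTLs, random-looking labels, and addresses outside the netblocks the apex and www host use) and, to dampen the cloud-service false positives just mentioned, only considers records that appeared on a day the legitimate owner was not logged in to the registrar account. The records, addresses, dates and owner-login history are all constructed, and the assumption that registrar login history is available is this example's own.

```python
import ipaddress
import math
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DnsRecord:
    name: str          # fully qualified hostname
    ip: str            # A record target
    ttl: int
    first_seen: date   # when the record first appeared (registrar audit log or passive DNS)


REGISTERED_DOMAIN = "example.com"

# Constructed sample data for one registrant; names, addresses and dates are invented.
RECORDS = [
    DnsRecord("example.com", "198.51.100.10", 3600, date(2014, 6, 1)),
    DnsRecord("www.example.com", "198.51.100.10", 3600, date(2014, 6, 1)),
    DnsRecord("mail.example.com", "198.51.100.11", 3600, date(2014, 6, 1)),
    DnsRecord("shop.example.com", "198.51.100.12", 3600, date(2015, 11, 20)),
    # Legitimate cloud-generated name: random label, external IP, but created by the owner.
    DnsRecord("d1a2b3c4.cdn.example.com", "192.0.2.40", 300, date(2015, 11, 20)),
    # Shadowed layer one: receives malvertising traffic and redirects.
    DnsRecord("letters.example.com", "203.0.113.5", 300, date(2016, 3, 2)),
    # Shadowed layer two: short-lived exploit kit landing pages.
    DnsRecord("abcfsaa.letters.example.com", "203.0.113.77", 60, date(2016, 3, 2)),
    DnsRecord("k2m9x7qd.letters.example.com", "203.0.113.78", 60, date(2016, 3, 3)),
]

# Dates on which the legitimate owner logged in to the registrar account (constructed).
OWNER_LOGINS = [date(2014, 6, 1), date(2015, 11, 20)]


def labels_below_registered(name: str) -> int:
    """Labels left of the registered domain: 0 for the apex, 1 for third level, 2 for fourth."""
    if name == REGISTERED_DOMAIN:
        return 0
    suffix = "." + REGISTERED_DOMAIN
    if not name.endswith(suffix):
        raise ValueError(f"{name} is not under {REGISTERED_DOMAIN}")
    return name[: -len(suffix)].count(".") + 1


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_random(label: str) -> bool:
    """Machine-generated looking label: long enough and either mixed letters/digits or high entropy."""
    mixed = any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    return len(label) >= 6 and (mixed or shannon_entropy(label) >= 3.0)


def baseline_networks(records):
    """/24s the apex and www host live in; anything else is off-infrastructure for this registrant."""
    return {
        ipaddress.ip_network(f"{r.ip}/24", strict=False)
        for r in records
        if r.name in (REGISTERED_DOMAIN, "www." + REGISTERED_DOMAIN)
    }


def created_without_owner(record, logins, window_days=1) -> bool:
    """True if the record appeared with no owner login within the window around that date."""
    window = timedelta(days=window_days)
    return not any(abs(record.first_seen - d) <= window for d in logins)


def suspicious_signals(record, baseline):
    reasons = []
    if labels_below_registered(record.name) >= 2:
        reasons.append("fourth-level or deeper")
    if not any(ipaddress.ip_address(record.ip) in net for net in baseline):
        reasons.append("resolves outside registrant infrastructure")
    if record.ttl <= 300:
        reasons.append("short TTL (fast rotation)")
    if looks_random(record.name.split(".")[0]):
        reasons.append("random-looking label")
    return reasons


def find_shadowed(records, logins, min_signals=2):
    """Records the owner did not create that also carry at least min_signals other signals."""
    baseline = baseline_networks(records)
    flagged = {}
    for r in records:
        if labels_below_registered(r.name) == 0:
            continue
        if not created_without_owner(r, logins):
            continue  # owner was at the registrar that day; cloud-style random names land here
        reasons = suspicious_signals(r, baseline)
        if len(reasons) >= min_signals:
            flagged[r.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in find_shadowed(RECORDS, OWNER_LOGINS).items():
        print(f"{name}: {'; '.join(why)}")
```

The owner-login gate is what separates the legitimately generated d1a2b3c4.cdn name from the attacker's k2m9x7qd.letters name, which otherwise score alike; with 2FA on the registrar account, that gate also becomes much harder for an attacker to slip through.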

Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.

Blackshades Breakdown

The last couple of weeks have been dominated by talk of Blackshades and the FBI crackdown on those using it. We did a number of media interviews around Blackshades, and here's what we think people should really be focusing on:
The price:  At $40.00, Blackshades was a bargain.  Such a low entry point is great for mass adoption and a quick payday.  Mass adoption however, stirs up attention from law enforcement.  While the FBI managed to make almost 100 arrests, I doubt that any of those are what we would consider high value targets.  
The Response:  The FBI has made a lot of noise about this operation, and rightly so.  The scale of the operation was huge, involving 300 searches in 19 countries.  With almost 100 arrests, it’s clear that the FBI has gotten better at working with their counterparts around the world.
Sadly, while the FBI is bringing justice to those using the Blackshades malware, the NSA is busy doing the exact same thing that the people arrested were.  I think it’s safe to say that their software cost a lot more than $40 though.
Blackshades gives people something to be scared of:  
Let’s face it, the general public just doesn’t care about their privacy as much as we might like them to.  If their credit card info is stolen, the bank picks up the tab.  Someone might read their emails or gain access to their social media accounts?  They’re already posting most of their personal lives for all to see anyway.

What people are scared of is someone posting naked pictures of them online.  The webcam functionality of malware is usually of little concern to security folk.  It is, however, a big concern for the average citizen.  Having to replace your credit card is an annoyance.  Naked pics of you being passed around your school or workplace is something that might actually elicit a change in behaviour.

Cyber Risk No. 3: Direct Loss From Malicious Acts

In previous posts, we've covered how the loss or theft of confidential information and the loss of reputation can affect the cyber security of a 21st-century business. Today, we turn our attention to direct loss from malicious acts (i.e. hackers and malware).
So many businesses are open to this risk because they don't know how to protect themselves, leaving them vulnerable to malware threats that can quickly cause advertisers, partners, and customers to abandon ship.
Perhaps scariest of all is that no business is immune.
Take the recent case of Tor, the anonymity network and browser designed to let businesses and privacy-conscious users browse the Internet without being tracked. Tor had given many people peace of mind until a recent malware attack, which many attribute to the National Security Agency (NSA), shook user confidence.
Researchers claim that the malware found on the sites of Freedom Hosting, the biggest hosting provider on the anonymous Tor network, when that service was brought down was hard-coded to send information to the NSA, TechWeek Europe reported. In one fell swoop, the product's trustworthiness was called into question.
According to Verizon's 2012 Data Breach Investigations Report, 69% of data breaches were attributed to malware infections, and 174 million data records were lost in 855 separate incidents. The rate of infection grows each year: McAfee, in its State of Malware 2013 report, said it catalogued 100,000 new malware samples each day.
So what does data-theft malware really cost us? Globally, the cost of a data breach averaged $136 per compromised record, up from $130 the previous year (2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec). Applying that to even 120 million records (69% of the 174 million in the Verizon report), that's over $16 billion in losses from malware-driven data breaches.
Here are two things to consider as you attempt to bring security to your business. 

  1. There are many types of malware that can threaten your system’s security, and they’re constantly evolving. You must invest your cyber security dollars with a company that is constantly aware of the changing landscape. Defence Intelligence’s Nemesis 2.0 uses advanced network behaviour analysis in conjunction with real time intelligence to prevent and detect system compromise on your network.
  2. Attacks are inevitable.  Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.  The news is full of stories of large and small companies that are compromised. Don’t be one of them.

Cyber Risk No. 1: Loss Or Theft Of Confidential Information

Cyber risks are a growing concern for every company, no matter the industry. The storage and transfer of data have become necessary parts of doing business, and “putting it out there,” so to speak, increases the chance of a hack-attack. 
File sharing in particular is a major concern for organizations concerned about their sensitive or proprietary data.  With services like Dropbox, Google Drive and Microsoft’s SkyDrive gaining traction daily, IT professionals need an effective way to manage and monitor the flow of their data.  It’s for this reason that both our Harbinger and Nemesis services include a dedicated file sharing category, giving you the ability to control the transfer and integrity of your data.
This month we’ll be looking at three cyber risks most often identified by companies open to disclosure. The first risk is loss or theft of confidential information, which has become even more of a concern for companies and individuals in this post-NSA PRISM world. 
Each year, security threats become more costly and require greater vigilance, as evidenced by a recent settlement that cost Sony more than $383,000 in UK fines for the 2011 breach of its PlayStation Network. Nintendo faced similar issues in June of this year, with more than 15 million hacking attempts resulting in 24,000 compromised accounts in a single month, according to CBR Online.
The average cost of a breach lasting 3-5 days for a small company is $35,000 – $65,000.  For a large company, that number grows to a staggering $400,000 – $840,000.  If at first glance those figures seem high, consider the cost of the following: time spent responding to incident, lost business, lost assets, reputational damage, and that’s before any compliance issues or fines.
The more your business grows, the more likely it is to attract the interest of attackers. So what can you do to protect yourself?
1. Pinpoint the associated risks for the types of data that are important to your business. 
2. Define your security policy. 
3. Implement.
4. Review and revise.
Final word of warning: don’t think this is one-size-fits-all. Prevention is dependent on your company’s needs, and could involve establishing Internet use protection or safeguards against intrusion or remote access safety measures for backing up and accessing data. 

Know what you need, and make sure you get it.  For more information about our Harbinger and Nemesis services, visit us at defintel.com

Thinking twice about shopping online and BYOD


Cisco has recently published its annual security report, which contains some interesting and significant findings for both security companies and security executives.

The study reports that “the majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most and think are safe.”

This means the assumption that malware infections commonly come from disreputable sites, such as those offering counterfeit software, is a delusion. Online shopping sites were identified by Cisco as being 21 times more likely to deliver malicious content than counterfeit software sites. The Cisco report also states that large organizations are 2.4 times more likely to encounter web malware.

The Symantec Internet Security Threat Report, volume 17, which was also recently published, reports that “advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.”

Both reports identify a significant increase in mobile, specifically Android, malware since 2011. This indicates that mobile devices are a tangible threat to all organizations. Symantec clarified that the malware was being created for activities such as data collection, sending content, and user tracking.

The increase in mobile attacks places a higher demand on security companies and security executives to protect these vulnerable areas of their networks.

Many security executives have added an extra layer of protection to their security plan with Defence Intelligence's Nemesis. Nemesis is able to protect all mobile devices within a network, and can identify and sever malware communications on legitimate sites that have been compromised. This gives security teams and traditional tools the time needed to respond and remediate.

Contact Defence Intelligence today for a free presentation on how easily and effectively Nemesis can fit into your current security plan.


Mind the Security Gap


The dangers of the Games are not limited to those in attendance. For those watching and following at home, Olympics-related spam, phishing, and malware distribution will be in abundance. See one email example reported by TrendMicro that presents itself as a safety advisory about emails promoting sites selling fake Olympics tickets.

Spam or virus email campaigns carrying special Olympic news or special deals can include an infected attachment or link, as in the example above, designed to fool you into installing malware. If you don't recognize the sender address, or the email seems out of character (spelling errors, no content other than a link, unsolicited attachments), don't click. If you get an email saying you won tickets but you don't recall entering a contest, you didn't win. Sorry. If you want to buy Olympic tickets or simply get information on the Games, go to http://www.london2012.com/. When searching for Olympic videos or news, be aware that many new sites will be dedicated to malware distribution. Stick to the official Olympic website or your favourite news site, and don't venture into unfamiliar territory.

A great FAQ on Olympics-related online safety is offered by TrendMicro. It explains things well for any reader and talks about the scams and threats to expect before, during, and even after the London 2012 Olympics.

Be safe and you’ll enjoy the Games even more.


Cloudy Skies


Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how new this new Storm is.

Several people have taken a look at the spam spewing samples, digging into the malware’s functionality as well as its communication, and the templates used for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has excluded the peer to peer portion of the code.

Atif Mushtaq at FireEye writes that these are all details he observed on a Storm variant back in 2008. So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor, and the samples I ran only connected to one static IP, so I don't think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet, so perhaps this is just a rediscovery of a forgotten remnant.

Right now, compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64-encoded POSTs to pass information to, and report in to, its C&C.
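The check-in behaviour described above lends itself to a simple proxy-log check. The following Python is an added example written for this post, not part of the original analysis or anything FireEye published; it flags POSTs that carry a pure Base64 body, a user-agent with a near-miss misspelling of an OS name (the 'Windoss' typo noted above), or a destination that is a bare IP address rather than a hostname, and decodes the body of anything it flags. The log lines, addresses and check-in contents are constructed.

```python
import base64
import binascii
import ipaddress
import re
from difflib import SequenceMatcher

OS_TOKENS = ("Windows", "Macintosh", "Linux", "Android")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def encode_checkin(fields: str) -> str:
    """Base64 a form-style check-in body, as the bot does before POSTing it to its C&C."""
    return base64.b64encode(fields.encode()).decode()


# Constructed proxy log: tab-separated method, host, path, user-agent, request body (not real traffic).
SAMPLE_LOG = "\n".join([
    "\t".join(["GET", "news.example.net", "/index.html",
               "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6", ""]),
    "\t".join(["POST", "203.0.113.9", "/g.php",
               "Mozilla/4.0 (compatible; MSIE 7.0; Windoss NT 5.1)",
               encode_checkin("id=1&mail=alice@example.com;bob@example.org")]),
    "\t".join(["POST", "shop.example.net", "/login",
               "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30", "user=alice&pass=hunter2"]),
    "\t".join(["POST", "203.0.113.9", "/g.php",
               "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
               encode_checkin("id=2&mail=carol@example.net")]),
])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        method, host, path, ua, body = line.split("\t")
        records.append({"method": method, "host": host, "path": path, "ua": ua, "body": body})
    return records


def misspelled_os_token(ua: str):
    """Return a word that nearly matches a known OS name but is not one (e.g. 'Windoss'), else None."""
    for word in re.findall(r"[A-Za-z]+", ua):
        for token in OS_TOKENS:
            if word != token and SequenceMatcher(None, word, token).ratio() >= 0.8:
                return word
    return None


def is_base64_blob(body: str, min_len: int = 16) -> bool:
    """True if the whole body is a well-formed Base64 string of useful length."""
    if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_reasons(rec):
    reasons = []
    typo = misspelled_os_token(rec["ua"])
    if typo:
        reasons.append(f"user-agent typo: {typo}")
    if rec["method"] == "POST" and is_base64_blob(rec["body"]):
        reasons.append("base64-encoded POST body")
    if is_bare_ip(rec["host"]):
        reasons.append("request to bare IP address")
    return reasons


def find_checkins(text: str, min_reasons: int = 2):
    """Map line index -> reasons for every request with at least min_reasons signals."""
    hits = {}
    for i, rec in enumerate(parse_log(text)):
        reasons = suspicious_reasons(rec)
        if len(reasons) >= min_reasons:
            hits[i] = reasons
    return hits


def decoded_body(text: str, index: int) -> str:
    """Decode a flagged line's body so an analyst can see what was reported to the C&C."""
    return base64.b64decode(parse_log(text)[index]["body"]).decode(errors="replace")


if __name__ == "__main__":
    for i, why in find_checkins(SAMPLE_LOG).items():
        print(i, why, decoded_body(SAMPLE_LOG, i))
```

Requiring two signals keeps an ordinary login form POST or a lone typo from firing on its own; the second flagged line shows that the rule still catches a check-in whose user-agent has been corrected, because the Base64 body and the bare-IP destination remain.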

As always, be cautious while online and when in doubt, don’t click.

Matt Sully
Director
Threat Research & Analysis


Bitdefender Gets a Bit Too Defensive

Bitdefender antivirus unwittingly released a signature update to its users on March 20th that detected and quarantined key Windows system files as malware, causing general OS failures.

Bitdefender had this statement on the news portion of their site:

“Saturday around 8:20am PST, an update that we were working on was uploaded prematurely in our servers. This update affected only products running on Windows 64-bit systems.”

The premature update caused various .exe and .dll files to be quarantined for both the Windows software and the Bitdefender software, each file detected as Trojan.FakeAlert.5.

“Consequently, for some systems, BitDefender did not run anymore, applications did not work or Windows could not start.”

This caused quite an uproar among Bitdefender's users as well as users of Bullguard antivirus, whose software relies on Bitdefender's engine and signatures. Though both companies have offered assistance in remediating the situation, many customers are outraged, especially since the only compensation offered so far has been free usage of the very software that caused the problem. A blunder like this also does nothing for the image of AV, whose credibility and effectiveness have been in question for the last few years.

Detection rates for some AV products are often low, and the gap between the release of new malware and its detection by AV is currently too wide, allowing for the growth of large botnets like Mariposa. False alarms, especially when files are automatically quarantined, can disrupt or severely damage home user and business systems, as this update mishap has shown.

I’m sure many of the Bitdefender/Bullguard users will be jumping ship, scouting alternative antivirus software, but how will they know which one to choose and which one to trust? A lot of AV company blogs end with something like, make sure you are completely updated with the latest signatures or software versions to ensure your protection.

Well, that’s not working for Bitdefender. What are they going to say now?

Bitdefender’s help page:
http://www.bitdefender.com/site/KnowledgeBase/consumer/#638

Bullguard’s help page:
http://bullguard.com/support/system-status.aspx

Matt Sully
Director
Threat Research & Analysis
