Hacking & Security

‘VENOM’ Flaw in Virtualization Software Could Lead to VM Escapes, Data Theft

Threatpost - 13 May, 2015 - 15:34
Researchers have uncovered a vulnerability in an obscure component of many virtualization platforms that they say can allow an attacker to escape from a guest virtual machine and gain code execution on the host, as well as any other VMs operating on that machine. Experts say the bug affects a wide variety of virtualization software […]
Category: Hacking & Security

Microsoft, Adobe and Mozilla issue Critical Security Patch Updates

The Hacker News - 13 May, 2015 - 14:46
This week you have quite a long list of updates to follow from Microsoft, Adobe as well as Firefox. Despite announcing plans to kill its monthly patch notification for Windows 10, the tech giant has issued its May 2015 Patch Tuesday, releasing 13 security bulletins that address a total of 48 security vulnerabilities in many of their products. Separately, Adobe has also pushed a
Category: Hacking & Security

Interview: Bill Andrews, CEO of ExaGrid

InfoSec Institute Resources - 13 May, 2015 - 14:15

Bill Andrews has spent nine years growing ExaGrid from a concept to a visionary player in backup storage. With over 28 years of IT data center infrastructure experience, he has proven success in technical sales and marketing. Bill’s work has impacted numerous high-growth companies, including Pedestal Software, eDial, Adero, Live Vault, Microcom and Bitstream. Bill […]

Category: Hacking & Security

Anatomy of an APT Attack: Step by Step Approach

InfoSec Institute Resources - 13 May, 2015 - 14:00

This article will explore the technique, design and the inner workings of an APT (Advanced Persistent Threat) attack. It will also relate various stages of attack with a few attacks that were custom-created to penetrate enterprises for extraction of internal data, trade secrets, and sensitive business information. Introduction APTs are designed to gain access to […]

Category: Hacking & Security

Spam and Phishing in the First Quarter of 2015

Kaspersky Securelist - 13 May, 2015 - 14:00

Spam: features of the quarter

New domain zones

In January 2014 the New gTLD program of registration for new generic top-level domains designated for certain types of communities and organizations was launched. The main advantage of this program is the opportunity for organizations to choose a domain zone that is clearly consistent with their activities and the themes of their sites. The new business opportunities provided by the New gTLD program were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

Spammers and cybercriminals were quick to react: for them new domains are an excellent tool for promoting illegitimate campaigns. As a result, new domain zones almost immediately became an arena for the large-scale distribution of advertising spam, phishing and malicious emails. Cybercriminals either registered domains to spread spam mass mailings, hacked existing sites to place spam pages, or used these and other web resources in chains that redirect users to spam sites.

According to our observations, email traffic in Q1 2015 saw a considerable increase in the number of new domains that sent out spam of different content. In general there wasn’t much connection between the theme of the spam and the domain name, but in some cases there was an evident logical connection between them. For example, emails sent from the .work domains contained offers to carry out various types of work such as household maintenance, construction or equipment installation. Many of the messages from the .science domains were advertising schools that offer distance learning, colleges to train nurses, criminal lawyers and other professionals.

Q1’s spam traffic also featured many emails sent from color domains like .pink, .red, or .black. Basically they were used to advertise Asian dating sites. At the same time, the top-level domains used in mass mailings exploiting the dating theme were generally empty and did not contain any content related to this subject. They were only used in the chain of redirects leading to the main sites. It should also be noted that the first-level domains of the main sites were created recently and are constantly changing, in contrast with their content, which is still designed according to the same typical spam patterns.

The second- and lower-level domains in such messages are usually generated automatically and appear in the form of a random combination of alphanumeric characters. Meanwhile we are still seeing well-known .com, .org, .info, etc. used as domain zones as well as ones from the New gTLD program.

New domains, old themes

As for spam categories on new domains, and in Q1 spam in general, insurance was one of the hottest topics, both in terms of the number of messages and the number of changing domains seen in mass mailings. This covers all types of insurance – life, health, property, cars, animals, and funeral insurance. Spam offering insurance services used newly-created top-level domains as well as compromised or expired ones. And even though the domains were new, spammers continued to use their old tricks; for example, they substituted domains of well-known organizations such as @amazon.com or @ebay.com in the From field.

The emails we came across generally followed the same template:

  • very little text (the email generally contains a typical header consisting of several words which is exactly repeated in the body of the message)
  • one or more links which load a brightly decorated picture (sometimes in parts) with all the necessary advertising data (a more detailed advertising text plus contacts: website address, phone number, company name)
  • another long link that leads to a resource that corresponds to the content of the email
  • additional ‘white noise’ text to bulk out the email

The latter consists of random phrases or single words in any language which may not be the same as the language of the mass mailing. This text is generally invisible to the reader of the email as it is written in white or pale color on a standard white background. This technique is used in many types of mass mailing.

The source code of a page containing a random set of words to ‘noise’ an email

Spammer tricks

To bypass antispam filtering, scammers often pad emails with large pieces of text written in white lettering on a standard white background to create the illusion of a legitimate text message.

In Q1 spammers exploited yet another technique, deliberately distorting spammer site addresses by writing them with spaces or adding extra characters. At the same time the message text always contained the name of the second-level domain where the spammer site is hosted, as well as instructions on how to combine it with the domain zone: for example, “remove all the extra characters and copy to the address bar” or “enter in the address bar without spaces”. In effect, the recipient is encouraged to assemble the spam site’s address themselves and enter it in the address bar.

Macros in malicious spam

Spam is getting more and more dangerous for Internet users. Cybercriminals are coming up with new tricks and are also reverting to well-known but now forgotten methods. Thus, in the first quarter of 2015 the fraudsters used spam to distribute macro viruses: programs written in the macro languages built into data processing applications (text and graphic editors, spreadsheets, etc.).

Malicious emails contained attachments with a .doc or .xls extension. These launched a VBA script when the attachment was opened. This script downloaded and installed other malicious programs, such as the banking Trojan Cridex, on the system. The macro viruses registered by Kaspersky Lab belong to the Trojan downloaders: Trojan-Downloader.MSExcel.Agent, Trojan-Downloader.MSWord.Agent and Trojan-Downloader.VBS.Agent.

Basically, malicious attachments imitated various financial documents: notifications of a fine or a money transfer, unpaid bills, payments, orders and complaints, e-tickets, etc.

Among these fraudulent notifications were fake messages written on behalf of public services, stores, hotels, airlines and other well-known organizations.

One interesting example of a fake notification was the confirmation of payment sent allegedly on behalf of the employee of the leading British supplier of water coolers for offices. The design of the fake message was a perfect imitation of an official email containing full contact details, logos and legitimate links.

Earlier this year, we came across a mass mailing that contained malicious attachments in Microsoft Word or Excel. Instead of the promised detailed information, the attachment contained a Trojan downloader (Trojan-Downloader.MSExcel.Agent or Trojan-Downloader.MSWord.Agent) that downloaded and ran other malicious software. The emails in the mass mailing were based on a single template; only the sender address and the amount of money specified in the subject and the body of the message varied.

The content of a document carrying a macro virus may look like a set of random characters, similar to text displayed with the wrong encoding. Fraudsters use this as a pretext: under the pretense of fixing the encoding, they try to convince potential victims to enable macros, because back in 2007 Microsoft disabled the automatic activation of macros in files for safety reasons.

In addition to the mass mailings in which the malicious script had been inserted as macros we came across emails in which the script had been inserted as an object. The authors of one of these emails informed recipients they should pay a debt within a week or face legal action that would bring additional financial expenses.

The attached file was also in Microsoft Word while the malicious VBS script (according to the Kaspersky Lab verdict – Trojan-Downloader.VBS.Agent.all) had been inserted into it as an object. To deceive the user the inserted script was displayed as an Excel file: the scammers used the icon of this program and added .xls to the name of the file.

The first macro virus was registered in August 1995 in MS Word “Concept” documents and quickly infected tens of thousands of computers around the world. Despite its 20-year history, this type of malware is still popular largely due to the fact that the VBA language developed to create macros is one of the most simple and accessible, but at the same time functional, programming languages.

Most macro viruses are active not only when opening or closing the infected file but as long as the user is working with the editor (text or spreadsheet). Macro viruses constitute a threat because they infect not only the initially opened file but any other files that are directly addressed.

The active distribution of macro viruses via email is aided by the simplicity with which they can be created and by the fact that users are constantly working with text and spreadsheet applications – often without being aware of the potential danger of macro viruses.

Malicious email attachments

Top 10 malicious programs sent by email, first quarter of 2015

In the first quarter of 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email, according to our ranking. This downloader, which was as low as the sixth position in last year’s ranking, is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Next came Trojan-Spy.HTML.Fraud.gen. As we have written before, this program is a fake HTML page which is sent via email, imitating an important notification from a large commercial bank, an online store, a software developer, etc.

Trojan-Downloader.HTML.Agent.aax and Trojan.HTML.Redirector.ci are in fourth and seventh positions respectively. Both are HTML pages which, when opened by users, redirect them to a rigged site. There, a victim is usually faced with a phishing page or is offered a download of Binbot, a binary-option trading bot which has lately been popular on the net. The two malicious programs spread via email attachments and the only difference between them is the link which redirects users to rigged sites.

Sixth comes Trojan.Win32.VBKrypt.sbds. It is just a common Trojan downloader designed to download a malicious file to the victim’s computer and run it.

Eighth and ninth places are occupied by downloaders from the Upatre family – Trojan-Downloader.Win32.Upatre.fbq and Trojan-Downloader.Win32.Upatre.fca, respectively, which are usually disguised as PDF or RTF documents. Their main task is to download, unpack and run additional applications.

It should be noted that if popular malware families rather than specific malicious programs are ranked, Upatre heads the Q1 rating. In most cases, malware from the Upatre family downloads the Dyre (aka Dyreza, Dyzap) banker, as a result of which this family also leads our rating of most widespread banking threats.

The Andromeda family, which headed last year’s rating, moved down to second position in Q1 2015. As we have mentioned before, these malicious programs allow cybercriminals to secretly control infected computers, which are often made part of a botnet.

The MSWord.Agent family occupies third position in the Top 10. These malicious programs are .doc files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as malicious programs from the Andromeda family.

Malware from the ZeuS/Zbot family, which are among the most popular and readily available programs used to steal banking information and therefore users’ money, came only seventh in Q1.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q1 2015

In the first quarter, there were major changes in the Top 3 countries most often targeted by mailshots. Brazil unexpectedly moved up to second place with 7.44% (compared to 3.55% in 2014), pushing Germany down in the ranking. Britain tops the rating (7.85%). The USA is in the third place (7.18%). Germany, which headed the rating for a long time, dropped to fourth position (6.05%).

It is also worth mentioning Australia: it climbed to sixth place in the first quarter with 4.12%.

As for Russia, on the one hand, it dropped two positions in the rating (from 8th to 10th), but on the other hand, the percentage of malicious programs targeting the territory of Russia increased in Q1 (from 3.24% in 2014 to 3.36% in the first quarter of 2015).

Statistics

Proportion of spam in email traffic

Proportion of spam in email traffic, October 2014 – March 2015

In Q1 2015, the proportion of spam in email traffic was 59.2%, which is 6 percentage points lower than in the previous quarter. The share of spam gradually decreased: the largest amount of spam was sent in January (61.68%) and the smallest in March (56.17%).

Spam sources by country

Countries that were sources of spam, Q1 2015

In the first quarter of 2015 the USA remained the biggest source of spam, sending 14.5% of all unwanted mail. Russia was in second place with 7.27%. Ukraine came third with 5.56% of the world’s spam.

Vietnam (4.82%), China (4.51%) and Germany (4.39%) followed the leaders of the rating. India brought up the rear in the Top 10 with 2.83% of all spam distributed worldwide.

Spam email size

Spam email size distribution, Q4 2014 and Q1 2015

The distribution of spam emails by size remained stable. The leaders were very small emails of up to 2 KB (73.99%), which are easy to handle in mass mailings. The proportion of such emails decreased by 3.28 percentage points.

The proportion of emails in the 2-5 KB size range increased by 5.4 percentage points, reaching 16.00%, while the percentage of spam in the 5-10 KB range decreased by 2.28 percentage points to 2.20%. The share of emails sized 10-20 KB hardly changed from the previous quarter.

Phishing

In the first quarter of 2015, the Anti-Phishing system was triggered 50,077,057 times on computers of Kaspersky Lab users. This is 1 million times more than in the previous quarter.

For several quarters in a row, the largest percentage of users affected by phishing attacks was in Brazil, although in Q1 of 2015 the number (18.28%) was down by 2.74 percentage points.

Geography of phishing attacks*, Q1 2015

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

      Country       % of users
   1  Brazil        18.28
   2  India         17.73
   3  China         14.92
   4  Kazakhstan    11.68
   5  Russia        11.62
   6  UAE           11.61
   7  Australia     11.18
   8  France        10.93
   9  Canada        10.66
  10  Malaysia      10.40

There was a noticeable increase in the proportion of users attacked in India (+1.8 pp). At the same time, we registered a slight decrease in the number of users attacked in Russia (-0.57 pp), Australia (-2.22 pp) and France (-2.78 pp).

Organisations under attack

The statistics on phishing attack targets are based on the heuristic component of the Anti-Phishing system being triggered. The heuristic component is triggered when the user follows a link to a phishing page that is not yet included in Kaspersky Lab databases, regardless of how the page was reached: by clicking a link in a phishing email or a message on a social network, or, for example, as a result of a malicious program’s operation. When the component is triggered, it displays a banner in the browser, warning the user of a possible threat.

Although the share of the “Email and search portals” category in the rating of organizations attacked by phishers diminished considerably in Q3 2014, the category (25.66%) still occupies the top position in the rating in 2015. The share of this category increased by a mere 0.40 percentage points from Q4 2014.

Distribution of organizations affected by phishing attacks, Q1 2015.

In the first quarter of 2015 the share of “Online shops” (9.68%) increased by 2.78 pp. Although the percentage of the “Online games” category (3.40%) rose by 0.54 percentage points, it yielded its place to the “IMS” category (3.92%), which saw its share grow by 1.69 pp.

In Q1 2015, we included a new category, “Delivery companies”, in our rating. Despite the fact that currently the contribution of this category is only 0.23%, it has recently demonstrated a growth (+0.04). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often attacked by phishers.

Distribution of phishing attacks on delivery companies, Q1 2015

In a number of emails the scammers offer users the chance to purchase goods with delivery provided by a well-known logistics company. If you agree, they require an advance payment for delivery and provide fake invoices with the logo of the relevant delivery company. Having received the money, the fraudsters disappear.

Additionally, phishing messages sent on behalf of logistics firms often contain malicious attachments. Generally, an email includes a delivery notice; to receive the goods the recipients are expected either to open the attachment, which turns out to be malicious, or to go to the website and enter their personal data. The latter method is used to collect valid email addresses and other personal information of users.

Phishing email sent on behalf of FedEx

Phishing page imitating a DHL personal account login page

Phishing page imitating UPS personal account login page

Phishing page imitating FedEx personal account login page

Top 3 organizations attacked

The Top 3 organizations most often attacked by phishers remained the same as in the last quarter of 2014.

     Organization   % of phishing links
  1  Facebook       10.97
  2  Google          8.11
  3  Yahoo!          5.21

The top three organizations targeted by phishers are Facebook (+0.63 pp), Google (+1.51 pp) and Yahoo! (5.21%). The percentage of attacks on the latter continues to slowly decrease (-1.37 pp).

Conclusion

The share of spam in email traffic in the first quarter of 2015 was 59.2%, which is 6 percentage points less than in the previous quarter. The percentage of spam gradually declined during the quarter.

Spam traffic in Q1 of 2015 included a large number of mass mailings with Microsoft Word or Excel attachments containing macro viruses. Fraudsters tried to lure users into opening malicious files by disguising them as various documents, including financial. The fake messages often imitated notifications from well-known organizations and services.

In Q1 of 2015 the results of the New gTLD program of registration for new generic top-level domains launched in 2014 became especially noticeable. The new domains are registered daily but not always for legitimate purposes. We expect further growth in the number of new top-level domains used in mass mailings. An increase in the volume of mass mailings sent from new domains which have an evident logical connection between the type of goods and services advertised and the domain name is also possible, although this can hardly be considered a trend.

The three leading source countries for spam sent across the world are the USA (14.5%), Russia (7.27%) and Ukraine (5.56%).

In the first quarter of 2015 Trojan-Banker.Win32.ChePro.ink was the malicious program most often distributed via email, according to our ranking. The Upatre downloaders, which are used to download the Trojan banker Dyre/Dyreza, became the most popular malware family of Q1. Britain tops the rating of countries most often targeted by mailshots with 7.85% of all mail antivirus detections.

In Q1 2015, the Anti-Phishing system was triggered on the computers of Kaspersky Lab users 50,077,057 times. The largest percentage of users affected by phishing attacks was in Brazil.

Pizza Hut steganography - hostage embeds hidden message in pizza order

Sophos Naked Security - 13 May, 2015 - 13:31
How do you call 911 while doing nothing more suspicious than placing your regular pizza order?

Woman sues employer for firing her after she disabled 24x7 monitoring app

Sophos Naked Security - 13 May, 2015 - 12:51
Having her location monitored was OK while she was clocked in, she said. But she uninstalled it when she found it was spying even when she had quit the app.

DDoS Botnet Leverages Thousands of Insecure SOHO Routers

The Hacker News - 13 May, 2015 - 11:47
Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials. A new report suggests that hackers are using a large botnet of tens of thousands of insecure home and office-based routers to launch Distributed
Category: Hacking & Security

Peeing robot spoils the fun as Google temporarily unplugs map-editing tool

Sophos Naked Security - 13 May, 2015 - 11:36
Map Maker's offline until Google sets up moderation that will quash what it says is escalating map vandalism. Happy now, maker of weak-bladdered Android image?

How to Share Sensitive Files Instantly and Securely

The Hacker News - 13 May, 2015 - 11:05
Last week, I had to communicate with my friend overseas in China. We both were aware that our email communications were being monitored. So, we both were forced to install and use a fully-fledged encrypted email system. Although it appeared to be very secure, it was quite cumbersome to handle. If you are ever faced with the same situation, I am here to introduce you to a very simple and
Category: Hacking & Security

Warning about fraudulent e-mail messages

CSIRT.cz - 13 May, 2015 - 10:50

CSIRT.CZ today received a sample of a current phishing message being sent to users in the Czech Republic. The aim of this activity is to gain access to the recipient’s e-mail mailbox. Fortunately, the message is easy to recognise thanks to its language errors alone.

Sample of the phishing message:

Category: Hacking & Security

Tor Cloud Shut Down Amid Lack of Support

LinuxSecurity.com - 13 May, 2015 - 10:03
LinuxSecurity.com: The Tor Project has shuttered its cloud proxy service citing security vulnerabilities, usability bugs and a lack of resources. Tor offers its users the capacity to surf the Web anonymously, bouncing traffic through a series of relay servers so that no observer at any point can tell where that user's traffic is traveling to or coming from. The Tor Cloud Project essentially offered a platform for creating network bridges within Amazon's Elastic Cloud Compute in order for users to evade censorship.
Category: Hacking & Security

Elasticsearch Honeypot Snares 8,000 Attacks Against RCE Vulnerability

LinuxSecurity.com - 13 May, 2015 - 10:01
LinuxSecurity.com: Hackers have taken an interest in Elasticsearch, a popular enterprise search engine. A researcher based in Texas, whose own Elasticsearch server was hacked, today published results collated from a honeypot he built to get a sense of how widespread attacks are against the vulnerability that did in his server.
Category: Hacking & Security

DDoS Botnet Relies on Thousands of Insecure Routers in 109 Countries

LinuxSecurity.com - 13 May, 2015 - 09:57
LinuxSecurity.com: Cybercriminals take advantage of tens of thousands of insecure home routers distributed by ISPs (Internet Service Providers) and manufacturers to create large botnets for distributed denial-of-service (DDoS) attack purposes.
Category: Hacking & Security

Microsoft security updates May 2015

Kaspersky Securelist - 13 May, 2015 - 01:40

Microsoft released a set of thirteen Security Bulletins (MS015-043 through MS015-055) to start off May 2015, addressing 46 vulnerabilities in a wide set of Microsoft software technologies. Three of these are rated critical for RCE and the rest of the May 2015 Security Bulletins are rated Important. Two of the critical Bulletins (043 and 044) are especially risky and address critical RCE vulnerabilities across all versions of supported Windows platforms.

  • Internet Explorer (MS015-043) critical
  • GDI+ drivers handling fonts (MS015-044) critical
  • Windows Journal (MS015-045) critical
  • Microsoft Office
  • Sharepoint Server
  • Silverlight
  • .NET Framework
  • JScript and VBScript Scripting Engines
  • MMC file format
  • Schannel (Microsoft’s network crypto libraries)

Most likely, your Windows systems are running at least a couple of those software packages, and will require a reboot after updating.

This round of IE memory corruption vulnerabilities enable remote code execution across all versions of the browser and supported Windows OS, IE6 – IE11. Even Internet Explorer 11 on Windows 8.1 maintains the flawed code, leading many to anticipate Microsoft’s new approach to web browser security in the upcoming Microsoft Edge: Building a safer browser.

Another issue enables RCE in Windows Journal, a note-taking application first written for XP Tablet associated with .jnt files. To disable the app, it seems that you can simply disable the “Tablet PC Options Components” Windows Feature on Vista or Windows 7, but you are without the Control Panel option on Windows 8.x. On Windows 8 and above systems, it looks like you can remove the .jnt file association in the registry, or, you can deny access to journal.exe with a couple of shell commands:

takeown.exe /f "%ProgramFiles%\Windows Journal\Journal.exe"
icacls.exe "%ProgramFiles%\Windows Journal\Journal.exe" /deny everyone:(F)

And finally, another couple of font handling GDI+ vulnerabilities are patched, this time in the DirectWrite library handling for both OpenType (cve-2015-1670) and TrueType (cve-2015-1671) fonts. It’s 1671 that enables RCE on Windows systems running SilverLight, Lync, Live Meeting, Microsoft Office 2007 and 2010, supported .Net framework versions, and all the supported Windows operating system versions, including Windows 2008 and 2012 R2 Server Core. Depending on your OS, the patches can touch on a set of files, not just win32k.sys driver code:

Win32k.sys
Gdiplus.dll
D2d1.dll
Fntcache.dll
Dwrite.dll
D3d10level9.dll
D3d10_1.dll
D3d10_1core.dll
D3d10warp.dll

According to Microsoft, “When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers”. Which may be mincing words, because Microsoft’s cve-2015-1671 vulnerability acknowledgement listed the Threat Research Manager at FireEye. That disclosure detail may add urgency to updating this vulnerability for some organizations.

TeskaLabs: Czechs worth keeping an eye on

Zive.cz - security - 13 May, 2015 - 00:00
A very interesting company, TeskaLabs, is growing in Prague. It currently offers technology for securing mobile applications and plans to hire up to dozens of people from the summer.
Category: Hacking & Security

Another look at Niteris : post exploitation WMI and Fiddler checks

Malware don't need Coffee - 12 May, 2015 - 23:41


In this post we'll see some of the improvements that have been brought to Niteris.
Disclaimer : Only a few configurations were tested, so most probably some added/replaced CVEs are missing.

The infection chain (should be clean now) :
Infection chain leading to Niteris
2015-05-07 (probably 5 months old)
is the same as the one that has been used on eHow

You'll notice that the actors registered 20min .eu for the first redirect of traffic from 20min .ch,
v5-static.ehowcdn .biz to mimic v5-static.ehowcdn .com, etc...

VT Pdns from first redirector in the infection chain

Compromised eHow redirection chain to Nuclear Pack pushing Dyre - 2015-05-05

and on LiveStrong recently :

Compromised LiveStrong redirecting to same infection chain/payload as eHow - 2015-05-06


which are probably compromised since at least end of 2013 and where CVE-2013-5330 was first encountered...


Obviously Niteris has evolved on the Exploit integration side.

CVE-2014-0569 :

Niteris firing code to exploit CVE-2014-0569
Flash Sample : 22ea8dd623c0f44e352ac7f3618a918b1f52a14552eec6c2d10ce0ff744bb66f

CVE-2014-6332 :

Niteris firing code to exploit CVE-2014-6332

Sent code : http://pastebin.com/raw.php?i=2hU1kDi6
Code after js deobfuscation : http://pastebin.com/B5ihgFgv
Code after vbs deobfuscation : http://pastebin.com/wrBeGxzM

CVE-2015-0311 :
Niteris successfully exploiting CVE-2015-0311 to push Ursnif
2015-05-07
Flash Sample : d438be33030b2ed20a3db52031e110034119111cb116ab58bd393da49d6d0efe

CVE-2015-0336 :

Incomplete pass of Niteris Firing CVE-2015-0336
2015-05-04
Flash Sample : d3a08acd97ee8f9d9fe0e530e34c42bb7d6e78c89021725393116bd5b5907df2

but here is some less expected stuff :

CVE-2013-1710 &  CVE-2012-3993 (Firefox Exploit - seems to be an implementation of this metasploit module)

Niteris sending code to exploit CVE-2013-1710 &  CVE-2012-3993
2015-05-07

Post exploitation AntiVM / Fiddler :


Niteris call for post exploitation checks - 2015-05-07
Note the fake user agent.

Sent code : http://pastebin.com/mCu7AzGh
Code after js deobfuscation : http://pastebin.com/UV51KECp
Code after vbs deobfuscation : http://pastebin.com/VE4L48cz

So after exploitation, some WMI checks are made to gather data on the system (Security Center, running processes...).

Niteris checks based on WMI queries and on reading Fiddler's default error page for non-resolving domains - 2015-05-07

If Niteris spots that you are running Fiddler or are inside a VM, you'll be dropped before getting the payload.

Here you can see a VirtualBox VM, using Fiddler as proxy, sending data to the EK :

Niteris post data after the close() function, showing that it has spotted both VirtualBox and Fiddler (outside of the VM) - 2015-05-07

Fiddler side note :
Looking at CustomRules.js, you'll read that the function "OnReturningError(oSession: Session)" executes just before Fiddler returns an error.
This is where the Niteris check can be defeated by modifying the response.

In the deobfuscated code, we can see the decoding routine :

Payload decoding routine : XOR (key [g_xk] : 97dc6e7aaa9c089d0ed82ebfd9fca4fe), skipping 0 and matching bytes

The script also uses WMI to ensure the payload has been properly executed :
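The "skip 0 and matching bytes" rule is what makes this kind of XOR routine its own inverse, so an analyst can reuse one function to decode a captured payload. The following is an added example written for this post, not code from the Niteris script: it implements the rule as described with the key g_xk above. Whether the script applies the key as its 32 ASCII characters or as 16 raw bytes is not stated on the page, so the ASCII interpretation is an assumption here and the raw-bytes variant is kept as an alternative parameter; the sample "PE" bytes are constructed, not a real payload.

```python
"""XOR payload decoder with the 'skip 0 and matching bytes' rule.

Added example, not code from the Niteris post. The key value is the one
named g_xk in the post; applying it as ASCII text is an assumption.
"""
from itertools import cycle

G_XK = "97dc6e7aaa9c089d0ed82ebfd9fca4fe"   # key from the post (g_xk)
KEY_ASCII = G_XK.encode("ascii")            # assumption: key used as 32 ASCII chars
KEY_RAW = bytes.fromhex(G_XK)               # alternative: key used as 16 raw bytes


def xor_decode(data: bytes, key: bytes = KEY_ASCII) -> bytes:
    """Decode with a repeating XOR key, leaving 0x00 and key-equal bytes as-is.

    Skipping those two values is what keeps the transform an involution:
    a plaintext byte equal to 0x00 or to the key byte would otherwise XOR
    into the other one and be mis-classified on the way back, so with the
    skip rule encode and decode are literally the same function.
    """
    if not key:
        raise ValueError("empty key")
    out = bytearray(len(data))
    for i, (b, k) in enumerate(zip(data, cycle(key))):
        out[i] = b if b == 0 or b == k else b ^ k
    return bytes(out)


xor_encode = xor_decode  # the transform is its own inverse


def looks_like_pe(data: bytes) -> bool:
    """Quick plausibility check an analyst runs on the decoded blob."""
    return len(data) >= 0x40 and data[:2] == b"MZ"


# Constructed sample (not a real binary): a fake DOS header with zero bytes
# and, at offset 8, a byte equal to the key byte at that position ('a'),
# so both skip cases are exercised.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"a"
    + b"\x00" * 0x37
    + b"This program cannot be run in DOS mode."
)
SAMPLE_ENCODED = xor_encode(SAMPLE_PLAINTEXT)


def demo() -> bytes:
    """Decode the constructed sample and return the recovered plaintext."""
    decoded = xor_decode(SAMPLE_ENCODED)
    assert decoded == SAMPLE_PLAINTEXT
    return decoded


if __name__ == "__main__":
    print("decoded looks like PE:", looks_like_pe(demo()))
    print("first encoded bytes:", SAMPLE_ENCODED[:8].hex())
```

On a real capture, feed the POST body or downloaded blob to `xor_decode` with the key recovered from the deobfuscated script, then check the result with `looks_like_pe` (or a proper PE parser) before anything else; if the ASCII interpretation does not yield an MZ header, try `KEY_RAW`.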


Niteris routine to ensure payload is running as expected - 2015-05-07

Once done, a callback (with POST data) is made to the EK. The POST data contains the Model and the security products, so they should be able to figure out when an antivirus vendor is catching them, the same way antivirus vendors are able to figure out when they miss an EK : no more hits in the telemetry :D

Files: Niteris_2015-05-12.zip.

Thanks to @UnicornSec for the working Referer
Special thanks to @DarienHuss for the impulse and help!
Thanks to @TimoHirvonen (F-Secure) for Flash CVE identification.

Read More : Meet Niteris EK (formerly known as CottonCastle) - 2014-06-09

Adobe, Microsoft Push Critical Security Fixes

Krebs on Security - 12 May, 2015 - 23:33

Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe Air software, as well as patches to fix holes in Adobe Reader and Acrobat.

Three of the Microsoft patches earned the company’s most dire “critical” rating, meaning they fix flaws that can be exploited to break into vulnerable systems with little or no interaction on the part of the user. The critical patches plug at least 30 separate flaws. The majority of those are included in a cumulative update for Internet Explorer. Other critical fixes address problems with the Windows OS, .NET, Microsoft Office, and Silverlight, among other components.

According to security vendor Shavlik, the issues addressed in MS15-044 deserve special priority in patching, in part because it impacts so many different Microsoft programs, but also because the vulnerabilities fixed in the patch can be exploited merely by viewing specially crafted content in a Web page or a document. More information on and links to today’s individual updates can be found here.

Adobe’s fixes for Flash Player and AIR close at least 18 security holes in the programs. Updates are available for Windows, OS X and Linux versions of the software. For Mac and Windows users, the latest, patched version is v. 17.0.0.188.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox, Opera).

If you run Adobe Reader, Acrobat or AIR, you’ll need to update those programs as well. Adobe said it is not aware of any active exploits or attacks against any of the vulnerabilities it patched with today’s releases.


Default Credentials Lead to Massive DDoS-For-Hire Botnet

Threatpost - 12 May, 2015 - 22:44
Tens of thousands of home and office-based routers have been hijacked over the last several months to stage a distributed denial of service attack campaign.

Firefox 38 Fixes 13 Flaws, Ships With DRM Support

Threatpost - 12 May, 2015 - 21:39
Mozilla has fixed 13 security flaws in Firefox 38, including five critical vulnerabilities. The new version of the browser also includes a feature that enables the use of DRM-enabled video content in Firefox, a decision that comes with some controversy. DRM (digital rights management), the generic name for technologies that are used to restrict the […]