Senator Wyden’s Questions About Crypto-Ransomware

On December 15th, US Senator Ron Wyden sent a letter to FBI Director James Comey regarding crypto-ransomware. The reported costs are quite surprising.

Victims of ransomware attacks are reporting payments between $200 and $10,000 to get their personal or business-related data back.

$10,000? My guess is that this is due to multiple computers being hit rather than one overall fee.

Here are Wyden’s questions.

Wyden's questions to the FBI.

Hopefully the FBI will provide a detailed reply sooner than later.


Update: you can find the reply here.



SEE: Sandboxed Execution Environment

Available from F-Secure GitHub: SEE

Introduction:

Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.

The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments.

Plugins can be added to a Test Environment which provides an Event mechanism synchronisation for their interaction. Users can enable and configure the plugins through a JSON configuration file.

Link: https://github.com/F-Secure/see



The Online Arms Race

The Online Arms Race

Mikko at Web Summit 2015.



Did iOS 9 Really Improve Passcode Security?

I’ve been doing some password research and was recently reminded of this iOS 9 feature.

Apple: “The default for passcodes on your Touch ID–enabled iPhone and iPad is now six digits instead of four. If you use Touch ID, it’s a change you’ll hardly notice. But with one million possible combinations — instead of 10,000 — your passcode will be a lot tougher to crack.” (Emphasis mine.)

iOS 9 Improved Security

Six digits instead of four? Translation: there’s now room for your year of birth, too! So instead of “1101” it’s now “110160”. (Tim Cook was born November 1, 1960.)

It’s entirely anecdotal, but I’ve already met somebody doing this. And I have little doubt that many others are doing so as well.

But at least a six digit passcode discourages the use of certain four letter words…

5683 = LOVE on a telephone keypad.

Recommendation: change your passcode to a “Custom Alphanumeric Code” and create a good passphrase. On your iOS device, go to: Settings > Passcode > Change Passcode > Enter Old Passcode > Passcode Options.



The Case Of A Flash Redirector From A Brute Force Password Attack

We noticed an unusual spike in “Flash redirector” detection hits during October. The source was compromised websites.

RedirectorHits

Figure 1. Flash Redirector Detection Hits

The compromised websites had an injected code which loaded a malicious flash object that attempted to redirect users to the Angler exploit kit.

InjectedCode

Figure 2. Injected Code

This flash redirector is not a new thing. It was written about by MalwareBytes a year ago. However, the sudden spike we observed during October got our attention and prompted us to look at it a bit closer.

It was interesting to see that the URL pattern didn’t change much from what MalwareBytes saw, except that we didn’t see the use of the URL shortener us.to. The actors behind the attacks take advantage of free domains and unusual Top Level Domains.

RedirectorURLs2014

Figure 3. Flash Redirector URLs from 2014

RedirectorURLs2015

Figure 4. Flash Redirector URLs from 2015

While looking into how the websites were compromised, we noticed that all of them were built using WordPress. Our initial thought was that these websites were attacked via a vulnerable plugin.

Further investigation on the compromised servers revealed that one of the attacker’s tactics was a simple brute force password attack. The attacker attempted to enumerate WordPress usernames by accessing URLs such as these.

http://www.samplewebsite.com/?author=1
http://www.samplewebsite.com/?author=2
http://www.samplewebsite.com/?author=3

Below is a snippet of the access log that shows the author scanning.

accesslog1

After obtaining the username, the only thing that the attacker would need to figure out is the password. The tool used by the attacker attempted around 1200 passwords before it was able to successfully login.

accesslog2

After gaining access to an admin account, the attacker proceeded to upload malicious scripts onto the server. Such scripts included a backdoor, and even a spammer component.

accesslog3

The compromising of websites is one of the most effective ways for cybercriminals to deliver malware. Being creatures of habit, users typically visit their favorite websites without any thought that their machines might get infected. And so the owners of these websites have an important role in making this threat less prevalent. One of the things that has always been advised is to make sure that all tools running on your server are up-to-date to lessen the possibility of being attacked via vulnerabilities. However, in the case of this particular attack, we cannot stress enough how important it is to protect your username and the importance of using a strong unique password. Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything. You can also add this code in .htaccess to block author enumeration attempts.

# Stop wordpress username enumeration vulnerability
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ http://yoursite.com/somepage/? [L,R=301]

You can find more information here: Block WordPress User Enumeration, Secure WordPress Against Hacking



Wonknu: A Spy For The 3rd ASEAN-US Summit

In the era of APT’s, it feels like something is amiss when there is a forum of governments and no malware arises. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.

A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended to the compromised script file, which redirected a visitor to 43.240.119.35. (At the moment, this malicious script is not accessible.)

Redirection Traffic

Redirection Traffic

While still compromised, the ARC website also hosted an archive with the filename: the 3rd ASEAN Defence Ministers’ Meeting.rar. This contained malware that we detect as Backdoor:W32/Wonknu.A.

Wonknu is signed by Awarebase Corp., an information management solutions company whose customers include those from the Defense sector.

Wonknu Cert

Wonknu Cert

The malware drops a copy of itself to the system as c:\programdata\kav.exe. It then connects to 43.240.119.40:443 and functions as a backdoor that is able to accept the following commands:

  • GetsSysteminfo – Retrieve version information.
  • GetDiskInfo – Retrieve disk drive information.
  • GetFileList – Retrieve directory listing.
  • DownloadFile – Download file.
  • UpFile – Upload file.
  • RunExeFile – Run an executable file.
  • FileData – Write data to file.
  • DelFile – Delete a file.
  • NewDir – Create a directory.
  • CmeShell – Run a command from the shell.
  • Terminate Process
  • Enumerate Process

We tried to search for similar samples and found another one that used the same certificate.

Signed downloader

Signed downloader

This malware was first seen sometime around early August of this year. During that time, it could be downloaded from sft.spiritaero.com (Spirit AeroSystems is one of the largest producers of commercial aerostructures).

This malware pretends to be a Java file, Javaw.exe Version 6.0.0.105 to be exact. The original Java file was modified to include malicious code that downloads a file from 178.79.181.246. The downloaded file will be saved as Java_Down.exe on the affected machine. This URL is also currently inaccessible.

Downloader Code

Downloader Code

In addition, we’ve also found that this particular IP hosted Jquery.js, similar to the case above, but at the moment we are unable to obtain a copy of it as well.

URLs and IPs:
43.240.119.40:443
http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar
http://43.240.119.35/arc/Jquery.js
http://178.79.181.246/microsoft/Java_Down.exe
http://178.79.181.246/microsoft/jquery.js
https://sft.spiritaero.com/java/javaws.exe
Filenames:
the 3rd ASEAN Defence Ministers' Meeting.rar
the 3rd ASEAN Defence Ministers' Meeting.exe
c:\programdata\kav.exe
Java_Down.exe
Hashes:
a096a44aee0f0ff468c40488eab176d648b1c426
068fa495aa6f5d6b4e0f45c90042a81eecdaec2c
Detections:
Backdoor:W32/Wonknu.A
Trojan-Downloader:W32/Wonknu.B


Oops!… Dell Did It Again

Bad news: Dell has installed a rogue root CA on customer PCs.

Why is it bad? Because it’s trivial to perform man-in-the-middle attacks against any computer with the cert installed. Dan Goodin has an excellent writeup here.

Dell explained late yesterday evening that the cert “was intended to provide the system service tag to Dell online support”.

Response to Concerns Regarding eDellroot Certificate

Wait… where have we heard something like that before?

Back in April. Regular readers of News from the Lab will recall that Dell had some remote code execution issues via “Dell System Direct” in April 2015.

Here’s the (somewhat) good news: Dell Foundation Services appears to be far less prevalent than Dell System Direct.

Want to check if you have eDellRoot installed?

As Dan Tentler suggests, hit this site: https://edell.tlsfun.de/



Paper: C&C-As-A-Service

Artturi Lehtiö, a researcher on our Threat Intelligence team, recently presented a paper on abusing third-party web services as C&C channels at VB2015.

C&C-As-A-Service: Abusing Third-Party Web Services As C&C Channels

Here’s the abstract:

A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an easy task. Coincidentally, malware operators aren’t the only ones interested in secure and reliable communication. Popular web services also want to provide their customers with a secure and reliable service. Add to that the fact that popular web services generate large amounts of indistinguishable web traffic to blend into and it starts to sound irresistible. Unsurprisingly then, recent years have seen a growing trend among malware operators of abusing third-party web services such as Twitter, Facebook, and Gmail as command and control channels.

This paper explores the multitude of ways in which modern malware abuses third-party web services as command and control channels. Through real life examples – from common cybercrime to targeted nation-state espionage – the paper provides a comprehensive overview of both the methods employed by malware and the web services most commonly abused. This paper further analyses the benefits and disadvantages that are provided to malware operators when they abuse third-party web services as command and control channels. Finally, this paper also examines the challenges that such methods pose to the detection and prevention of malware.

Slides from Artturi’s presentation can be downloaded at Virus Bulletin.

And the paper from here: C&C-As-A-Service. [PDF]



Security Cloud White Paper: How Do We Handle Customer Data?

How F-Secure Labs handles customer data is of the utmost importance for those of us who work here. We would therefore like to invite you to read our latest white paper which details our back end technology a.k.a. “Security Cloud” [PDF].

Security Cloud: F-Secure Labs Security Technology White Paper

The paper explains the purpose, function and benefits of our technology and explains the safeguards taken when processing customer-sourced information.

F-Secure Security Cloud Purpose, Function and Benefits.



Linux.Encoder.1: We Are Accept Only Bitcoins

There’s a new crypto-ransom scheme currently in-the-wild targeting Linux-based systems. It’s called “Linux.Encoder.1” by the folks at Dr.Web. Basically, instead of setting up phishing sites or exploit kit redirects on vulnerable web-servers, the Linux.Encoder.1 extortionists are targeting the web-server owners directly by encrypting their content.

As a consequence, Google is indexing numerous victims.

Here’s a copy of the extortion note via Google’s cache.

README_FOR_DECRYPT.txt

Nice FAQ.

We are accept only Bitcoins. - http://memegenerator.net/instance2/2810855

“Can I pay another currency?”

“No.”

So, hopefully victims of Linux.Encoder.1 have backups… or else they’ll be forced to acquire a Bitcoin. No word yet on whether or not the extortionists will honor payment with an actual decryption key. And their Tor hidden service is currently offline. Which is less then promising.

Edited To Add:

Daavid Hentunen, a researcher on our Threat Intelligence team, estimates the extortionists have made €11934 in 1 month.



Halloween RAT: NanoCore Served Via PageFair Service

Over the weekend, PageFair, a counter ad-block solutions provider, was compromised via a spearphishing attack. The attackers performed a password reset which gave them access to PageFair’s account on a Content Distribution Network (CDN) service. The attackers then replaced PageFair’s Javascript to a malicious one: This is what was shown to visitors of websites that used this PageFair service: […]

2015-11-02

The Contents Of This CryptoWall Zip File Cost $1,000

“Payment is made successfully.” This is CryptoWall’s Decrypter Service after ransom has been paid. And this (decrypt.zip) is what you get for your money Bitcoin. It’s really not much to look at. But without a copy of your keys… you’ll never decrypt your files. Which is probably why the FBI says: “To be honest, we […]

2015-10-28

SLocker Versus Marshmallow

Android ransomware SLocker recently began taking advantage of Android Lollipop flaws in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow? First, let’s take look at SLocker versus Lollipop. Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”. Typically all-too-common sorts […]

2015-10-22

Dridex Takedown

The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally. Dridex […]

2015-10-15

Marshmallow Moves Android Towards iOS-like Permissions

Android 6.0 a.k.a. “Marshmallow” is now rolling out and its best new feature, from my point of view, is the introduction of a new permissions model. Well-crafted applications can now ask for permissions as they are needed, rather than all at once during installation. Apps designed for older versions of Android will still ask for […]

2015-10-06

VB2015

Mikko missed VB2015 this year… allegedly. I've been to every Virus Bulletin conference since 1993 but missed #VB2015. Except according to this video I didn't… http://t.co/elfsizCn9B — Mikko Hypponen (@mikko) October 2, 2015

2015-10-05

CISA Q&A

On September 10, 2015 the US House (Select) Intelligence Committee held a hearing on World Wide Cyber Threats. In his opening statement, ranking member Adam B. Schiff commented on the purpose of the Protecting Cyber Networks Act – the US House’s version of CISA. Here’s the full relevant text.   So there you have it, […]

2015-09-29

CryptoWall’s “Customer Journey” Sounds Like A Real Nightmare

The latest episode of Radiolab has what is without a doubt the best malware victim interview I’ve ever heard. Inna Simone’s computer was infected by CryptoWall late last year and based on her telling of it, the worst part of the experience was trying to buy the Bitcoin she needed to pay off the extortionists. […]

2015-09-28

The Dukes: 7 Years Of Russian Cyber-Espionage

Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes […]

2015-09-17

Another LinkedIn Sockpuppet

According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna. I’m not so sure about that. According to IMDb, Anna Sentina is really Anna Akana. Maybe LinkedIn should start charging to “verify” recruiter accounts? At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount […]

2015-09-15