Friday, 2 August 2013

JavaScript adverts can be used to create million-strong botnets for just $500

Fake adverts could be used to “remote control” internet browsers on a massive scale – allowing for cheap DDoS attacks, where millions of unwitting web users “attack” target sites.
Simply by buying adverts through legitimate ad networks, researchers from WhiteHat Security were able to swamp a test website, using adverts which included JavaScript instructions to repeatedly access an image on a target site. For just $2, the researchers were able to knock a server offline with 130,000 connections, in a demonstration at the Black Hat security conference in Las Vegas.
“Online advertising networks can be a web hacker’s best friend,” WhiteHat said in a statement. “For mere pennies per thousand impressions there are service providers who allow you to broadly distribute arbitrary javascript – even malicious javascript!”
Many ad networks allow JavaScript to be inserted into adverts, WhiteHat’s Matt Johansen says, and those that do do not inspect the code closely.
“We did not hack anybody; we used the way the Web works and brought down our own server,” said Johansen, in an interview with MIT’s Technology Review. “We’re just loading images as quickly as possible.”
Johansen said such attacks are cheap, and easily scalable. At current prices – 50c per 1,000 views, according to Johansen – a million browsers can be “bought” for just $500. “It’s really not that much money to do real damage to real sites on the internet,” he says.
“So why not just do a traditional denial-of-service attack? It’s not persistent. It goes away,” Johansen said in an interview with Dark Reading. “There’s no trace of this – we put the money in the machine, the JavaScript gets served up, and then it goes away. And it’s very, very easy.”
Johansen and his colleagues aim to move on to using such adverts to farm out the job of cracking encrypted passwords stolen in data breaches. Johansen says that getting such code in an advert would be “easy”.
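On the target's side, a campaign like this shows up as a flood of requests for one static resource from a very large number of distinct client IPs, each carrying a Referer from the ad network's iframe rather than from the site itself. The detection logic below is an added example, not WhiteHat's code: it parses combined-format access log lines, slides a time window over each requested path and flags that ad-iframe signature. The log lines are constructed, and the hostnames and thresholds are assumptions to be tuned against a real site's baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the Referer field is what exposes the ad iframe.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_host(referer):
    """Hostname of the Referer header, or '' when it is absent ('-')."""
    if not referer or referer == "-":
        return ""
    return urlsplit(referer).hostname or ""


def find_image_floods(lines, site_host, window=timedelta(seconds=60),
                      min_distinct_ips=50, min_offsite_share=0.8):
    """Flag paths fetched by many distinct client IPs inside one sliding window
    where most requests carry a Referer from outside site_host.

    Ordinary hotlinking comes from a few third-party pages and repeat clients;
    an ad-driven flood shows thousands of distinct IPs fetching the same
    resource over and over on behalf of an ad iframe.
    """
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append(rec)

    alerts = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            ips = {r["ip"] for r in window_recs}
            if len(ips) < min_distinct_ips:
                continue
            offsite = Counter(referer_host(r["referer"]) for r in window_recs)
            for own in ("", site_host):          # no Referer, or our own pages
                offsite.pop(own, None)
            share = sum(offsite.values()) / len(window_recs)
            if share >= min_offsite_share and (best is None or len(ips) > best["distinct_ips"]):
                best = {
                    "path": path,
                    "window_start": window_recs[0]["ts"].isoformat(),
                    "requests": len(window_recs),
                    "distinct_ips": len(ips),
                    "offsite_share": round(share, 2),
                    "top_referer": offsite.most_common(1)[0][0],
                }
        if best:
            alerts.append(best)
    return alerts


def constructed_sample_log():
    """Constructed sample, not real traffic: 60 distinct client IPs fetch
    /img/hero.jpg within 30 seconds with an ad-network Referer, plus five
    ordinary page views with no Referer."""
    base = datetime(2013, 8, 2, 10, 15, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i % 30)).strftime(fmt)
        lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET /img/hero.jpg HTTP/1.1" 200 5120 '
                     f'"http://ads.example.net/frame.html" "Mozilla/5.0"')
    for i in range(5):
        ts = (base + timedelta(seconds=i * 7)).strftime(fmt)
        lines.append(f'203.0.113.{i + 1} - - [{ts}] "GET /index.html HTTP/1.1" 200 8192 '
                     f'"-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for alert in find_image_floods(constructed_sample_log(), "www.example.com"):
        print(alert)
```

The thresholds are the whole game: a legitimate embed on a popular third-party page also produces off-site Referers, but from far fewer distinct clients per minute, so derive min_distinct_ips from the site's own per-resource baseline rather than from the numbers above. Blocking on Referer alone is trivial for the attacker to defeat (the ad script can fetch with no Referer at all), so this output is better used to rate-limit or cache the resource than as a hard block rule.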

Black Hat: Is Your Android Device Defended Against Untrusted App Sources?

[Caption: Bluebox OneRoot Scanner]
Early reports on the Android Master Key bug discovered by researchers at Bluebox claimed that as high as 99 percent of all Android devices could be vulnerable. Later reports backtracked substantially, noting that only users who turned off the feature that prevents installing apps from untrusted sources could possibly be affected. Nobody does that, right? In his Black Hat presentation, Bluebox's Jeff Forristal explained that it's not that simple.
The main thrust of Forristal's presentation involved explaining the Master Key vulnerability in great detail. He also reported on several other related bugs that could allow modification of apps without affecting the Android verification process. Most of these involved disparities between different ZIP file parsing modules within Android.
Common Wisdom?
At the end of the presentation Forristal addressed the contention that almost all users are protected by the setting that prohibits installing apps from untrusted sources. "'Everyone knows' that no users change the 'allow untrusted sources' setting," said Forristal. "Really? Where'd this data come from?" Those reports don't cite a source.
The Bluebox Security Scanner reports totally anonymous telemetry data back to Bluebox each time someone runs a scan. One of the items included in the telemetry is whether or not the device is set to allow apps from untrusted sources.
Forristal challenged the audience to guess how many users turned off protection against untrusted sources, in 25 percent increments. I guessed from 50 to 75 percent, and I scored. "How many users allow untrusted sources?" asked Forristal. "69 percent of the people flipped the switch!"
He noted that the sample was just a quarter of a million users. "I feel the 69 percent figure is high," said Forristal, "probably due to our sampling population. I'd love to see this on 10 or 100 million. Even if it was closer to 20 percent, it's still big, way bigger than those 'experts' think."
Why So High?
"There are a lot of reasons motivating users to disable this protection," noted Forristal. "It's not just for pirated applications. Amazon Appstore, for example, they do a lot of work to ensure it's malware-free, but if you put it on your non-Amazon device, step one for installation is to allow apps from sources other than Google Play. Enterprises need to have that setting off for their BYOD and MDM solutions, and to distribute in-house apps."
"There are a number of compelling reasons to change that setting," concluded Forristal, "and once they change it, it won't get put back." Of course, that's the same argument some experts used to predict that no users would make the change in the first place: it's just too much work.
That setting is theoretically irrelevant if you never go anywhere for apps but Google Play, but why take chances? If I were an Android user, I'd definitely enable the ban on untrusted app sources.
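One of the parser disparities Forristal described, the original Master Key bug, was an APK carrying two entries with the same filename: the component that verifies the signature reads one copy and the component that installs the app unpacks the other. The check below is an added example, not Bluebox's scanner. It builds a constructed APK-like ZIP with a duplicated classes.dex and shows that Python's own zipfile lists both entries yet, when asked for the file by name, silently returns the last one; a verifier that took the first entry and an installer that took the last would disagree in exactly the way the bug exploited. Refusing any archive with duplicate entry names is the simple defensive check. The entry contents are placeholders.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(zip_bytes):
    """Names that appear more than once in the archive's central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def entry_versions(zip_bytes, name):
    """Content of every entry called `name`, in central-directory order.

    Reading by ZipInfo (not by name) seeks to each entry's own local header,
    so both copies come back instead of whichever one the name index kept.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def read_by_name(zip_bytes, name):
    """What a parser that indexes entries by name hands back: the last copy wins."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def is_safe_to_install(zip_bytes):
    """Policy: any duplicated entry name means two parsers may see two different files."""
    return not duplicate_entries(zip_bytes)


def build_sample_apk(tampered):
    """Constructed APK-like archive; the contents are placeholders, not real dex or manifest data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035\x00original code")
        if tampered:
            # zipfile only warns about a duplicate name; it happily writes a second entry,
            # which is the whole point: the format permits what the verifier did not expect.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00injected code")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)), ("tampered", build_sample_apk(True))):
        print(label, "duplicates:", duplicate_entries(apk), "safe:", is_safe_to_install(apk))
        print("  by name:", read_by_name(apk, "classes.dex"))
        print("  all copies:", entry_versions(apk, "classes.dex"))
```

The point to carry over to any other format with both an index and a sequential structure: never let two code paths pick the entry for the same name independently. Either reject the ambiguity outright, as is_safe_to_install does, or resolve it once and pass the resolved ZipInfo to every consumer.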

PRISM: GCHQ receives £100m from NSA and told to ‘pull its weight’

[Caption: GCHQ Cheltenham]
The US government has contributed at least £100m to the budget of the UK's GCHQ in the last three years in a bid to make sure the intelligence agency "pulls its weight", according to information revealed to the Guardian by NSA whistleblower Edward Snowden.
The paper cited a GCHQ strategy meeting in which attendees were told: "GCHQ must pull its weight and be seen to pull its weight."
It has already been revealed that the UK played a large role in American surveillance tactics, allegedly tapping Atlantic internet cables in order to keep track of web traffic, emails and phone calls originating from the European continent in an operation known as Tempora.
The Guardian said that at least £22.9m was handed to GCHQ in 2009, with a further £39.9m contributed in 2010 to assist its Mastering the Internet project.
It was also revealed that GCHQ has seen a 7,000 percent increase in the amount of mobile web traffic it is able to keep tabs on. The Guardian also alleges that GCHQ places the blame for the majority of cyber attacks against the UK squarely on China and Russia, and is now working with the NSA to create a cyber warfare strategy.
A senior Whitehall security source told the Guardian, however, that the close relationship isn't quite as co-operative as it has been portrayed. "The fact is there is a close intelligence relationship between the UK and US and a number of other countries including Australia and Canada. There's no automaticity, not everything is shared. A sentient human being takes decisions."
Edward Snowden was yesterday granted temporary asylum in Russia, sparking a diplomatic spat in which the White House said it was "extremely disappointed" with the decision.
Earlier this week the software behind the PRISM campaign was revealed, showing the full extent of the USA's surveillance methods and the alleged lack of justification required to do so.
The revelations come despite foreign secretary William Hague saying that UK citizens should have "confidence" in GCHQ, arguing its work is vital for national security.

UK foreign secretary William Hague: UK citizens should have ‘confidence' in GCHQ

Foreign secretary William Hague has said UK citizens should have complete “confidence” that the GCHQ spy agency operates in “full accordance with our laws and values”, despite revelations of huge internet spying programmes and claims that the agency works at the behest of the US.
Hague issued a rallying cry about the importance of the agency after visiting the Cheltenham-based organisation as part of a routine visit on Thursday, the Foreign Office announced.
While there he was briefed by staff on cyber security and intelligence operations at the centre and met some of the new apprentices at the agency.
Commenting on their work, Hague said it was easy to forget just how vital the agency is to help keep the UK safe, as it tackles a wider range of ever-evolving threats to the country.
“Those who threaten our national security through terrorist acts, organised crime and cyber attacks, should be aware that this country has the capability, skills and partnerships to protect its citizens against the full range of threats in the 21st century,” he said.
“Our adversaries’ approach and techniques are constantly changing and our intelligence agencies are faced with a tremendous challenge to keep pace."
Hague added that while the organisation deals with these challenges, it never acts outside the scope of its authority. "They are responding to this challenge with commitment, creativity and integrity: they act in full accordance with our laws and values," he said.
However, Hague’s comments come amid mounting criticism of the agency, in light of revelations the agency was involved in a huge data-gathering exercise called Tempora, in which it was found to be tapping into global telecoms networks to siphon data.
It was also accused of working with US spy officials at the NSA to share data under the wide-ranging PRISM programme.
The Intelligence and Security Committee (ISC) dismissed claims that this was illegal after a report into these activities came to light.
Despite the report clearing GCHQ of any wrongdoing and the praise from Hague, fresh revelations this week have said that the US paid the agency £100m. This money was given to help build listening posts, such as those at Bude, Cornwall, and to secure influence over the work being carried out.

Beijing hacking combine exposed

A Beijing-based hacking combine that has broken into hundreds of company networks — and continues to do so with near impunity — may have a tougher go of it from here on out.
That’s because here at the Black Hat Conference researchers from Dell SecureWorks disclosed evidence that helps fingerprint the handiwork of one of the top two cyber espionage gangs operating out of China.
Dell SecureWorks calls them the Beijing Group, so named for the location of the IT infrastructure they use to pull off their hacking campaigns.
The Beijing Group’s quirks and one of their most successful pieces of malicious software, called Comfoo, have been painstakingly flushed out by Don Jackson and Joe Stewart, veteran researchers at Dell SecureWorks’ Counter Threat Unit, as well as other researchers, over the past 18 months.
Jackson and Stewart told CyberTruth they were taking the uncommon step of sharing these details publicly to help their fellow forensic experts worldwide more easily find and eradicate the Beijing gang’s systemic spying.
"It’s clear that this is an adversarial force with tremendous resources and capabilities," Jackson says. "They’re responsible for setting up a vast network of listening posts to try to shift the strategic advantage from one party to another."
The Beijing Group was one of two hacking groups behind the 2010 deep hack of RSA SecurID, in which they stole data underpinning the one-time password tokens sold by RSA and used widely by defense contractors and others to limit access to sensitive accounts and databases.
In fact, this gang is one of two major China-based hacking combines that are widely tracked by security researchers and are known to have infiltrated hundreds of private companies and government organizations in the U.S., Europe and Asia.
Much of the Beijing Group's capers have been aimed at organizations in Japan, India and South Korea. The attackers target trade organizations, telecommunications firms, think tanks, news media and even audio and videoconferencing manufacturers.
"This is more evidence of ongoing attempts to gather information from sensitive places," says Stewart. "They are getting into really important networks and monitoring and gathering information over a period of years."

Companies 'not aware' of being hacked

Most companies are not aware that they have been compromised and their intellectual property stolen, a cyber security firm has said.
"Most organisations who we actually end up doing forensics investigations for didn't figure out for themselves that they'd actually suffered a compromise - that they'd been hacked," John Yeo, EMEA director at Trustwave, told News24.
Trustwave division Spiderlabs specialises in penetration testing or ethical hacking.
Yeo said that the overall majority of clients the company handled were unaware that they had been compromised.
"Of all the forensics investigations that we did last year in only 25% of cases did the victims figure it out for themselves that they’d been hacked."
While most companies rely on antivirus solutions to prevent malware from intruding, Spiderlabs' research shows that attacks on corporations have become targeted.
"Of those 415 investigations we conducted last year, the vast majority we saw in each of those cases was bespoke so it wasn't something that was off the shelf or that was used in many different organisations - it was written with a very specific purpose in mind and was only used once," said Yeo.
He said that hackers who conduct attacks usually have a long period of access to company servers before they are detected.
"Intuitively you’d think that if an organisation gets hacked, they’d know about it and they’d know about it pretty quickly. But the reality is that they don’t figure it out for themselves and on average it takes about 210 days before the detection actually takes place."
Antivirus solutions that rely on virus definitions do not readily register malware that has been specifically designed to target a computer if that malware has not been identified previously.
This implies that hackers - whether they be corporate or state - can harvest data from companies without their knowledge or setting off alarms.
"Signature-based antivirus hasn't got a hope of being able to detect it and any organisation that thinks 'I've got antivirus deployed on my mission critical systems and if the worst case scenario happens, I'm going to detect it,' that's not going to happen," said Yeo.
Older software
Despite the release of so-called secure operating systems, Spiderlabs said that their experience shows that there is usually a fair number of systems running older software that can be exploited in medium to large firms.
Hackers typically gain entry into these older systems and quietly steal intellectual property.
"Attackers basically have free rein to a large extent. They manage to penetrate an organisation and they manage to harvest data for long periods of time before anyone figures out that anything is wrong," said Yeo.
He said that it was easier to go after "low hanging fruit" when looking to compromise a company and configuration errors and legacy systems were ideal targets for hackers.
"An attacker only needs to find the weak link in the chain, the chink in the armour. They're not going to go with a sledgehammer after the most secure system in the environment."

Dragon Lady: An Investigation Into the Industry Behind the Majority of Russian-Made Malware

Today at DEF CON 21, we presented an in-depth investigation of Russian SMS fraud code-named “Dragon Lady,” referencing the U2 reconnaissance aircraft that were used during the Cold War to monitor the Soviet Union. Starting in December 2012, this investigation brought together vast amounts of data from multiple channels to uncover a pervasive and organized cottage industry built around the distribution of Android premium SMS fraud. We’ve enumerated ten “Malware Headquarters” accounting for over 60 percent of the Russian malware Lookout has observed in the wild.
We discovered several distribution channels through sources such as Twitter, then followed a digital path back from those distribution channels to identify several ‘start-up like’ organizations. These Malware Headquarters (Malware HQs) handle business logistics, manage SMS short codes and offer an easily configurable Android SMS fraud malware platform. Affiliate marketers then customize the malware apps and distribute them through channels like Twitter to drive mobile users to fraudulent affiliate websites. Unwitting victims are tricked into downloading malicious apps that charge a fee through premium SMS toll fraud. We’ve seen evidence that these affiliate marketers have earned between $700/month and $12,000/month from these scams, and estimate that there are thousands of individual distributors and potentially tens of thousands of affiliate websites promoting this custom SMS malware in the same manner as traditional affiliate web marketers. Many of the malware organizations, affiliates and campaigns remain live; however, all Lookout users are protected from known threats.

Key Findings

  • Organized groups of Android malware authors are operating like startups: tapping multiple individuals or organizations for specialization in different business areas, leveraging online tools for promotion and developing affiliate programs. At least one Russian malware “startup” has been discovered earning tens of thousands of dollars per month and operating thousands of websites through their affiliates.
  • Many of the malware families have regular code release cycles every few weeks similar to agile software development organizations.
  • Twitter is a major tool for distribution by these affiliates. They are using Twitter as a vehicle to distribute tens of thousands of links to malicious apps in an effort to leverage the social media platform to drive more traffic to their download pages. While promoting malware is nothing new, this demonstrates how rapidly they are adjusting to mobile and experimenting with new media formats for campaigns.
  • The organizations offer “Easy-Bake” Android SMS fraud malware where affiliates can configure their options, and the code is compiled automatically each time a victim downloads it. The link is attached to a unique piece of malware that the affiliates can then distribute as they see fit in an effort to maximize download numbers. This process makes it very simple for anyone to execute a malware campaign.
  • Russian malware affiliates are experimenting with various distribution tactics, which range from straight-up distribution of malware links, to more “grey-area” borderline ad networks that distribute bad stuff. We’ve witnessed Android advertising libraries used as alternative distribution channels for malware campaigns. Specifically, our discovery of BadNews in April was an example of a malicious advertising library which was primarily used to send victims links to SMS toll-fraud malware.
  • The malware authors employ several anti-detection techniques in both their distribution points and their code. Most of these evasion techniques are basic individually, but in combination they make new versions of the malware considerably harder to track.

The Malware HQ: An Organized Operation

Lookout followed the trail of Russian SMS fraud malware back to several well organized distribution hubs which we’re calling a Malware HQ. We enumerated ten Malware HQs accounting for over 60 percent of the Russian malware Lookout has observed in the wild. These organizations handle many of the logistics and business services required to manage an SMS fraud campaign, then offer these pre-packaged services to “affiliates” who can focus on running campaigns and driving additional traffic without needing to handle the low-level technical and business requirements. These Malware HQs entice new affiliates with a common message: “We’ll make it easy for you to monetize your mobile web traffic.” Of course this monetization is accomplished by the predatory practice of promising victims a useful Android application under false pretenses and instead covertly charging them through premium SMS messages. Below are examples of the websites operated by the Malware HQs.

[Caption: Websites operated by Malware HQs that demonstrate how easy it is to make your own malware.]
Some of the services offered by Malware HQs are:
  • Development and maintenance of the Android SMS fraud apps
    • On average new code updates are released every 1-2 weeks
    • Many of the Malware HQ use multiple levels of code and data obfuscation techniques to avoid detection
  • Registration of SMS short codes and dissemination of resulting funds
    • Each of the Malware HQ organizations has up to 100 individual short codes, which target users in a specific set of countries.
    • Most Malware HQs include these SMS short codes in encrypted or encoded configuration files which are regularly updated along with the code and are included in the latest release.
Below are examples of gamification of affiliate earnings managed by a Malware HQ.

  • Affiliate marketing programs
    • Gamification of earnings and contests for the biggest winners
    • Affiliate communications including newsletters and regular blog posts about new features
Below is a newsletter by Malware HQ with posts about a competition, maintenance and payout schedule:

Easy Bake Malware: Customized SMS Fraud

The core function of a Malware HQ is to provide affiliates with a custom-built Android application which will charge victims through premium SMS messages and funnel the resulting funds back into the affiliate’s payment account. Although some Malware HQs have a few special features, all of them follow the same basic recipe. A simple step-by-step guide takes even the most novice of affiliates through the process of creating customized Android SMS fraud applications. Affiliates can either create a custom template or choose from pre-packaged templates, often portraying popular apps such as Google Play, Adobe Flash, Skype, games like Bad Piggies, MP3s, or pornography. The templates are highly configurable, allowing the affiliates to change the application’s title, icon, look and feel, and even how much the victims will be charged. Affiliates then use a tracking system provided by the Malware HQ to monitor the number of “impressions” and “conversions” for a particular campaign, allowing the more advanced affiliates to optimize and iterate campaigns.
6 Step Process to Easy-Bake Malware from one Malware HQ:
Step 1: Create your campaign

Step 2: Choose your target operating systems

Step 3: Select your mobile template with extra details including conversion rate

Step 4: Code to copy and paste into your website to redirect your visitors to download pages

Malvertising: Affiliates & Distribution

A significant amount of money and effort is invested in affiliate campaign management and distribution. We discovered at least one affiliate investing $1k-$2k in operating expenses over three months, and claiming $12,000 in profit. Based on the investigation of the sites involved, we estimate that there are thousands of marketing affiliates and potentially tens of thousands of affiliate websites involved in promoting these pieces of malware.
Similar to traditional marketing campaigns, a greater volume of web traffic and more intuitive process will lead to higher conversion. Once an affiliate has created their customized SMS fraud application at Malware HQ, their goal is to entice mobile users to visit the campaign, hosted on a mobile web page and install the malicious application. Affiliates are experimenting with the latest marketing techniques, like social media and mobile ads. The tactics for driving traffic include:
  • Destination Landing Pages: Affiliates are responsible for creating their own destination landing pages that redirect users to download the malicious app hosted by the HQ. These landing pages are often designed to be enticing to mobile users, advertising popular downloads such as Angry Birds, Skype, Opera, or Flash updates.
Below are samples of affiliate landing pages.

  • Twitter: Twitter is a primary distribution channel for malware affiliates because search engines assign a high value to indexed tweets, which means a higher ranking in the search results. When searchers seek out free songs, apps or porn, a high search ranking promotes the affiliate content. Lookout combed through 247,863 unique Twitter handles and over a million tweets. Nearly 50,000 of the unique handles and nearly 25 percent of all tweets identified were confirmed to link to malware. While many of the accounts were still active, Twitter’s security team appeared to have disabled accounts which they identified as malicious. We reported the remaining malicious accounts, their behavior, and our findings to Twitter in May 2013.

[Caption: Malvertising by an affiliate that links to landing pages that host malicious apps]
  • Mobile Ad Networks: Lookout recently reported on a new malware, BadNews, which was found to be a new technique to drive mobile traffic to SMS fraud campaigns. BadNews was designed to look like an advertising library in legitimate Android applications, but the advertisements that it displayed linked directly to SMS fraud malware hosted by top HQs.

[Caption: The blurred URL in this string of code—sampled from BadNews—links to a landing page promoting malware hosted by a Malware HQ]

Victims of SMS Fraud

The typical victim of this malware scheme is a Russian speaker searching for popular applications such as Skype or for free porn, videos, pictures and MP3s. The landing pages that the affiliates build are tuned to filter out any visitors who come from outside their targeted countries or who are not using a mobile device. A victim might search for a free version of “Bad Piggies” and stumble on a website that looks like an official Russian download page, but is actually a specially crafted affiliate landing page. When a victim clicks to download what they believe to be the Bad Piggies app, they will be charged a fee via premium SMS messages without their consent. There are often terms of service (TOS) included in the app when the user downloads it, but they are not well presented to the user. Often, the TOS is intentionally buried or hidden from sight, such as white text on a white background, or the user is forced to scroll for two minutes before the TOS appears. To add insult to injury, even after being charged by the malicious application, the victim is only provided a link where they may be able to download the actual (free!) application they were looking for originally.

Anti-Detection Techniques

Both the affiliates and the Malware HQ organizations are sensitive to the fact that anti-virus companies and network operators are constantly observing their operations in an attempt to curb their success. In fact, we know they specifically attempt to evade Lookout:

To avoid detection and maximize their success they use several layers of common evasion techniques, including:
  • Android SMS Malware Obfuscation
    • Code Obfuscation
      • Package, class, and method naming randomization
      • Encrypted strings
      • Injected dummy code
      • Reflection
    • Encryption
      • Configuration files and assets are encrypted
  • Affiliate Landing Pages
    • Traffic is filtered based on a victim’s:
      • Country: determined from the IP address and typically limited to Russia and the surrounding region.
      • Device type: typically determined from the User-Agent string, but we have also begun to see a rise in landing pages which use run-time JavaScript tests to verify that the visitor is in fact using a mobile device.
  • Twitter Distribution
    • Affiliates will generally use a “low and slow” approach: registering a large number of accounts, spreading the landing page advertisements evenly across all of them and tweeting them out at a slower rate.


Lookout has been actively tracking SMS fraud malware that targets Android users since the first example was found in the wild in August 2010. Three years later, we’ve seen significant advancements in sophistication and evasion techniques, however the primary purpose remains unchanged: make financial gains by enticing users to download a malicious application under false pretenses, then secretly making charges to their phone bill via premium SMS messages. Early on we were able to determine that this type of malware was being hosted on custom websites, designed to lure victims in with enticing themes such as pornography or games.
Over time, this collection of malware samples which targeted Russian users with SMS fraud, became the largest percentage of our total Android malware collection. Over 50% of Lookout’s total malware detections in the wild for the first half of 2013 were Russian SMS toll fraud applications. By reviewing each new version of code, we saw a few patterns emerge:
  • The code became more complex and structured over time, resembling professionally developed code.
  • The code was highly configurable and reduced the amount of hard-coded information such as SMS short code numbers and messages, replacing them with XML configuration files.
  • The malware authors made a significant effort to obfuscate their code and encrypt their configuration files to evade detection.
  • The code was updated on regular release cycles, every 1-2 weeks in most cases.
These factors, combined with the dramatic increase in the number of detections, seemed to indicate not only that there were significant efforts behind some of these malware families, but they are also well organized operations.
We began to monitor a live Twitter stream to look for users advertising links to Android downloads that fit the common themes, such as popular games, apps, or pornography. Within minutes of monitoring tweets fitting these descriptions, we quickly realized that we were on to something as we noticed clusters of tweets in Russian advertising popular game titles like the ones below.

[Caption: Clusters of Russian tweets advertising popular game titles]
Note that many of the authors of these tweets are using Twitter’s default egg profile pictures, which we confirmed is a key indicator for malware distribution accounts.
Over the next months, we monitored the incoming tweets and identified nearly 50,000 Twitter accounts used for the advertisement and distribution of Android SMS fraud malware. These tweets contained links to malware advertising landing pages on over 200 domains, which we began to investigate deeper. Once the malicious link from a Tweet is clicked, the victim is directed to the malicious landing page then redirected (often automatically) to a download URL hosted on a domain operated by the Malware HQ containing their affiliate ID. The affiliate then receives credit for the download from the malware HQ hosting their campaign. Since the malware has to be dynamically compiled with the latest code and configurations, the affiliate can’t simply download and redistribute the malware on their own, they must direct each victim to a service operated by the Malware HQ which will build a unique malware application “on the fly” once a download request is made.
Based on this insight, we were able to follow each of the 50,000+ malicious URLs back to identify a handful of custom download servers operated by different Malware HQs. Since we believed these download domains were operated by the Malware HQs, we set out to find other related domains which might lead to the main Malware HQ website. We cross-referenced the download domains against passive DNS records to get a list of all IP addresses that the domain had ever resolved to, then cross-referenced those IPs against passive DNS records to find all domain names that had ever resolved to them. Passive DNS operates by using a distributed sensor network to archive DNS name resolutions each time they are resolved. We use this historical data set to discover all of the IPs that a DNS name has pointed to over time, even if the domain is no longer active. Using this technique, we discovered the Malware HQ for several download servers, since they once shared the same IP address, even if they didn’t at the time of discovery. Although this bottom-up approach was often fruitful, we were also able to identify Malware HQs using more traditional methods such as forum postings and Google searches.
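The pivot described above, from download domains to the IPs they ever resolved to and from those IPs back to every name that ever pointed at them, is easy to state and easy to get wrong, because a single shared-hosting or CDN address drags in hundreds of unrelated names. The following is an added illustration and not Lookout's tooling; the passive DNS records are constructed and the domain names are placeholders. The one design choice worth copying is the cap on how many names an IP may host before it is treated as noise rather than as a link.

```python
from collections import defaultdict

# Constructed passive DNS records (rrname, rdata, first_seen, last_seen); not real data.
# Two download hosts share 198.51.100.10/.20 with a panel and a stats host over time;
# 203.0.113.99 is a shared-hosting address that dozens of unrelated tenants also use.
PDNS = [
    ("dl-one.example", "198.51.100.10", "2013-01-05", "2013-03-01"),
    ("dl-one.example", "198.51.100.20", "2013-03-02", "2013-07-30"),
    ("dl-two.example", "198.51.100.20", "2013-04-10", "2013-07-30"),
    ("dl-two.example", "203.0.113.99", "2013-01-01", "2013-01-02"),
    ("hq-panel.example", "198.51.100.10", "2012-11-01", "2013-02-15"),
    ("affiliate-stats.example", "198.51.100.10", "2013-01-01", "2013-07-30"),
    ("unrelated-blog.example", "203.0.113.5", "2013-01-01", "2013-07-30"),
] + [(f"tenant{i}.example", "203.0.113.99", "2013-01-01", "2013-07-30") for i in range(40)]


def build_indexes(records):
    """Bidirectional name<->IP index over every resolution ever observed."""
    name_to_ips = defaultdict(set)
    ip_to_names = defaultdict(set)
    for rrname, rdata, _first_seen, _last_seen in records:
        name_to_ips[rrname].add(rdata)
        ip_to_names[rdata].add(rrname)
    return name_to_ips, ip_to_names


def pivot(seeds, records, max_names_per_ip=20):
    """Names related to the seed domains through an IP they ever shared.

    Returns (found, skipped_ips): found maps each related name to the seed and
    IP that linked it; skipped_ips are addresses hosting more than
    max_names_per_ip names, treated as shared hosting/CDN noise and not pivoted.
    """
    name_to_ips, ip_to_names = build_indexes(records)
    found = {}
    skipped_ips = set()
    for seed in sorted(seeds):
        for ip in sorted(name_to_ips.get(seed, ())):
            names = ip_to_names[ip]
            if len(names) > max_names_per_ip:
                skipped_ips.add(ip)
                continue
            for name in sorted(names):
                if name not in seeds and name not in found:
                    found[name] = (seed, ip)
    return found, skipped_ips


if __name__ == "__main__":
    related, noisy = pivot({"dl-one.example", "dl-two.example"}, PDNS)
    for name, (seed, ip) in related.items():
        print(f"{name} <- {seed} via {ip}")
    print("skipped shared IPs:", sorted(noisy))
```

Note that the link to hq-panel.example comes through an IP the download host no longer used at the time of the lookup, which is exactly the "once shared" case the text relies on. The first_seen/last_seen fields are carried but not used; requiring overlapping date ranges would tighten the pivot at the cost of losing such historical links, and a hosting provider recycling an address across customers is the usual source of false positives when they are ignored.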
This report was prepared and written by security researcher and engineer Ryan Smith.

What do a banking Trojan, Chrome, and a government mail server have in common?

In recent weeks, ESET researchers in Latin America have been working on the analysis of, and research into, a banking Trojan targeting Brazilian computer users. The criminals perpetrating this particular threat came up with an interesting structure to deceive users and modify their systems in order to steal people's private data. To achieve its goal the malware uses a malicious Chrome plugin to sniff users' activities and send the stolen credentials to the criminals via email using a Brazilian government website.
Banking Trojans are one of the most common threats in Brazil, and one of the most profitable kinds of attack that cybercriminals use in this country. The objective of this kind of malware is to steal users' bank account credentials in order to get their money while remaining undetected by accessing the accounts sparingly.
As one example of this kind of malware, the threat detected by ESET products as MSIL/Spy.Banker.AU was spread through a spam campaign, infecting users' computers and installing a malicious Google Chrome plugin to spy on the victim's Internet activities.
The main executable associated with the spam campaign acts as a dropper, installing a set of DLLs and JavaScript files at specific places inside the system, including the Google Chrome plugin.
Malware resources
When the malicious plugin is installed, it monitors all the websites visited by the potential victim and triggers its malicious payload if certain Brazilian financial entities are accessed. Once the user logs into her account, the malware logs her banking credentials and sends them to the attacker.
Some of the files dropped by the executable are detected as:
File            Detection
Microsoft.js    JS/Spy.banker.G
Service.js      JS/Spy.banker.G
Skype.js        JS/Spy.banker.G
In order to achieve its goal the plugin requests certain kinds of permissions, as listed in the plugin manifest file (Manifest.json), but as the user is not aware of this she will never find out that her activities are being tracked.
We note that use of this technique is on the rise because modifying the victim’s browser or installing malicious plugins gives cybercriminals a better success rate when their goal is to steal private information including email, bank account or social network credentials. For additional insight into the capabilities of a malicious Google Chrome plugin I invite you to review Aleksandr Matrosov’s post about Win32/Theola using a Chrome plugin to commit bank fraud.
Once the plugin is set up, it needs to extract the stolen data and send the information to the attacker. In order to achieve this goal and remain anonymous, the attackers came up with a rarely seen technique using a design flaw in the configuration of a Brazilian government website.
This misconfiguration allowed the attackers to use an email account on that site to forward the data to two different email accounts hosted by one of the most commonly used mail services.
Email sent
Two different kinds of email were sent: the first was triggered at every new infection, and the second was sent when the victim logged into her bank account. For this purpose the malicious scripts are structured to query which URL the user is visiting and, if it matches any of the targeted financial institutions, to grab the form's data and store it in a cookie to be sent later.
As can be seen in the Manifest.json image, scripts are triggered every time the user visits a URL: the common structure of Chrome plugins is such that on every tab the file called Service.js will be executed. The combination of the permissions requested and the methods included in each of the malicious JavaScript files are responsible for parsing and fetching the form fields and user data.
Thanks to the collaboration of CERT.BR we have been able to disable this attack and block the email accounts related to this threat, and we have informed the affected institutions and organizations about the attack. The affected website has already patched the vulnerability on its server, invalidating any further attempt by the cybercriminals to use this government website for malicious activities via that vulnerability.
For a detailed explanation of the techniques used and analysis of this threat, we suggest you read the white paper (.pdf).
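The manifest traits the two paragraphs above describe (a content script injected into every tab, sensitive permissions, data staged in cookies for a background page to relay) are what a defender would look for when auditing installed extensions. The following is an added example, not ESET's tooling; SAMPLE_MANIFEST is constructed to mirror the description, not the real Manifest.json, and every file name in it other than Service.js is a placeholder.

```python
"""Audit a Chrome extension manifest for the all-tabs spying pattern.

Added example, not ESET's analysis tooling. Both manifests below are
constructed; the malicious one mirrors the behaviour described in the
article, the benign one is a contrast case with narrowly scoped access.
"""
import json

# Match patterns that let a content script run on every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, combined with all-site injection, enable credential theft
# and exfiltration (tabs/history reveal browsing, cookies give a relay channel).
SENSITIVE_PERMISSIONS = {"tabs", "cookies", "history", "webRequest",
                         "webRequestBlocking", "<all_urls>"}

SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Service Helper",            # constructed name
    "version": "1.0",
    "permissions": ["tabs", "cookies", "<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["Service.js"], "run_at": "document_end"}
    ],
    "background": {"scripts": ["background.js"]},  # placeholder file name
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Site Notes",                # constructed name
    "version": "0.3",
    "permissions": ["storage"],
    "content_scripts": [
        {"matches": ["https://notes.example/*"], "js": ["notes.js"]}
    ],
})


def broad_content_scripts(manifest):
    """Return the js files of every content script that matches all sites."""
    hits = []
    for cs in manifest.get("content_scripts", []):
        if any(p in BROAD_PATTERNS for p in cs.get("matches", [])):
            hits.extend(cs.get("js", []))
    return hits


def audit_manifest(text):
    """Return (risk, findings); risk is 'low', 'medium' or 'high'."""
    manifest = json.loads(text)
    findings = []
    perms = set(manifest.get("permissions", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))
    everywhere = broad_content_scripts(manifest)
    if everywhere:
        findings.append("injected into every tab: " + ", ".join(everywhere))
    if everywhere and "cookies" in perms and "background" in manifest:
        findings.append("all-site content script + cookies + background page: "
                        "form data can be staged in cookies and relayed out")
    if everywhere and sensitive:
        risk = "high"
    elif everywhere or sensitive:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        risk, findings = audit_manifest(text)
        print(label, risk, findings)
```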
Fernando Catoira, Security Analyst
Pablo Ramos, Security Researcher
Sebastian Bortnik, Education and Research Manager
File hashes
MulheresPerdidas.exe f7d63175ff8b4959c425ad945e8e596e
Microsoft.js 6a944a7da3fc21b78f1a942ba96042a0
Service.js 6c1daaccd036cd602423f92af32cdc14
Skype.js 28174674f60ce4d3fb1ac8a74686b3ca
Vaio.dll c9e20bdec9264bbb6de34c5dd7be0c79

Tragedy and controversy fail to slow innovation at Black Hat

V3 reporter Shaun Nichols 
As dawn broke on the 2013 Black Hat security conference, attendees and organizers alike had heavy hearts and plenty of apprehension.
Just days prior, news had broken of the death of iconic security researcher Barnaby Jack. The master hacker had made headlines at previous conferences for demonstrating high-profile hacks such as a cash-spitting ATM machine and, more importantly, had no shortage of friends and admirers within the security industry.
Jack had been scheduled to demonstrate at the conference, showing off hacking techniques which could have left implantable biomedical devices vulnerable to attacks. As the show kicked off, many were still in mourning, and Black Hat general manager Trey Ford solemnly opened the conference with a moment of silence.
Further complicating matters was a sense of tension caused by the conference's keynote speaker. NSA chief General Keith Alexander had long been scheduled to open the conference with his address. In the weeks leading up to the speech, however, news broke about the NSA's secret PRISM surveillance programme, and the saga of Edward Snowden left many in the security community with a less than stellar opinion of the NSA.
Even with the tension and heartbreak, however, the Black Hat community endured.
Alexander kicked off the show with a surprisingly candid explanation of the NSA surveillance programme which included screenshots and a detailed explanation of the surveillance tools themselves. Despite the occasional outburst from hecklers in the audience, Alexander's keynote went off with minimal interruption and, despite the obvious tension in the air, his keynote drew applause from the thousands in attendance.
With the keynote out of the way, Black Hat's numerous presenters were able to do what they do best: hack stuff.
Among the most fascinating presentations was a demonstration by iSEC researchers which showed how an aftermarket femtocell unit could be modified to become a surveillance and espionage kit. While previous demonstrations had been able to intercept SMS messages, the iSEC researchers took things a step further by intercepting audio from a call live on stage and showing how handsets connected to the femtocell could effectively be "cloned."
The phone hacking fun continued when a group of researchers from Georgia Tech University exploited flaws in Apple's iOS platform to craft a malicious "charger" system which could take over the device and use an uploaded developer profile to install malware and then hide the applications as otherwise legitimate iOS apps.
In the weeks leading up to Black Hat 2013, the big security story was the high-profile Android flaw which left an overwhelming majority of devices prone to attack. That flaw, discovered by Jeff Forristal of BlueBox, exploited a weakness in the way Android applications are compressed and installed on a handset. According to Forristal, the flaw only came to light when he tried to input coordinates into a mapping application.
Later in the week, the security community gathered at the room and time slot in which Barnaby Jack would have given his presentation. At the request of the family and Black Hat, press were asked not to record the event or directly quote any of the speakers at the session.
Even amidst the heartbreak and turmoil, Black Hat went on. The show, which started under a dark cloud of grief and suspicion, would go on to celebrate the ingenuity and creativity of the research community, while still paying tribute to one of its fallen heroes. The hackers may have been heartbroken, but they were not halted.

Google Apps for Business security boosted with email alerts

Google has announced a new function for its Google Apps for Business suite of products, designed to offer improved security awareness for IT managers.
The update brings the ability for administrators to set email alerts for any notable activity on their networks. The tool offers two types of alerts: user alerts and settings alerts.
User alerts relate to activities such as a new user being added, a password being changed, or suspicious login activity.
The settings alerts cover any changes made by administrators to applications, device management options and service settings. The image below shows examples of the events that can be set up for email alerts.
Image showing new Google Alerts by email functions
Google said this would help admins stay informed from any location by receiving information directly that they can respond to, rather than having to find issues themselves.
Google Apps product manager, Rishi Dhand, said the firm had added the functionality at the request of its growing numbers of customers in order to ensure staff remain "secure and productive".
“Now, admins can elect to receive customisable email alerts when certain events of interest occur. By subscribing to alerts, admins can stay informed and, when needed, take prompt corrective action,” he wrote in a blog post.
“These alerts are also helpful when multiple admins work together and want to stay informed on these changes."
The new capability can be accessed via the Admin console under the Reports section, where the Alerts tag is found.
The update comes amid wider security concerns for Google as it was revealed earlier this week that hackers are using its Google Code site to spread malware.

UK to ban Google Glass for motorists

The Department for Transport (DfT) will ban Google's augmented reality Glass headwear in cars before it goes on sale, and is "in discussion" with police to make sure road users do not use Glass while driving.
It is already illegal for drivers to use mobile phones at the wheel, with punishments including a fine of £60 and three penalty points. Offences also exist for motorists driving without due care and attention.
A DfT spokesman said: "It is important that drivers give their full attention to the road when they are behind the wheel and do not behave in a way that stops them from observing what is happening on the road.
"A range of offences and penalties already exist to tackle those drivers who do not pay proper attention to the road including careless driving, which will become a fixed penalty offence later this year. We are aware of the impending rollout of Google Glass and are in discussion with the Police to ensure that individuals do not use this technology while driving."
However, many modern cars are fitted with central console screens, allowing drivers to use technologies such as satellite navigation and music functionality. The DfT did not explain where the difference lies in this case, other than pointing towards offences which already exist.
Google Glass is currently only available in the US via its Explorer programme, which allowed adopters access to the technology for $1,500.
A Google statement said: "We are thinking very carefully about how we design Glass because new technology always raises new issues. Our Glass Explorer programme, currently only launched in the US, reaches people from all walks of life and will ensure that our users become active participants in shaping the future of this technology."
The search giant did not elaborate as to whether it was trying to find a solution to the driving issue, a problem which has come to the fore in recent months. The US state of Virginia has already implemented a bill that bans wearing computer equipment while driving.

NSA Leaker Snowden Wins Black Hat Pwnie for 'Epic 0wnage'

Michael Kerner
LAS VEGAS—For as many years as I've been coming to Black Hat, one of my favorite activities has been sitting in the Pwnie awards.
The Pwnie Awards are a set of awards given out in different categories, symbolizing the triumphs of security researchers and the failures of security product vendors or corporate IT security organizations. The actual award is a My Little Pony figure, the children's toy.
This year, two categories were most interesting to me personally. The first is the Pwnie for Epic 0wnage.
The official Pwnie Awards site describes the category as follows: "0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage."
This year it's an award that went to none other than man-on-the-run Edward Snowden. Snowden, of course, is the former Booz Allen Hamilton employee, working as a contractor for the National Security Agency (NSA), who revealed secret intelligence about the NSA's electronic surveillance program, known as PRISM. Coincidentally, the director of the NSA, General Keith Alexander, was actually at Black Hat on Wednesday talking about his agency's programs, though sadly he was not in the room for the Pwnie Awards on Wednesday night.
Neither was Snowden.
HD Moore, renowned hacker and creator of the open source Metasploit penetration testing framework, had the honor of announcing the award. With a clear and serious voice, Moore spoke into the microphone and said, "Ed, if you're here, please come up!"

Remembering Barnaby

While the Pwnie awards have always had a somewhat comedic tone, this year that was tempered by the untimely passing of Barnaby Jack. Jack was posthumously awarded a Pwnie Lifetime Achievement Award.
In a toast to Jack, Pwnie judge Chris Valasek suggested to the crowd that they "drink all the booze, and hack all the things."
Those who knew Barnaby Jack are sure he would have strongly endorsed that advice.

Behind the Firewall: Government

More often than not, malware stealthily infects systems and lifts valuable data long before it is ever detected, let alone eliminated.
That said, it’s not surprising that some of the most pernicious threats often go underestimated, or are dismissed altogether. But what happens when the opposite is true, when fear and panic surrounding malware come to a dramatic crescendo - so much so that users place valuable resources and security dollars into fighting a costly, but non-existent, threat?
That was a hard lesson to learn for one Commerce Department agency, which spent nearly $3 million and more than a year combating a malware infection that didn’t exist, CNN Money reported.
This most recent gaffe was attributed to the EDA, a small agency focusing on job growth and economic development. And like many agencies, the EDA was wary about becoming the next victim of a malicious threat.
But how did a minor security hiccup get blown so wildly out of proportion? The agency’s technological meltdown began almost two years ago, when it received a warning from the Commerce Department about the possibility of malware within its network.
A follow-up alert indicated that the problem only affected two computers. But it was too late. Thanks to a series of misinterpretations - and what an audit report described as a lack of appropriate IT skills on the part of the staff - the EDA believed it was under widespread attack and went nuclear on what would otherwise have been considered an insignificant problem.
What transpired was generally what occurs when an organization allows fear and panic to override logic and strategic planning: the agency launched an all-hands-on-deck response, among other things, trashing $170,000 worth of computers and other equipment believed to be infected.
It also commissioned a third-party security contractor and shut down its entire e-mail network. But perhaps what flummoxed auditors the most, in this bizarre series of missteps, is that the agency dismissed the contractor’s assessment contending there was no real threat. Instead, the agency’s chief information officer promptly ordered the physical destruction of all of the agency’s technological equipment, including TVs, cameras, computers, keyboards and mice.
When all was said and done, the clean-up effort lasted around 15 months and totaled approximately $2.7 million. To say that the EDA was a victim of ignorance would be nothing short of a serious understatement. What's more, the EDA's gross overreaction and unnecessary expenditures could easily have been avoided at numerous points throughout the ordeal. So where exactly did the EDA go wrong? Lots of places.
For one, the EDA should have been paying much closer attention to the initial Commerce Department alert, questioning in particular the nature of the malware, its source, and how many computers could potentially have been affected. If malware was indeed discovered on the network, the organization needed to first run specific assessments to discover precisely which machines or systems were affected.
From there, the agency would likely be required to invest in software designed to eradicate the virus, or perhaps conduct OS reinstallations or extensive system reboots, as opposed to destroying thousands of dollars worth of technology that could have remained in use.
If the agency still determined that an outside audit was necessary, the agency should have been paying rapt attention to the final conclusion, and consulted on how to minimize expenses during the clean-up process. Granted, most organizations that fall victim to malicious attacks face different challenges, often failing to respond appropriately due to ignorance or lack of budget and IT staff. In addition to lack of awareness, that response paralysis is driven largely by fears about major damage to the organization’s reputation and brand.
That said, going to the other extreme is often just as destructive when dealing with a perceived threat. In the case of the EDA, government watchdogs got wind of the agency’s panic and nixed a $26 million request to further fund its recovery efforts. And down the road, it’s unlikely that the agency will be taken seriously should it actually encounter a real malware attack - a turn of events that could thwart future security efforts and represent a major setback in the ongoing struggle to keep users safe from malware.

Pets’ names and partners’ names remain top password choices, says Google

One in six adults use the name of a pet as the basis of their password, according to a new survey commissioned by Google. Two-thirds of adults use the name of a partner – and half of adults admit to writing down passwords to help remember them.
The word “password” also remained popular – with 3% of users still employing it.
One in ten of those who answered the British survey claimed to have been able to guess a colleague’s password in order to access their computer – possibly helped by the fact that 3% of those surveyed write down passwords on a Post-It note on their desks.
The survey, of 2,000 adults, was conducted on behalf of Google Apps, and found that wedding anniversaries, birthdays and children's names were also common. More than two-thirds (67%) of those surveyed used a partner's name, and a fifth (19%) continued to use an ex-partner's name.
The survey, commissioned by Google Apps, also found that nearly half of users (48%) had shared passwords with others.
“Worryingly, 3% of people still use ‘password’ as their password. Our approach to passwords also leaves us exposed to security breaches – two thirds (67%) of us only change them when we have to,” the company said in a statement. “The findings also reveal wider issues when it comes to online security. In 2013, one in five (21%) people admit to having clicked on spam links and only 41% have updated their antivirus software this year. Almost one in five (19%) have left their computer without logging out of a service, with one in seven (15%) Brits taking advantage of this lax approach to online security and perusing their partner’s emails.”
Eran Feigenbaum, Director of Security, Google Apps, said, “People often leave their information open to online security breaches without even realizing it. Lax attitudes to online security can lead to serious consequences if strangers access your information.”
“Simple steps such as choosing more complicated passwords, always logging out of services and considering two-factor authentication, which requires more than just a password to access your account, can make a real difference to your security online.”
ESET Senior Research Fellow David Harley says, in a detailed guide to making stronger passwords, that phrases can be better passwords than actual words: “Using a passphrase in combination with other techniques such as interleaving, character substitutions, special characters and so on, does make a difference.”