Sunday, 2 March 2014

Neiman Marcus attackers set off 60,000 alerts – but went unnoticed

Hackers who stole hundreds of thousands of card details from upscale retailer Neiman Marcus set off more than 60,000 security alerts – but these were all missed by security staff at the company, according to a report by Bloomberg Businessweek.
The report, citing a 157-page analysis by the firm’s security team, also quoted security experts who said that the attack was most likely not the work of the attackers who stole 40 million credit card numbers from Target. Bloomberg’s report says that the Neiman Marcus attackers wrote code to target that specific network, and their methods were not related to those used in the Target breach.
The malware used in the attack was “self-concealing”, according to PC Mag’s report, but the attackers had to reinstall it in registers every day, which set off hundreds of alarms. But while Neiman Marcus’s systems flagged the behavior, it did not recognize the software itself as malicious.
Hackers penetrated company systems on March 5, 2013, and four months later began stealing from stores around the country, according to the Atlanta Journal-Constitution.
Speaking to Bloomberg Businessweek, Ginger Reeder, a spokeswoman for the company, said that the hackers gave their software a name near-identical to the company’s payment software, so that alerts went unnoticed among the thousands the security team faced daily. “These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1% or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.”
Reeder said that while initial estimates suggested 1.1 million cards might have been exposed in the breach, the real number was likely lower than 350,000, of which 9,200 have since been used fraudulently.
The chain is offering all customers who shopped during the period a year of free credit monitoring and identity theft protection.
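The detection problem the article describes is easier to see in code: tens of thousands of endpoint-protection entries a day, a malicious binary named almost like the real payment software, and a reinstall on the registers every morning that generated hundreds of alarms nobody triaged. The following is an added example, not code from the article, from Neiman Marcus or from any vendor. It reads a constructed endpoint-protection log, flags file names within a couple of edits of an allowlisted payment binary, and collapses the per-host, per-day reinstall events into a single finding. The log format, the host names (REG-0101 and so on) and the binary names are assumptions.

```python
"""Triage endpoint-protection alerts for look-alike process names.

Added example for the Neiman Marcus story above; it is not code from the
article, from Neiman Marcus or from any vendor. The log format, host names
and binary names below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed allowlist: the binaries the payment stack is expected to run.
KNOWN_PAYMENT_BINARIES = {"paymentsvc.exe", "cardreader.exe"}

# Constructed endpoint-protection log excerpt. A real log has tens of
# thousands of lines a day; the look-alike name is a tiny slice of them.
SAMPLE_LOG = """\
2013-06-12T08:55:10 host=REG-0101 event=exec path=C:\\POS\\paymentsvc.exe
2013-06-12T08:55:11 host=REG-0101 event=exec path=C:\\Windows\\System32\\svchost.exe
2013-06-12T08:57:42 host=REG-0101 event=new_file path=C:\\POS\\paymentsvcs.exe
2013-06-12T08:57:43 host=REG-0101 event=exec path=C:\\POS\\paymentsvcs.exe
2013-06-12T09:01:05 host=REG-0222 event=exec path=C:\\POS\\paymentsvc.exe
2013-06-12T09:02:30 host=REG-0222 event=new_file path=C:\\POS\\paymentsvcs.exe
2013-06-13T08:56:01 host=REG-0101 event=new_file path=C:\\POS\\paymentsvcs.exe
2013-06-13T08:56:02 host=REG-0101 event=exec path=C:\\POS\\paymentsvcs.exe
2013-06-13T09:00:15 host=REG-0222 event=new_file path=C:\\POS\\paymentsvcs.exe
2013-06-13T10:12:00 host=REG-0303 event=exec path=C:\\Program Files\\Browser\\browser.exe
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) path=(.+)$")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Turn log lines into dicts; the file name is compared case-insensitively."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, host, event, path = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event": event,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return events


def lookalike_names(events, known, max_distance=2):
    """Map each name that is not allowlisted but within max_distance edits
    of an allowlisted binary to the binary it resembles."""
    seen = {e["name"] for e in events}
    result = {}
    for name in seen - set(known):
        closest = min(known, key=lambda k: levenshtein(name, k))
        if levenshtein(name, closest) <= max_distance:
            result[name] = closest
    return result


def daily_reinstalls(events, name):
    """Day -> hosts on which `name` was (re)written. A file recreated every
    day on the same registers is the reinstall pattern the article describes."""
    by_day = defaultdict(set)
    for e in events:
        if e["name"] == name and e["event"] == "new_file":
            by_day[e["ts"].date()].add(e["host"])
    return {day.isoformat(): sorted(hosts) for day, hosts in sorted(by_day.items())}


def triage(text, known=KNOWN_PAYMENT_BINARIES):
    """Collapse many raw entries into one finding per look-alike binary."""
    events = parse_log(text)
    findings = []
    for name, mimics in sorted(lookalike_names(events, known).items()):
        reinstalls = daily_reinstalls(events, name)
        findings.append({
            "name": name,
            "mimics": mimics,
            "alerts": sum(e["name"] == name for e in events),
            "days": len(reinstalls),
            "hosts": sorted({h for hosts in reinstalls.values() for h in hosts}),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']} mimics {f['mimics']}: {f['alerts']} alerts, "
              f"re-created on {f['days']} days across hosts {f['hosts']}")
```

The point of the aggregation step is that a name one character away from `paymentsvc.exe` is invisible when each of its entries is read in isolation among tens of thousands of others, but stands out once entries are grouped by name and the same file is seen being recreated on the same hosts day after day.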

Facebook and Whatsapp: Security and privacy after the $19B deal

The announcement of Facebook’s acquisition of smartphone messaging company WhatsApp for nineteen billion dollars has been the tech news headline of the day. While an analysis of the financial details of this transaction is beyond our remit, ESET’s researchers have experience with both mobile security and instant messaging, or chat as it’s more popularly known these days.

What’s up with WhatsApp?

If you are unfamiliar with WhatsApp, do not be alarmed. It is a cross-platform (Android, Apple iOS, Blackberry, Windows Phone and Symbian) instant messaging application that allows you to send text, pictures, video and audio messages to other users of the service. While none of this may be particularly impressive to people who used instant messaging programs like PowWow or AIM in the 1990s, WhatsApp also allows you to share your current location, subject to how well your smartphone is able to determine that, of course.
Also, if you are currently a user of WhatsApp, you may not have used instant messaging back then, since most WhatsApp users were born around that time, according to sources as varied as Forbes, Forrester Research and a report from The Observer, identifying teenagers as the largest demographic for chat apps on mobile platforms as they increasingly turn away from both traditional computers and Facebook, in order to avoid not only their parents and older family members, but also their teachers. So, clearly, Facebook’s acquisition has the effect of returning a large number of departed customers back into the fold.

History of poor privacy practices and security problems

One of the main attractions to users of WhatsApp has been claims of its ability to offer secure, private communications between people. However, if that is the case, security and privacy have gotten off to a slow start in WhatsApp.
Aside from its own claims of security and dislike of advertisements, it is difficult to judge the suitability of WhatsApp’s end-to-end encryption when its Terms of Service prohibit independent examination with tools commonly used by software developers and security researchers alike. And even assuming that encryption is in use, it does not matter much if that encryption can be easily broken. Whenever a service provides no information about its encryption, concerns about relying on security through obscurity arise. Claims of secure delivery mechanisms and storage of subscriber data are likewise difficult to assess. As a related issue, claims about not storing messages after they have been delivered may be impossible to confirm independently, or doubting them may simply be the natural paranoia of security researchers. It is, however, difficult, if not impossible, to evaluate the risk of eavesdropping and storage elsewhere in an era of National Security Letters and bulk metadata collection, as discussed by Ars Technica here.
The WhatsApp service uses phone numbers for the username portion of its addresses, exactly as user names and domain names are combined to make email addresses. This means that in order to communicate, users are, to all intents and purposes, exchanging phone numbers. While this may be considered a non-issue for phone calls and texting, for which you already have to know the recipient’s phone number, instant messaging is a different type of communication, and you may not want to expose your phone number to someone you are chatting with, especially if you do not know them that well. This poor choice for a unique user identifier has caused concern among privacy advocates, and it is not helped by WhatsApp’s behavior of automatically uploading all the phone numbers from customers’ address books to its servers in order to build contact lists, a “feature” which cannot be turned off or even selectively enabled or disabled.
WhatsApp has chosen several password algorithms over the years based on information such as an IMEI or a MAC address, which can easily be obtained from a device. WhatsApp did not change these mechanisms for three years and finally did so in 2012.
Through 2011 and 2012, WhatsApp experienced a plethora of security and privacy holes in its instant messaging service, ranging from sending conversations unencrypted (and potentially making them available for anyone to read) to vulnerabilities allowing accounts to be hijacked and messages to be forged. Even as these were repaired, continued problems with cryptography allowed encrypted messages to be deciphered—it should be noted, though, that WhatsApp has fixed issues as they have been reported, and that some vulnerabilities may have required physical access to the smartphone. Once an attacker has physical access to a device, it becomes increasingly difficult to secure.
Governments on at least three continents, including the Dutch Data Protection Authority, the Office of the Privacy Commissioner of Canada and the Communications and Information Technology Commission of the Kingdom of Saudi Arabia have taken notice of WhatsApp and have publicly investigated it because of concerns about the privacy of their citizens. While those are the actions of civilian agencies concerned with privacy and telecommunications, it is not unimaginable that other, more covert intelligence and security agencies have taken notice, too, for the opposite reason. Frankly, it is likely that intelligence agencies around the world have taken advantage of the service’s initial lack of encrypted communications—and the low quality of encryption for subsequent communications—for monitoring everything from terroristic threats and dissidents to communications from journalists, conversations between attorneys and clients and perhaps even eavesdropping on foreign governments participating in trade or other delicate negotiations.

A barrel of phish, dripping with malware

Despite past concerns about privacy and security violations, WhatsApp’s usage has continued to skyrocket, growing from nothing in 2009 to having 430 million active users by January 2014. That kind of success has not gone unnoticed, either by Wall Street and Facebook, or by criminals also seeking to capitalize on WhatsApp’s success, but for malicious reasons.
There is at least one hoax being sent by email between WhatsApp users, according to computer security analyst Graham Cluley, which claims that WhatsApp will start charging them for messages sent via the service unless they forward the message to ten of their friends. Hoaxes of this kind are old, and benign when compared to malware, but the tricksters who create and perpetuate them are responsible for clogging up your inbox with junk email.
On a more malicious note, below is a screenshot captured by ESET Senior Security Researcher Stephen Cobb on a personal computer, purporting to be a voice mail left for him on WhatsApp, and urging him to click on it to listen to the message in his web browser. Had he visited the web site, his credentials could have been stolen and his computer possibly hijacked, as well. While Stephen—like our readers—knows not to click on suspicious emails (especially when claiming to be from services to which they are not subscribed), such phishing attempts are commonplace and, unfortunately, all too often successful.
WhatsApp Phish
This, of course, is just one example of a phishing campaign targeting users of WhatsApp. There have also been numerous campaigns designed to deliver various forms of malware, according to multiple reports from Jeff Goldman of eSecurity Planet, Hoax Slayer, Softpedia, The Inquirer and Help Net Security. The malware included—but was certainly not limited to—Win32/Inject.NHN, MSIL/Bladabindi.O, numerous variants from the Win32/TrojanDownloader.Banload and Win32/Spy.Bancos families, and even malware from the ZBot and Delf families of trojan horses. ESET detects all of these threats, and in some cases has done so for years. This widespread use of so many different families of malware is not the result of one criminal gang, but rather an example of how numerous organized criminal groups have responded en masse to the rising ubiquity of WhatsApp.

Fear of a dystopian future: Will WhatsApp offer up your privacy to Facebook?

Jan Koum, the CEO and cofounder of WhatsApp, has stated in a post on his company’s blog that nothing will change for its users; however, it is hard to imagine any program or service for which the user experience does not change over time, especially after such an acquisition.
Perhaps the closest parallel is Skype. Founded in 2003, the company was acquired by eBay in 2005 and subsequently acquired by Microsoft in 2011. After Microsoft’s acquisition, numerous changes were made (reported by Ars Technica here), ranging from replacing the P2P infrastructure of public supernodes on which the service runs with a cluster of Linux-based servers run by Microsoft, to integrating logins with Microsoft accounts (formerly known as Microsoft Passport and Windows Live ID). Microsoft also shares with the public some of the information about how law enforcement requests for Skype’s users are handled.
Facebook is already notorious for the erosion of its users’ privacy, constantly changing—and, in some cases, removing—privacy controls in order to generate greater revenue by selling ever-increasing details of their customers to advertisers (as reported by the Electronic Privacy Information Center, the New York Times, Matt McKeon and The Washington Post here). And the assimilation of WhatsApp into Facebook’s empire represents an unprecedented opportunity to learn more about people’s daily lives—all with the purpose of targeting them with more and more detailed advertising.
Imagine letting your spouse know you are pregnant over WhatsApp, only to find that the next time you log in to Facebook you are presented with advertisements for baby furniture, diapers and college savings plans. If you think this scenario is far-fetched, remember this is how webmail providers like Google’s Gmail service have been data-mining your emails for several years in order to display advertising relevant to whatever is being discussed in each message (as described by Google itself here).


Facebook’s acquisition of WhatsApp represents a boon to that small company, rewarding not just dozens of employees for their hard work, dedication and perseverance but their customers as well, who chose to trust the company by using their instant messaging software. Trust, however, is not immutable and can be damaged, even lost, when the relationship between a company and its customers is abused. Facebook is known for playing fast and loose with the privacy of its users (who are, after all, not its customers; Facebook’s customers are advertising agencies). It remains to be seen if Facebook’s acquisition of WhatsApp will allow the service to continue to grow, or whether its users will flee from the combined grasp of Facebook and WhatsApp in favor of companies that offer more secure and private instant messaging.
We would be remiss if we did not point out that many of the issues ESET has explored are potential concerns based on what might happen in the future. Or, in other words: Don’t panic. If you are using the WhatsApp or Facebook apps on your smartphone right now, there’s no need to uninstall either program because of concerns about privacy in the future. However, it would be a good idea for you to review their settings as well as terms of use and privacy policies now as well as any time after each app updates to a newer version.
The author would like to thank his colleagues Bruce Burrell, Graham Cluley, Stephen Cobb, David Harley, Lysa Myers and Thomas Uhlemann for their research and contributions to this article.
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

References and further reading

Jauregui, Paul. “What’s up with WhatsApp’s Security?” Praetorian.
Levine, Yasha. “The problem with WhatsApp’s privacy boasts: They’re not true.” PandoDaily.
Kurtz, Andreas. “Shooting the Messenger.”
Page, Carly. “Facebook’s Whatsapp buy is a privacy nightmare for users, but it makes sense for the social network.” The Inquirer.
Saudi Gazette. “CITC warns Skype, Viber, WhatsApp.”
Wikipedia. “WhatsApp.”
Williams, Martyn. “WhatsApp could face prosecution on poor privacy.” CSO Online.

Attack ‘bypasses’ Microsoft’s zero-day protection tool

Researchers have demonstrated an attack that completely bypasses the protections offered by EMET – a Microsoft toolkit used to provide safeguards against zero-day attacks, according to Ars Technica, who reported on Bromium Labs’ demonstration this week.
Ars Technica’s Dan Goodin described it as, “an impressive feat that suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that allow them to surreptitiously install malware.”
The Enhanced Mitigation Experience Toolkit (EMET) is a free download which enhances PC security, and is particularly useful to PC users with older versions of Windows, rather than the latest Windows 8.1, which ships with many of its protections built in, according to Bit-Tech’s report.
The site says that users of older versions of Windows would have been protected, for instance, against last week’s Internet Explorer zero-day by the application.
Researchers at Bromium Labs say that EMET is vulnerable to custom-built exploits – and demonstrated an attack that circumvented all the protections offered by EMET, published as a white paper here. The researchers presented their research to Microsoft before publication.
Describing EMET as, “Standard, basic protection – certainly not perfect, but no software is — but good enough for a number of older attacks and flaws,” ZDNet said that the proof-of-concept exploit code showed, “There are limitations to the free software and [the demonstration] includes real-world examples where damage control functions – sprung after the detection of malicious code – were fully bypassed.”
Bromium’s researchers were keen to emphasise that EMET is by no means irrelevant – but that the free tool has limitations.
“EMET is a viable personal and corporate defense add-on, but given other researchers have found EMET bypasses before, we sought to understand how EMET is vulnerable to the presence of novel exploits,” said Rahul Kashyap, chief security architect and head of security research, Bromium.
In the white paper, Bromium researchers wrote, “As was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers.”
The researchers said, “Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well.
The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected.”

Mt Gox exchange ‘disappears’ amid rumors of $350m Bitcoin heist – biggest in history

Trading has been suspended on the Bitcoin exchange Mt Gox and its website has closed, amid rumors that the exchange has lost 744,000 Bitcoins in an online theft – worth around $350 million at Monday’s trading prices, according to Wired. If true, it would be the largest Bitcoin theft in a series of heists which have hit the troubled currency this year.
The company’s website is offline, its founder has vanished, and staff are not answering calls, according to Reuters.
Wired reports that the company may have fallen victim to a prolonged hacker attack, quoting a document by Bitcoin entrepreneur Ryan Selkis, which claims that the exchange is insolvent after a months-long hack, and says, “The reality is that Mt. Gox can go bankrupt at any moment, and certainly deserves to as a company.” Wired was unable to confirm the report, and says that no spokesman for the company was available to comment.
The document, entitled MtGox Situation: Crisis Strategy Draft, has circulated widely on the internet, and appears to be an internal document, outlining strategies available to the company. “The current situation will negatively impact everyone who owns or operates in Bitcoin,” it says, blaming, “massive robbery and poor Bitcoin accounting.”
The company’s website was taken offline at noon Tokyo time, shortly after a statement was published online by digital wallet company Coinbase, denouncing Mt Gox, and endorsed by other leading Bitcoin exchanges, according to the FT’s report.
Coinbase said, “As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. Mtgox has confirmed its issues in private discussions with other members of the bitcoin community.”
News agency Reuters described the exchange – once the world’s largest – as having an empty office, bar protesters angry that they had lost money after investing.
Rumors had circulated that the company faced insolvency after it halted withdrawals earlier this year, according to Bloomberg Businessweek. The company had halted withdrawals after what it described as ‘unusual activity’.
Veteran security researcher and writer Graham Cluley says, “What a colossal mess. According to some reports, 6% of Bitcoins in circulation have been stolen. These latest developments will send shockwaves through the Bitcoin world, and it remains to be seen if long term confidence in crypto currencies will be damaged.”
If the rumor of a ‘heist’ is true, it’s one of a series to hit Bitcoin sites, including high-profile ‘dark markets’. As reported by We Live Security, a large scale cyber-theft this month drained the relaunched ‘online drug bazaar’ Silk Road 2.0 of nearly all of its Bitcoin reserves – estimated to be worth several million dollars. Site administrators blamed an insider, who used a recently discovered flaw to withdraw money repeatedly, before vanishing.
Forbes Magazine said that it was the latest in a series of hacks targeting ‘black market’ sites – and that of the half-dozen sites which sprung up in the wake of the closure of the original Silk Road, three shut down after insiders ran off with funds, and two after being hacked. Silk Road 2.0’s latest mishap was also due to an insider, the site admin believes.

British Airways e-ticket malware attack launched via email

If you have received an unexpected email, claiming to come from British Airways, about an upcoming flight that you haven’t booked – please be on your guard.
Online criminals are attempting to infect innocent users’ computers with a variant of the malicious Win32/Spy.Zbot.AAU trojan, by disguising their attack as an e-ticket from the airline.
To maximise the potential number of victims, the attackers have spammed out messages widely from compromised computers.
Malware spread via bogus British Airways email
Here’s an example of what part of a typical malicious email spread in this spammed-out campaign looks like:
From: British Airways []
Subject: Your Order #70391830 / 25 feb 2014
Dear Customer,
This is a confirmation that your order has been successfully processed.
Booking reference: 9C1PWF
DEPARTURE DATE & TIME / FEB 28, 2014, 11:30 AM
The flight number and the seat number can be located in the lower part of the ticket.
An electronic copy of the ticket can be downloaded from our website :
For more information regarding your order, contact us by visiting :
Of course, although the email claims to come from British Airways – it is nothing of the sort.
In a classic example of social engineering, criminals are hoping that email recipients will worry that their credit card has been fraudulently used to purchase an air ticket, and click on links inside the email to find out more.
However, if users download the supposed e-ticket and launch its contents, they will be infecting themselves with a trojan horse that can spy on their computer activity and give malicious hackers third-party access to their data.
ESET antivirus products detect the malware as a variant of Win32/Spy.Zbot.AAU.
ESET intercepting malware spread via bogus British Airways email
Users of other anti-virus products would be wise to check that their systems are updated, and protected against the threat.
In this case, the malware has been spread via malicious links after cybercriminals forged email headers to make their messages look like they really came from British Airways’ customer service department. But it’s equally possible for attackers to spread their malware via email attachments, or for other disguises to be deployed if those behind the spam blitz believe that they have a greater chance of success.
Remember to always be suspicious of clicking on links in unsolicited emails, and the social engineering tricks that are frequently used to lure computer users into making unwise decisions.
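The forged headers and the off-domain “download your e-ticket” link are exactly the properties a mail gateway or a cautious recipient can check mechanically. The following is an added example, not code from the article or from ESET: it parses a constructed message modelled on the lure quoted above and a constructed clean control message, and reports sender-domain mismatches between From, Return-Path and Reply-To, a failed SPF result, links whose host lies outside the claimed sender’s domain, and links that point straight at a downloadable file. The domains (airline.example standing in for the airline’s real domain), addresses and authentication results are all constructed.

```python
"""Flag a spoofed airline e-ticket email from its headers and links.

Added example for the British Airways story above; it is not code from the
article or from ESET. The messages, domains and addresses are constructed:
airline.example stands in for the airline's real domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed spam sample modelled on the lure quoted in the article.
PHISH = """\
Return-Path: <bounce@compromised-host.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=compromised-host.example.net
From: British Airways <customer.service@airline.example>
Reply-To: orders@ticket-support.example.org
To: victim@example.com
Subject: Your Order #70391830 / 25 feb 2014

Dear Customer,
This is a confirmation that your order has been successfully processed.
Booking reference: 9C1PWF
An electronic copy of the ticket can be downloaded from our website :
http://eticket-download.example.org/BA/ticket.zip
"""

# Constructed control message: consistent sender data, link on the sender's own domain.
LEGIT = """\
Return-Path: <bounce@airline.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=airline.example
From: Airline <customer.service@airline.example>
To: customer@example.com
Subject: Your booking

Manage your booking at https://www.airline.example/manage
"""

DOWNLOAD_SUFFIXES = (".zip", ".exe", ".scr", ".jar")


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def same_org(host, domain):
    """True if host is the sender domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def check_message(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    # Envelope sender and reply address should belong to the same organisation as From.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} does not match From domain {from_dom}")
    # The receiving MTA's SPF verdict on the envelope sender.
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bspf=(fail|softfail)\b", auth):
        findings.append("SPF check failed for the envelope sender")
    # Every link in the body should stay on the claimed sender's domain and not be a file download.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not same_org(host, from_dom):
            findings.append(f"link host {host} is outside the sender domain {from_dom}")
        if parsed.path.lower().endswith(DOWNLOAD_SUFFIXES):
            findings.append(f"link points at a downloadable file: {url}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("control", LEGIT)):
        print(label, check_message(raw) or ["no red flags"])
```

None of these checks is proof on its own (legitimate bulk mailers do sometimes send from a third-party domain), but a message that trips several of them at once, and asks the reader to fetch an archive from an unrelated host, is the pattern the article warns about.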

BlackBerry security revisited: How do the BB10’s stack up?

Following the ground-up overhaul of the BlackBerry operating system and the accompanying launch of their new flagship smartphones last year, we wondered how they really stack up–security-wise–against the other smartphones you might already have in your pocket or purse right now. How do new devices running BlackBerry 10–as the new OS is called–compare to last-generation BlackBerry offerings, which you may have found functional, if slightly dated and clunky?
Long lauded among stiff government security office types for being less security-breakable, the last generation of BlackBerry doo-dads garnered top marks from even some of the topmost brass in the U.S., favoring them over (almost) all else.
But that was several years back (practically decades in tech-years), and now even if you HAVE to have the app du jour with the dancing bunnies, will the new BlackBerry Z10/Q10 platforms fulfill your tech lust and yet securely watch your back?
BlackBerry hoped so; in fact, they bet the company that a ground-up rethink would tantalize the marketplace to jump back on the BlackBerry (er, Crackberry, as addicts admit) bandwagon and have the masses singing their praises in short order.
But in the past years, the other folks in the marketplace have gotten little sleep, swarming to close the gap on security, trying to chip away at the perceived BlackBerry lead. So here’s what BlackBerry really did with this forklift overhaul of the stack, and what it means to you.

Ground up Redux

Betting that a ground-up rework should start with a ground-up OS rethink, the BlackBerry Limited folks (a rebirthed Research In Motion, or RIM) went to bare metal. Re-envisioning the new BlackBerry 10 operating system from experience gained with the older BlackBerry OS versions 1.0 through 7.1 and from the acquisition of QNX, a real-time microkernel-based Unix-like construct, they set to work.
Reimagining major chunks of the whole stack is not for the faint of heart, and certainly not for those who value sleep anytime soon. Still, aiming the company’s future at a newer, more robust (and arguably more secure) OS seemed a necessary, if difficult, way forward for a company attempting to swashbuckle its way back to center stage of the smartphone vanguard, albeit with a security leaning in hopes of staying true to its core fan base.
Starting with a microkernel, aside from igniting techno-lust from fellow bare metal kernel freaks, is a nice way to isolate processes into tidy containers that can become pseudo-suspicious of each other, and therefore form the foundation for a stack of compartmentalized processes that follow the same model.
And QNX is no slouch here, a long tested real-time OS platform that has performed well for longer than some of BlackBerry’s engineers have probably been alive. And when an OS has had more than a couple decades to sort itself out and still trudges forward, it’s easy to have faith in the tiny, tested platform.

Shiny buttons = market share

In the North American market at least (and probably much of the rest of the markets BB is interested in re-courting), perception is reality. The average visitor to the mobile phone vendor in the mall doesn’t have the slightest idea if their phone has a kernel at all, let alone a micro one. So then BlackBerry would have to apply shiny blinky lights and buttons that felt amazing to even have a chance of getting this pile of technology in your shirt pocket. So while they redesigned the guts, a parallel group of people sat in other buildings working out how a button should “feel” if it is to become considered “elegant” and “pop”, whatever those terms mean to people who understand what “pop” is. But those people are the ones who buy smartphones and to them, texting and tweeting are as important as isolating mutually suspicious system processes is for us security types.
Somewhere there has to be an intersection of tech whiz-bang and shiny buttons if the platform is to succeed, and so BB attempted to join the two. How did they do? The verdict is still out, though slow sales are certainly the bane of corporate bean-counters and harbingers of the long slog that may be involved. Still, when’s the last headline you’ve seen of the BlackBerry 10 (or other BlackBerry platforms) being hacked? Me neither.

Containerizing your life, BlackBerry style

Admitting that many users lead parallel lives, BB containerized a work and non-work walled garden through “BlackBerry Balance”. Here, BlackBerry built it into the OS, so you don’t have to “bolt something on” to make it work. This feels like a more secure construct than an app-based afterthought.
They did this by separating the presentation and data layers, so while you can view both your work and personal emails on the BlackBerry Hub, you can’t cut-and-paste (for example) between your corporate account and personal email, a handy way to narrow down the leak potential between the two. There’s also a remote wipe feature, so if your employees use their own devices and this feature, you can retain control over sensitive corporate data if needed. And if they leave the company, you can wipe company data only, and leave their other “stuff” in place like friends’ endless LOL chatter. Oh, and there’s a pretty button to help end-users understand the boundary between business/personal data.

App Permissions

While most of the friends and family I know simply click on security warnings on their smartphones until they go away, the BB 10 has a fairly granular system of permissions which you can set, revoke, and tune at will. You also can control what information gets transferred across the Internet, or through Bluetooth communication, which could be very helpful.

Security in General

We talk a lot these days about securing the person, not the device. This is because a well-implemented secure-ish device typically has a wide open front door if there’s no password, weak password, or a host of other user-induced security holes. To that end, BB has a quick summary on their website for how to secure the human, which is nicely de-geekified for the average non-geek human. So make sure you set the correct permissions on yourself before setting to work on your BB 10 device.

Will bad guys attack you still?

Maybe, but scammers typically attack the most high-value targets with the least amount of effort required on their part. This value proposition skews scammers heavily in favor of other platforms in today’s market. For instance, the adage that thieves want to “steal A car, not YOUR car” certainly applies here. Scammers can buy attack software suites for other platforms; I don’t know of any specifically targeted at BB 10, do you? If so, there are numerically far more for other target platforms.
Will some shady state-sponsored group target this new mobile platform? That’s difficult to say, but again, the mobile ecosystem is much more widely studied for other platforms than for BB 10, so it seems likely you’d be at least slightly safer.


While there are a myriad of external (and internal) factors that may control the trajectory of the BB 10 operating system and its handsets’ future adoption, the security stance seems like a good start. While the winds of the market forces will blow where they may, it’s good to know a company like this had the foresight to revamp the whole stack in a thoughtful, security-focused way, and the guts to go for it. Now it’s your turn to decide. Leave us a comment with your thoughts.

Corkow: Analysis of a business-oriented banking Trojan

In his blog post last week, Graham Cluley introduced the Win32/Corkow banking Trojan. The malware, which has been in the wild since at least 2011, has demonstrated continuous activity in the past year, infecting thousands of users. Version numbering of the various Trojan modules is another indicator that the malware authors are continually developing the Trojan.
The most common infection vector – drive-by downloads – has been used to spread the malware.
This Russian tool for committing bank fraud shares many characteristics with other malware families with a similar purpose, such as Zeus (also known as Zbot), Carberp, Hesperbot, or Qadars, for example, but also contains some unique functionality.
Several features, like enumeration of smart cards, targeting of dedicated banking applications mostly used by corporate customers and looking for user activity regarding online banking sites and applications, electronic trading platform sites and applications and so forth, all suggest that the attackers are focusing their sights on financial professionals and enterprises, whose bank accounts usually hold a higher balance than those of most individuals.
In this post, we expand on the information mentioned by Graham and provide additional technical details.


As is the case with other banking Trojans (for example Win32/Spy.Hesperbot), the architecture of Win32/Corkow is comprised of a main module and several plug-in modules to deliver specific functionality. Each of Corkow’s plug-in modules is implemented as a Dynamic Link Library (DLL). We will refer to the main component as the ‘core DLL’. Most of the other plugins are embedded in the core module but some are downloaded from the C&C server. In either case, the core DLL will load and run these modules, injecting them into various processes in the system. Table 1 presents the different modules seen in all of the Win32/Corkow samples we have analyzed. Note that not all samples necessarily contain every module.
Table 1 – Description of analysed Win32/Corkow modules
  • Core DLL: main module responsible for injecting the other modules into their corresponding processes and for C&C communication. Also takes screenshots, enumerates smart cards and can block applications from running.
  • System information module: collects information about the system (list of running processes, user name, SID, last user input) and sends it to the C&C.
  • Web-injection and form-grabbing module based on the leaked Zeus source code. Corkow mainly uses the form-grabbing functionality to capture data.
  • Hidden VNC connection that enables the attacker to connect remotely to the victim’s machine.
  • PuTTY logger for the putty.exe process, able to capture server logon credentials, which are valuable to cybercriminals.
  • Loader for the third-party universal password stealer Pony, which ESET detects as Win32/PSW.Fareit.
  • IB2: targets iBank2, a Russian banking application.
  • SBRF: targets the standalone Windows banking applications of Sberbank, the third-largest bank in Europe.
  • DC: searches for finance-related text strings in browser history, installed and last-used applications, and running processes.

While the core DLL is responsible for launching every module and for downloading configuration data from the C&C, each plug-in module contains the C&C URLs as well and uploads collected data directly.
As can be seen in the table above, Win32/Corkow contains the functionality one would expect from a typical banking trojan, including keystroke logging, screenshots and HTTP form-grabbing to intercept log-in credentials for online banking. However, the last three modules listed caught our attention. The trojan uses two dedicated modules to target Russian banking clients: one for iBank2, a widely-used banking application offered by several banks, and one for Sberbank, Russia’s largest bank. The module called ‘DC’ searches for indicators of user activity relating to various trading platform applications and sites, standalone banking applications, banking sites, Bitcoin sites, and software and Google Play developer activity. We describe these modules and the core module in more depth in the following text.
But before we get to that, let’s take a look at Corkow’s installation procedure and its ‘hardware-binding’ technique.


Win32/Corkow features an interesting and relatively sophisticated installation procedure. The trojan is usually delivered to the victim by a dropper executable that contains the core DLL in its resources. When the dropper is run, the installation is carried out in the following steps:
Figure 1 – Installation procedure of Win32/Corkow
  • The dropper decrypts the embedded core DLL and calls its DllMain function, passing it one of three paths as a parameter. This path determines where and how the trojan should be installed. The chosen path depends on whether the trojan is being run under a standard user account or an administrator account. The possible values are listed in Table 2.
  • When the code of the core DLL is running, it will seek a host file to infect. For this, Corkow will select a legitimate DLL file from the %SystemRoot%\System32 directory that meets certain criteria (the file has to be unprotected; and some specific file names and DLL imports are excluded).
  • Corkow will then infect the selected DLL file by encrypting itself and writing its encrypted body into the resources section of the host. A decryption stub is also written to the file and added as a new export function, so that the malware’s body will be launchable after installation. The name of the export is also dependent on the installation path.
  • The infected DLL is then saved to the installation path. Note that the host DLL file in the System32 directory remains unchanged.
  • A Registry entry is made to ensure the malware’s persistence on the system. Again, the Registry key depends on the installation path and is listed in Table 2.
Table 2 – Possible installation paths, with the Registry entry used for persistence and the DLL export that entry causes to be loaded
  • Installation path: %CommonProgramFiles%\microsoft shared\DW$random$\
    Registry entry: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] ServiceDll = $path_to_malware$ (the infected DLL is loaded as the LanmanServer service DLL; writing under HKEY_LOCAL_MACHINE requires administrator rights)
  • Registry entry: [HKEY_CURRENT_USER\Software\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32] (Default) = $path_to_malware$ (the infected DLL is loaded as an in-process COM server whenever that CLSID is instantiated)
  • Installation path: %AppData%\Microsoft Corporation\
    Registry entry: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] NvCplWow64 = $path_to_rundll32.exe$ “$path_to_malware$”, Control_RunDLL
    DLL export: Control_RunDLL (called by rundll32.exe)

There are multiple ways to load a DLL and Win32/Corkow will use one of the three methods listed in the table above. Each of the methods loads a different DLL export, hence the different possible names for the decryption stub written into the host DLL during infection.
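The three persistence locations in Table 2 are also the most direct host-level check for an infection. The following script is an added example (it is not ESET’s code and not part of Corkow) that evaluates those three locations; the evaluation works on a plain dictionary of registry values so it can be run against data exported from a host or against the constructed samples embedded below, and the live-registry collector is only attempted on Windows. The DLL file names and the DW-directory suffix in the samples are placeholders, and the check that the LanmanServer ServiceDll should point into System32 relies on that service’s DLL shipping there, which is standard Windows behaviour rather than something the analysis above states.

```python
import sys

# Indicators taken from Table 2 above.
CORKOW_CLSID = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
RUN_VALUE_NAME = "NvCplWow64"

# The three persistence locations as (hive, subkey, value name).
# An empty value name means the key's (Default) value.
LANMAN_SERVICEDLL = ("HKLM", r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "ServiceDll")
COM_INPROC = ("HKCU", r"Software\Classes\CLSID\%s\InprocServer32" % CORKOW_CLSID, "")
RUN_KEY = ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", RUN_VALUE_NAME)
LOCATIONS = (LANMAN_SERVICEDLL, COM_INPROC, RUN_KEY)


def evaluate(values):
    """values maps each location tuple to its string data, or None if absent.
    Returns a list of findings; an empty list means none of the three
    indicators is present."""
    findings = []

    # 1. Service DLL hijack (administrator install). The LanmanServer service
    #    DLL ships in %SystemRoot%\System32; Corkow points the value at its
    #    infected copy under Common Files instead.
    dll = values.get(LANMAN_SERVICEDLL)
    if dll is not None and "\\system32\\" not in dll.lower():
        findings.append("LanmanServer ServiceDll outside System32: %s" % dll)

    # 2. Per-user COM hijack. Any InprocServer32 for this CLSID under HKCU is
    #    suspicious by itself: HKCU\Software\Classes takes precedence over the
    #    machine-wide registration, so the DLL is loaded whenever the object
    #    is instantiated.
    com = values.get(COM_INPROC)
    if com is not None:
        findings.append("HKCU InprocServer32 for %s: %s" % (CORKOW_CLSID, com))

    # 3. Run key entry that launches the DLL through rundll32's Control_RunDLL.
    run = values.get(RUN_KEY)
    if run is not None and "control_rundll" in run.lower():
        findings.append("Run value %s via rundll32: %s" % (RUN_VALUE_NAME, run))

    return findings


def collect_live():
    """Read the three locations from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = {}
    for loc in LOCATIONS:
        hive, subkey, name = loc
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                out[loc] = str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            out[loc] = None
    return out


# Constructed samples (not real registry dumps). "infected.dll" stands for
# whichever System32 DLL Corkow chose as its host; "DW2975" stands for DW$random$.
SAMPLE_CLEAN = {
    LANMAN_SERVICEDLL: r"%SystemRoot%\System32\srvsvc.dll",
    COM_INPROC: None,
    RUN_KEY: None,
}
SAMPLE_ADMIN_INSTALL = dict(SAMPLE_CLEAN)
SAMPLE_ADMIN_INSTALL[LANMAN_SERVICEDLL] = (
    r"C:\Program Files\Common Files\microsoft shared\DW2975\infected.dll")
SAMPLE_USER_INSTALL = {
    LANMAN_SERVICEDLL: r"%SystemRoot%\System32\srvsvc.dll",
    COM_INPROC: None,
    RUN_KEY: r'C:\Windows\system32\rundll32.exe "C:\Users\u\AppData\Roaming\Microsoft Corporation\infected.dll", Control_RunDLL',
}

if __name__ == "__main__":
    data = collect_live() if sys.platform == "win32" else SAMPLE_ADMIN_INSTALL
    for line in evaluate(data) or ["no Corkow persistence indicators found"]:
        print(line)
```

On a Windows host the script reads the live values; elsewhere it runs against the constructed infected sample. The COM check deliberately does not inspect the path: a per-user InprocServer32 registration for this CLSID has no legitimate reason to exist.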
As stated above, the Corkow core DLL is written into the host DLL’s resources in encrypted form, after being compressed with aPLib, a popular compression library. The encryption is an XOR with a keystream produced by a multiply-with-carry (MWC) pseudo-random generator seeded from the Volume Serial Number of the C:\ volume. After installation the infected DLL is therefore bound to that particular machine: copied to a different computer, it will not decrypt, let alone run. This is one of the ways Corkow hinders malware analysis, since an analyst needs the original volume’s serial number to unpack the sample.
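To make the ‘hardware binding’ concrete, here is an added example (not ESET’s code and not taken from Corkow) of an XOR keystream drawn from a multiply-with-carry generator seeded with the C:\ Volume Serial Number. The MWC multiplier and the way the serial is folded into the generator state are assumptions chosen for illustration; the analysis above does not give Corkow’s actual parameters, and the aPLib compression layer is not reproduced. Reading the serial through GetVolumeInformationW is standard Windows API usage, not something the analysis describes.

```python
MWC_MULT = 4294957665   # 0xFFFFDA61, an illustrative multiplier (assumption)
MASK32 = 0xFFFFFFFF


def mwc_keystream(volume_serial, nbytes):
    """Return nbytes of keystream from a 32-bit multiply-with-carry generator.
    The serial seeds the state; each step computes t = a*x + c, keeps the
    low 32 bits as the next x and the high bits as the next carry c.
    Folding the serial into (x, c) this way is an assumption for this example."""
    x = volume_serial & MASK32
    c = (~volume_serial) & MASK32        # never (0, 0): c is x's complement
    out = bytearray()
    while len(out) < nbytes:
        t = MWC_MULT * x + c
        x = t & MASK32
        c = t >> 32
        out += x.to_bytes(4, "little")
    return bytes(out[:nbytes])


def xor_with_keystream(data, volume_serial):
    """XOR data with the serial-derived keystream. XOR is its own inverse, so
    the same call both binds (encrypts) and unbinds (decrypts)."""
    ks = mwc_keystream(volume_serial, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def read_volume_serial(root="C:\\"):
    """Read the live volume serial with GetVolumeInformationW (Windows only).
    This is the value the trojan derives its key from on the victim."""
    import ctypes
    serial = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return serial.value


# Constructed stand-ins for the embedded core DLL and for two machines'
# volume serials (the victim's and an analyst's).
PAYLOAD = b"MZ\x90\x00" + bytes(range(60))
SERIAL_VICTIM = 0x1C2F5E3A
SERIAL_ANALYST = 0x7A6B5C4D


def unpack_on(serial, blob):
    """Attempt to recover the payload on a machine with the given serial.
    Returns the payload if the serial matches the binding, else None (the
    decrypted bytes no longer carry the PE 'MZ' signature)."""
    candidate = xor_with_keystream(blob, serial)
    return candidate if candidate.startswith(b"MZ") else None


if __name__ == "__main__":
    blob = xor_with_keystream(PAYLOAD, SERIAL_VICTIM)
    print("victim machine  :", unpack_on(SERIAL_VICTIM, blob) == PAYLOAD)
    print("analyst machine :", unpack_on(SERIAL_ANALYST, blob))
```

The practical consequence for an analyst is the one the text describes: a sample collected from a victim machine has to be unpacked with that machine’s serial (or the serial has to be spoofed in the sandbox) before the core DLL can be examined.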

Core DLL, C&C communication

The main module of Win32/Corkow is responsible for extracting the other embedded modules and injecting them into corresponding processes, and for communication with the C&C server.
Corkow contains a list of URLs to which it tries to connect. The initial HTTP requests sent to the server contain some basic system information, the version numbers of individual modules and a generated bot ID. In this way the key for encrypting the communication (consisting of the C&C domain name and the bot ID) is established. The server will then respond with one of a few commands. The supported commands include:
  • Reboot
  • Download and execute arbitrary executable or DLL
  • Update bot
  • Download configuration for certain modules
  • Wipe an arbitrary file on the system (by rewriting it with random data)
  • Uninstall itself, with the option of destroying the system
The last two mentioned commands show that, apart from data theft, Win32/Corkow is also able to cause irreparable damage to the system. When the uninstall command is sent with a specific parameter, the trojan will attempt to delete critical system files and overwrite the Master Boot Record and Master File Table with random data, rendering the system unbootable.
The core DLL also contains the functionality to capture screenshots of the desktop, block specific applications from running and enumerate smartcards installed on the system.
The application-blocking functionality is determined by the bot’s configuration. The trojan iterates through running processes (the standard method with CreateToolhelp32Snapshot is used) in an infinite loop, and if the undesired process name is found, attempts to terminate it. Of course, the chances of success for this method in User Mode are limited. It is most probably used to prevent victims from running banking applications (to check their account balances, and so forth).
Unlike other more sophisticated trojans, Corkow cannot interact with smartcards, only enumerate them. Interestingly, it doesn’t even use common Windows API functions for interacting with smartcards, but instead enumerates all hardware devices (using the SetupDi API) and searches for specific device names.

Targeting dedicated banking applications

The way Corkow targets the iBank2 application is quite interesting. iBank2 is a Java application, so Corkow attempts to capture its data by injecting its own malicious Java class into the Java Virtual Machine running iBank2. To achieve this, the trojan first injects its IB2 module into each newly spawned Java process (java.exe or javaw.exe).
Figure 2 – Corkow code for attaching to a Java Virtual Machine
The injected code then uses Java Native Interface (JNI) functions to get the pointer to the running Java VM, attaches itself to it (Figure 2) and loads its malicious Java class inside the VM. Figure 3 shows part of the decompiled Java class. The class contains methods for getting the current balance of the victim’s bank account and making screenshots, and is able to copy key files used to authenticate the user.
Figure 3 – Corkow’s malicious Java class used against iBank2
Notice that the code supports English, Russian and Ukrainian versions of the iBank2 application.
The Java injection technique described does not exploit any vulnerability in the iBank2 application itself. Other banking trojans that have targeted the Java-based iBank2 platform include Win32/Spy.Ranbyus and Win32/Carberp, although different techniques were used in both those cases.
The SBRF module targets banking applications (Win32 platform) used by corporate customers of Sberbank. Like the iBank2 module, the SBRF module can create screenshots and copy key files for authentication.

DC module

This module scans for user activity by searching the following:
  • Running processes
  • Browser history – Corkow runs the third-party utility BrowsingHistoryView in order to read the history of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari. The Opera web browser history file is opened directly.
  • Installed applications – by enumerating files in common installation directories
  • Last-used applications – by enumerating the corresponding Registry entries
Interestingly, though, the module does not send the full results of the search to the remote server. Instead it parses the data and looks for specific finance-related strings from a defined list. The analyzed sample contained strings relating to banking, electronic trading platforms and stock brokerages, digital currencies (including various Bitcoin software and websites), various payment systems, and Google Play developer activity:
Ūkio Bank
First Ukrainian International Bank (ПУМБ)
Interactive Brokers
WebMoney Keeper
AKB Privatbank
Zuger Kantonalbank
Credit Suisse
CIM Banque
Contact NG
Western Union
Hypo Landesbank Vorarlberg
Digital currencies
Xpress Money
Loyal Bank
Liberty Reserve
Valartis Bank
Danske Bank
Promsvyazbank Cyprus
Jyske Bank
Avangard Bank
Hellenic Bank
Russian Commercial Bank Cyprus
Forum Bank
Alpha Bank Cyprus
Electronic trading platforms, stock brokerages
Bank of Cyprus
Finam Direct II
Bitcoin Armory
Cyprus Popular Bank (Laiki)
Blackwood Pro
DBS Bank
United Overseas Bank
Google Play developer activity
MBT Desktop Pro
Baltikums Bank
Norvik Bank
QIWI payment system
Snoras Bank
various unidentified PoS systems
Rietumu Bank

Table 3 – Various finance-related software and websites referred to by Corkow’s DC module
Apart from Russian and Ukrainian banks and software, the list also includes a wide range of banks based in Switzerland, Singapore, Latvia, Lithuania, Estonia, Denmark, Croatia, the United Kingdom, Austria and Cyprus (including some banks that are now defunct).
The bot will then notify the attacker if any of the above-mentioned strings are found on the victim’s system.


Win32/Corkow is an example of the consequences of leaked source code from other banking trojans. During the analysis of the Corkow code, it proved fairly easy to spot various different programming styles and parts that were written by the malware authors themselves and other parts that were literally ‘copy & pasted’ from other banking trojans. While Corkow may be technically less sophisticated than some other malware that we’ve analyzed, it will get the job done.
Furthermore, the perpetrators operating the Corkow botnets apparently have a well-conceived modus operandi with a focus on corporate banking users. We can confirm that several thousand users, mostly in Russia and Ukraine, were victims of the Trojan in 2013.
We continue monitoring the threat and will keep you informed of further developments.
Thanks to Anton Cherepanov for his thorough analysis of this malware.

List of SHA1s


CIA chief says internet-connected appliances are ‘worrisome’ new threat

CIA Director John Brennan says that connected appliances and networked vehicles will make the agency’s job harder – with more systems to protect, and more platforms which could be used to launch attacks.
Network World reports that Brennan, speaking at President Barack Obama’s Associates Dinner at the University of Oklahoma, said that cyber issues were becoming increasingly central to the CIA’s mission: “We also are concerned that new vulnerabilities will develop as cars, home appliances, and other physical objects become more integrated into information networks.”
“As we move closer to what some are calling an “Internet of Things,” there will be more devices and systems to protect—and, equally worrisome, more that can be used to launch attacks.”
As part of a wide-ranging speech, Brennan said that the rapid pace of change in technology made the job of the CIA “challenging”. The CIA has published an official transcript of the speech.
“Cyber security was part of my portfolio when I served at the White House, and I must admit that after a while, just hearing the word “cyber” was enough to make my head hurt,” Brennan said.
“Part of what makes cyber so challenging is that technology is changing so rapidly—and society along with it,” Brennan said. “In many respects, the world is transforming itself before our eyes, as more and more human activity migrates to the Internet.”
“This has profound implications not only for how each of us conducts our daily lives, but also for the way CIA carries out its mission. Terrorists, criminal networks, weapons proliferators, state actors—all of them are entrenched in the digital domain.”
Various cases have shown that devices belonging to the so-called ‘internet of things’ are vulnerable. This month it was revealed that Belkin’s WeMo home automation systems contained multiple vulnerabilities which could allow attackers to remotely control devices attached to a WeMo system, for instance blacking out the lighting in a home or remotely monitoring devices such as security cameras, as reported by WeLiveSecurity.
Several security researchers have shown off ‘hacks’ which can remotely take over the software in vehicles – and CNBC described such attacks as potentially forming a new “global cybercrime wave.”
At this year’s Consumer Electronics Show (CES) in Las Vegas, ‘smart homes’ were clearly a big trend on the show floor – and much debate was ignited about their security.
The normally sober BBC warned, “In the future, it might not just be your smartphone that leaks personal and private data, it might be your smart fridge too.”
But ESET Senior Research Fellow David Harley said in a commentary post at the time, “It may be a little early to worry too much about what your fridge or your medicine cupboard is able to reveal to a hacker about your eating habits and the state of your health.”
“After all, there are all too many more direct ways for retailers, insurance companies, and pharmaceutical companies to get that sort of information. (And those are issues more people should be worried about.)”

Security researchers warn of airborne WiFi virus that spreads like a cold

Security researchers at the University of Liverpool have warned of the potential for computer viruses to spread over WiFi networks with the same effectiveness as the common cold.
The team in the University’s School of Electrical Engineering, Electronics and Computer Science developed a virus called Chameleon, which is able to move across WiFi networks and avoid detection with ease.
"This attack replaces the firmware of an existing AP [access point] and masquerades the outward-facing credentials. Thus, all visible and physical attributes are copied and there is no significant change in traffic volume or location information," it said.
"Hence, this attack is considered advanced and difficult to detect, as IDS [intrusion detection system] rogue AP detection methods typically rely on a change in credentials, location or traffic levels."
The researchers then ran tests on a simulation of the WiFi networks in London and Belfast and found that Chameleon acted like an airborne virus, as the close proximity of WiFi APs made it easy for the virus to spread.
The virus also adapted easily to its surroundings: if it encountered an AP with strong encryption and passwords, it moved on to another AP that was not sufficiently protected and continued to spread.
Alan Marshall, professor of network security at the university, said the study underlined the risks posed by public WiFi.
“WiFi connections are increasingly a target for computer hackers because of well-documented security vulnerabilities, which make it difficult to detect and defend against a virus,” he said.
“It was assumed, however, that it wasn’t possible to develop a virus that could attack WiFi networks, but we demonstrated that this is possible and that it can spread quickly. We are now able to use the data generated from this study to develop a new technique to identify when an attack is likely.”
The full research paper entitled Detection and analysis of the Chameleon WiFi access point virus is available online.
The research is worrying as public WiFi networks are being rolled out across major cities such as London all the time. The London Underground now has more than 130 stations hooked up while numerous boroughs are offering free services to residents.

UK universities receive £3m to fight Android hackers

The Engineering and Physical Sciences Research Council (EPSRC) has allocated £3m in funding to academics at Royal Holloway University of London, City University London, Coventry and Swansea Universities, to find new ways to combat mobile malware.
The funding will see the universities set up five cross-university research teams, devoted to creating new anti-malware technologies. Two of the research teams will focus on application security, while the remaining three will work to increase the UK's overall cyber defences.
Information Security lecturer at Royal Holloway University of London Dr Lorenzo Cavallaro will lead one of the application research teams. His team will focus on creating new ways to identify malicious applications running on Android.
Cavallaro said the research is essential as many smartphone users are still unaware of mobile security threats.
"We're used to considering our phones as a trusted, private channel of communication, and suitable to receive authentication information to access specific online services. Unfortunately, this information can be leaked or abused by colluding malware if the mobile device is infected," he said.
Professor Tom Chen will lead the research teams at City University London, and Swansea and Coventry universities. The teams will focus on detecting and removing colluding apps: suites of malicious applications that work together to infect smartphones. Their fragmented nature makes them difficult to spot using traditional security services.
Chen said combating colluding apps is an underexplored area that needs to be addressed. "Currently almost all academic and industry efforts are focusing on single malicious apps; almost no attention has been given to colluding apps. Existing antivirus products are not designed to detect collusion," he said.
Security firm McAfee will help co-ordinate the research teams' efforts. Senior principal architect at McAfee, Dr Igor Muttik said the new research is an essential step in the security community's battle against advanced malware.
"We're up against really sophisticated malware – some even used by nation states for spying. All attackers are well aware of the technology involved in detecting and tracking them," he said.
"These cyber criminals often take an industrial approach to malware: they try to maximise their benefits from it. So, we need to constantly raise the bar by improving the technology and this will make it more complex and less profitable for them to operate."
The funding initiative is one of many to be announced in recent years. Investing in academic research has been an ongoing part of the UK government's Cyber Security Strategy. The UK government invested £7.5m with Royal Holloway University of London and Oxford University in May 2013 to create two new cyber higher education centres.

Boeing launches security-focused Black Android smartphone

Boeing has unveiled the Boeing Black smartphone, claiming its advanced security features make it the perfect choice for governments and intelligence agencies as demand for secure mobile devices continues to grow.
The Black smartphone will run on Android and come with a variety of advanced defence technologies, including Boeing's PureSecure architecture. The technology uses a layered security model to protect the Black smartphone at a hardware and software level.
Boeing explained: "Our architectural foundation is built upon layers of trust from embedded hardware, operating system policy controls, and compatibility with leading mobile device management systems. The device's hardware roots of trust and trusted boot ensure the device starts in a trusted state, enabling maximum security of data."
The Black also features hardware media encryption and embedded configurable inhibit controls, designed to protect data being transmitted by the phone during calls. Boeing has confirmed that the Black smartphone will "exclusively be made in the US" indicating that it has a specific focus on US intelligence agencies, such as the FBI and NSA.
Boeing pushed its "modular design" as a key selling point for the Black. The modular design means agencies can attach a number of customised, mission-specific upgrades to the Black. A video advert by Boeing showed peripherals for everything from fingerprint scanning and extra battery packs, to an unspecified "biometric data collection" upgrade.
At a hardware level the Black will feature a 4.3in quarter HD 540x960 display and run using a dual-core 1.2GHz ARM Cortex-A9 processor. The device will also feature 4G connectivity.
The Black is similar to Silent Circle’s Blackphone, which debuted at MWC and is designed to offer similar privacy and security services.

Worse than Orwell could ever imagine: UK spy drama takes dark twist

Ever since revelations of mass spying, data gathering and web surveillance broke last summer there has been shock and outrage at the government's intrusion into the lives of innocent web users around the world.
However, amid the entirely justified furore caused by the documents leaked by Edward Snowden, there has also been an underlying tone of ‘quelle surprise’.
We all used to joke that governments were spying on us and – hey presto – they were. And as they insisted on telling us, the data they gathered was only metadata, nothing that made citizens identifiable. Yes it was wrong, a bit over the top, but it wasn’t that bad, and after all, it was in our own security interests.
However, things have taken a darker, more insidious twist this week with the news that Yahoo webcam users were spied on by GCHQ and millions of images were taken and stored, many of which caught people in a state of undress.
This isn’t metadata. This is taking photos of people inside their own homes. MP David Davis said the revelations "exceeded even the worst Orwellian nightmares".
"Even in 1984 the citizen was aware that they were being watched,” he added.
It’s worth repeating to really drive this home: the UK government has taken photographs of millions of people inside their own homes, without their knowledge, in order to create a giant mugshot database of innocent citizens.
How on earth did such a system come to be in place? Who devised it, designed it, created and approved it? Who oversaw its operation? Did anyone ever raise a concern that this could be ever so slightly immoral, illegal, outrageous?
To date, the security services have managed to avoid any true scrutiny of their work, hiding behind bland stock statements or the classic ‘that’s a national security issue’ line.
Still, while it is unrealistic to expect spy chiefs to tell all about their efforts to protect us grateful citizens – What would they say anyway? Yes, we take naked photos of you, sorry – there are some with the power to keep the spies in line.
One of these people is the intelligence services commissioner, Sir Mark Waller. His role is to provide “independent judicial oversight” of MI5, MI6 and GCHQ and is appointed by parliament.
So his role should involve monitoring these agencies, and reporting on their work and how it is being conducted whenever he is asked to do so by those in the parliament that appointed him.
But in order to get Waller to do this, a committee of MPs – the Home Affairs Committee – have had to force him to do so, so they can find out more about what it is he’s actually overseeing. It’s positively Kafkaesque, to add to the Orwellian reference earlier.
Not only that, but Waller had tried to palm off the Committee by pointing its members in the direction of a report that covered the work of the services between January and December 2012, published in July 2013.
That was at the very time the Snowden revelations were first appearing, and a report written before them is of little help seven months later, when the scale of the spying being carried out by governments is still only just being understood.
Waller will now give evidence on 18 March, in a session that is likely to prove testy and will no doubt feature the phrase ‘I can’t discuss that’ once or twice.
For the rest of us, we are now living in a world that is ever-reliant on digital communications, but where our own government is monitoring it all, from phone calls and emails, to taking photos of us in a state of undress, while those in charge are seemingly immune to any scrutiny.
Orwell may have been 30 years early in his predictions, but he was right. Terrifyingly right.