Monday, 30 September 2013

New British Cyber defense force will protect industry – and “if needed, strike in cyberspace”

A new cyber defense force is being set up in the UK to protect critical private and government computer networks from attack – “if necessary, to strike in cyberspace,” Britain’s Defense Secretary Philip Hammond has said.
The move puts Britain into line with U.S. policy on cyber defense, where the US Defense Department Cyber Command, moved this year from “cyber defensive measures” into a “fully-operational Internet-era fighting force” with close to 5,000 troops and civilians at its disposal.
Britain’s Joint Cyber Reserve Unit will recruit part-time specialists from across the Armed Forces as well as reservists and civilians. Personnel leaving the Armed Forces will also be invited to apply, with recruitment starting next month.
Hammond said in a statement,“In response to the growing cyber threat, we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capabilities. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe.”
“The Cyber Reserves will be an essential part of ensuring we defend our national security in cyberspace. This is an exciting opportunity for internet experts in industry to put their skills to good use for the nation, protecting our vital computer systems and capabilities.”
The Ministry of Defense said, it “will recognize the unique attributes of individuals who might otherwise not be attracted to, or able to serve in the reserve forces”.

“One click, then boom”: Spear-phishing could “black out” energy companies, expert warns

Spear-phishing attacks on energy companies are becoming increasingly sophisticated, an expert has warned – and all it takes is one lucky strike to cause devastating damage to the power grid, or to companies which supply oil and gas.
“The way malware is getting into these internal networks is by social engineering people via email,” Rohyt Belani, CEO of anti-phishing training firm PhishMe, told PC World.
The Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) documented more than 100 incidents between October 2012, and May 2013. Several involved sophisticated spear-phishing (targeted phishing) emails – using company websites and other data available on the internet, before sending targeted emails.
Belani cited an example of a night-shift worker controlling SCADA systems – the computerised systems which monitor industrial processes – who was targeted with a highly specific and believable spear-phishing attack.
The unknown cybercriminals had researched his name, and the fact he had four children, and sent him an email, seemingly from the company’s HR department, which related to health insurance for workers with three or more children.
“You send them something that’s targeted, that contains a believable story, not high-volume spam,” says Belani. “People will act on it by clicking a link or opening a file attached to it. Then, boom, the attackers get that initial foothold they’re looking for.”
A Congressional survey of electrical utilities earlier this year found that companies faced up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”.
One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”
This April, a spear-phishing attack which targeted an American electrical company was documented in this month’s Monitor report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Again, in that case, the cybercriminals had done their research. The attack used a published list of attendees at a committee meeting to target employees with a malware-infected phishing email. The company site had listed the email addresses and work titles of everyone at a meeting – which was enough information for cybercriminals to craft a convincing-looking tailored attack directed at the company.
ICS-CERT says it has responded to more than 100 incidents targeting the energy sector between October 2012 and May 2013.
“The majority of these incidents involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. In all cases, ICS-CERT evaluates the information available to determine if successful compromise has occurred, the depth and breadth of the compromise, and the potential consequences to critical infrastructure networks.”

Britain to recruit IT experts for Cyber Reserves unit in security boost

Toy soldiers on keyboard representing cyber security
The UK Ministry of Defence (MoD) has pledged to recruit hundreds of computer experts for a reserve task force dedicated to developing and, if required, mounting offensive cyber operations.
Defence secretary Philip Hammond announced yesterday that the experts will work alongside regular military forces and government agencies to develop offensive as well as defensive tools and strategies. He said the creation of the Reserves unit is an essential step in the government's ongoing battle to protect itself and businesses from the growing cyber threat facing them.
"In response to the growing cyber threat, we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK's range of military capabilities. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe," said Hammond.
"The Cyber Reserves will be an essential part of ensuring we defend our national security in cyberspace. This is an exciting opportunity for internet experts in industry to put their skills to good use for the nation, protecting our vital computer systems and capabilities."
The unit's creation comes during widespread reports that Europe is suffering a cyber skills shortage. Numerous government departments and businesses have said recruiting skilled cyber professionals is an ongoing challenge.
Prior to this announcement the National Audit Office (NAO) estimated the gap will last 20 years and will cost the nation £27bn a year.
Last week F-Secure chief research officer Mikko Hypponen uncovered evidence that government agencies such as the GCHQ and NSA are already outsourcing cyber missions to third-party security companies as they do not have enough skilled professionals in-house.
The government will launch a tailored recruitment strategy in October to get around the skills gap. It will look for three types of recruits: regular personnel leaving the Armed Forces, current and former reservists with the necessary skills and a select number of experts with no previous military experience, but with "the technical knowledge, skills, experience and aptitude to work in this highly specialised area."
The strategy has been praised by the wider security community. Royal Holloway University Information Security department head Professor Keith Martin told V3 the focus on creating offensive tools is of little surprise.
“It doesn’t surprise me people would want to build offensive capabilities. The government already all but explicitly acknowledged we do have cyber offensive capabilities, so I think it’s something that already exists now,” he said.

“In terms of knowing what extra capabilities they’re looking for I can’t say, but it’s fairly obvious this is an increasingly important medium where conflicts and diplomacy are going happen.”

However, Martin said even with the strategy the lack of clarity about what specific talents the GCHQ wants its reservists to have combined with the ongoing skills gap may still be an issue.
“I think there is a shortage, in the sense there’s a healthy jobs market with people that require these skills. Regarding whether there is a ready supply of these skills for the government to tap, it’s difficult to say as we don’t know what they want," he noted.
"But, there is a relatively short supply of these security skills within companies. Whether people within companies with these skills would be willing to give up their time, I don’t know, but I imagine there will be an issue,” he said.
Peter Armstrong, director of cyber security at Thales UK, added that he expects the strategy to prove effective and lead to an overall boost in the number of security experts operating in the UK.

"With the advent of cyber espionage and attacks which threaten national critical infrastructure, the need for a holistic approach to national security is long overdue. It's great to see the MoD taking its share of responsibility for this alongside its traditional physical defence remit," he said.
"In addition, and just as importantly, this move will help enormously in positioning public sector cyber security as an attractive career prospect for the next generation."
The UK government announced its Cyber Reserves initiative alongside announcing plans to create a new British Computer Emergency Response Team (CERT) in 2012. These initiatives are part of the government's wider cyber security strategy, which was announced in 2011 when the UK government pledged to invest £650m to help bolster the nation's cyber defences.

Microsoft reveals no Skype call data handed to government agencies

Skype logo
Microsoft has revealed the extent of government requests for data for the first six months of this year, with 66,539 of the company's user accounts requested for scrutiny.
Skype, which is owned by Microsoft, received 3,509 requests worldwide for customer information relating to 10,585 accounts, with 82 percent of those requests resulting in some data being handed over.
However, none of the data released to agencies regarding Skype users related to "content", meaning no information regarding voice calls or chat messages were given away. This is a notable coup for Microsoft, which demonstrates the tough process government requests must go through in order to be successful.
Microsoft as a whole – including Skype – received 37,196 requests for 66,539 individual user accounts. Seventy-seven percent of the requests were accepted, with less than 1,000 overall resulting in content data being handed over. The remaining 28,698 only saw user data such as login IDs, names, IP addresses and physical addresses released.
Requests for enterprise data were far smaller, with just 19 requests made, all in the US. Only five of these resulted in and information being handed over, and in each case but one it was able to notify the customers of the request. It rejected the other requests.
"For all 19 enterprise requests, the legal demands were from law enforcement entities located in the US, and sought data about accounts associated with enterprise customers located in the US. In addition, to date, Microsoft has not disclosed enterprise customer data in response to a government request issued pursuant to national security laws," Microsoft added.
The UK government made 4,404 requests to Microsoft, and no content information was handed over. Authorities in the UK enjoyed a 78.2 percent success rate when asking for user data, with the vast majority of rejections due to a lack of data being available rather than a lack of legal standing.
The first half of 2013 showed no significant change in the amount of data provided when compared with the whole of 2012, in which roughly 75,000 requests for 137,000 accounts were made.
Earlier in September, web firm Yahoo also revealed similar data which showed a 98 percent hit rate for US security agencies, while the UK saw a lower rate of success, with 27 percent of data requests being rejected.
Facebook, Google and Twitter have also released their own similar data in recent months in a push to both increase customer confidence and show transparency and openness within the law. However, all of these web service giants are unhappy with the level of transparency granted to them by the US government, each of them creating petitions in the hope of being able to release more detailed information on the nature of the requests made. The issue is highlighted once more in Microsoft's report, which made it clear that "any national security orders we receive are not included".
Skype releasing no caller data will go some way to vindicate Microsoft, which was one of the companies initially strongly linked with providing backdoor access to its services for government agencies when the PRISM scandal first emerged. Microsoft has always strongly denied the accusations.

Europol nabs cyber crooks behind 21,000-strong hacked server store

Cyber crime key on keyboard
Europol has arrested the hacker masterminds behind a notorious cyber black market, selling access to 21,000 compromised servers.
The European Cybercrime Centre (EC3) reported arresting two unnamed Ukrainians in Madrid as a part of a joint operation with the Spanish National Police, codenamed Operation Ransom II.
"On 9 July, Spanish National Police arrested the two criminals and searched their house. One of them was caught red-handed, running virtual machines and chatting with other cyber criminals," read the report.
Europol said authorities seized a variety of items during the raid, including €50,000 in cash, as the group raked in huge profits from their scams.
"Their sophisticated money laundering facility was processing around €10,000 daily through various electronic payment systems and virtual currencies," Europol said.
The hackers had reportedly managed to compromise 21,000 company servers and had successfully sold access to them to more than 450 criminal groups. "The 21,000 compromised servers of companies located in 80 countries (1,500 of them in Spain) had a common feature whereby access settings were via a remote desktop (RDP)," read the report.
"With this set-up, the cyber criminal could access all information contained on the servers, using full administrator privileges for the system, i.e. absolute control. The criminals ran an online shop where the compromised machines were 'sold' to 450 of their cyber criminal 'customers' who were able to choose the location (country) of their preferred servers."
At the time of publishing Europol had not responded to V3's request for comment on how many servers were located in the UK.
Europol said the takedown was only possible thanks to cross-department and agency cooperation and data sharing. "This Spanish National Police investigation was supported from the early stages by Europol specialists, who organised and hosted a coordination meeting in April 2013," read the report.
"Europol then facilitated the exchange of criminal intelligence with other EU member states, delivered analytical reports and supported the operation on the spot with a mobile office and technical advice. Europol will receive data on the compromised computers so it can be analysed and distributed to law enforcement authorities, who in turn can notify those server owners affected by the criminals' activity."
Increasing cross-national collaboration regarding cyber threats has been an ongoing goal of the European Commission. The EC3 centre is a central part of this strategy. The centre launched earlier this year with a staff of 40 and an annual €7m budget, drawn from Europol's existing €84m funding.
The Ukrainians are two of many cyber criminals found to be running their nefarious operations out of Spain. Before their arrests Spanish authorities detained a man believed to be one of the heads of the notorious Reveton malware gang.

Met Police anti-hacker efforts cost crooks £1.01bn in profits

Metropolitan Police officer on the streets of London
UK law enforcement anti-hacker efforts stopped crooks stealing over £1bn from businesses and citizens in the last two-and-a-half years, according to the Met's Police Central e-crime Unit (PCeU).
The PCeU revealed the figure in its latest Harm and reduction report 2013. As well as the monetary sum the report reveals PCeU operations have led to 126 suspects being charged and the conviction of 89 cyber criminals, with a further 30 awaiting trial.
The operations are also listed as having disrupted 26 national and international cyber-based organised crime groups and secured a total of 184 years imprisonment for the 61 criminals given custodial sentences.
The police force originally pledged to reduce the cost of cyber crime by £504m within four years in 2011. The report highlighted the Allandale and Caldelana operations as key victories that helped it double its projected goal.
Operation Allandale was a sting against a gang conspiring to defraud banks worldwide using a sophisticated phishing scam. The operation resulted in the arrest of three men and is listed as preventing £74m worth of harm in the UK alone.
Operation Caldelana saw police target an organised crime group responsible for a sophisticated phishing scam responsible for stealing vast sums of money from victims' bank accounts. The operation is listed as mitigating £39m worth of harm within the UK.
Commander Steve Rodhouse, head of gangs and organised crime at the Met, said the PCeU was able to exceed its projected goal by collaborating with other countries' law enforcement departments and wider industry.
"The PCeU has exceeded all expectations in respect of making the UK's cyber space more secure. This is due to its innovative partnership work with industry and law enforcement across the globe and its dynamic system for developing intelligence, enforcing the law and quickly putting protection measures in place," he said.
Increasing collaboration with law enforcement and the wider industry when combating cyber crime has been a central goal of the UK government's ongoing Cyber Strategy. The strategy was launched in 2011 when the government pledged to invest £650m to bolster the country's cyber defences.
Since launching the strategy the government has introduced several initiatives to achieve this goal, including the creation of the Cyber Security Information Sharing Partnership (CISP). The partnership is designed to help protect the UK's growing digital economy from hackers by facilitating real-time data sharing between the government and private sector.
Despite the positive development, the £1.01bn figure is only a small chunk of the UK's overall digital economy, which the government currently lists as being worth £82bn.
The news follows widespread reports hackers are developing new, sophisticated ways to increase the monetary yield of their cyber scams. Most recently Microsoft reported the authors of the notorious Sefnit Trojan have resurfaced using advanced infection and click-fraud techniques to earn vast sums of money through bogus advertising.

Hackers-for-hire uncovered using hit-and-run 'Icefog' APT on Mac OS X and Windows systems

cyber-security-man
Kaspersky Labs researchers have linked a cyber mercenary gang to a wave of surgical strikes on military and government agencies, codenamed Icefog.
Kaspersky Lab confirmed uncovering the Icefog campaign in its The Icefog APT: A Tale of Cloak and Three Daggers threat report. The researchers said the campaign has been active since at least 2011 and has hit a number of high profile targets.
"Icefog is an Advanced Persistent Threat that has been active since at least 2011, targeting mostly Japan and South Korea. Known targets include government institutions, military contractors, maritime and shipbuilding groups, telecom operators, industrial and high-tech companies and mass media," read the report.
"There are versions for both Microsoft Windows and Mac OS X. In its latest incarnation, Icefog doesn't automatically exfiltrate data, instead it is operated by the attackers to perform actions directly on the victim's live systems."
Principal security researcher at Kaspersky, Lab Vitaly Kamluk told V3 the attacks are particularly dangerous as they use an atypical, real-time strategy tailored to the victim's systems making. "The Windows machines are infected through ‘hit and run' targeted attacks - a fact that makes Icefog a very unique operation," he said.
"While in other APT campaigns, victims remain infected for months or even years and attackers are continuously exfiltrating data, Icefog operators are processing victims one by one - they locate and copy only specific, targeted information. They set up command-and-control servers, create a malware sample that interacts with it, attack the victim, infect it, and communicate with the victim machine before moving on.
"The nature of the attacks is also very focused - in many cases, the Icefog operators appear to know very well what they need from the victims. The filenames were quickly identified, archived, transferred to the C&C and then the victim was abandoned. Basically, the attackers come, steal what they want and leave."
Kamluk said the attacks hit-and-run nature makes detecting Icefog attacks particularly difficult as it requires them to forensically examine each specific raid on a case-by-case basis, rather than look for general trends.
"While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned. The shortest amount of time the Icefog attackers spent in the victim's network is a few hours. Before leaving the network, they clean up the system, not to leave traces," he said.
He added the variety of victims indicates the hackers operate on a "for hire" basis, renting their services out to the highest bidder.
"Icefog is a small hit-and-run gang available for hire that attack organisations with surgical precision. Unlike other APT gangs that consist of tens of people (for example NetTraveler which had a team of 50-to-100 people), there are just six-to-12 people in it," he said.
Kamluk said cyber mercenary gangs are a growing problem facing the security community and he expects to see more groups-for-hire mounting similar operations in the very near future. "The discovery of this gang exposes a new trend - the emergence of ‘cyber-mercenaries' - an organised group of people conducting cyber-espionage/cyber-sabotage activities on demand, after order of anyone who pays money," he said.
"This is something new in the area of targeted attacks. And we expect this trend to grow in future, and more small groups of cyber-mercenaries will be available for hire to perform surgical hit and run operations."
He added the hackers' refined attack strategy makes tracking them difficult, but there is evidence to suggest they may be based in China.
"The ‘for hire' nature of the attack makes attribution difficult. Exfiltrated data could be converted into money or used for cyber-espionage purposes. So it may be a nation-state sponsored cyber-espionage/surveillance operation (in cases when attackers were after the budget of Army of one of the countries), or a financially-motivated cyber-criminal operation (in cases when they were after specific blueprints related to design and technologies) -  even both if the gang had several different contractors," he said.
"Based on the list of IPs used to monitor and control the infrastructure, we assume some of the threat actors behind this operation are based in at least three countries: China (the largest number of connections), South Korea and Japan."
State sponsored hacker teams have been a growing problem facing industry, with numerous reports breaking suggesting intelligence are hiring independent groups for cyber offensive operations.
Most recently, F-Secure chief research officer Mikko Hypponen reported uncovering evidence that the NSA's Tailored Access Operations (TAO) unit and GCHQ are outsourcing missions to third-party security companies.

SME fined £5,000 by ICO for failing to encrypt sensitive data

Cash
A sole trader has been fined £5,000 by the Information Commissioner’s Office (ICO) for failing to encrypt sensitive data it held on its customers.
The company, Jala Transport Ltd, provides loans and is based in Wembley, London. A hard drive containing data on around 250 customers was stolen when the owner's car boot was opened while it was in a traffic jam. Cash to the value of £3,600 was also taken.
The data included names, dates of birth, addresses, the identity documents used to support loan applications and details of the payments made. Although the device was password protected, it was not encrypted.
The ICO said this failure to encrypt data was a vital oversight and so it had no choice but to levy the fine, as head of enforcement, Stephen Eckersley, explained.
“If the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act,” he said.
“The penalty will have a real impact on this business and should act as a warning to all businesses owners that they must take adequate steps to keep customers’ information secure.”
The ICO said the fine would have been far higher, at £70,000, but owing to the limited financial means of the company, as a sole-traded firm, it had no choice but to reduce it. The fact the breach was reported voluntarily was also noted by the ICO.

New TouchID hack by Iranian team works also on iOS 7_0_2

The Iranian group defeated the very basic phenomenon of an iPhone Fingerprinting scanner  which allows them to hack TouchID with multiple Fingerprints also on iOS 7_0_2 .

An Iranian group of iPhone Geeks managing the blog i-Phone.ir defeated the very basic phenomenon of an iPhone Fingerprinting scanner, which allows them to unlock an iPhone device with multiple Fingerprints.  The news has been provided in exclusive by the colleagues at The Hackers News security portal that were contacted by the Iranian group.
The new is embarrassing for Apple firm that known for the reliability of its products and the care of security issues.
The new Apple‘s iPhone 5s was recently presented as a new device that includes a powerful feature, a biometrics-based security system called “Touch ID” that read the user’s fingerprint to unlock the phone.
Fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike,” according to the Apple’s website.
The feature was immediately criticized, many security experts and advocates consider it a violation of user’s privacy, but the troubles were just began. The TouchId features were soon compromised, Germany Hackers of Chaos Computer Club demonstrated how they were able to deceive Apple’s security feature into believing they’re someone they’re not, using a well-honed technique for creating a latex copy of someone’s fingerprint.
The same fate befell the popular iOS 7 just released, the lockscreen feature in reality was not properly working allowing an attacker with physical access to the handset to make calls and access to the user’s data. Too much for a company like Apple!
The company promptly proposed an upgrade for its popular iOS 7, but while all the iPhone users are celebrating for the efficiency of Appleanother tile strikes on their heads.
As remarked by THN post another interesting fact is that, Touch ID is not only designed to scan the fingerprints of your fingers, it works with various human body parts and appendages which are also not fingers.
The concept behind the hack proposed by the Iranian group (Bashir Khoshnevis , Mohsen Lotfi , Shayan Khabazian and other members of i-Phone.ir support team) is that “No two Fingerprints are exactly alike”.
In the following video a proof of concept provided to The Hacker News in which the Group set up a mixed Fingerprint scan of 5-6 people for an iPhone 5S handset that allowed all of them to unlock the device with their individual fingerprints.


TouchID bug iOS 7_0_2
  The curious data is that Apple  officially declared that TouchID technology will misread 1 finger every 50,000, this is because Touch ID is designed to unlock the device with partial part of the scan, this means that providing a merged thumbscan of multiple users to the unlock settings of an iPhone it will be able to read at least some partial scan of an individual user.
Does the newest iOS 7_0_2 firmware  fix the issue?
Apple released a couple of days ago the new iOS 7_0_2 firmware release to fix the security issues discussed, but the hack proposed by the Iranian Team works also on the iOS 7_0_2 as demonstrated by researchers at the THN  ”Wang Wie” and “Jiten Jain“.  The researchers tested the hack procedure on iOS 7_0_2 firmware and it worked successfully.
ios 7_0_2 -update-20130927
Concluding, it is clear that Apple released too hastily the new patch for the security issues affected its new iOS 7, it is curious that bugs like this last one works on a system just patched. In the specific case it’s clear that Apple hasn’t implemented properly biometric authentication … meantime I suggest the use of old passcode to protect the user’s device.

Senator Feinstein Admits the NSA Taps the Internet Backbone

We know from the Snowden documents (and other sources) that the NSA taps Internet backbone through secret-agreements with major U.S. telcos., but the U.S. government still hasn't admitted it.
In late August, the Obama administration declassified a ruling from the Foreign Intelligence Surveillance Court. Footnote 3 reads:
The term 'upstream collection' refers to NSA's interception of Internet communications as they transit [LONG REDACTED CLAUSE], [REDACTED], rather than to acquisitions directly from Internet service providers such as [LIST OF REDACTED THINGS, PRESUMABLY THE PRISM DOWNSTREAM COMPANIES].
Here's one analysis of the document.
On Thursday, Senator Diane Feinstein filled in some of the details:
Upstream collection…occurs when NSA obtains internet communications, such as e-mails, from certain US companies that operate the Internet background [sic, she means "backbone"], i.e., the companies that own and operate the domestic telecommunications lines over which internet traffic flows.
Note that we knew this in 2006:
One thing the NSA wanted was access to the growing fraction of global telecommunications that passed through junctions on U.S. territory. According to former senator Bob Graham (D-Fla.), who chaired the Intelligence Committee at the time, briefers told him in Cheney's office in October 2002 that Bush had authorized the agency to tap into those junctions. That decision, Graham said in an interview first reported in The Washington Post on Dec. 18, allowed the NSA to intercept "conversations that . . . went through a transit facility inside the United States."
And this in 2007:
[The Program] requires the NSA, as noted by Rep. Peter Hoekstra, "to steal light off of different cables" in order to acquire the "information that’s most important to us" Interview with Rep. Peter Hoekstra by Paul Gigot, Lack of Intelligence: Congress Dawdles on Terrorist Wiretapping, JOURNAL EDITORIAL REPORT, FOX NEWS CHANNEL (Aug. 6, 2007) at 2.
So we knew it already, but now we know it even more. So why won't President Obama admit it?

Iran hacked US Navy Computers

US officials revealed that Iran hacked unclassified Navy computers in recent weeks in an escalation of cyber attacks against US infrastructures.

The Wall Street Journal reported that Iran hacked unclassified US Navy computers, the allegations were made by US officials that consider the attacks of most serious intrusion within Government Network made by foreign states.
“The U.S. officials said the attacks were carried out by hackers working for Iran’s government or by a group acting with the approval of Iranian leaders. The most recent incident came in the week starting Sept. 15, before a security upgrade, the officials said. Iranian officials didn’t respond to requests to comment.”
US officials sustained that Iranian hackers working for the government of Teheran have repeatedly violated computer systems within an unclassified Navy computer network for cyber espionage purpose.
Despite no sensitive information has been leaked the event is considered very concerning for US Intelligence, similar attacks could expose confidential information such as blueprints of a new cyber weapon, but could also compromise an architecture of the Defense.
Iran’s cyber abilities have increased gradually reaching a concerning level, Teheran has sufficient cyber abilities to attack the US causing serious damages to the critical infrastructures of the country. Iranian state sponsored hackers could hit critical infrastructure using malicious code and tools free available on the internet and purchased in the underground.
The study “Iran: How a Third Tier Cyber Power Can Still Threaten the United States”, published by the Atlantic Council sustains that despite the Iranian cyber capabilities are considered modest, they could be sufficient to launch attacks against the U.S.that would do more damage to public perceptions than actual infrastructure.
“Their ability to also play in this [cyber] sandbox compounds that concern,” a US official said.
US officials added that Congress has been briefed on the attack, Defense Secretary Chuck Hagel and Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey discussed on the necessity further improve government network security.
“The Pentagon wouldn’t confirm the alleged Iranian hacks. A department spokesman said its networks are attacked daily. “We take these attempts seriously and work to learn lessons from every one of them,” the spokesman said.

Iran hacked
“The series of Iranian intrusions revealed a weakness in the Navy network and a shortcoming in the service’s defenses compared with other unclassified military networks, according to U.S. officials.
Once the intruders got into the Navy computer system, they were able to exploit security weaknesses to penetrate more deeply into the unclassified network, the officials said.”
Iranian state-sponsored hackers already hit US in the past, the US major banks were hit by a series of powerful DDoS attacks and energy industry computer networks were hacked, but if the event is confirmed there is the concrete risk that the cyber conflict may escalate.
Between US and Iran there is a dangerous tension that has repercussions in the cyber space while US President Barack Obama and Iranian President Hassan Rouhani are trying to define a diplomatic conduct to reach an agreement on the development of Iranian nuclear program. The two leaders spoke on Friday, from the White House Friday afternoon, Obama announced he just got off the phone with Iranian President Hassan Rouhani and discussed “our ongoing efforts to reach an agreement over Iran’s nuclear program.” 
“I believe we can reach a comprehensive solution,” Obama said, adding that he has asked US Secretary of State John Kerry to continue pursuing a deal with Iran that would prohibit Tehran from pursuing the development of nuclear weapons.
“I do believe that there is a basis for a resolution,” Obama said.
“Rouhani has indicated that Iran will never develop nuclear weapons,” Obama said, hailing that sentiment as a “major step forward in a new relationship between the United States and the Islamic Republican of Iran.”
The cyber war between US and Iran started a long ago, one of most debated event is the sabotage of Iranian uranium enrichment facilities made with cyber weapon known as Stuxnet.
Cybersecurity experts are not concerned only by Iran, most dangerous players in the cyberspace like China and Russia that have more sophisticated hacking capabilities than Iran.
The conflict between US and Iran is ongoing in the cyberspace and could have serious repercussions on the diplomatic dialogue established between the two governments, a cyber attack could have the same effect of a conventional strike … this could be just the beginning.

Saturday, 28 September 2013

DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008

With low-waged employees of unethical ‘data entry’ companies having already set the foundations for an efficient and systematic abuse of all the major Web properties, it shouldn’t be surprising that new market segments quickly emerged to capitalize on the business opportunities offered by the (commercialized) demise of CAPTCHA as an additional human/bot differentiation technique. One of these market segments is supplying automatic (email) account registration services to potential cybercriminals while on their way to either abuse them as WHOIS contact point for their malicious/fraudulent domains, or to directly embed automatically registered accounting data into their Web-based account spamming tools. This takes advantage of the clean IP reputation/white listed nature of these legitimate free email providers.
In this post, I’ll discuss a commercially available (since 2008) DIY (do it yourself) automatic email account registration tool capable of not just modifying the forwarding feature on some of the email providers it’s targeting, but randomizes the accounting data as well. The tool relies on built-in support for a CAPTCHA-solving API-enabled service, and can also activate POP3 and SMTP on some of these accounts thus making it easier for cybercriminals to start abusing them.

Sample screenshots of the tool in action:
DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_01 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_02 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_03 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_04 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_05 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_06 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_07 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_08 The multi-threaded tool “naturally” supports direct syndication of “fresh” Socks4/Socks5 malware-infected hosts, as well as randomization of the user agent, in an attempt by its users to anonymize their malicious account registration activities. The tool also has a built-in support for two of the market leading commercial CAPTCHA-solving services, ensuring that the CAPTCHA challenge will by successfully bypassed thanks to the introduced API on behalf of these services.
What would a cybercriminal do with all of these automatically registered bogus accounts? Plenty of (fraudulent) options.
  • Web-based spam relying on the DomainKeys verified/trusted network infrastructure of the providers – over the years spammers have realized the potential of a DomainKeys trusted (internal) network, and therefore, quickly adapted to its adoption, largely thanks to the demise of CAPTCHA, allowing them to efficiently register hundreds of thousands of rogue accounts to be later on used in spam campaign.
  • Automatic activation and abuse of related account services – certain free email service providers, also automatically enable FTP and Web hosting services, allowing the cybercriminals behind the campaign to multi-task by abusing each and every activated service, of course, in an automated fashion, just like the initial account registration process
  • Sell access to the bogus accounting data to fellow (novice) cybercriminals – novice cybercriminals look for ways to obtain automatically registered accounts to be later on used as a foundation for their fraudulent campaigns, are the prime market segment targeted by customers of such tools, who take advantage of the fact that novice cybercriminals are still building their capabilities, and remain unaware of the existence of such type of tools, meaning the’d be even willing to pay a premium to get hold of such type of rogue accounts
We’ll continue monitoring the development of this DIY tool, and post updates as soon as new “innovate” features get introduced.

Top Ten Tips For Keeping Kids Safer Online

kids_title_EN
There are also specific dangers that children face. These include obviously undesirable content like pornography, violence and drugs, but also sites focused on self-harm or even suicide.  Sadly, inappropriate material can be just a few clicks away:  objectionable content can be displayed alongside search items as innocuous as ‘Peppa Pig’, ‘Dora the Explorer’, ‘Fireman Sam’ or other items that we’re happy for our children to view.
Children can also be exposed to banner ads on pages they visit. You may wonder what fraudsters hope to gain by delivering context-sensitive advertisements to children.  But a lot of children use their parents’ credit cards and this makes them a prime target. It’s less a problem of fraudsters peddling bogus products and services than it is about children looking to pay for online goods like computer games, books, films and in-app purchases inside games on laptops, tablets and smartphones.
Parents are more worldly-wise, but they’re often less tech-savvy. Children have no trouble driving the technology, but are often blithely unaware of the potential dangers.
Hide nothing, share everything
There’s another aspect to online safety too. Our children are growing up in a culture of ‘share everything’.  Social networks allow them to treat the web like the notice-board in the family kitchen – and they do. They post information about where they are, who they’re with, what they’re doing – with pictures to illustrate this narrative of their lives. But while the notice-board in the kitchen is accessible only to family and friends, what’s posted on a social network could be shared with the whole world. Personal information could be used by an online predator to profile a child or teenager, get their trust and then try to arrange to meet them in the real world.  Shared pictures can be used by their peers to bully or coerce them.  Adults are more likely to see the inherent problem in the ‘share everything’ culture, but children don’t – until something goes wrong.

Technology generation gap
Unfortunately, we face a technology generation gap. Parents are more worldly-wise, but they’re often less tech-savvy.  They don’t always understand what’s possible with today’s technology. Children have no trouble driving the technology, but are often blithely unaware of the potential dangers.
Children need to know that there’s good and bad online – just as, when a child is old enough we introduce road safety and the importance of staying close to us.
Monitor and mentor
That’s why it’s so important for parents to involve themselves in their children’s online activities from a very young age, so they can ‘mentor’ their children and help to shape and inform their online experiences.  Of course, the online safety message needs to be tailored to the age of a child. We can’t expect a young child to understand the intricacies of online threats.  But they need to know that there’s good and bad online – just as, when a child is old enough to walk around town with us, we introduce road safety and the importance of staying close to us.  It’s also important explain the online safety equivalent of road crossings too – using Internet security software to block harmful code, the need to protect things that belong to us with a password, the danger of disclosing personal information, and so on.  These messages need to be reinforced and developed as a child gets older.  But if they’re ‘on board’ with security from an early age, they’re less likely to see security measures as an encumbrance.
Here’s our list of top tips for keeping your children safe online.
  1. Talk to them about the potential dangers.
  2. Involve yourself in your childrens’ online activities from an early age so this is the established norm, and so you can ‘mentor’ them.
  3. Encourage them to talk to you about their online experience and, in particular, anything that makes them feel uncomfortable or threatened.
  4. Today’s ‘share everything’ culture is pervasive. Children are less likely to instinctively recognise the inherent dangers in oversharing, so it’s important to spell out the potential problems.
  5. Set clear ground-rules about what they can and can’t do online and explain why you have put them in place. You should review these as your child gets older.
  6. Use parental control software to establish the framework for what’s acceptable – how much time (and when) they can spend online, what content should be blocked, what types of activity should be blocked (chat rooms, forums, etc).  Parental control filters can be configured for different computer profiles, allowing you to customise the filters for different children.
  7. Encourage your children to be vigilant about their privacy and settings on social media sites so that posts are only visible to selected friends and family.
  8. Wordly-wise vs tech savvy: you may be more aware of the potential pitfalls of the internet, but the chances are your children are more technologically clued up. Encourage an exchange of information so that you can both learn from each other.
  9. Protect the computer using Internet security software.
  10. Don’t forget their smartphone – these are sophisticated computers, not just phones.  Most smartphones come with parental controls and security software providers may offer apps to filter out inappropriate content, senders of nuisance SMS messages, etc.

Students Find Ways To Hack School-Issued iPads Within A Week

Los Angeles Unified School District started issuing iPads to its students this school year, as part of a $30 million deal with Apple. But less than a week after getting their iPads, hundreds of students had found a way to bypass software blocks meant to limit what websites the students can use.

Thousands of hacked WordPress sites used in global scale attacks

Thousands of WordPress based websites have been hacked to compose a global scale botnet that is performing powerful DDOS attacks.

I start the post with recommendations, if you are a blogger using WordPress don’t waste time and update it and all installed plugins to the latest versions!
Have you done it? OK, now I can explain you what it is happening.
Thousands of WordPress blogs have been hacked to compose a global scale botnet that is performing powerful DDOS attacks.
We read in the past of a massive cyber attack coordinated with a huge botnet against millions of websites based on the popular CMS WordPress, around 100000 servers were successful compromised fueling the malicious architecture used for the attack.
The news was reported by CloudFlare and HostGator that on April alerted the WordPress community on the ongoing massive attack launched against WordPress blogs all over the Internet, the alert was related to a massive brute-force dictionary-based attack conducted to expose the password for the ‘admin’ account of every WordPress site.
In August, 2013 researchers at Arbor Networks have discovered a botnet dubbed Fort Disco  that was used to compromise more than 6000 websites based on popular CMSs such as WordPress, Joomla and Datalife Engine.
My colleagues at TheHackerNews received a DDOS attack logs report from ‘Steven Veldkamp‘ that highlights that the victim’s website was under heavy DDoS attack recently, originated from numerous compromised WordPress based websites. It is highly probably that the ongoing attack is linked to the events occurred in April that allowed attackers to take control of a high number of vulnerable WordPress Hosts.
The attacks are very concerning due to the botnet extension and the high performance of bots. The offensive is conducted on a global scale and appears highly distributed in nature and well organized, for these reasons it is very difficult to block malicious traffic.
WordPress Massive DDoS attack
The attack logs from timing 23/Sep/2013:13:03:13 +0200 to 23/Sep/2013:13:02:47 +0200 revealed that just in 26 second attacker was able to perform a powerful DDOS attack from 569 unique compromised WordPress.
The list of sources used by attackers includes blogs of Mercury Science and Policy at MIT,  Stevens Institute of Technology and The Pennsylvania State University.
According to statistics proposed by WP WhiteSecurity, from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
 WordPress vulnerability statistics
Following other shocking statistics based on the analysis of  42,106 WordPress websites found in Alexa’s top 1 million websites.
  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid. For example version 6.6.6.
  • 18 websites had an invalid non existing versions of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
It is important to remark that the availability of automated vulnerability assessment tools and DIY attack tools on the black market is causing a meaningful increase in the number of cyber attacks.
Owners of Website based on WordPress CMS must improve at least basic security settings and implement best practices such as the use of robust passwords and the accurate management of  ”admin” accounts.
Within the WordPress community are also already available interesting plugins that could help site managers to improve the security of their WordPress instance.
If you believe that the security of a WordPress based site has a limited impact on the Internet community you are wrong, the crocks could use the hacked platforms for various illegal activities …. we must stop them!

Friday, 27 September 2013

The 'world's biggest cyber attack' swoop

A British schoolboy has been arrested over the “world's biggest cyber attack” as part of an international swoop against a suspected organised crime gang.
The 16-year-old was detained by detectives at his home in south-west London after “significant sums of money” were found to be “flowing through his bank account”.
He was also logged on to what officials say were “various virtual systems and forums” and had his computers and mobiles seized as officers worked through the night to secure potential evidence.
The boy's arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out a cyber attack so large that it slowed down the internet.
The “distributed denial of service” or “DDoS” attack was directed at the Dutch anti-spam group Spamhaus which patrols the web to stop prolific spammers filling inboxes with adverts for counterfeit Viagra, bogus weightloss pills and other illegal products.
Details of the arrest, which happened in April, had been kept secret, but were disclosed to the Evening Standard, The Independent's sister paper, ahead of the formation of the Government's new National Crime Agency. It will take over the National Cyber Crime Unit as part of a drive against offending carried out over the internet, now seen as one of the most serious crime-fighting challenges.
More than half of the 4 000 officers who will form the new agency next month will be trained in combating cyber crime. The arrest of the schoolboy, whose identity has not been disclosed, came during a series of coordinated raids with international police forces.
Others detained included a 35-year-old Dutchman living in Spain.
A briefing document seen by this newspaper on the British investigation, codenamed Operation Rashlike, states that the attack was the “largest DDoS attack ever seen” and that it had a “worldwide impact” on internet exchanges.
The document says services affected included the London Internet Exchange and that although the impact was eventually “mitigated” it managed to cause “worldwide disruption of the functionality” of the internet.
Giving details of the schoolboy's alleged involvement, the briefing note states: “The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.”
The boy has been released on bail until later this year.
The disclosure of his arrest follows two cyber attacks on banks. Four men have appeared in court over the first, involving an alleged plot to take over Santander computers by fitting a device during maintenance work.
Another eight were arrested over a £1.3m theft by a gang who took control of a Barclays computer. - The Independent

Chinese behind hacking of PM's mail box

In May, it turned out that the hackers had succeeded in gaining access to the private email account of Prime Minister Elio Di Rupo and the email system of the Belgian Foreign Office.
An investigation was started, and Foreign Minister Didier Reynders now confirms that there are indications that the case has a Chinese link.
Investigators say their research leads to Hongkong. However, it is not clear whether the hacking could be organised by a private Chinese organisation or company, or whether the Chinese government could be behind it. For the moment, there is no evidence that the Chinese government is behind the cyber attack.
Last week, Mr Di Rupo announced that extra cash will be earmarked in the 2014 budget to better protect the government's ICT systems against cyber attacks. It is estimated that this could cost the Belgian tax payer 20 million euros in the next four years.

Icefog cyber espionage campaign exposed

Kaspersky Lab’s security research team discovered Icefog, a small yet energetic Advanced Persistent Threat (APT) group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies.
The operation started in 2011 and has increased in size and scope over the last few years.
“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information,” said Costin Raiu, Director, Global Research & Analysis Team.
“The ‘hit and run’ nature of the Icefog attacks demonstrate a new emerging trend: smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave.
In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” he added.
Main Findings:
  • Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
  • Research indicates the attackers were interested targeting defense industry contractors such as Lig Nex1 and Selectron Industrial Company, ship-building companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV and the Japan-China Economic Association.
  • The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network.
  • During the operation, the attackers use the Icefog backdoor set (also known as “Fucobha”). Kaspersky Lab has identified versions of Icefog for both Microsoft Windows and Mac OS X.
  • While in most other APT campaigns, victims remain infected for months or even years and attackers continuously steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once the desired information has been obtained, they leave.
  • In most cases, the Icefog operators appear to know very well what they need from the victims. They look for specific filenames, which are quickly identified, and transferred to the C&C.
The attack and functionality
Kaspersky researchers have sinkholed 13 of the 70+ domains used by the attackers. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them. These logs can sometimes help to identify the targets of the attacks and in some cases, the victims.
In addition to Japan and South Korea, many sinkhole connections in several other countries were observed, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.
In total, Kaspersky Lab observed more than 4,000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).
Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab’s experts assume some of the players behind this threat operation are based in at least three countries: China, South Korea and Japan.

Massive Cyber attack hit Three major U.S. data providers

Three major U.S. data providers said on Wednesday they were victims of cyber attacks, after a cybersecurity news website linked the breaches to a group that sells stolen social security numbers and other sensitive information.
An FBI spokeswoman said the bureau was investing the breaches but declined to elaborate.
The disclosures, by Dun & Bradstreet Corp, Altegrity Inc's Kroll Background America Inc and Reed Elsevier's LexisNexis Inc, came after website KrebsOnSecurity first reported the breaches.
The site said the attacks were masterminded by a cybercrime ring that sold stolen data such as credit reports through the website ssndob.ms, or SSNDOB.
The ring offered social security numbers, birthdays and other personal data of U.S. residents for between 50 cents and $2.50 per record, KrebsOnSecurity reported. Credit reports and background checks cost between $5 and $15, the cybersecurity site reported after a seven-month investigation into SSNDOB.
KrebsOnSecurity said the group placed malicious software on servers at LexisNexis as early as April 2013, suggesting that the attackers had access to its internal networks for at least five months.
SSNDOB administrators operated a small botnet, or group of infected computers remotely controlled by hackers, that was in direct communication with computers inside several large U.S. data brokers, the KrebsOnSecurity report said.
Five hacked servers were identified by examining the web interface used to control the botnet. Two of them were inside LexisNexis, two at D&B, and one at Kroll Background America.
"There are grave implications here from a privacy perspective," said Alex Holden, a cyber forensics expert who served as a consultant to the publication during the investigation.
Two of the victims declined to comment on the potential theft of data, saying they were investigating the attacks to find out exactly what happened. A third, LexisNexis, said it has so far found no evidence of theft.
"To date (we) have found no evidence that customer or consumer data were reached or retrieved," a LexisNexis representative said in a statement.
D&B spokeswoman Michele Caselnova said her firm was "aggressively investigating" the attack.
"Data security is a company priority and we are devoting all resources necessary to ensure that security," she said.
Kroll Background America spokesman Ray Howell said the company was working with external forensics experts to investigate the source and "impact, if any," of malicious software found on web servers at a Nashville, Tennessee data center.

Android Remote Access Trojan AndroRAT is Cheaper and More Dangerous Than Ever

Android Malware
Back in July, we told you about AndroRAT—a remote access Trojan for Android devices that let hackers remotely control every aspect of your phone or tablet. Coupled with another piece of software called a binder, injecting the malicious AndroRAT code into a legitimate app and then distributing the Trojanized version was a snap. Now AndroRAT is back: bigger, more dangerous, and cheaper than ever.
Everything Is Free Now
Originally, AndroRAT was an open-source proof-of-concept that became an actual remote access Trojan. That's bad, but it could be worse. At least it was hard to deliver to victim's phones and notoriously unstable. Bitdefender's senior threat analyst Bogdan Botezatu explained that it was the introduction of an APK binder that truly weaponized AndroRAT. "After you used the APK binder you got a perfect copy for cybercrime," said Botezatu.
Once the malicious code was injected into an app, the resulting infected apps were smaller and more stable than the original AndroRAT. Plus, the Trojanized apps used to deliver AndroRAT—usually cracked games—still worked perfectly.
AndroRAT has always been free and open-source, but the APK binder originally cost $35. Two months ago, Symantec reported only 23 installations of AndroRAT. That is until someone else cracked the binder and posted it for free online. "Look at the irony," said Botezatu. "This tool also got cracked by some other guys who posted it for free."
Infections of AndroRAT sharply increased after the binder application was released for free. Since July, Bitdefender says they've seen 200 infections on devices running Bitdefender's mobile security software. That's only a fraction of the Android using populace, concedes Botezatu. However, he told me that he's seen individuals bragging on forums about AndroRAT botnets with 500 infected phones.
Easy Like Sunday Morning
In addition to being free, AndroRAT is extremely easy to use. In a demonstration, Botezatu showed me the simple point-and-click interface for creating Trojanized apps and for controlling infected devices. With just a few clicks, he showed me all of the data he could access remotely. With a few more clicks, he used an infected device to send SMS messages. I asked him if it was possible to capture video and audio and, sure enough, there was a pull down menu for that.
"Now that these tools are publicly and freely available, we're going to see a huge number of AndroRAT infections," said Botezatu. He expects to see script kiddies, or people with no technial understanding of the tools they're using, driving the spread of infections for now. Mostly, he thinks, to spy on their friends, spouses, and bosses.
Making Money
Most malware has a money-making angle behind it, but right now AndroRAT hasn't been monetized on a huge scale. That's usually the end-goal for Android malware; to exploit the victims in a way that earns the bad guys some cash.
Thankfully, we're not there yet with AndroRAT. "I believe that they are now just experimenting with how well they can spread the malware," explained Botezatu. We've seen similar rumblings with malware like SpamSoldier, which has a lot of potential but hasn't yet taken off. "[I assume] they are doing small time fraud by sending premium SMS, just enough to make money to make money but fly under the radar."
While Botezatu believes that AndroRAT will mostly remain a toy, it is possible that pieces of the software could be broken apart and repackaged into more targeted tools. In fact, Bitdefender experimented with this, creating smaller, stealthier applications that just did one thing—monitor phone calls, for instance. Botezatu said that because AndroRAT is written with Java it could be "easily integrated into basically anything," perhaps even combined with the notorious Android Master Key exploit.
But that's not the future he sees for AndroRAT." For guys who actually know how to code a piece of malware, they're going to go for their own in-house application."
Staying Safe
Though AndroRAT is scary, it's pretty easy to avoid getting infected. Even though AndroRAT can be bound to any application, victims still have to enable sideloading on their device, download the Trojanized app, and install it.
And while being available for free has meant that just about anyone can churn out Android malware, it also means that AndroRAT is extremely well understood and documented by security companies. Using either avast! Mobile Security & Antivirus, our Editors' Choice for free Android anti-malware, or Bitdefender Mobile Security and Antivirus, our Editors' Choice for paid Android anti-malware, should keep you safe.
Despite this, people will still get infected. Botezatu chalked at least part of this up to Android's cryptic warnings about app permissions. After years of developing for Android, he said that even he doesn't understand what some of those warnings mean.
But most infections will be people who are willing to download cracked versions of for-pay apps—generally games, which are the most popular method for spreading malicious software on Android. "AndroRAT works only because people do not take the same approach on security on their mobile phone as they do on their computer," said Botezatu.
Malware still isn't as prevelant for mobile devices as it is for desktops, but AndroRAT is a sobering reminder that the dagers are out there.

Win32/Napolar – A new bot on the block

There is a new bot on the block. ESET identifies it as Win32/Napolar while its author calls it solarbot. This piece of malware came to our attention mid-August because of its interesting anti-debugging and code injection techniques. It recently attracted general attention when it was discussed on various reverse engineering forums.
This malware can serve multiple purposes. The three main ones are to conduct Denial of Service attacks, to act as a SOCKS proxy server, and to steal information from infected systems. The malware is able to hook into various browsers to steal information that is submitted in web forms.
We have uncovered many details about this bot since it became active at the end of July, with in-the-wild infections starting mid-August. There have been reports of thousands of infections, many of them in South America. The countries with the most infections are Peru, Ecuador, and Columbia. More information on the geographical distribution for this threat can be found on virusradar.
The author of Win32/Napolar uses a website to promote it. The website looks very professional and contains detailed information about the bot, including the cost ($200 USD for each build) and even a complete change-log of the evolution of the code.
Although we have not yet directly seen Win32/Napolar being distributed in the wild, it seems likely that this threat has been spread through Facebook. Since malware has the ability to steal Facebook credentials, its operator can reuse those credentials to send messages from compromised accounts and try to infect the victim’s friends. Below is a list of filenames we have seen used by this malware family:
  • Photo_032.JPG_www.facebook.com.exe
  • Photo_012-WWW.FACEBOOK.COM.exe
  • Photo_014-WWW.FACEBOOK.COM.exe
Interestingly enough, the use of doubled file extensions (*.JPG.EXE, *.TXT.EXE and so forth) to obfuscate a file’s true extension is an old trick, dating back to Windows 95, but apparently still in use. What is funny about the usage in this particular instance is that the author of Win32/Napolar does not seem to realize that .COM is a valid, if somewhat old, extension for executable files and that these filenames would have allowed their execution without the added .EXE extension. A very recent blog by our colleagues at AVAST confirms they have also seen similar infection vectors.
In this blog post, we will show some of the anti-debugging tricks used by Win32/Napolar. These tricks were seen in early versions of this malware family. Most recent variants also use third party packers to evade antivirus detection and slow down manual reverse engineering.
We will then explain the Win32/Napolar command and control (C&C) protocol. Finally, we will show some of the information that was retrieved from the promotional website before it was taken offline.

Anti-debugging Techniques

When analyzing Win32/Napolar binaries, the first thing to notice is that there is no valid entry point in the PE header, as shown in the figure below.
01_original_entrypoint_to_0
The first instructions that are executed when the binary is started are saved in the Thread Local Storage (TLS) functions. There are two TLS functions registered.  The first TLS function does not do anything. The second function decrypts more code using the RC4 encryption algorithm and the key 0xDEADBEEF. The decrypted code is registered as a third TLS function before the second function returns, as shown in the code extract below.
02_inserting_third_tls
The third TLS function decrypts the rest of the code before calling the main body of the malware.  The malware uses other tricks to make itself harder to analyze:
  • All imports are resolved at runtime using hashes instead of the import names.
  • Interactions with the operating system are mostly done by directly calling undocumented functions of the NTDLL library instead of using the standard APIs.
  • All the code is position-independent.
To find the offset of its own code that will be decrypted, Win32/Napolar searches through its memory for the opcode 0×55. This opcode represents “push ebp”, the first instruction of the current function in assembly language. If this instruction is replaced by 0xCC, the opcode for a software breakpoint, the decryption of the code will not work. This is a clever way of altering the behavior of the malware if it is being analyzed with a debugger and if a software breakpoint is put on the first instruction of the TLS.
Win32/Napolar has more anti-debugging tricks. To make dynamic analysis harder, Win32/Napolar will create a sub process of itself and will debug this new instance. The screenshot below shows the call to CreateProcess.
05_create_process_debug_only
The software protection technique of self-debugging has been seen before but in the case of Win32/Napolar, the trick happens in the main body of the malware, not in the packer.
Once the debugged process is started, Win32/Napolar will enter a loop that handles debugging events returned by the function WaitForDebugEvent. Pseudocode for the loop handling debugging events is presented below.
04_pseudo_code_debug_loop
The first event handled by this code is CREATE_PROCESS_DEBUG_EVENT. This event takes place when the debugged process is started. In this case, the main process will parse the MZ and PE header of the debugged process in order to retrieve the offset and size of the position-independent code. It will then allocate another area of memory in the debugged process in which to inject the code. This creates two copies of the same code in the same process.
The next event is EXCEPTION_DEBUG_EVENT. In this second event, the main process overwrites the first TLS function of the binary so as to redirect execution at the beginning of the executable, using a push – ret instruction. This, once again, decrypts the main body of the malware and lets it execute within the child process. It is the code of the child process that then proceeds to inject itself into all the processes running sub-processes and hooking various functions to hide its presence on the system and capture desired information.
Finally, the main process receives the EXIT_PROCESS_DEBUG_EVENT event; it stops debugging by calling the function DebugActiveProcessStop and terminates its own process using NtTerminateProcess.
chart
One of the main characteristics of Win32/Napolar is its ability to steal information when a user fills a web form in a web browser. Trusteer’s browser protection probably stops the malware from capturing this information. This is why the malware has specific checks for Trusteer products. It will iterate through all the running processes and specifically kill any process that has the string “trusteer” in it. We did not perform any test to confirm whether or not this attempt at disabling Trusteer’s product is successful or not.

Network behavior

When communicating with its command and control server, Win32/Napolar uses the HTTP protocol. The first query sent by the bot to the command and control server contains the following information:
  • Version of the bot
  • Current windows username of the infected user
  • Computer name
  • A unique bot identifier
  • Version of the operating system
  • System type, which can be 32 or 64 bit.  Indeed, this bot supports both types of architecture.
The server then responds with commands the bot needs to execute. These commands are encrypted using RC4, The bot unique identifier is used as the encryption key. The bot supports a variety of commands, from information stealing and SOCKS proxying, to denial of service, download, execution and update. Each command has a unique identifier stored as a single byte and the information following this byte contains the command parameters. The following figure shows a traffic dump of the communication between a host infected by Win32/Napolar and its command and control server.
06_napolar_POST
The following figure shows the decryption of this command using the proper key. The first byte of the received content is 0xC, and this instructs the bot to sleep. The parameter is a string, “600”, which represents the number of seconds that the bot needs to sleep.
07_decrypted_cnc_nop
We have seen at least seven different command and control servers used by Win32/Napolar. Most of them only stayed online for a couple of days before the operator moved them to a new network. This might indicate that this bot is being actively used in the wild. Below is a list of domain names where we have recently observed command and control servers:
  • dabakhost.be
  • terra-araucania.cl
  • xyz25.com
  • yandafia.com
  • elzbthfntr.com
  • alfadente.com.br
There are some references to TOR in the malware code. Most precisely, some configuration lines and references to the configuration file for TOR. During our analysis of the malware, it didn’t seem to make any usage of this data. This could be some dormant feature that has not been activated in the samples we have analyzed.

Promotional website

The author of Win32/Napolar seems very frank about wanting to sell his new malware. He has put together a very professional-looking website where he boasts that his bot is a “professional shellcode based bot”, referring to the fact the malware is position-independent.
08_solar_website1
The website also provides information for potential customers.  For example, the complete code for the command and control server can be found there, a php script running with an SQL database backend. The code of the command and control server confirms of our analysis of the network protocol used by the Win32/Napolar malware.
The promotional website also provides multiple examples of plugins that can be used by malware operators. The plugins must be written using the Delphi programming language. The example plugins show how one can display a message on an infected victim system, find which version of the antivirus is installed on the victim system, and even how to steal Bitcoin wallets.
Finally, the website even presented a complete log of the changes made to the bot’s source code, including information on new features and bug fixes. The website shows the first changelog entry made on July 14th.  This fits our timeline since we saw the first instances of this bot in the wild in the beginning of August. The registration date for the domain name where the content is hosted is the first day of August, another indication that the beginning of the promotion is recent.
09_solar_website2

Conclusions

Win32/Napolar is a new bot that surfaced in July and started to be observed in the wild in August. It has interesting techniques for countering reverse engineering. The most notable point about this malware is how openly it is being promoted on the web by its creator. The advertisement is probably the same that was identified by Dancho Danchev at webroot in July. We have seen many messages on different forums promoting this bot, in addition to the existence of a publicly-accessible website. As it was previously discussed in the Foxxy case, this is another good example of the specialization of cybercrime operations where we now clearly have authors that create malware and sell it to other gangs who will operate it.
Although this bot has functionalities similar to other families like Zeus or SpyEye, it might gain in popularity because its author is actively maintaining it, and because of its ease of use and the simplicity with which plugins can be created.

Analyzed files

The following are MD5 hashes of the analyzed files:
  • 85e5a0951182de95827f1135721f73ad0828b6bc
  • 9c159f00292a22b7b609e1e8b1cf960e8a4fa795
  • a86e4bd51c15b17f89544f94105c397d64a060bb
  • ce24ae6d55c008e7a75fb78cfe033576d8416940
  • dacfa9d0c4b37f1966441075b6ef34ec8adc1aa6
Author: Pierre-Marc Bureau
Security Intelligence Program Manager