The term cyberwar pops up almost every day in public media. Regardless of its wide use, the term has been poorly explained. What does it mean? What are the principles framing and governing it? How does it fall within the way we think about war? We will answer these questions, among several others, in a five-part “cyberwar series”—starting with this post.

Cyberwar is a form of confrontation taking place in the cyber-physical reality we live in. The means of this warfare reside in cyberspace, yet its effects are felt in both cyber and physical worlds. The merger of cyberspace and the kinetic world adds new aspects to warfare: It can be waged with armed codes, through information bombing, from far away, and at an accelerated speed. The decisive factor is often a skilled individual rather than material resources (though resources can still make a difference).

However, not every malevolent or otherwise undesirable move in cyberspace is an act of war. Cyberwar takes place only in the wider context of an armed conflict or as preparation for it. Purely virtual “war” without material consequences is merely an overinterpretation of activities taking place in cyberspace.

Cyberwar blurs the line between peace and war

It is human nature to organize the world through dichotomies. If there’s no war, peace prevails. If you don’t need to worry about insecurity, you feel safe. If you didn’t initially attack, you’re acting in self-defense, and “you’re either with us or against us.” Cyberspace—and cyberwarfare taking place in it—blurs many of the conventional borders used for making such distinctions.

The cyberdimension of warfare brings war close to our everyday lives. The attack surface is something we all are very familiar with and dependent on: our computers and other smart devices, networks and, eventually, us as human beings. Hence acts of cyberwar target the same objects as the numerous cyberattacks every organization and individual needs to protect in times of peace, too. Unlike in conventional warfare fought between state armed forces, the legitimate target of cyberwar does not need to be military in nature.

Cyberconflicts also tend to spill over. Activities are not solely targeted at the opponent but at anything that can raise enough attention and further one’s cause. Due to the networked nature of cyberspace, the effects are under nobody’s control. Cyberwar spills over to other countries and into the networks of bystanders, which may complicate the process toward peace. This, as well as the continuous intelligence and propaganda activities that take place outside the conflict yet contribute to war preparations and security maintenance, make the differentiation between war and peace in cyberspace impossible. We live in a gray zone between the two.

Cyberwar blurs the line between military and civilian

It is not merely the border between peace and war that has become blurred. War is now waged in and against entire societies. The main object to be protected in every highly networked nation is its critical infrastructure, which is primarily privately owned. Critical infrastructure is the backbone of a modern society; thus paralyzing or destroying its critical nodes would cripple the target society. The effects would be felt in both military and civilian sectors.

Moreover, cyberspace is a multipolar order inhabiting numerous actors with different interests. The state is only one of them and does not hold a monopoly on destructive or threatening force. Due to relatively low barriers of access, wide availability of malicious code, seeming anonymity, reduced emphasis on material resources, and ambiguity revolving around the term cyberwar, many actors are intentionally or unintentionally both offenders and targets in cyberconflict. Because the state cannot provide everyone’s security, organizations and individuals alike have become responsible for their own cyberdefenses. This necessity enhances the role of companies in contributing to national security, which has become a growing asset ranging from individual to transnational efforts to enhance cybersecurity. The current debate includes whether companies should be granted a legal right to offensive operations, too.

How do we organize the world around us when conventional borders are in flux?

The decisive challenge we face in the coming years is how to live and create order in a multipolar, cyberinfused world. We are likely to remain in the gray zone between war and peace; yet the border between military and civilian realms will become more porous and renegotiated. The decisive question may well be “Who controls whose actions?” In this process the state will find its place in the emerging multipolar (cyber) world order as one of the producers of national security.

All contemporary conflicts—and future crises even more so—contain a cyber element. Building and maintaining national security without taking cyberspace into consideration is now impossible. Ignoring it constitutes reckless behavior—equal to disregarding, for example, the security of a state’s coastline. No decision maker would get away with that.

The post What Is Cyberwar? First in a Series appeared first on McAfee.

As a supplement to the next McAfee Labs Threats Report, which will appear next month, we offer this timeline of leading cybercrime events that made news in the first quarter of 2014.

• January 2: A systems administrator at the Monju fast breeder reactor facility in Japan notices suspicious connections emanating from a machine in the control room, coinciding with what was meant to be a routine software update to a free media player.[1] Context names the attack, based on a Gh0st RAT variant, the Monju Incident.
• January 6: McAfee Labs describes a new Pony botnet variant (Backdoor-FJW) that attempts to steal Bitcoin wallets from infected systems.[2]
• January 16: Unknown hackers breach the Orange French website. Details of up to 800,000 customers of the multinational telecommunications company are compromised.[3]
• January 17: Researchers at Qihoo 360 Dr.Web announce the first Android bootkit.  Android.Oldboot modifies a device’s boot partition and booting script file to launch a system service and extract a malicious application early in a system’s startup. Intended for Android devices in China, 92% of victims are located in this country.[4]
• January 22: Romanian authorities arrest Guccifer, a 40-year-old hacker suspected of breaching the social media and email accounts of several high-level individuals, including members of the Bush and Rockefeller families, officials of the Obama administration, former US Secretary of State Colin Powell, and George Maior, the head of the Romanian Intelligence Service SRI.[5]
• January 28: McAfee Labs reminds mobile users that scammers still target Japanese smartphones using apps (Android/BadPush, Android/OneClickFraud) that lead their owners to malicious one-click-fraud websites.[6] Other adult-oriented apps (Android/PhimSms) target Vietnamese users.[7]
• February 4: Adobe releases an out-of-band security update addressing a critical remote code execution vulnerability, CVE-2014-0497, being exploited in the wild.[8]
• February 4: German prosecutors arrest three suspects in the Netherlands. The alleged criminals are said to have stolen US$45 million from ATM machines in 27 countries between December 2012 and February 2013 by embezzling prepaid MasterCard debit card numbers.[9]
• February 10: Kaspersky Labs announces the discovery of a large number of malware infections across large parts of the globe.[10] McAfee Labs also details the attack, called Careto.[11]
• February 11: A new unpatched vulnerability, CVE-2014-0322, in Microsoft Internet Explorer 10 is found in the wild. FireEye announces it is actively exploited in a watering-hole attack (Operation SnowMan) targeting visitors to the official website of the US Veterans of Foreign Wars.[12]
• February 13: FireEye identifies a zero-day Adobe Flash exploit, CVE-2014-0502, that affects the latest version of the player. The exploit is used in Operation GreedyWonk, which affects several nonprofit and research organizations.[13]
• February 17: First discovered by Xylitol on January 15, researchers at Malwarebytes analyze a new variant of the banking Trojan ZeusVM. The crimeware uses the steganography to disguise its configuration code in a digital photo. The image contains data encrypted using Base64 encoding and RC4 and XOR encryption algorithms. The variant targets popular financial institutions including Barclays, Deutsche Bank, and Wells Fargo.
• February 28: Security experts at G Data say they have discovered a very complex and sophisticated rootkit designed to steal confidential data and exfiltrate them from targeted organizations. Uroburos takes its name from a mythical serpent or dragon that ate its own tail and from a sequence of characters concealed deep within the malware’s code: Ur0bUr()sGotyOu#. The authors appear to speak Russian and are from the same group that performed a cyberattack against the United States in 2008.[14]
• March 3: A McAfee Labs researcher describes Android/BadInst.A, a suspicious app on Google Play that almost automatically downloads, installs, and launches other apps from Google Play without user interaction.[15]
• March 3: Researchers at Team Cymru publish a white paper about a pharming attack hitting thousands small office/home office wireless routers around the world. Exploiting various vulnerabilities in more than 300,000 routers (Asus, D-Link, Cisco, Linksys, Micronet, Netgear, Tenda, TP-Link) to overwrite the DNS settings, the attackers redirected traffic to their sites and domains.[16]
• March 8: Cybercriminals take advantage of the disappearance of Malaysia Airlines Flight 370 to infect users with malware in scam messages.
• March 11: Russian-Moroccan hacker Farid Essebar, known online as Diabl0, is arrested in Bangkok.[17] He is suspected to have compromised computer systems and websites belonging to Swiss banks, causing damage of more than US$4 billion. Essebar was arrested in August 2005 for offenses related to the creation and distribution of W32/Zotob and was sentenced to two years in prison.[18]
• March 20: Microsoft warns of a zero-day vulnerability, CVE-2014-1761, in Word that is being actively exploited in targeted attacks and was discovered by the Google security team. This remote code execution vulnerability can be exploited via a malicious rich text format file.[19]

The post Cybercrime ‘Highlights’ of First Quarter 2014 appeared first on McAfee.

Online scammers are always seeking to trick victims into paying money. Sports betting is a common lure for online scams to attract those who enjoy the thrill of gambling on sports. Usually these scammers use email or SMS messages to invite careless victims to such services. McAfee Labs has recently found many suspicious Android apps on Google Play that try to trick Korean users into registering on the scam websites. The apps claim to be part of a Google-powered service, but this is just a lie, of course.

Figure 1: Examples of the sports betting scam apps found on Google Play.

After launch, the app shows a login screen with a Google logo that claims to be “Google Sports Betting,” which is certainly not provided by Google. A user can “sign up” with the service by providing username, password, nickname, mobile phone number, email address, bank name, bank account number, and so on. The site has a page for users to pay to use its betting feature, but there is no description about the site owner or operating company on the site. Would a legitimate sports betting service disguise itself as a Google service? There’s no doubt that this is a scam site.

Figure 2: The scam service’s login screen and main screen of the app.

To our surprise, the bold app developer illegally employs the Google logo and copyright notice on the description page on Google Play. This step easily suggests a malicious scam app at first glance.

Figure 3: The scam uses screens with the Google logo and copyright notice.

In our investigation, we found some apps disguised as a Google service and others not, but they all share almost identical application code and website structure. The apps simply load the existing scam sites, which are hosted on the same or other servers. The scammers also offer sites to trap desktop PC users. Thus the potential victims are not limited to Android users, but also include users of PCs and other mobile devices.

Figure 4: The PC version of the scam sites disguised as”Google Sports Betting.”

We have discovered more than 30 apps of this kind on Google Play. The total download count stands between 13,000 and 45,000. We have also found many other sites hosting similar services with almost the same site structure, under the same or different server domains.

The actual damage depends on how users spend their time and money on these services, but at the least the scammers get personal information such as mobile phone number and perhaps email address, bank name, and bank account number. Some careless users might have also provided their Google account usernames and passwords on the service’s Google “login screen.” Any login attempt to the real Google account fails, but the information can be stored on the malicious service.

Sports fans, especially those who are looking forward to the upcoming FIFA World Cup in June, should be careful about this kind of sports betting scam. Don’t believe that Google will offer such a fantastic gambling experience for you.

McAfee Mobile Security detects these suspicious apps as Android/ScamBet.A, and also blocks browser access to the related sites.

The post ‘Google’ Apps for Sports Betting Target Korean Users appeared first on McAfee.

The trend of attackers using stolen digital certificates to disguise their malicious executables is on the rise. The Shiqiang group is known to employ spear-phishing attacks against nongovernmental organizations along with a history of using stolen digital certificates in their campaigns. One of the malicious signed binaries comes as part of a doc file that exploits the CVE-2012-0158 vulnerability. 

The graph below highlights the timeline of the attack, ordered by the compiler-generated time stamp of the binary. The first known binary is identified as a prototype and the similarity is calculated based on the assembly code of all the variants. It is interesting to observe the trend and the modifications that have gone into the variants.

The group has been very active since July 2013 and is known to use two valid digital certificates as part of their campaign.

• Zhengzhou hanJiang Electronic Technology Co., Ltd. Expires 9/1/2013
• Jiangxi you ma chuang da Software Technology Co., Ltd. Expires 12/14/2014

Valid digital certificate

These certificates were issued by Thawte and Versign, respectively. Although the first certificate expired in September 2013, the second certificate is still valid and actively used in the campaigns.

The threat vector is a doc file that exploits the CVE-2012-0158 vulnerability and contains a decoy document. Upon execution in a vulnerable environment, the doc file drops an embedded executable (kav.exe) that is digitally signed, which in turn drops another DLL file that is signed by the same digital certificate.

Kav.exe drops two files in %Allusersprofile%\Application Data\Microsoft\Network:

• Msnetwork.dll
• Encrypt.dat

Msnetwork.dll is registered as a layered service provider (LSP). By inserting itself to the LSP chain, the dll can be loaded whenever an application uses winsock. Once in the stack, an LSP can intercept and modify inbound and outbound Internet traffic. Msnetwork.dll checks the host process it is being loaded into and injects aesen.dat and desen.dat into explorer.exe.

Encrypt.dat is an XOR-encrypted file that contains the list of control servers. If the malware can connect to any one of the control servers mentioned in encrypt.dat, it receives additional commands from the server. 

The malware injects pskyen.dat into the skype.exe process to monitor communications. It can also clean up the infection to erase any traces.

Some of the other known remote server addresses in this campaign:

• 61.128.110[.]137
• tibetcongress.oicp[.]net
• 60.13.176[.]25
• 220.171.94[.]50
• newyorkonlin[.]com

McAfee Advanced Threat defense provides zero-day protection against the malicious doc file based on its behavior.

I would like to thank Saravanan Mohankumar for his assistance in this research.

The post Targeted Attacks, Stolen Certificates, and the Shiqiang Gang appeared first on McAfee.

Verizon’s recent release of the 2014 Data Breach Investigations Report (DBIR) provided its usual valuable insights into the state and scale of cyberattacks. But those of us who spend our waking hours enhancing and fine-tuning cybersecurity defense tend to watch for one measurement in particular in such reports: the breach discovery gap.

The breach discovery gap is the time it takes IT security practitioners to discover a data breach after they have been breached by a cyberattack. As an industry, we strive to constantly improve the detection capabilities of our products to stop attacks before breaches occurs or, when they aren’t stopped, to narrow the breach discovery gap to zero. Ideally, the enterprise’s security infrastructure detects attacks in progress, immediately alerts enterprise security teams, and takes steps to mitigate and deflect the attack.

Unfortunately, Verizon’s research showed that more than 90% of attacks are successful in a day or less, but attacks are discovered in a day or less only 25% of the time. Further, this breach discovery gap actually widened in 2013.

Stopping attacks before they breach and narrowing the breach discovery gap requires the ability to detect threats at multiple points of attack across the enterprise. High cross-product detection effectiveness stops more attacks before they breach and shortens time to breach discovery and containment. It reduces false positives, which frees up IT security practitioners to focus on real issues, in-progress or imminent.

By reducing the time criminals have to operate, superior malware and threat detection reduces theft of intellectual property and customer data. It also reduces remediation costs, business risk, and the potential damage done to reputation, financial prospects, and operations.

In the first quarter of 2014, third-party testing organizations AV-TEST Institute and NSS Labs gave McAfee endpoint security, network security, and mobile security products premium grades for detection effectiveness.

• Consumer endpoint security. McAfee received our highest-ever protection score and overall ranking in the AV-TEST Consumer Endpoint test, and the highest malware block rate and top ranking in the NSS Labs Consumer EPP Comparative Analysis Socially Engineered Malware test.

• Enterprise endpoint security. We achieved our highest-ever overall score in the AV-TEST Enterprise Endpoint test, and the highest malware block rate and top ranking in the NSS Labs Enterprise EPP Comparative Analysis Socially Engineered Malware test.

• Data center IPS. McAfee’s data center intrusion prevention systems scored highest in its class for security effectiveness and scored a top ranking in the NSS Labs Data Center IPS Comparative Analysis Security Value Map (SVM).

• Mobile security. McAfee scored a perfect 6 for protection, and a perfect 13 score overall in the AV-TEST Mobile test.

A summary, bringing together all these great results, is available here.

McAfee has invested heavily to integrate its products within the Security Connected platform, allowing them to exchange real-time data on in-progress attacks, learn from external intelligence sources (such as McAfee’s cloud-based Global Threat Intelligence service), and become stronger with each attack in a way similar to that of an immune system strengthening itself with each disease it fights off.

Ultimately, there are as many optimal security strategies as there are enterprises, but detection effectiveness is truly the foundation of every one of them.

The post Narrowing the Breach Discovery Gap appeared first on McAfee.

We are in the middle of the biggest arms race since the Cold War, one that could lead to cyberwar, which we discussed in a recent post. Massive amounts of money are globally put into building cybercapabilities for defense, offense, and intelligence. This development is part of a large on-going trajectory: the strategizing of cyberspace and its movement into the national security sphere. Curiously, it is not the amount of weapons that serves as the defining factor in the race. It is the skills that people have and the level of technology they are able to develop.

A cyberweapon needs to be up to date on the target system, capable of exploiting a vulnerability that the defenders are not aware of, and able to create the desired impact. This makes cyberweapons products that cannot be stockpiled and shelved for a long period or used when needed. They need to be constantly built, modified, and developed. Thus skill becomes the decisive factor in the cyber arms race. And currently it is a scarce commodity.

Buildup in cyberspace

Last week in Geneva we talked a great deal about the current cyber situation with a multinational audience. There was a clear conclusion: Everyone is looking for talented individuals to succeed in cyberspace.

Because it is the skill of the people, and not the amount of weapons or their lasting technological features, that make the difference in cyberspace, how does one prepare? First, money must flood into the research and development of cyberweapons. The effort put into R&D can produce the cutting edge that maximizes one’s security in cyberspace. Second, education systems must be restructured so that they provide everyone with basic cyberskills and promote the excellence of the most gifted and committed. University scholarships can help those with good IT skills to develop them further.

Third, recruitment needs to be successful. People are recruited from a global workforce, and states around the world compete for the limited amount of experts. In addition, the private sector draws from the very same pool. The number of people matters because there simply is so much to do: Cyberspace is huge and continuously grows. Fourth, contracts have to be appealing and worthwhile for both employees and partners. People are motivated by factors ranging from freedom of action to interesting tasks and from difficult problems to solve to high salaries. In the cyber arms race patriotism plays a role, too. National cybersecurity can be maintained only in cooperation with the private sector. There’s a need for mutual respect and open communication channels.

Restraining the cyber arms race

At the end of March, US Secretary of Defense Chuck Hagel announced that the Pentagon is revamping its cyberforce. CYCOM will grow into a unit of 6,000 employees by 2016, which under the current conditions is a tall order. A few days later, FBI Supervisory Special Agent Charles Gilgen said his agency’s cyberdivision plans to hire 1,000 agents and 1,000 analysts in the coming year. And it is not just the United States that plans to boost its cybercapabilities.

The logic driving any arms race is the fear that others will get there first (even if there is no clear idea of what “there” may entail) and with enhanced capabilities. Losing the cyber arms race would increase the threats we face—because we already recognize the high level of vulnerability. This destabilizing logic has increased calls for arms restrictions and disarmament in cyberspace.

Restraining the on-going arms race through negotiating restrictions on quantities of cyberweapons is hardly sensible because we’re not stockpiling bombs. A more likely development would be a treaty limiting the capabilities that can cause certain kinds of effects. This could begin with bilateral negotiations and practical cooperation between the strongest actors—and to spill-over. Restraining skill, again, would mean limitations to such basic rights as freedom of movement and right to education or human curiosity. What is currently missing is the political will to even address the question of cyber arms limitations. Yet in the long run negotiating some kinds of rules of the game is both advisable and desirable.

The post Time to Limit the Cyber Arms Race appeared first on McAfee.

McAfee Labs has recently come across a number of malware samples that drop Zbot and Necurs rootkits. These use a discreet technique to intentionally crash Windows XP. Interestingly, the malware achieves its OS awareness without using any standard Windows API functions. Instead, it relies on the differences in default register values as well as its own entry point for Windows XP and Windows 7.

It is unclear exactly why the malware does this but it may be for one or more of the following reasons:

• Preventing the detection of operating system awareness by static malware analysis systems that look for GetVersion() or Version Helper calls.
• Preventing behavioral analysis of samples replicated on Windows XP, which isn’t uncommon. After all, several public malware analyzers–Malwr.com, VirusTotal, Anubis, and others–use Windows XP by default. We can see that the sample fails to replicate on those systems. You can see the result of this technique thanks to Joe Security’s public listing of a sample’s execution results on both Windows XP and Windows 7, in which it’s clear that the sample replicates on Windows 7 but fails to do so on Windows XP.
• The packaged Zbot and Necurs rootkit were not designed for Windows XP.
• The malware distributors have no interest in infecting Windows XP systems.

The Windows XP detection method is spread out across functions to make it difficult to (automatically or manually) identify its intention. The technique depends on the default values of registers EDI and EDX as well as on the sample entry-point address, which was probably conceived using information from Ange Albertini’s research on the subject.

Static analysis of the anti-Windows XP approach

At 0x40179C the samples push the default value of EDI as one of the arguments to an inner function.

In the inner function, ESI is set to the value of EDI and EDI is set to zero, after which the next inner function is called.

A hardcoded DWORD 0x6573E2BF (deceptively stored as a string) is pushed as an argument to the next inner function.

At this stage the hardcoded DWORD is set in EAX while the value of EDI (stored in ESI) is pushed on the stack as an argument to the has_antiXPCode() function.
It uses a well-known but nifty trick to fool smarter disassemblers into thinking that it’s an argument for the is_never_called() function, even though that function is in fact never called. It is actually an argument to the has_antiXPCode() function.

After all the variables are set up, the sample is finally ready to perform the OS check.

The samples first restore the original value of EDI (using the instruction: mov edi, esi). EDI appears to be subtracted by another value but is just an obfuscation. When executed, this value (at ECX + 0xC) is always zero and does not change the original value of EDI. ECX is then modified as follows:

ECX = EAX + 0×144 + f(EDI) (where f is a function of a sequence of subtraction, right-shifts, and multiplication functions on EDI).

The function f itself is irrelevant and is present only to obfuscate. What is important, though, is that ECX now has a value of at least 0x6573E403 (the hardcoded constant + 0×144). This value is then assigned to EBX like so: EBX = ECX + (original_EDI_value – 4). This causes EBX to also have a large value and is necessary for the sample to crash if Windows XP is detected.

The next bit sets the zero flag by decrementing ECX and checking if its least significant bit (LSB) is set (using the instruction: test cl, 1). The hardcoded constant and the function f() is specifically chosen such that the LSB of ECX is never set, causing the zero flag to be set by the test instruction. However, just in case the numbers don’t work out, the malware author has added a sanity check to confirm that the zero flag has been set by exiting the function immediately if it isn’t.

Finally, the sample checks if the LSB of the EDX register is set. If it is, the test instruction unsets the zero flag causing the jump at the JNZ instruction to be taken to the location that calls the maliciousCodePath() function. If it isn’t, the jump is not taken and is likely to cause an access violation when [ebx + 4] is read as EBX contains a large value (at least 0x6573E403) that is probably not accessible by the process.

To make sense of this process, let’s look at the default values of the EDX and EDI registers on Windows XP and Windows 7 (at entry point):

Windows XP

Since the LSB of EDX is not set, the zero flag will be set by the instruction test dl, 1. This ensures that the jump to the location where the real malicious code is executed is never called and instead moves to a part of the code where the value at the address stored in EBX is read. But as EDI is set to 0x7C910208 on Windows XP, EBX eventually attempts to read the value (0xE3FB0E8E), which exists in system memory and is inaccessible from user mode, thus guaranteeing an access violation.

Windows 7

On Windows 7, EDX is always set to the entry point of the process being executed. The samples in question have been crafted such that their entry point is at an address whose LSB is set to 0x40424D. Due to this, the test instruction will unset the zero flag causing the jump to take place and execute the malicious code.

Even though the sample uses a convoluted technique to achieve OS awareness, at its heart it simply checks the default value of EDX as demonstrated by this C program:

When compiled with the /ENTRY:xpcheck linker switch, the resulting binary can detect Windows XP.

McAfee detects these malware variants as PWSZbot-FQC. The Necurs rootkit can be removed using Rootkit Remover.

Samples that use this technique (MD5)

e3399b629fcd534726739fc8792d1a2a
074d8bb5443cd0640fb8ec3896106baa
6c7cb0625df7b4a8a76168ce26cce7d1
220516c214afc9aa340c145937f299b4
2e1c10912ef4a578160414616400fca3
a5923e1efd90be7542c779184f4a7843
5eda655aa0dfacf975e20b52f64073c6

The post Necurs, Zbot Droppers Use Obfuscated Windows XP Detection to Bypass Automated Analysis appeared first on McAfee.

Well that did not take long.  Only weeks after Microsoft issued the end of life for Windows XP, a vulnerability surfaces that is also reported as being used by a “known gang of malicious hackers.”   Of course for many users the task of patching will be relatively straightforward, but for many the reason to migrate from Windows XP will only get stronger.

Dubbed Operation Clandestine Fox researchers have observed attacks actively targeting Internet Explorer versions 9, 10, and 11 luring users onto malicious websites.  The use of this vulnerability within an active campaign should come as no surprise, as the attackers are simply seeking a return on investment on the time and money spent researching, and exploiting the vulnerability.  In our whitepaper entitled Cybercrime Exposed we exposed the service based nature of some cybercrime, and if you have the odd $80,000 available you can purchase the next zero-day for IE.  Or for that matter iOS, Adobe, Android, or indeed any other Operating System or Application.

What this means is that there is a thriving market for zero-day vulnerabilities, and whilst the manner in which attackers learned of this vulnerability is currently unknown, the sale of such research invariably brings more players to the table.  Further, based on simple economics, those that are acquiring these vulnerabilities will look for a return on investment.  As we stated in our recent whitepaper (Jackpot! Money Laundering through Online Gambling) money is driving the growth of cybercrime and there are very large numbers at play here.

Whereas in the past a relationship would have likely be a pre-requisite to facilitate an acquisition (for example the Zotob worm), today there are zero-day vulnerability brokers with a client list of willing participants with huge sums of money to acquire these vulnerabilities.

The net result is that there will be many more of these vulnerabilities being exploited in the wild, and whilst for some users the ability to patch is one way to mitigate the threat for most this is simply not an option.  Equally one further consideration is that many critical infrastructure providers, many command and control systems and many ATMs are based on Windows XP.  That is why for many critical infrastructure providers the end of life of Windows XP is being referred to as the equivalent of Y2K.

The post IE 0-Day, More Like Every Day appeared first on McAfee.

Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by Lockheed Martin:

As part of the weaponizing phase, attackers often put a payload into a file that, once installed, will connect in the C2 (command and control) phase to the attacker. A very common payload used by many password-stealing malware is a keylogger. The purpose of keylogging is to capture the users’ keystrokes, and gather credentials and links to internal and external resources. The stolen credentials can later be used to weaponize another file or serve as part of the actions phase of the APT kill chain.

One example we recently ran into is the malware Marmoolak, an Iranian keylogger with the MD5 F09D2C65F0B6AD55593405A5FD3A7D91.

We traced the first appearance of this keylogger to a Middle-East forum:

Although some keyloggers may capture keystrokes for legitimate purposes, this one misleads its victims by including a hidden payload. By placing this keylogger on this forum, we believe the developer intended to attack other members of this forum, a popular tactic in that region.

To prevent detection, malware authors often use cheap and easy packer’s, which modify the malware witha runtime compression or encryption program. In this case the files were hidden by a modified version of the well-known packer UPX.

On execution, the file adds a copy of itself into the System32 folder as Mcsng.exe. The malware also launches a process that drops and writes the file 1stmp.sys in the %system32%\config folder:

Although the file extension suggests it is a .sys (system) file, it is not. Its purpose is to function as a log file that contains the encrypted keystrokes of the user. Every time a key is pressed, the process records the keystroke, encrypts it and appends it to 1stmp.sys. The next screen shows a section of encrypted strings:

Although the encryption algorithm is simple, it uses “selective encryption,” with two techniques: Each byte is encrypted by technique 1 if it is odd and technique 2 if it is even. Here is an example of a log after decryption:

After decrypting we can see not only keystrokes, but also the time stamps when they were logged. After the keystrokes are logged and encrypted, the malware mails its content to its author. The malware also sends computer name and user name data to its master.

After cleaning up the standard Visual Basic obfuscation we can see the malware uses Sendmail:

In this case the encrypted log is sent to the email address Marmoolak@red-move.tk. This address is hosted on a domain that is very popular in Iran for hosting malware. The McAfee Labs reputation engine has flagged this domain as malicious: http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=red-move.tk

After deobfuscation, we observed strings in Persian that contain the word marmoolak, a frequent derogatory term in Persian to describe their Arabic neighbors.

McAfee detects this Trojan keylogger and its variants as Keylog-FAG! To avoid infection from this and other keyloggers, keep your antivirus system updated and do not download content from untrusted sources. Be especially careful of hacker forums. Some members pretend to be helpful and offer their tools. However, these tools are often backdoor malware and exist solely to access systems and abuse them for various malicious ends.

The post Iranian Keylogger Marmoolak Enters via Backdoor appeared first on McAfee.

Weapons and the skills to use them are not the only decisive elements in warfare. Rhetoric and imagery are important, too. They are essential for constructing the good and the bad, legitimatizing one’s actions and influencing the events and the result of a conflict. The cyber era has only just begun to highlight the importance of perception management as a part of war.

Perceptions matter enormously: perceptions of us, our opponent, the environment, and the situation on our side, on the opponent’s side, and among the wider public. Perceptions determine how each actor chooses to act. If you can affect the opponent’s policy goals or convince your own following by manipulating perceptions, you can have a great influence over the battlefield. The cyber era has widened the battlefield to cover entire societies, and has made the global public into the audience.

Information operations, the vector for manipulating perceptions, are integral to cyberwarfare. Propaganda and disinformation campaigns can both deceive the opponent and influence what is accepted as true. Think, for example, how Russia fought (and won) an “information war” during the run-up to the Crimean vote. Subtle information operations try to persuade the target audience to view this information in a positive light. For example, the idea behind the recent “Hearts and Minds” operations has been to make the US and American values appealing to the target audience.

In addition to spreading information, denying access to information is a tool in cyberwar. Information operations exist not only to advance one’s own message, but also to block or disrupt the flow of opposing ideas. However, in the cyber era, controlling information flows is complicated, maybe even impossible. Even if the former Egyptian regime managed to take the country offline for a while, people found ways around the maneuver and managed both to receive and disseminate information differing from the official truth.

The pervasive presence of mass media in conflict zones gave us “media wars” in the 1990s. Governments have learned the importance of perception management the hard way. Technological advancement in the new millennium has turned today’s conflicts into something that are present all of the time around the world. Opportunities provided by social media and other forms of citizen journalism have made all of us producers and intermediates as well as targets of information operations. Any form of information—whether fact or rumor—spreads quicker and more freely in the cyber era.

Keep in mind three more points about information operations and cyberwar. First, drawing the line between preparations for cyberwar and the actual fighting is difficult. We live in the gray area between war and peace.

Second, active cyber operations may inflame any conflict. Cyberspace has been a battleground in all recent major conflicts, yet it is difficult to say how and to what extent this activity influences the conflicts’ logic or results. For example, Israel has lately put a lot of effort into social media. “Social media soldiers” have advanced national goals on platforms usually associated with the free exchange of information among private citizens. What influence this has had in the on-going conflict or how it will change the nature of social media in the long term remains to be seen.

Third, intelligence communities actively use cyberspace to collect and manipulate information. Information operations not only influence public opinion; they also influence what we hold as true in any relationship that involves information exchange. The higher the level of political decision making using information, the more substantial the effect of information manipulation will be. In today’s operations, manipulating perceptions is already combined with intelligence and cyber espionage, military deception, and disruptive or destructive cyber operations. Thus the cyberwar information front is key to advancing a nation’s or organization’s goals.

Thanks to the complex connections of information production and dissemination in the cyber era, in principle all information from any source may be compromised, manipulated, or even blocked. Whether to believe a source is a question we all must answer. We need not doubt everything, but we must critically investigate arguments and claims that influence how we perceive the world around us. War is waged on the mental front—to a greater extent than ever before.

The post Information Operations an Integral Part of Cyberwarfare appeared first on McAfee.

Under Operation Tovar, global law enforcement—in conjunction with the private sector and McAfee—has launched an action to dismantle the Gameover Zeus and CryptoLocker infrastructure. Disrupting the criminal infrastructure by taking control of the domains that form part of the communications network provides a rare window for owners of infected systems to remove the malware and take back control of their digital lives.

If you, or anybody you know, receive a notification from your Internet service provider, then please do not ignore it. Use the removal tool to delete the malware from your system, and ensure you have appropriate protection to prevent future infections.

The removal tool is available at the following URL:

http://www.mcafee.com/stinger

We anticipate the criminal infrastructure of both Gameover Zeus and CryptoLocker will re-establish operations as quickly as they can. Thus you need to take action quickly.

What do Gameover Zeus and CryptoLocker do?

The two are in fact very different. Once Gameover Zeus finds its way onto a victim’s computer, it attempts to steal information from the victim. It has been used successfully by cybercriminals in all manner of attacks. From the theft of online banking credentials, credit card numbers, and even the login credentials for online job boards, the trail of destruction behind Gameover Zeus has netted criminals millions of dollars. For example, in August 2012 alone one estimate suggests that more than 600,000 systems were infected, many of these in Fortune 500 firms.

Gameover Zeus is based on the original Zeus, but works differently in that it decentralizes the control system and creates a peer-based network. The malware injects itself into legitimate Windows processes to maintain persistence, and also hooks system and browser functions to inject “fake” content into a user’s browser to conceal fraudulent activity.

This method is highly effective when the criminal wants to wire out large sums of money from a business account, but needs to conceal the activity for as long as possible until the funds are gone and have posted to the criminal’s account. Variants of Gameover Zeus operate in a peer-to-peer manner, getting their updates and configurations from available hosts on the peer network—making it much more difficult to disrupt. Gameover Zeus also has a function to dynamically update the configuration file that contains the payload usually designed to steal funds from a user’s bank account.

The functionality of Gameover Zeus ranges from simple credential stealing to advanced methods that involve hijacking a victim’s bank account in real time, enabling the criminal to wire out large amounts undetected.

Victims are typically infected via spear phishing campaigns that use various browser- and web-based exploits to deliver the malware onto the target system. The actors behind Gameover Zeus are interested in financial gain; thus they target consumers and businesses with this malware.

CryptoLocker, on the other hand, is not as sneaky, and warns users that unless they hand over a sum of money the malware will encrypt the data on the system. Such ransomware provides only a short window for the user to transfer the funds to the criminals, and failure to do so will result in the files being encrypted and unusable. If your system has files that are encrypted, the Stinger removal tool will not be able to retrieve them.

CryptoLocker encrypts the files on the system and generates a pop-up demanding that the victim pay a ransom to get the private key to decrypt the files. The malware uses public key cryptography algorithms to encrypt the victim’s files. Once the victim’s machine is infected, the key is generated and the private key is sent to the criminal’s server. The malware typically gives the victim 72 hours before the CryptoLocker server is supposed to destroy the private key, making the files unrecoverable and unusable. Victims are also infected via phishing emails and botnets.

Combining global law enforcement, including the National Crime Agency (United Kingdom), the FBI, and Europol, as well as partners in the private sector, this operation will provide a unique opportunity for those who are infected to remove the infections. Victims of these malware need to take advantage of this opportunity because the criminals will attempt to re-establish their communications infrastructure as quickly as they can to continue stealing your data and money.

The post It’s ‘Game Over’ for Zeus and CryptoLocker appeared first on McAfee.

Deterrence is an important part of warfare, often the most effective form of defending. Therefore, in the next couple of years we expect to see states reveal some of their offensive cyber capabilities more openly than they are doing today. The goal of deterrence is to make our opponents abstain from attacking, yet if the deterrence is too strong it may lure us into lowering our own attack threshold. The complex logic of cyber deterrence deserves a closer look.

Effective deterrence convinces our opponents that it is too costly to attack us. This evaluation is based on both material facts and perceptions about our skills and motivation. We can achieve deterrence through a strong defense, a convincing ability to turn the opponent’s potential success into a Pyrrhic victory, or a vast capability for retaliation. The strength of our deterrence can be backed up by vigorous information campaigns. However, in cyberspace virtually every system is breachable, attribution is difficult if not impossible, weapons are often used only once, and verifying anyone’s capabilities is challenging. Building effective deterrence requires applied ways of thinking.

Deterrence through strong defenses

The idea behind the majority of cybersecurity solutions is to build defenses that no attacker can break through. Smart defenses do not try to protect everything but concentrate on safeguarding the most essential assets in all circumstances. The success of this endeavor is difficult to estimate because most advanced attacks can camouflage themselves. They are often found only after a long period or not at all. Nevertheless, establishing a strong defense is worthwhile because defenses known to be solid will turn some potential attackers toward easier targets. Alongside technical aspects, a strong defense includes a workforce that knows how to act in a smart way.

Unfortunately, strong defenses motivate some cyberattackers. With enough resources and time, every system is penetrable. Victory tastes the sweeter the harder it is to achieve. In addition, gaining control—whether of military communications or SCADA systems in critical infrastructure—gives the attacker a powerful edge. The ability to demonstrate a strong defense, again, increases deterrence.

Deterrence through performance and action

Traditionally, effective perceptions of our capability, which contribute to deterrence, rise from military and other verifiable actions. Parading the equipment has been a way of convincing opponents as well as our own people about military might.

In cyberspace parading the equipment is not a good idea. The effectiveness of cyber weapons is always tied to context, and showing them may reveal systemic weaknesses to opponents. Concealing our weaponry is a better choice. Even if we use cyber weapons, we can plausibly deny their existence because of the difficulty of attribution. Parading the equipment has been left to hacktivists or criminals. States have only recently begun to acknowledge their involvement in cyberattacks.

Observable capabilities to prevent and preempt attacks may constitute a part of deterrence. However, it is challenging to prove that an event was prevented—because it presupposes that something that would have happened otherwise did not take place. Both strategies require extremely good intelligence and know-how to prevent attacks. If our opponent is unknown, for example, preemption attempts can turn against us: Hitting the wrong target creates a new enemy and can escalate the conflict.

Deterrence through retaliation

If we cannot build a strong defense, many choose to build a strong capability for retaliation. Even if the opponent can get through our defenses, we will hit back—and hit hard. Creating a credible offensive capability requires a different kind of thinking and investment than building defenses; ideally they support one another. In cyberspace, retaliation is restricted by our ability to recognize the opponent and know its systems. Yet just knowing that our capability exists may deter some potential opponents. Moreover, cyberattacks may be answered by physical actions, too.

Cyberspace is omnipresent in our society. Therefore, we can build deterrence only in cooperation with all levels of society. Ideally, up-to-date technology combined with skilled people creates credible deterrence—but the capability must be demonstrated. This need increases the importance of offensive capabilities. Due to the high number of cyberattacks we face each day, it is difficult to estimate when, against whom, and for how long cyber deterrence remains effective.

The post Deterrence in Cyberspace Helps Prevent Cyberwar appeared first on McAfee.

Comme souvent avec l’arrivée des beaux jours, l’actualité cinématographique en France est riche et les comédies françaises cartonnent en salle. En parallèle, la recherche de ces films en téléchargement illégal ou en vision streaming est un jeu dangereux que nombre d’internautes semblent régulièrement expérimenter.

L’une des méthodes les plus usitées pour tenter de récupérer des films qui ne sont pas encore disponibles dans le commerce, ou pour lesquels l’internaute ne désire pas payer, passe, sans surprise, par Google. L’apprenti pirate tape le nom du film qu’il désire visionner, associé à un terme de type « streaming », « téléchargement » ou, pour notre exemple, « torrent » (terme désormais générique faisant référence au protocole BitTorrent pour le transfert de données en mode Pair à Pair (P2P) à travers Internet).

Voici ci-dessous l’exemple pour le dernier film d’Audrey Dana sorti le 4 juin 2014.

Pléthore de choix se proposent à l’internaute ravi, pour le moment… car tous ces liens se révèlent en fait être des arnaques.

Une autre méthode très simple passe par Facebook. Après une recherche ou un message d’invite reçu d’un ami trop confiant, l’internaute est invité à cliquer sur un lien:

Il existe en effet des pages soi-disant spécialisées dans le téléchargement sur Facebook. Elles apparaissent et disparaissent aux fils des actualités cinématographiques. Celle-ci (image ci-dessous), malgré ses 4747 « likes », ne contient que des liens piégés dirigeant le visiteur vers des sites plus que douteux.

Et la même chose existe sous Dailymotion…

… là encore une arnaque.

Arrêtons les exemples pour étudier plus avant les arnaques en question.

Dans certains cas, le cinéphile télécharge directement un imposant fichier compressé qui est annoncé contenir son film. A son ouverture un message lui indique qu’il doit suivre un lien pour récupérer le mot de passe lui permettant d’ouvrir une seconde archive compressée dans la première.

Dans d’autres cas il est entraîné vers un site de téléchargement.

Et pour finir, tous se retrouvent devant une offre préalable qu’ils doivent accepter avant de pouvoir poursuivre. Celle-ci est déclinée, en français ou en anglais. Il en existe de nombreuses variantes dont la suivante :

Et c’est là que l’affaire devient douteuse… L’achat s’effectue par saisie de son numéro de téléphone mobile qui permettra non pas de recevoir l’application (il est dit que celle-ci sera envoyée par mail), mais de payer un droit d’accès, par débit direct, sur la facture de son opérateur mobile.

Exemple avec cette application lampe torche indispensable:

Mais avez-vous bien remarqué la petite phrase sous le bouton « télécharger » ? Il ne s’agit pas d’un paiement unique, mais d’un abonnement à la semaine.

Cela vous est confirmé dans l’une des fenêtres suivantes, qui, de plus, indique que les modalités de résiliation sont à effectuer auprès votre opérateur mobile, dans votre espace client web et non pas avec la société avec laquelle vous traitez maintenant.

Et les exemples similaires sont légion. La multiplication de ces offres (j’ai pris ici l’exemple du film « sous les jupes des filles » mais tous les films français récents font l’objet de ce genre de trafic) vient du fait que ceux qui les propagent sont rémunérés. Ils reçoivent une commission à chaque fois qu’un « pigeon » se fait avoir. Revenons en effet sur certaines des URL qui nous amènent aux offres telles que celle de notre fameuse lampe torche. Elles se terminent toutes par un identifiant permettant la rémunération de l’affilié (l’intermédiaire qui a permis la vente).

Ajoutons, au passage, aussi que les opérateurs, sans être activement complices, s’y retrouvent indirectement car ils perçoivent mécaniquement un pourcentage des abonnements souscrits.

Le seul perdant dans l’histoire, c’est l’internaute qui ne verra jamais son film car, bien entendu, celui-ci n’est même pas au rendez-vous, le fichier compressé ne contenant, au mieux, que la bande annonce : ne dit-on pas que bien mal acquis ne profite jamais?

NOTA: Dans ce blog, j’ai volontairement flouté tous les liens qui pourraient conduire à reconnaître les sociétés qui gagnent beaucoup d’argent en n’étant pas regardantes sur les méthodes des affiliés qu’elles recrutent.  Le président d’une de ces sociétés ne vient-il pas en effet d’indiquer, en janvier dernier, lors du salon Web2Business 2014, que son chiffre d’affaire avoisinait les 100 millions de dollar!

Car ces pratiques semblent étonnamment légales. Pour s’en prémunir, vous pouvez souscrire au blocage d’achat des services Internet+.

Par exemple, chez Orange, il s’agit de l’option de « blocage des achats multimédia et SMS+ ». Elle est gratuite. On y souscrit sur demande, en points de vente, par téléphone ou sur son espace web client.

Cette option bloque le paiement des achats de types contenus ou services tels que:

• Personnalisation du mobile (sonneries, logos,…)
• Vidéos
• Achats de livres à travers l’application Read an Go par exemple
• Jeux
• Services SMS+ de téléchargement (pour la personnalisation du mobile par exemple…)
• Services de charme (sous la forme de vidéo ou chat)
• Achats de contenu sur Google Play

Elle ne bloque pas:

• les services SMS+ de votes, dédicaces et jeux TV antennes et des services communautaires (chat).
• l’envoi d’un SMS et la facturation de cet envoi (hors surtaxe) vers des numéros SMS+.

Si vous souhaitez garder cette option, pensez néanmoins à aller vérifier que vous n’avez pas d’abonnements indésirables.

The post “Sous les Jupes des Filles” il y a des Arnaques appeared first on McAfee.

Taking the cyberwar challenge seriously requires thinking outside our comfortable technology or national security boxes. Unfortunately—regardless of the lip service many decision makers pay to cybersecurity—this ability is a rare quality. What the world needs is strategic leadership in navigating the murky waters of cyberspace. The digital world, as well as the threats and opportunities in it, is not “out there,” but part of our making.

The value of cyberspace arises from its close connection to the physical world. The Gains we achieve through the digital realm—efficiency, near simultaneity, global reach, cost reductions, new opportunities for business and civil society—are meaningful only when they improve the quality of our lives. Unfortunately, owning anything valuable also encompasses the fear of losing it. We are afraid of losing the functions that cyberspace enables, as well as the functions controlled by it. Because we are not sure how different functions relate to one another or affect the physical world, confusion prevails.

Moreover, we do not really know our potential enemies, their capabilities and vulnerabilities, logic, or willingness to do harm. We don’t know what to defend against, which makes us concentrate on the technologically possible instead of the politically feasible. By designing, constructing or acquiring, disregarding, and using technological capabilities, we build the future operating environment and the future world. This responsibility is huge and should not be carried out technology in the lead. Strategic thinking and the skill to effectively use our current capabilities have often proven to be the key to success.

Thus far technology has prevailed in cyberspace while our strategies have been reactionary. The voices of warning have existed for years. Still, we seem to take steps only after we see a disaster. For enhanced security we should learn to make decisions based on sensory information other than visibility—and not only on tactical and operational levels, but also on a strategic level. In addition, we must plan, build, and execute on the assumption that we can never reach perfect visibility.

The basic problem in strategic thinking about cyber-physical reality is that we try to apply concepts and logic drawn from the physical world to the digital world without modification. Thus we expect to recognize our opponents (or construct them in fierce naming and shaming campaigns), count stockpiled cyber weapons (and verify their existence), attribute attacks (and possibly retaliate), and deter (though effective deterrence requires a known enemy). We also try to conduct information operations in the era of Web 2.0 as if we were living in a world in which major media companies or national news broadcasts control the information sphere.

The aforementioned are only a few examples of flaws that dominate security thinking. Old-fashioned ideas prevail in public and private sectors alike. Both participate in contemporary security production and are stakeholders in cyberwar. The tendency to rely on familiar frameworks in the face of something unexperienced is understandable, yet it may hinder our attempts to scrutinize cyber-physical reality as it is and learn to live in it. The contemporary world is our creation, but it may not suit preexisting security frameworks.

How about starting with our cyber-physical reality? We must learn its basics and conceptualize it without prior frameworks, and learn to live in a multiphase reality in which we may not be able to know our enemies, build a strong security posture alone, or enjoy unambiguous truths. We cannot control cyberspace (although we try to) and must learn to live with its malleability and unpredictability. Absolute security is unattainable. Thus resilience should become the prime driver in security thinking. And that warfare should remain only a feature of politics.

Cyberspace and the changes it has brought about in warfare and security production do not represent a revolution. They cannot be addressed by those currently in decision-making positions. Rather, they are a phase in our normal evolution and should not be deferred to future generations who might better understand them. By then it may be too late.

The post Thinking About Next-Generation Security and Cyberwarfare appeared first on McAfee.

Lately, we have seen a number of communications through our automated framework from the Neutrino botnet. While analyzing this botnet, we found that it has a number of anti-debugging, anti-virtual machine, and sandbox-detection techniques that we have seen before. The botnet looks to be at an early stage, based on factors such as no obfuscation/packer used in the botnet binary, a couple of hardcoded strings, and old anti-analysis techniques. The most interesting part of the botnet is the deliberate “404 Not Found” response from its control server that contains base64-encoded malicious commands. The botnet supports malicious commands such as distributed denial-of-service attacks, keylogger, download and execute, etc. You can learn more about the Neutrino botnet at this site hosted by Kafeine.

The botnet binary we analyzed is written in Visual C++ and uses no packer or obfuscation techniques. The binary immediately calls a function that will check if the binary is being debugged or run under any virtual machine. If the malware finds any of these, it terminates. Here are the checks implemented in the binary:

Once bypassed, the binary creates a mutex under the name n3nmtx, which is hardcoded in the binary. Then the malware performs a series of operations by calling different functions as below:

The binary gathers system information as we see above, retrieves hardcoded control server URLs, and then checks if the control server responds by sending a GET request, shown below:

As shown above, a few things are hardcoded in the malware, and we can easily look into the strings of this binary. The binary creates a directory under %APPDATA% and copies itself into that directory with different system filenames. It next adds a registry entry under Software\Microsoft\Windows\CurrentVersion\Run. The collected system information is then sent to its control server, as we see below:

The “404 Not Found” response is sent by the server to hide another malicious command, which is hidden inside the comment section of the HTML response. The hidden command, which starts with NCMD, is base64 encoded. When we convert the base64 response, it turns into:

“1400833546611328#keylogger Western#1399621409275851#rate 1#”

The command tells the botnet binary to start a keylogger on the infected system. The keylogger functions retrieve clipboard data and write it to the file _clipbrd.txt, under %APPDATA% in the directory LOGS, which is created by the binary in the following format:

The botnet then informs its control server about the task it executed in the POST request shown below:

The control server sends additional commands to the infected system and executes them. The string from the binary contains all the supported commands by this botnet. Here is the list:

The hardcoded strings and plain communication over the network make this botnet easily detectable. McAfee customers are already protected from this threat.

The post A Glance Into the Neutrino Botnet appeared first on McAfee.

It has been two weeks since the announcement by multiple global law enforcement agencies regarding the takedown of the communications infrastructure for the Trojans GameOver Zeus and Cryptolocker. Judging by the number of downloads for the McAfee Stinger utility, thousands of systems worldwide no longer provide money to Evgeniy Mikhailovich Bogachev and his associates.

However, managing the cleanup across multiple systems can be an onerous task. For those responsible for managing many systems, running the McAfee Stinger in a systematic fashion across all devices is simply not an option. Infected systems that connect to one of the sinkholes will also make a connection to the following IP address: 72.52.116.52:4643.

McAfee recommends that system managers not block or filter this address because it acts as a useful indicator for infected devices, and connecting to this address does not introduce any risk.

With this information, it is possible to configure your security products to alert you should any of your systems attempt to connect to this IP address and port number. McAfee Enterprise Security Manager (see Figure 1) provides real-time visibility into all activity across systems, networks, databases, and applications. McAfee Enterprise Security Manager provides real-time situational awareness, and this rule allows organizations to respond intelligently and efficiently in mitigating GameOver Zeus and Cryptolocker infections.

Figure 1: McAfee Enterprise Security Manager.

In order to detect whether any systems are attempting to connect to this lighthouse IP address, an alert can be created that will generate an alarm when the rule is activated (see Figure 2):

Figure 2: A McAfee Enterprise Security Manager alarm.

When activated, the alarm will inform the system administrator which system is likely infected. This provides an opportunity to focus your removal efforts using an efficient means to address GameOver Zeus and Cryptolocker infections. For detailed guidance on the steps required to generate this alarm, please read our document McAfee Enterprise Security Manager Setup.

Thanks to Martin DeJongh, Enterprise Technology Architect, for his assistance with this post and guidance.

The post GameOver Zeus/Cryptolocker: Am I Still Infected? appeared first on McAfee.

McAfee product coverage and mitigations for malware or indicators associated with the recent attacks (a.k.a. Dragonfly, Energetic Bear, Havex/SYSMain) on industrial control systems (ICS’s) are listed below.

The Havex remote access tool is common across these associated attacks or campaigns–including Dragonfly. We have seen Havex in ICS-specific targeted campaigns. It can detect and affect ICS- and SCADA-specific services, such as OPCServer (OLE for Process Control).

McAfee Product Coverage and Mitigation

• McAfee VirusScan (AV):  Known, associated, malware samples are covered by the current DAT set (7486).   Updated coverage will be included in the July 2 DAT set
• McAfee Web Gateway (AV): Same as VirusScan coverage.
• McAfee Application Control: Provides coverage via whitelisting.  Nonconforming executables will not run.
• McAfee Next Generation Firewall: Partial coverage (for malware artifacts) is available via built-in McAfee AV  inspection of  mail, web and file transfers.

Please check back often for updated technical details and product coverage.

The post Product Coverage and Mitigation for ICSA-14-178-01 (Havex/ICS-Focused Malware) appeared first on McAfee.

Recent headlines (here and here) may have struck fear into those living near major energy installations due to references about the Stuxnet malware. In 2009, this particular strain of malware caused significant damage to the Nantanz nuclear facility, reportedly destroying a fifth of Iran’s nuclear centrifuges. Recent reports about Operation Dragonfly, however, appear to be focused on espionage (at least for now), and the scope of the attack appears to be considerably broader than that of Stuxnet.

The various elements associated with Operation Dragonfly draw comparison with Operation Shady RAT; in which at least the first phase targeted specific individuals via email. Beyond the specifics of the operation, however, Operation Dragonfly raises very significant concerns regarding the safety of systems that comprise our critical infrastructure, and in particular regarding the ever-growing supply chain.

This threat was covered in detail in the recently published book “Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure,” coauthored by Raj Samani and Eric Knapp, and edited by Joel Langill. The espionage from Dragonfly could lead to another attack. In the book the authors write: “the SCADA and automation systems within the grid also provide a blueprint to the inner workings of the grid operations. This is valuable intellectual property that could be used for malicious purposes ranging from the influence of energy trading to the development of a targeted, weaponized attack against the grid infrastructure or against the grid operator.”

One of the primary tools leveraged in Operation Dragonfly is Havex. The Havex remote access tool (RAT) can be traced back to (at least) mid-2012 and is not necessarily exclusive to this attack or campaign or actor. Havex is closely related to the SYSMain RAT, and may even be a derivative. We have also observed them used in conjunction. The Trojan is distributed via spear phishing, watering-hole attacks, and by inclusion in exploit kits (such as LightsOut). This family takes advantage of OLE for Process Control (OPC) servers.

The method by which the Havex RAT targeted industrial control systems owners was clever. In addition to spear phishing, the control system vendors’ websites were used as watering holes, ensuring that the delivery of the RAT was highly focused. The next stage, the enumeration of OPC servers, is also clever and very concerning. The malware focuses enumeration on OPC Classic, which lacks the security features of newer OPC variants, and indicates that the attacker is knowledgeable about industrial security—a niche that, to some, benefited from “security through obscurity.” The biggest concern, therefore, is that once again we’re seeing malware targeting an industrial protocol.

In “Applied Cyber Security” the authors wrote, “Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of [a variety of critical systems].

“Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of substation automation, dynamic load management, fault isolation, and even protection systems.”

By specifically targeting OPC Classic, the attacker is likely to discover more vulnerable legacy systems. OPC is extremely common, and can interface with a variety of key systems within almost every industrial environment, from almost every sector. From a network design perspective, OPC uses a wide range of ports; unless OPC is tunneled, firewalls allowing OPC are as open as Swiss cheese. Although there’s still a lot to learn about Havex, this event should inspire asset owners to harden OPC servers, and to assess their networks with this type of attack in mind. Inspection and enforcement of OPC using application-layer firewalls is a good start. Without an industry-wide effort to stem the inherent vulnerabilities in OPC, Havex could prove itself to be another devastating “industrial” RAT—alongside DisktTrack (a.k.a. Shamoon), Duqu, Stuxnet, and Gauss—capable of remote command of control systems. That is something that no one wants to see happen.

For more information, please refer to “Applied Cyber Security and the Smart Grid.”

The post Operation Dragonfly Imperils Industrial Protocol appeared first on McAfee.

Last month many Internet users were suddenly forced to trade in Bitcoins. This was not for general purposes–they were paying to get their data back. Their systems had been hijacked by ransomware.

Ransomware is a type of malware that infects a machine, locks data files or the entire system, and demands payment to free the information. What’s worse, sometimes the hijackers take the payment and still don’t unlock the data.

Law enforcement recently celebrated a major shutdown of ransomware, but no sooner does one strain of malware suffer a setback than another takes its place. During the past year the ransomware CryptoLocker has been in the news. Just after its operation was taken down we saw a similar variant, called CryptoWall.

Victims are infected by opening phishing email attachments.

CryptoWall uses stealth methods for execution, resolving API names, and random number and crypto key generation algorithms that communicate with the malware’s control servers, which are walled behind the TOR network. The use of TOR and Bitcoin in this operation make tracing the attackers more difficult.

CryptoWall is typically obfuscated and compiled with the latest C++ compiler. The malware uses a technique that is common among malware today. Instead of writing its unpacked binary onto a system, it unpacks itself in memory and later maps onto the original malware process address to execute. The unpacking routine contains lots of fake API calls and obsolete instructions to make it hard to analyze.

On execution the malware injects unpacked code into explorer.exe by using the API calls CreateProcessInternalW, ZwCreateSection, and ZwMapViewOfSection.

The infected explorer.exe further injects malicious code into the common process svchost.exe in Windows. The unpacked malware binary does not contain any API information or import address table; instead it creates one at runtime. To resolve the API names, the malware uses a hash-key technique, in which it passes a hardcoded hash to a function to get the API name from the corresponding DLL.

The malware uses Windows cryptography functions to calculate the MD5 hash of the user’s machine name and processor information using a hashing algorithm; thus the malware can store this hash as a unique identification of the infected machine.

The binary uses the following format to encrypt user information and send it to control server.

The communication between the control server and victim is via RC4 algorithm, to bypass traditional intrusion detection or prevention systems. The malware sends user information in encrypted form and waits for commands from the control server.

CryptoWall is different from other common malware in that it uses the POST parameter as a key to encrypt and decrypt POST data (user information and responses from the control server).

In the preceding image,  “/mm5pqllvakv” is the POST parameter and encrypted user data is the “v=5ca…” string outlined in red.

This POST parameter is generated using custom logic with the Mersenne twister algorithm as a random-number generator. Thus each communication is different for same data.

Using the POST parameter and custom algorithm, the malware creates a secret key in the RC4 algorithm for network traffic.

The malware uses RC4 to encrypt the data “{1|cw1500|E283970059F62062A65F957D240764FD|2|1|2|}” with the secret key “5akllmmpqvv.”

After encryption, we see this:

The POST variable name “x=” or “v=” is also chosen randomly from the POST parameter “/mm5pqllvakv.”

On the server side, we find these steps:

• The attacker creates the secret key using the POST parameter.
• Extracts user information from RC4-encrypted data.
• Stores unique MD5 (machine and processor names) data to identify the victim.
• Create a public/private key pair using OpenSSL.
• Encrypts victim’s public key and unique homepage of ransom details with the RC4 algorithm using the secret key.
• Encrypts user files, including docx, ppt, txt, pdf, etc. using the public key.

The communication with the control server looks like this:

Decrypted network traffic:

The secret key is created from the randomly generated POST parameter. The algorithm for creating a secret key is represented below in a simple python program:

Using the preceding algorithm, a secret key can be generated and the network response can be decrypted.

In this case, the POST parameter is “cb1wk21a56w”and the secret key for decryption is “11256abckww.”

Here is the control server response decrypted using the secret key:

After receiving the public key, the malware searches for user data and encrypts it. The data can be decrypted only by its corresponding private key.

To offer that private key, the attacker demands money. The malware displays the following message and instructs the victim to pay. It offers to decrypt one file as proof of its decoding capability.

The victim needs the corresponding private key to decrypt files. The attacker demands US$500 for the private key, with a deadline for this price. After that time, the ransom increases to US$1,000.

Your best protection is to back up your data regularly and avoid phishing emails. McAfee customers are already protected from this threat.

I would especially like to thank my colleague Vikas Taneja for his help in researching this threat.

The post CryptoWall Ransomware Built With RC4 Bricks appeared first on McAfee.

The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption techniques to hide communications with its control servers. The latest iteration uses a variation of XOR and RC4 algorithms similar to previous variants to encrypt the list of control servers within the binary and encrypt all traffic with the server.

The Dofoil sample we analyzed (D8AB2694A8AAA0FA729AC0FCC93767A2) contained many antianalysis tricks common to previous versions:

• Code obfuscation
• Self-modifying code
• Sleep for an infinite time if sample is named sample.exe
• Sleep for an infinite time if volume serial number of C:\ is 0xCD1A40 (anti-ThreatExpert) or 0×70144646 (unknown)
• CPU-specific checks
• Virtual machine presence based on an entry in HKLM\System\CurrentControlSet\Services\Disk\Enum
• Presence of sandboxing, etc.
• BeingDebugged and NTGlobalFlags checks in the process environment block

As in previous versions, a GET request to msn.com is made to confirm an active Internet connection on an infected machine.

After the confirmation, the sample proceeds to decrypt the location of its control servers, which are encrypted and stored in a lookup table.

The encrypted strings for the control server domain names are visible in high-entropy areas:

To decrypt, the samples use an XOR-based encryption scheme. The encrypted data conforms to the following format:

One decrypted byte is represented with two encrypted bytes in this scheme. Two bytes are read from the encrypted data and individually XORed with the one-byte key. The difference between the two values yields the decrypted byte. The size_of_encrypted_data field is a bit misleading because it contains an intentionally large value that the sample corrects during its decryption. When decrypted, the control servers are visible:

The sample we examined contains three control servers: hxxp://zoneserveryu(788|789|790)[dot]com

All communications with a server take place over HTTP POST requests; the commands are encrypted with an RC4-based algorithm. Unlike previous variants, in which the MD5 of the infected computer along with the volume serial number of C:\ was passed as the login parameter, the new variant uses a 160-bit hash composed of five components. For example, for the following command string, the login field translates to five DWORDs:

It’s unclear why the malware authors introduced redundancy in the hash. The command is encrypted, prefixed with its size and four-byte encryption key, and sent to the server like so:

When the command is decrypted with the following algorithm, we can see the original command:

The initial request gets a 404/not found response with an encoded body from the control server.

The body consists of encoded commands from the server along with a plug-in file (executable DLL) encrypted with the same algorithm listed above except that it uses a 13-byte key. It decrypts to:

The plug-in file usually has an exported function “Work” and could contain functionality for additional commands and features.

When the sample wishes to download additional malware, it passes a file number using the file parameter:

The server responds with a 404 response but passes on new malware in the content of the response. It also passes its own command in the “Vary” header.

The sample is equipped to handle four commands: to write downloaded files to disk and execute them, remove itself, silently register DLLs, and inject content directly into memory.

The sample returns the result of its command to the server. For example, if the server responds with “0-AAAAAA,” the sample writes the downloaded sample to disk (in %APPDATA% or %TEMP%) and executes it. If it succeeds, it responds with the run=ok command. If the sample fails to execute, it sends run=fail.

Eventually, the sample downloads password stealers and spam bots, which send spam claiming to be from Amazon.com, and embeds an attachment containing the original sample to spread itself:

McAfee customers are protected from this threat by Downloader-FAFW and other signatures.

The post Dofoil Downloader Update Adds XOR-, RC4-Based Encryption appeared first on McAfee.