Channel: McAfee Labs | McAfee Blogs

InstallCube: How Russian Programmers Turn Adware Into Cash


We often observe applications bundled with ad-displaying programs to generate revenue for those products. These are not necessarily unethical, but some of them try to make easy money by deceiving users. McAfee categorizes such apps as potentially unwanted programs (PUPs). Here’s a look at a recently discovered Russian-based campaign that is very well organized.

We can summarize the flow of the campaign with this flowchart:

[Figure: campaign flowchart]

We came across one of the many sites that are part of this campaign. This site promises to give users pirated keys for various antimalware software so that they can use AV products for free.

[Figure: Wrapped website.]

[Figure: Wrapped RAR file download button.]

The keys are offered in a RAR file that is available on the site. However, we found this to be an adware executable with the name sample.rar.exe, which carries a RAR icon to mislead users into thinking the file is an archive instead of an executable. One click by the user, and the adware is executed.

[Figure: Icon resource of the executable posing as a RAR file.]

After executing, the sample first reports a confirmation to the InstallCube back-end server (cubinapi.com) with a unique load ID. The load ID is produced by an algorithm that builds a string from the characters 0-9 and a-f, with each character of the key generated by a different routine.

[Figure: Fragment of the algorithm that generates the key.]

[Figure: Generated post key.]

This unique count lets InstallCube measure how far the ads have spread, and it is eventually converted into cash.

After reporting the execution statistic, the executable opens a page in Internet Explorer that has a big green download button and a small download link. If the button is clicked, it leads to one of two possible downloads: either a big file (10MB-20MB) or a small executable (less than 1.5MB), which is the ad-producing software. Refreshing the same link leads to various files being downloaded.

[Figure: Bundle download button.]

The big file is Trash.exe, and it pretty much justifies its name. This is a simple application written in Visual C++ whose only function is to display a dialog box reading “Trash Project, Version 1.0.” The likely purpose of such a big file is to generate traffic to certain sites.

[Figure: Trash.exe file.]

In the following chart we can see the conversion of ads into cash:

[Figure: The money flow.]

We tried to register an account on InstallCube, which promised us that our software would be wrapped in a packer and installed on a number of users’ machines. However, to start the campaign they demanded at least 2000 rubles.

[Figure: InstallCube demanding payment from advertisers.]

If the webmasters host only the deceptive adware and not useful files, traffic to their sites will decline because of unsatisfied customers. In the following chart we see this issue addressed by a webmaster, who demonstrates the drop in traffic after the adware was hosted on his site.

[Figure: Graph showing number of views (blue) and visitors (green).]

As a result, sites host the adware for only a short time and periodically remove it so that the site’s reputation remains good. The adware executables on this site are also hosted only briefly and are frequently replaced by useful files.

InstallCube is not the only organization profiting from this campaign. The webmasters who host misleading software are also making quick money by using InstallCube. In the following Russian blog we found a discussion among webmasters about how to use this software to make money.


Showing ads is not always bad behavior, but in this case two breaches make this campaign unethical. First is the deception of making an executable appear to be an archive; second, there is no mention of the ads anywhere (for example, in an End User License Agreement). Users are given no options and become victims of the ad campaign as soon as they click the fake executable.

Such ads and force-fed bundled software are not malware, but they can annoy users and also take up a chunk of their bandwidth.

McAfee has blacklisted the InstallCube site and the back-end tracking service.


We also offer generic coverage of ad-producing executables as PUP-FSP, PUP-FRP, PUP-FQL, and PUP-FPA.

The post InstallCube: How Russian Programmers Turn Adware Into Cash appeared first on McAfee.


Scammers Sell Free Mobile Flash Player Using YouTube Feeds


Scammers love to sell “Flash Player” for Android to careless users who are easily deceived. Although a series of these scam apps were deleted from the official Android app store after our recent report, malicious apps such as Android/Fladstep have reappeared in the store. This time the scammers are promoting their sales tools using the RSS feeds of the world’s most popular video site, YouTube, to impersonate legitimate apps.


After being launched, the malicious app shows a playlist of video movies with titles related to Flash Player for Android devices.


This playlist of movies is actually retrieved from YouTube, from its published RSS feeds. We can bet that these movies do not belong to the attacker.


The playlist appears to start with advice about Flash Player. However, the scammer first replaces all the movie links with links to fraudulent sales websites, which require visitors to pay money for the fake Flash Player. (Adobe’s version is free.) We have seen these websites before.


If a user selects “Yes” on the download site, a familiar, suspicious page appears. Finally the user is redirected to a PayPal page. Unlike the previously reported case in which the scammer offered the free Flash Player for €5, this time the scammer has doubled the price, to €10.


Of course, you don’t need to pay for this bogus version of the free Flash Player for Android; you should download and install it directly from Adobe. If you see the preceding screen and it appears you are being tricked into buying a maliciously crafted version of Flash Player, simply close the app or browser.

The post Scammers Sell Free Mobile Flash Player Using YouTube Feeds appeared first on McAfee.

An Advance You Won’t Want to Miss: McAfee Adds Flash Exploit Detection to NSP 8.2


Adobe Flash vulnerabilities and exploits have worried users and security professionals for many years. The situation today remains serious. A quick search of the National Vulnerability Database shows 277 vulnerabilities reported in Flash Player since 2011. For Flash zero-day attacks (which means that there was no patch from Adobe when the vulnerability was exploited), researcher Chris Evans provided a useful spreadsheet tracking all of them in recent years (except for the recent CVE-2014-9163). Since 2011, 21 Flash zero-day attacks have been disclosed, and that doesn’t count those exploited in the wild soon after Adobe’s patch. On average, there are about six Flash vulnerabilities per month, and every two to three months we have seen a Flash zero-day attack. Flash threats are not only Flash exploits; because Flash works as a plug-in to browsers, vulnerabilities in browsers can sometimes be exploited with the aid of Flash. This usually happens with Microsoft Internet Explorer. Previously, we have seen IE zero-day attacks involving Flash, such as the IE CVE-2014-1776 zero-day attack in April 2014, and the IE CVE-2013-3163 zero-day attack in July 2013.

At McAfee Labs we have performed leading research on Flash for quite a long time. During the last couple of years, we have analyzed every Flash-related threat. We were the first security vendor to successfully identify the modern exploitation technique on Flash Player, which we named Flash Vector Spraying, in February 2013. This advanced technique soon became the leading exploitation method used in many Flash and IE zero-day attacks to defeat address space layout randomization and data execution prevention on Windows 7 and later operating systems. You may have seen this technique mentioned in coverage of zero-day or watering-hole attacks.

Flash is a complex application. From a research point of view, the Flash Player binary Flash32_xx_xx_xx.ocx is about 16MB without any symbols, which makes it really hard for researchers to reverse-engineer. Thus it’s not easy to analyze and debug Flash exploits. The core script engine in Flash, the ActionScript language, is extremely flexible, but this flexibility makes it almost impossible to deliver meaningful signatures against malicious Flash content.

What about sandbox-based detection, you ask? Yes, sandboxing is cool and has attracted a lot of attention in the industry. However, once you understand how the bad guys make Flash exploits, you won’t think sandboxing is such a good idea. First, a Flash exploit, especially for targeted or advanced attacks, may work on only one or a few vulnerable versions of Flash Player. Flash Player has frequent updates, so there are many Flash Player versions. Thus it would be really hard for a sandboxing solution to set up the vulnerable version for any potential Flash exploit, and a sandboxing solution that can’t trigger the exploit code is ineffective. Second, due to their nature, sandboxing systems are offline solutions and cannot prevent malicious Flash exploits by blocking these attacks inline, in real time. Third, Flash content is so common on the Internet that running all of it in a sandbox would likely introduce performance problems and thus harm the usability of a sandbox solution as well as the user experience.

Considering these challenges, we find the best way to fight Flash exploits is with the traditional “static” approach, aided by some innovative ideas based on our in-depth understanding of how Flash exploits work, as well as the nature of Flash compilers. From a product perspective, the static approach is useful because it’s the fastest solution and users expect the highest performance. In addition, it’s quite easy to integrate our detection engine with many of our security products. Our approach is to detect malicious exploitation operations not based on signatures or patterns, and our engine effectively detects and stops zero-day (or any unknown) attacks related to Flash content. We tested our in-the-Labs engine with all samples involved in all previous Flash and IE zero-day attacks when they came out, and none of them could evade our detection engine. Here is a short list of the zero-day attacks and their typical in-the-wild Flash samples, and we detected all of them at the time they appeared.

(The recent CVE-2014-9163 is not listed because there was no public sample as of this writing.)

Concerned about our customers’ experiences, we have performed quite a lot of large-scale tests against real-world Flash samples from both our internal and external VirusTotal sample databases. Based on the results, we are confident that our solution will balance the effectiveness, performance, and false-positive rate very well.

During the past 18 months, our research and engineering team has been busy implementing the engine and integrating it into our Network Security Platform (NSP). With the release of NSP Version 8.2, we are excited to announce the availability of this feature. Our NSP customers may refer to this page for information regarding this release.

We are excited about this advanced and innovative feature for combating Flash exploits, and we hope our customers will share that excitement, too. We strongly suggest our NSP customers try this feature and give us feedback regarding your experience. Because the feature can recognize zero-day attacks, we also encourage our customers to share the intelligence when they detect unknown samples.

Protecting our customers from threats–advanced or otherwise–is our mission. The McAfee Labs IPS team, part of Intel Security, continues to work hard to maintain its leadership in this field.

Thanks to Chang Liu and Winny Thomas, who made special efforts for this product feature.

The post An Advance You Won’t Want to Miss: McAfee Adds Flash Exploit Detection to NSP 8.2 appeared first on McAfee.

Slow File Infector Spies on Victims


In the middle of 2012 McAfee Labs observed the complex malware XDocCrypt infecting documents, Excel workbooks, and executable files. Recently we have seen a similar infection method that attacks PDF, MSI (Windows installer), and executables, though the current malware is not as complex as XDocCrypt.

W32/PDFCrypt is not complex. The coding standards, propagation methods, stealth mechanism, and the payload binaries clearly indicate that this author is a novice.

W32/PDFCrypt adds selective parasitic capabilities to infect PDF, MSI, and executable files–the last named setup.exe (all lowercase)–as shown in the following screen capture, which names the file types that this malware can infect. Infections occur only through removable media and writable mapped network drives. We saw no infections on the local host. Nothing appeared to happen during the first 30 minutes, but then the malware started to work.

[Figure: extension routine listing the file types the malware can infect]

Each hijacked original file is compressed with the aPLib compression library. The original file is then replaced by the infector executable, and the compressed data (the original file) is stored in the resource data directory entry “RT_DATA 2AF8”.

Though coded to infect PDF, MSI, and setup.exe files, we saw active infections only on PDFs. The malware has no logic to check the actual file type; it simply reads the file extension.

The malware decompresses the original file (pdf, msi, exe) and copies it to %temp% with a random name. It then executes the original file from %temp% along with the following files. The malware creates these files if they do not exist:

• %APPDATA%\SoftwareProtectionPlatform\sppc.exe
• %WINDIR%\SYSTEM32\wsauth.exe
• \temp.exe

Wsauth.exe runs as a service and hides from Windows Explorer by hooking the function NtQueryDirectoryFile in ntdll.dll.

We saw temp.exe, which ensures the host becomes infected, only on removable media. It has the icon of a folder to lure users.
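The infector described above selects targets by extension alone and leaves a PE executable wearing the document’s icon in place of each .pdf or .msi. The defender-side counterpart is a scan that compares each file’s extension with its real header and flags a “document” that actually starts with the MZ signature. This is an added example, not code from the post or from McAfee; the sample “removable drive” it builds is constructed here for the demonstration.

```python
import os
import tempfile

# Magic numbers for the file types W32/PDFCrypt targets. A PE executable
# starts with "MZ"; an MSI package is an OLE compound document.
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_MAGIC = b"MZ"

# What the content of a file with this extension should start with.
EXPECTED_MAGIC = {".pdf": PDF_MAGIC, ".msi": OLE_MAGIC}


def classify(path):
    """Classify one file by comparing its extension with its real header.

    Returns "ok", "pe-disguised" (a .pdf/.msi whose bytes are really a PE
    executable, which is what the infector leaves behind) or "unknown"
    (header matches neither the expected type nor a PE executable).
    """
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXPECTED_MAGIC:
        return "ok"          # not a type this check covers
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(EXPECTED_MAGIC[ext]):
        return "ok"
    if head.startswith(PE_MAGIC):
        return "pe-disguised"
    return "unknown"


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted removable drive or a mapped share)
    and return [(relative_path, verdict)] for every file that is not "ok"."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict != "ok":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, verdict))
    return sorted(findings)


def build_sample_drive():
    """Create a constructed 'removable drive' in a temp directory. The files
    are stand-ins written here for the demonstration, not real samples."""
    root = tempfile.mkdtemp(prefix="pdfcrypt_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.pdf": b"%PDF-1.4\n% constructed clean PDF\n",
        "docs/invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE stub with a .pdf name
        "setup.msi": b"MZ\x90\x00" + b"\x00" * 60,          # PE stub with an .msi name
        "tools.msi": OLE_MAGIC + b"\x00" * 56,              # genuine OLE container
        "readme.txt": b"plain text, not a type this check covers\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, verdict in scan_tree(build_sample_drive()):
        print(f"{verdict:13} {rel}")
```

Point `scan_tree` at the mount point of a removable drive to use it on real media; a hit only says the header disagrees with the extension, so keep the file for analysis rather than deleting it.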

This malware does not ask for any ransom to decompress the original files–unlike the ransomware CryptoLocker. W32/PDFCrypt spies on its victims, collecting user data by hooking onto browsers such as Internet Explorer, Firefox, and Chrome.

The malware gathers the following information from the compromised system:

[Figure: system information gathered by the malware]

After a delay of around 45 minutes, the malware downloaded an old Conficker worm, which McAfee has detected since January 2013.

The resource data directory contained the following DLLs and corresponding resource IDs:

DLL name            Resource ID
32-bit aplib.dll    6Ah
64-bit aplib.dll    6Bh
client.dll          65h
client64.dll        66h
miniresources.dll   69h

The files client.dll (on 32-bit machines) and client64.dll (on 64-bit machines) are the main infectors. Once loaded into the memory of explorer.exe, this file carries out the complete infection cycle. Client*.dll uses the matching 32-bit or 64-bit aplib.dll to compress the target files. It also runs the file wsauth.exe as a service component.

The miniresource.dll file hosts the icons for PDF and MSI files. The icon and resource information of the original executable is reused by the infected file. Miniresource.dll builds the resource information on the infected executable.

Like Conficker, this malware can generate domains using a domain generation algorithm and uses DNS to check the status of the remote host. Once connected to a live server, the malware downloads further payloads, in our case Conficker. W32/PDFCrypt can also connect to remote control servers.

This malware is not widespread at this point. We have seen it in very few places around the world. McAfee DATs detect the dropper component. Infected PDF and exe files can be restored using the latest beta DATs and the McAfee Stinger tool.

The post Slow File Infector Spies on Victims appeared first on McAfee.

McAfee Labs Researchers Offer Master Class in Security at Oregon State


For McAfee Labs the New Year will start with a lot of excitement. During the next 10 weeks, several of us researchers will teach a master class at Oregon State University. During this class, “Defending against the Dark Arts,” more than 60 students will be served a diversity of topics, including malware, forensics, memory analysis, exploits, rootkits, and mobile threats.

The master class is part of the Multiple Engineering Cooperative Program (MECOP). The program began in 1978 as a collaboration between OSU and Oregon-based manufacturing companies that hired engineering graduates. Its purpose is to produce engineering graduates of the highest caliber and to bridge academic theory with industrial reality. Since 2013, Intel Security Group (McAfee) has been a member. Both classroom instruction and internships are part of the program. More than 70 percent of the students end up with a job offer from the more than 120 participating MECOP companies.

Personally, I’m really looking forward to teaching the first two weeks of classes: malware basics and incident response/forensics. In these two weeks we will build a foundation of terminology, tools, and practices. During malware basics, students will start to interact with real malware samples, to understand how they work and how to conduct basic analysis. In the second week, we will spend a few hours as an incident responder and forensic investigator. We will end that week with a great challenge in which the students will compete with each other.

It is fulfilling to inspire young people who are about to graduate and choose a career path. We hope we can share some of the passion for the areas we work in. As John Wesley said, “When you set yourself on fire, people love to come and see you burn.”

The post McAfee Labs Researchers Offer Master Class in Security at Oregon State appeared first on McAfee.

Optimizing DAT Performance: Smaller Is Better


I want to share some of the good work McAfee Labs did in the past year in optimizing and enhancing the V2 DATs (malware definition files, also known as AVV DATs) used in McAfee VirusScan Enterprise and other McAfee enterprise products. In 2014, we reduced DAT size by more than 45% to about 70MB, down from a high of about 132MB.

These enhancements have led to a big performance win: The reduction in DAT size automatically translates into faster system scan times and smaller DAT updates. Even more impressive is that these massive size reductions have been achieved while delivering consistently high protection effectiveness results in tests last year by AV-Test, AV-Comparatives, and NSS Labs.

[Figure: V2 DAT size during 2014]
Shrinking strategy
McAfee Labs evaluated its DAT signature categories and focused first on hash-based detections that had been added by our automation systems. Over time, human-authored generic signatures evolved to overlap most hash-based signature content, allowing for their safe removal without losing any detection capability.

The second strategy was to target signatures not seen in the field—mainly single-use malware deployed in common spam campaigns. The risk of seeing these old files in the field is very low. If these signatures were not seen via our McAfee Global Threat Intelligence (GTI) cloud telemetry, we moved them into the McAfee GTI cloud where they still provide protection but without the performance impact of constantly downloading unneeded data.

Antimalware engine releases such as the 5600 and 5700 engines used in McAfee VirusScan Enterprise and other McAfee enterprise products also allow us to port commonly used code in the DAT files to native engine code. Although in the past there were limitations to authoring generic detections on unsupported packers or file formats, new engines enable better decomposition of these formats, allowing researchers to create better generic signatures.

Continuing performance focus
The DAT optimization project was incredibly complex, requiring significant testing and validation to ensure DAT quality, safety, and consistently high protection effectiveness. Scan times are now back to pre-2011 levels without any product or technology uplifts.

As we continue to innovate, the ability to process V3 DATs—the successor to V2 DATs—will be integrated into all McAfee endpoint products. Today, V3 DATs are used by McAfee Endpoint Protection for SMB, McAfee Internet Security, and McAfee Antivirus Plus. V3 DATs further reduce DAT size. Currently, they are smaller than 30MB, providing even better system scan time performance while still delivering outstanding protection results!

[Figure: V2 and V3 DAT sizes during 2014]

To learn more about the V2 DAT and the new V3 DAT, see KB82396: “FAQs for V3 DAT files.”


The post Optimizing DAT Performance: Smaller Is Better appeared first on McAfee.

Apps Sending Plain HTTP Put Personal Data at Risk


At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on Android. We shared with our audience research on other app vulnerabilities because we believe apps (especially mobile apps) will be an increasing attack surface for cybercriminals. Today we’d like to provide an update to this issue concerning insufficient transport-layer protection.

This topic covers similar ground to the stats Intel Security called out last year in the McAfee Mobile Security Report: “After analyzing the behavior and permissions of thousands of Android apps, our research team found that 82% of apps track mobile activities,” the report said. When this type of data collection is sent to the app developer’s server without proper encryption, users’ personal information and enterprise data are at risk.

Costco app: naked credentials

The Android apps we analyzed in our AVAR paper are also exposed to this vulnerability. When we tested the Costco app with a fake account, the login request was clearly captured in Fiddler because the request was in plain HTTP. What does this mean? Be more cautious if you are shopping online using your phone while connecting to a public wireless network.


Motivated to discover similar risks in other apps, we tested a few more programs in depth and became very alarmed. This plain HTTP risk is everywhere. Let’s walk through two such apps, Weibo and Sogou.

Weibo: social media chat easily sniffed or spoofed

Weibo is a Chinese social media platform like Twitter or Facebook. You post your status, chat with your friends, etc. Now suppose you post a message as follows in Weibo:


You can see what’s being sent to the Weibo back end by capturing the traffic with Wireshark:


And the cookie is there for an attacker to harvest or even alter your post message via a man-in-the-middle attack.


You may ask, who cares? This is a post on social media and is meant to be public. But what about your private chats with friends? We sent the following message via the chat window:


Again Wireshark shows us exactly the text, without encryption, begging for an attack (such as modifying the chat, injecting malicious links, etc.). There’s no privacy here!


Sogou sends device data via plain HTTP

Sogou is the most popular Chinese input-method editor, claiming more than 400 million installations. Users benefit from word suggestions without having to fully spell out words in Pinyin. (Instead of typing ni hao for “hello,” for example, you type just “nh.”)


That’s all we want from a language input editor, and that’s why we installed it on a Windows 7 machine. However, when we connected an iPod via USB to this machine, we saw the following captured on Fiddler:


At first glance the preceding data may not seem like much, but it leads to a question: Why would a language input editor want to know “the user has connected an iOS device (iPod5), it is running on iOS 7.0, the serial number is “650…,” and it is connected via the USB hub “USB#ROOT_HUB20#48…”?

When we connected an Android phone, Fiddler showed a similar data collection:


Collecting device information in these scenarios is not something we expect or appreciate from language-input software. What is scarier is that the plain-HTTP transport invites attacks in a world full of poisoned mobile hotspots.

We call for app developers to close loopholes like these in their security development life cycles.
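As an added illustration, not part of the McAfee post, here is a small checker that parses a captured HTTP request and lists what anyone on the same network can read when the request travels as plain HTTP: a login credential, a session cookie, or a device identifier, the three kinds of leak the captures above show. The three sample requests and their field names are constructed here with invented values and reserved .test hosts.

```python
from urllib.parse import parse_qs, urlsplit

# Field names treated as credentials or device identifiers (assumed names,
# chosen to match the kinds of data the captures above revealed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "pin"}
IDENTIFIER_FIELDS = {"serial", "serialnumber", "imei", "udid", "deviceid", "mac"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cleartext_exposures(raw, over_tls=False):
    """Return a sorted list describing what this request exposes on the wire.

    A request carried over TLS is treated as protected. For plain HTTP every
    cookie, authorization header, credential field and device identifier in
    the query string or form body is reported.
    """
    if over_tls:
        return []
    _method, target, headers, body = parse_request(raw)
    found = set()
    if "cookie" in headers:
        found.add("session cookie")
    if "authorization" in headers:
        found.add("authorization header")
    params = dict(parse_qs(urlsplit(target).query))
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params.update(parse_qs(body))
    for name in params:
        key = name.lower()
        if key in CREDENTIAL_FIELDS:
            found.add("credential field '%s'" % name)
        elif key in IDENTIFIER_FIELDS:
            found.add("device identifier '%s'" % name)
    return sorted(found)


# Constructed requests modelled on the three captures in the post.
LOGIN_REQUEST = (            # a shopping app login, like the Costco capture
    "POST /api/login HTTP/1.1\r\nHost: shop.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
    "username=demo.user&password=hunter2"
)
STATUS_POST_REQUEST = (      # a social-media status update with its cookie
    "POST /statuses/update HTTP/1.1\r\nHost: social.test\r\n"
    "Cookie: SUB=constructed-session-token\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "status=Hello+from+my+phone"
)
DEVICE_REPORT_REQUEST = (    # an input editor reporting a connected device
    "GET /report?os=iOS+7.0&model=iPod5&serial=650CONSTRUCTED HTTP/1.1\r\n"
    "Host: ime-telemetry.test\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("login", LOGIN_REQUEST), ("status", STATUS_POST_REQUEST),
                      ("device report", DEVICE_REPORT_REQUEST)]:
        print(name, "->", cleartext_exposures(raw))
```

To run this over real traffic, feed it the request text exported from Fiddler or Wireshark and pass `over_tls=True` for connections that were captured on port 443.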

The post Apps Sending Plain HTTP Put Personal Data at Risk appeared first on McAfee.

New Year, New Cyberthreats: What’s in Store for 2015? January #SecChat


Unfortunately, the good guys aren’t the only ones with resolutions for the New Year. From cyber espionage to increasingly unforgiving ransomware, non-Windows malware to attacks on the Internet of Things—new and evolving cyberthreats are expected to surface rapidly in 2015.

Join us for a discussion of the current and upcoming cyberthreat landscape, and the ways in which we can prepare for the latest threats before they strike.

During our January #SecChat, we’ll discuss key findings and predictions from the McAfee Labs Threats Report, November 2014. Through this discussion, we hope to spark an insightful conversation around threats in the New Year, and how organizations can take action to prepare against those threats. Joining us for this #SecChat will be some of the most senior threat researchers in McAfee Labs; they will provide valuable insights on their 2015 threat predictions. We look forward to your predictions as well.

Intel Security #SecChats are held in an open forum. We seek to foster conversation with participants on pressing issues facing the information security community. During the discussion, participants will have an opportunity to ask questions and contribute their own insights on the 2015 threat predictions highlighted in the McAfee Labs Threats Report. Ready to join in? Here’s what to do on January 29 at 11am PST:

  • Sign into your Twitter account at www.twitter.com.
  • Search for the #SecChat hashtag to watch the real-time stream.
  • Be sure to follow @IntelSec_Biz on Twitter, as we will tweet our questions to kick off the discussion.
  • Feel free to tweet your reactions, questions, and responses to chat topics by tagging all your tweets with the #SecChat hashtag.
  • If you have any questions prior to the chat, please tweet them to @IntelSec_Biz.

Don’t forget to mark your calendars for 11am PT on January 29th and RSVP here. We look forward to the upcoming discussion!

The post New Year, New Cyberthreats: What’s in Store for 2015? January #SecChat appeared first on McAfee.


The Rise of Backdoor-FCKQ (CTB-Locker)


By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek)

In the McAfee Labs Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as “the year of shaken trust”. Indeed, almost every single threat measured saw notable increases in Q3, which pointed to a rather ominous 2015. There was, however, one notable exception: ransomware.

[Figure: ransomware trend from the McAfee Labs Report, November 2014]

The above figure offered some respite from the threat of ransomware, but, as predicted in the McAfee Labs threat predictions, “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”

For many, this prediction appears to be ringing true with the rise in Backdoor-FCKQ (also known as CTB-Locker), which is being distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Details

“Backdoor-FCKQ” is a new crypto malware delivered through email that encrypts data files present in the target system.

It copies itself to the following folder:

  • %temp%\<7 random characters>.exe
  • %temp%\wkqifwe.exe

It also creates a scheduled job whose name consists of 7 random characters:

  • %windir%\Tasks\cderkbm.job

The following registry keys have been added to the system:

  • %ALLUSERSPROFILE%\Application Data\Microsoft\<7 random characters>

It injects code into svchost.exe, and svchost.exe then launches the file from the following location:

  • %temp%\<7 random characters>.exe

The code injected into svchost.exe encrypts files with the following extensions:

  • .pdf
  • .xls
  • .ppt
  • .txt
  • .py
  • .wb2
  • .jpg
  • .odb
  • .dbf
  • .md
  • .js
  • .pl

Once infected, the malware will display the following image on the system:

[Figure: CTB-Locker ransom screen]

The newly created process creates a mutex named:

  • \BaseNamedObjects\lyhrsugiwwnvnn

An interesting angle in this new round of Backdoor-FCKQ malware is the use of a well-known downloader known as Dalexis. There are several versions of this downloader around; a simple query in our internal database returned more than 900 hits for this downloader and its variants. To circumvent anti-spam tools, the downloader is hidden in a zip file that contains another zip, which eventually unpacks to a .scr (screensaver) file.

The function of the downloader is to download additional malware from certain locations, unpack the XOR-encoded malware, and execute it. In this case the additional malware, the actual CTB-Locker, was packed in a file called ‘pack.tar.gz’:

[Figure 1: ‘pack.tar.gz’]

As the screenshot above shows, there is no file header that corresponds to a known file type. For example, if this were an executable file, the first two characters (the ‘magic number’) would have been ‘MZ’. This is one of the ways in which malware authors try to circumvent gateway detection of malware. Another trick we have seen a lot recently is to host the malware payload on Pastebin or GitHub.

In this case, the ‘pack.tar.gz’ file used different XOR keys to encrypt different parts of the file. Once this puzzle was cracked, the ‘unpacked’ code of Backdoor-FCKQ was revealed:

[Figure 2: Unpacked code of Backdoor-FCKQ]

With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, code fragments were immediately recognized.
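As an added triage helper (not from the post or from McAfee), the magic-number check described above, extended to XOR-encoded payloads: when no known header is present, it tests whether a single-byte XOR key restores the ‘MZ’ header and whether that same key also reveals the “PE\0\0” signature at e_lfanew. The payload below is constructed for the demonstration, not the real ‘pack.tar.gz’; a second constructed variant uses a different key for the later part of the file, as the real sample did, so the header key is found but the signature check does not confirm it.

```python
import struct

# Headers of common container and executable formats, checked first.
KNOWN_MAGICS = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"\x1f\x8b": "gzip data",
    b"%PDF-": "PDF document",
}


def identify(blob):
    """Return the format name whose magic number starts `blob`, or None."""
    for magic, name in KNOWN_MAGICS.items():
        if blob.startswith(magic):
            return name
    return None


def xor_single(data, key):
    """XOR every byte of `data` with the one-byte key."""
    return bytes(b ^ key for b in data)


def recover_pe_xor_key(blob):
    """If `blob` is a PE file XORed with one byte, return (key, confirmed).

    Exactly one key can turn blob[0] into 'M'; it is a candidate only if it
    also turns blob[1] into 'Z'. `confirmed` is True when the same key also
    reveals "PE\\0\\0" at the e_lfanew offset stored at 0x3C. If later parts
    of the file were encoded with a different key, the header key is still
    found but `confirmed` is False, which is itself a useful hint.
    """
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    e_lfanew = struct.unpack("<I", xor_single(blob[0x3C:0x40], key))[0]
    confirmed = (e_lfanew + 4 <= len(blob) and
                 xor_single(blob[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00")
    return key, confirmed


def triage(blob):
    """Classify a downloaded payload without executing it."""
    kind = identify(blob)
    if kind is not None:
        return {"type": kind, "xor_key": None, "confirmed": True}
    found = recover_pe_xor_key(blob)
    if found is None:
        return {"type": "unknown", "xor_key": None, "confirmed": False}
    key, confirmed = found
    return {"type": "XOR-encoded PE executable", "xor_key": key, "confirmed": confirmed}


def build_constructed_payload(header_key, tail_key=None):
    """Constructed stand-in for 'pack.tar.gz' (not the real sample): a minimal
    PE header XORed with `header_key`; if `tail_key` is given, everything
    from e_lfanew onwards is XORed with that second key instead."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ") + bytearray(0x3C - 2)
    hdr += struct.pack("<I", e_lfanew)           # e_lfanew field at 0x3C
    hdr += bytearray(e_lfanew - len(hdr))
    tail = b"PE\x00\x00\x4c\x01" + bytes(16)     # signature + IMAGE_FILE_MACHINE_I386
    second = header_key if tail_key is None else tail_key
    return xor_single(bytes(hdr), header_key) + xor_single(tail, second)


if __name__ == "__main__":
    print(triage(build_constructed_payload(0x5A)))
    print(triage(build_constructed_payload(0x5A, tail_key=0x33)))
```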

As a quick YARA detection rule, the following could be used:

[Figure 3: YARA detection rule]

Bitcoin trail

While tracing the bitcoin trail and possible transactions, we found no value in the account and no transactions to other accounts.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

A special thanks to Sanchit Karve for his assistance in the analysis.

The post The Rise of Backdoor-FCKQ (CTB-Locker) appeared first on McAfee.

January Twitter #SecChat Recap—New Year, New Cyberthreats: What’s in Store for 2015?


The figgy pudding is gone, the champagne is flat. As New Year celebrations fade to the past and 2015 really sets in, one thing remains constant: cybercriminals have not changed. They’re still up to their tried and true antics, and the year will bring new, more sophisticated threats to individuals and enterprises alike. In our January Twitter #SecChat, we discussed the changing threat landscape and top threat predictions for 2015. This discussion was based on key findings and predictions from the McAfee Labs Threats Report, November 2014. Below are some of the highlights from the chat:

Which cyberthreats do you anticipate will cause the most damage in 2015?

We kicked off our #SecChat by asking attendees which threats they thought would cause the most damage this year. While diverse perspectives were shared, ransomware was a common thread in the conversation (as seen in @craigschmugar‘s answer below). In addition to ransomware, Twitter user @imuttik claimed that while 2014 was seemingly the year of crypto-vulnerabilities, 2015 could be the year of cloud abuse. According to @bsmuir, ICS/SCADA systems and open source code will also be central cyberthreat themes in 2015:

 

 

What struggles with data privacy do you foresee occurring in 2015?

#SecChat attendees agreed that the topic of data privacy brings with it many unanswered questions. @Raj_Samani suggested that our standards of privacy are unrealistically high. Likewise, @mdennedy pointed out that the tug-of-war between surveillance, speech and human controls presents “massive open questions.” While many participants agreed that the state of data privacy in 2015 was very much “up in the air,” @SPCoulson changed the pace, asserting that companies should first decide what personal information is at risk and what needs securing:

 

 

How do you think organizations should prepare for the changing threat landscape? 

In closing, we asked #SecChat participants how they thought organizations should prepare for emerging cyberthreats in 2015. @Scott_Nelson19 insisted that understanding threat motivations and preparing a breach response are key to taking cybercrime head on. A different approach was proposed by @HaifeiLi, who said that comprehensive solutions are necessary when combatting new threats. @IntelNorris suggested companies combat emerging threats by investing in a framework built for quick threat identification, communication and remediation, such as McAfee Threat Intelligence Exchange. Finally (and perhaps key to each of the above points), @ITrusevych said that staff education and training is vital when preparing for new threats:    

 

 

Our #SecChat covered a lot of ground on the topic of cyberthreat predictions for 2015, from discussing the inevitable growth of ransomware to suggesting measures organizations should take to optimize network security as the year progresses. Thanks to all who joined the conversation! To view the full chat on Twitter, check out the #SecChat hashtag, and be sure to follow @IntelSec_Biz to stay informed about upcoming chats.


Steamstealer Attacks Victims via Chat


During the last few months, McAfee Labs has seen an increase in Steamstealer samples. The following chart shows the recent trend:

Steamstealer is a Trojan that steals a victim’s sensitive information and sends it to a remote attacker. The malware requires the Microsoft .NET Framework on the victim’s machine and spreads via spam messages sent through the Steam community, where users play and download games, software, etc. Users need a Steam account to access these services. Whenever a user logs in to a Steam account, Steam sends a one-time code to the registered email address. The following snapshot shows an example:

The malware is propagated via Steam chat. Once an account has been compromised, the attacker uses it to send unsuspecting victims malicious links. Sometimes the attacker uses the Steam marketplace to offer “deals” at very low prices, luring victims into installing a seemingly innocuous screensaver or game that is actually the threat. The malicious executable may have one of the following names:

  • steamwebhelper.exe
  • steamfilestealer.exe
  • img_012.exe
  • browse_service.exe
  • bv847347bdg.exe
  • SteamStear260115.exe
  • Attachments_27_01_2014.exe

Steamstealer usually copies itself into the logged-on user’s Application Data folder (here, the Administrator account):

  • C:\Documents and Settings\Administrator\Application Data\steamwebhelper2\steamwebhelper.exe

This malware is heavily obfuscated with Confuser, a popular free, open-source .NET obfuscator that makes files difficult to reverse engineer. Loading the obfuscated file in IDA produces the following error:

Steamstealer uses several icons:


Some of the Steamstealer’s main functions are shown below:

Functions

  • Steamworker is the class whose object collects information from the victim’s machine and account, including cookies, friends, etc.
  • addOffer is the function the attacker uses to attach a trade offer to the victim’s account, which can be acted on later:
     addOffer("765611981401****2", "179905**4", "3dnc**Nb")

The first parameter, "765611981401****2", is the profile ID of the user (steamcommunity.com/765611981401****2). The second parameter, "179905**4", is the trade offer ID (steamcommunity.com/179905**4). The third parameter is the token, as in steamcommunity.com/179905**4&token=3dnc**Nb.

  • ParseSteamCookies lets the attacker steal the Steam user’s session cookies.
  • addItemstoSteal defines the items and information to steal from the victim’s account and machine.
  • SendItems sends the stolen items from the victim’s account to the attacker’s account.
  • sendMessageToFriends sends the lure message from the compromised account to its friends list.

Stealing the data

The malware first compresses the stolen data into the zip format:

It next collects the victim’s machine name and username, and obtains the public IP address by sending a web request to icanhazip.com (this data can be used for future spamming). The malware emails the data to the attacker’s address:

The attacker sends links that appear harmless to the victim but actually download the malware, for instance a Google document that looks legitimate but contains an executable.

The attacker also collects information about user login data from various browser files:

  • OldOperaPath=”%Appdata%\\Opera\\Opera\\wand.dat”
  • OldOperaPathX64=”%Appdata%\\Opera\\Opera x64\\wand.dat”;
  • ChromePath=”%LocalAppdata%\\Google\\Chrome\\User Data\\Default\\Login Data”
  • YandexPath=”%LocalAppData%\\Yandex\\Yandex Browser\\User Data\\Defaul\\LoginData”

A snapshot of the attacker’s credentials:

Stolen data from the victim’s machine:

McAfee products detect this threat as PWS-FCAA! and PWS-FBYZ!

I would like to thank my colleague Rakesh Sharma for his help with this analysis.


Hacking the Human OS: A Report on Social Engineering


Why are data breaches so commonplace? Whether the attacks are against the energy sector, as reported in July 2014[i] when more than 1,000 energy companies in North America and Europe were said to have been compromised, or against other sectors (for example, Operation Troy, Operation High Roller, Night Dragon), it would appear that no sector is immune. One common theme among these and other attacks is the initial infection vector, namely exploiting the subconscious of a trusted employee. The modus operandi for most common data breaches is to leverage some form of social engineering to coerce the user into an action that facilitates malware infection.

The prevalence of social engineering in many publicly disclosed cyberattacks demonstrates either an inherent weakness in victims’ ability to distinguish malicious communications, or that cybercriminals are using more complex methods to bypass the ‘human firewall’. The answer likely lies somewhere between these two statements, but regardless of the root cause it shows that the first line of defense is evidently failing. The default position is to blame users as the cause of breaches, which is not entirely fair. While there will be examples where clearly unsafe practices are being employed, our latest whitepaper, “Hacking the Human Operating System”, demonstrates that the techniques used by attackers aim to bypass the consciousness of their targets and manipulate victims through subconscious levers of influence.

The paper reviews the concept of social engineering; the techniques used within many recent cyberattacks, the levers used to influence victims, the communication channels used, and suggested controls to reduce the risk. Much has been written about social engineering, and the content of these sources varies widely, from definitions to mitigation. The purpose of the paper is to define the concepts and introduce mitigations that go beyond simply suggesting that awareness is a panacea.

Unless we address the first line of defense, data breaches will continue to hog our Twitter timelines and support the ever-burgeoning cost of cybercrime.

Twitter: @Raj_Samani

Twitter: @McAfee_Labs

[i] http://www.bbc.co.uk/news/technology-28106478


Threats Report From McAfee Labs Highlights Mobile Apps Vulnerabilities


The latest threats report from McAfee Labs, published today, includes a sobering discussion about ongoing vulnerabilities in mobile apps; details about a powerful, easy-to-use, and now very popular exploit kit; and an overview of the challenging world of potentially unwanted programs (PUPs). The report also includes our regular serving of threats statistics.

 

Mobile apps exposed to SSL/TLS vulnerabilities

An average person has 27 apps on his or her smartphone and uses them more than 30 hours a month. Many of these mobile apps attempt to securely connect to their companion websites. Unfortunately, the cryptographic implementation on thousands of mobile apps is vulnerable to exploitation, and many of them have not been fixed. With Mobile World Congress coming up on March 2, mobile security is an important topic.

McAfee Labs tested the top 25 downloaded mobile apps that were identified as vulnerable by CERT in September 2014; when we tested them in January this year, we found that 18 still have the same vulnerabilities. We were able to intercept usernames and passwords sent between the apps and their associated websites. Some of these apps log into their own hosts, so users with distinct passwords are exposing only information passed between the mobile app and the website. However, others use third-party services such as Facebook, Instagram, and Microsoft OneDrive, potentially giving attackers access to users’ private information on other websites.

These mobile app vulnerabilities are the result of poor programming practices related to the establishment of Secure Sockets Layer (SSL) connections. Mobile app developers can take advantage of online documentation on SSL vulnerabilities, including sound guidance from CERT and Google’s Android team. Open-source tools such as Nogotofail can also be used to find and fix weak SSL connections and inappropriate cleartext traffic.

And users? Employing unique passwords and logon credentials will contain exposure to at least a single app or service. Think about whether the convenience of using social network credentials for other apps justifies the risk. Is it even worth logging in? What additional benefits are received beyond those of a “guest” user? Before installing a new app (or continuing to use a current one), do a quick web search to see what others are saying about it.

 

The powerful Angler exploit kit

In 2013, the creator of the popular Blacole exploit kit was arrested. By mid-2014, a new exploit kit, Angler, appeared to have taken Blacole’s place as one of the most popular criminal tools. The kit is simple to use and puts exploitation capability in the hands of anyone who obtains it. During the past year, Angler has added new tricks, including fileless infection and virtual-machine awareness to evade sandboxes and other security defenses. Angler can deliver many payloads, from rootkits to ransomware, and it is the first kit to exploit a vulnerability in Microsoft Silverlight. Key defenses against Angler include frequent or automatic installation of Windows updates and other software patches, enabling antivirus scanning on all attachments, and using a browser plug-in to block script execution.

 

Potentially unwanted programs

Malware headlines are usually focused on data theft or unauthorized access, but there is another type of high-risk program that generates more than 90% of the daily hits detected by our telemetry: potentially unwanted programs (PUPs). These programs, often adware, do not steal user data but instead hijack information flow to serve specific ads. Because their actions are not overly malicious, they are difficult to classify and often piggyback on legitimate software installations such as browser extensions and toolbars. McAfee Labs analyzes PUPs for unwanted behavior and then classifies them so that you can easily block them.

For more information on these and other topics, read the February 2015 Threats Report from Intel Security.


Apps Sending Plain HTTP Put Personal Data at Risk


At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on Android. We shared with our audience research on other app vulnerabilities because we believe apps (especially mobile apps) will be an increasing attack surface for cybercriminals. Today we’d like to provide an update to this issue concerning insufficient transport-layer protection.

This topic covers similar ground to the stats Intel Security called out last year in the McAfee Mobile Security Report: “After analyzing the behavior and permissions of thousands of Android apps, our research team found that 82% of apps track mobile activities,” the report said. When this type of data collection is sent to the app developer’s server without proper encryption, users’ personal information and enterprise data are at risk.

Costco app: naked credentials

The Android apps we analyzed in our AVAR paper are also exposed to this weakness. When we tested the Costco app with a fake account, the login request was captured in full in Fiddler because it was sent over plain HTTP. What does this mean? Anyone on the network path, such as the operator of a public wireless hotspot or another client on it, can read the credentials. Be more cautious if you shop online from your phone while connected to a public wireless network.


Motivated to discover similar risks in other apps, we tested a few more programs in depth and became very alarmed. This plain HTTP risk is everywhere. Let’s walk through two such apps, Weibo and Sogou.

Weibo: social media chat easily sniffed or spoofed

Weibo is a Chinese social media platform like Twitter or Facebook. You post your status, chat with your friends, etc. Now suppose you post a message as follows in Weibo:


You can see what’s being sent to the Weibo backend by capturing the traffic from Wireshark:


And the cookie is there for an attacker to harvest or even alter your post message via a man-in-the-middle attack.


You may ask, who cares? A post on social media is meant to be public. But what about private chats with friends? We sent the following message via the chat window:


Again Wireshark shows us exactly the text, without encryption, begging for an attack (such as modifying the chat, injecting malicious links, etc.). There’s no privacy here!


 


Sogou sends device data via plain HTTP

Sogou is the most popular Chinese input-method editor, claiming more than 400 million installations. Users benefit from suggestions of likely words without having to spell them out fully in Pinyin. (Instead of typing ni hao for “hello,” for example, you type just “nh.”)


That’s all we want from a language input editor, and that’s why we installed it on a Windows 7 machine. However, when we connected an iPod via USB to this machine, we saw the following captured on Fiddler:


At first glance the preceding data may not seem like much, but it leads to a question: Why would a language input editor want to know “the user has connected an iOS device (iPod5), it is running on iOS 7.0, the serial number is “650…,” and it is connected via the USB hub “USB#ROOT_HUB20#48…”?

When we connected an Android phone, Fiddler showed a similar data collection:


Collecting device information in these scenarios is not something we expect or appreciate from language-input software. What is scarier is that the plain-HTTP transport invites interception and tampering in a world full of poisoned mobile hotspots.

We call for app developers to close loopholes like these in their security development life cycles.
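Captures like the ones above can be triaged automatically. As an added example, not code from McAfee or from the apps discussed, the Python below parses raw HTTP requests as a proxy or a Wireshark stream would show them and flags credentials, session cookies and device identifiers that travel without TLS. The three sample requests are constructed to mirror the login, status-post and device-report cases described here; the hostnames, parameter names and values are illustrative.

```python
"""Flag sensitive data travelling in cleartext HTTP requests.

Added example (not McAfee's code): given raw HTTP request text, as a proxy
such as Fiddler or a Wireshark "Follow TCP stream" would show it, report
requests that carry credentials, session cookies or device identifiers
without TLS. The sample requests below are constructed; hostnames,
parameter names and identifiers are illustrative, not captured traffic.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel in the clear.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "pin", "token", "access_token"}
# Keys that identify the device or user rather than the session.
DEVICE_KEYS = {"imei", "serial", "serialnumber", "udid", "deviceid", "mac"}

def parse_request(raw):
    """Split one raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def flag_cleartext(raw, tls=False):
    """Return the findings for one request; empty if nothing is exposed."""
    if tls:
        return []                      # only plain-HTTP transport is in scope
    method, target, headers, body = parse_request(raw)
    host = headers.get("host", "")
    findings = []
    # Form fields may arrive in the query string or in a URL-encoded body.
    fields = parse_qs(urlsplit(target).query)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qs(body))
    for key in fields:
        k = key.lower()
        if k in CREDENTIAL_KEYS:
            findings.append(f"credential field '{key}' sent in cleartext to {host}")
        elif k in DEVICE_KEYS:
            findings.append(f"device identifier '{key}' sent in cleartext to {host}")
    if "cookie" in headers:
        # A session cookie on port 80 can be replayed by anyone on the path.
        findings.append(f"session cookie exposed to {host}")
    if headers.get("authorization", "").lower().startswith("basic "):
        findings.append(f"HTTP Basic credentials exposed to {host}")
    return findings

# Constructed sample traffic: a login post, a status post and device telemetry.
SAMPLE_REQUESTS = [
    ("POST /login HTTP/1.1\r\nHost: shop.example.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=alice&password=hunter2"),
    ("POST /statuses/update HTTP/1.1\r\nHost: social.example.com\r\n"
     "Cookie: SUB=abcdef0123; SUE=xyz\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "status=hello+world"),
    ("GET /report?serial=650ABCDEF&os=iOS7.0 HTTP/1.1\r\n"
     "Host: ime.example.com\r\n\r\n"),
]

def scan(requests):
    """Run flag_cleartext over several requests and collect every finding."""
    return [f for raw in requests for f in flag_cleartext(raw)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print("[!]", finding)
```

The same check can be pointed at an exported proxy session; the point is that the status-post request is flagged even though the post body is public, because the cookie that rides along with it is what an attacker on a hotspot would harvest.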


New Year, New Cyberthreats: What’s in Store for 2015? January #SecChat


Unfortunately, the good guys aren’t the only ones with resolutions for the New Year. From cyber espionage to increasingly unforgiving ransomware, non-Windows malware to attacks on the Internet of Things—new and evolving cyberthreats are expected to surface rapidly in 2015.

Join us for a discussion of the current and upcoming cyberthreat landscape, and the ways in which we can prepare for the latest threats before they strike.

During our January #SecChat, we’ll discuss key findings and predictions from the McAfee Labs Threats Report, November 2014. Through this discussion, we hope to spark an insightful conversation around threats in the New Year and how organizations can take action to prepare against them. Joining us for this #SecChat will be some of the most senior threat researchers in McAfee Labs, who will provide valuable insights on their 2015 threat predictions. We look forward to your predictions as well.

Intel Security #SecChats are held in an open forum. We seek to foster conversation with participants on pressing issues facing the information security community. During the discussion, participants will have an opportunity to ask questions and contribute their own insights on the 2015 threat predictions highlighted in the McAfee Labs Threats Report. Ready to join in? Here’s what to do on January 29 at 11am PST:

  • Sign into your Twitter account at www.twitter.com.
  • Search for the #SecChat hashtag to watch the real-time stream.
  • Be sure to follow @IntelSec_Biz on Twitter, as we will tweet our questions to kick off the discussion.
  • Feel free to tweet your reactions, questions, and responses to chat topics by tagging all your tweets with the #SecChat hashtag.
  • If you have any questions prior to the chat, please tweet them to @IntelSec_Biz.

Don’t forget to mark your calendars for 11am PT on January 29th and RSVP here. We look forward to the upcoming discussion!



Netwire RAT Behind Recent Targeted Attacks


Netwire is a multiplatform remote administration tool (RAT) widely used by cybercriminals since 2012. Netwire provides attackers with various functions to remotely control infected machines.

Lately, McAfee Labs has seen a spike in the number of attacks employing Netwire. In a recent case, Netwire was used in a targeted attack against the banking and healthcare sectors.

 

The Attack

This recent attack used a specially crafted Word document with an embedded malicious macro, delivered with social-engineering lures to persuade victims to open it.

Once the document is opened and the macro runs, it downloads Netwire from Dropbox:

hxxp://www.dropbox.com/s/q*********/tcpview.exe?dl=1

Once executed, the malware tcpview.exe (named after the legitimate Sysinternals TCPView utility) copies itself to the AppData folder. Hosting the payload on a trusted storage service such as Dropbox lets the download slip past firewall rules and reputation-based heuristics that would block an unknown domain.

Netwire

Netwire is a sophisticated RAT with various remote-control functions, including:

  • Collecting system information
  • File manager
  • System manager
  • Keylogging and screen capture

The following screen capture shows Netwire’s host-monitoring tool:

 

The file tcpview.exe is packed with a custom cryptor. The malware also creates a start-up entry in the registry for persistence.

The Netwire client tcpview.exe carries a fake digital signature whose certificate does not validate.

 

The second stage of the attack involves a Netwire backdoor connecting to the following control servers:

  • davidluciano.mooo.com
  • jydonky.mooo.com
  • papybrown.mooo.com

mooo.com is a free dynamic DNS domain, often favored by Netwire operators because its records can be repointed at will. Currently all of these hostnames resolve to the following IP addresses in the United States:

  • 216.38.7.229
  • 23.105.131.179
  • 23.105.131.236

The malicious Word document is detected by McAfee Advanced Threat Defense with high severity.

 

Advanced Threat Defense also classifies the downloaded file as malicious.


Amazon Gift Card Malware Spreading via SMS


Intel Security’s McAfee Labs recently published its Hacking the Human OS report, which details a number of ways in which cybercriminals rely on victims’ trust in a particular brand or public authority to hand over information or allow their systems to become infected with malicious code. This week, the McAfee Labs team uncovered a new scam leveraging user trust in the Amazon brand.

Amazon is one of the biggest online shopping markets. Recently, the McAfee Labs team found new Android malware spreading via SMS (short message service) and masquerading as an Amazon Rewards application. The SMS appears to come from trusted contacts such as family or friends whose devices are already infected. Have you received an SMS (as below) offering an Amazon Gift Card from family or friends?


The SMS uses a shortened URL that leads users to a malicious website offering a download with the filename AmazonRewards.apk. The website then tries to rush users into downloading the application by counting down the number of remaining free gift cards, a sneaky tactic!


After installation, “Amazon Rewards” appears in the application menu.


The malware shows a survey website after it runs. A user might guess that answering the survey earns an Amazon Gift Card, but that is not the case. The survey and the applications offered by the malware are legitimate advertisements and legitimate applications from the Google Play store; the malware author collects affiliate “reward” money each time a victim completes the survey or installs one of the applications.


In addition, the malware sends SMS messages like the one above to all listed contacts, including your family and friends. As a result, the malware can spread widely and rapidly, and the malware author will get more money with each infection.

This SMS spreading method via contacts on infected devices will make this threat widespread in the mobile world, as we have already seen in China. So please do not install applications from untrusted sources, especially if they arrive in the form of an unexpected SMS message. Think before you click: If it’s too good to be true, it usually is! Your awareness will help slow the spread of such malware.

McAfee Mobile Security detects this Android threat as Android/Gazon and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

 


Targeted Attack Campaign Against Indian Organizations Continues With More Exploits Focused On National Events


In November last year, McAfee Labs researchers reported on Operation Mangal, an ongoing targeted attack campaign against several Indian domestic and overseas organizations. We have actively tracked the campaign since then. In our previous analysis, we uncovered several exploits that were closely tied to India’s developmental agenda. These exploits lure victims into opening malicious documents that compromise their machines and steal confidential data. We found that this targeted campaign has been going on since 2010, with periodic variations in the malware families.

The recently appointed government and heightened activity on the domestic front have drawn considerable interest from organizations and consumers. Since January this year, we have seen a steady flow of similar exploits as part of this campaign, and they continue to closely follow national events.

Following are some recent exploit filenames or themes:

  • Indian Diplomacy At Work–UNSC Reforms.doc (MD5: faa97d7c792e3d8e7fffa9ea755c8efb; first seen: Oct 31, 2014).
  • Vibrant Gujarat Summit 2015.doc (MD5: b44a0ebddabee48c1d18f1e24780084b; first seen: Jan  6).
  • U.S.,_India_to_formulate_smart_city_action_plans_in_three_months.doc (MD5: b0ae36bcf725d53ed73126ed56e55951; first seen: Jan 28).


During late 2014 and early 2015, the attackers modified the shellcode and the dropped malware family, continuously changing their tools and techniques. Some of the recent exploits involved in this campaign drop PlugX malware. The following images show how the shellcode has been modified between exploits observed on January 6 (at left) and January 28 (at right).

While researching this campaign, we gained access to one interim control server, which appears to be the short-term registration server that a compromised host communicates with after decoding the first-stage URL. The directory structure of the control server is:

/cms:

This directory holds all the client data, in JavaScript Object Notation, from compromised machines connected to this server. The following image shows the directory structure and the information stored in the file:

Filename: h_HOST-NAME_TIMEVAR_t. All the machine information (IP, MAC, OS type, hostname, OS version, infection time stamp, etc.) is recorded on the remote server under this filename.

Next we see how the machine information looks on the control server, highlighting the infection time stamp from late last year:

Filename: r_off_PCNAME_TIME_TIME_t. This holds base64-encoded output of command lines that ran on the compromised host.

Decoding this data reveals the command executed on the compromised host and also exposes the list of documents and files on the machine that could have been stolen.

Filename: c_HOSTNAME_TIME_t. This file holds an encoded WMI script or script variables in the following form:

image_15

which turns out to be a readable WMI script when decoded:

image16

Filename: d_rdown_HOSTNAME_TIME_t. This file is uploaded from the compromised host to the control server.

Filename: rdown_HOSTNAME_TIME_t. This file is downloaded from the control server to the compromised machine. It could contain postexploitation tools to run on the host.
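Once a listing like this is recovered, the naming convention itself is enough to sort the files by role and decode the base64 bodies. The Python below is an added example, not McAfee’s tooling or anything taken from the server: it classifies names by the five prefixes described above, JSON-decodes the host records, base64-decodes the command output and WMI scripts, and pulls out document names seen in command output. The exact delimiter layout, the 8-to-14-digit timestamp shape and every sample file are assumptions constructed for illustration.

```python
"""Triage files recovered from an Operation Mangal-style control server.

Added example (not McAfee's code). The post describes a /cms directory whose
file names encode their role: h_ (host info as JSON), r_off_ (base64 command
output), c_ (encoded WMI script), d_rdown_ (upload from host) and rdown_
(download to host). The exact delimiter layout, the timestamp format and the
sample file contents below are assumptions for illustration.
"""
import base64
import json
import re

# Prefix -> role. Each prefix is distinct, so the first match is the right one.
ROLES = [
    ("h_", "host-info"),
    ("r_off_", "command-output"),
    ("c_", "wmi-script"),
    ("d_rdown_", "upload"),
    ("rdown_", "download"),
]
BASE64_ROLES = {"command-output", "wmi-script"}
# Assumed layout: <host>_<timestamp>[_<timestamp>]_t with 8-14 digit timestamps.
_TIME = re.compile(r"_(\d{8,14})(?:_(\d{8,14}))?_t$")

def classify(name):
    """Return (role, hostname, timestamps) or None for an unrecognised name."""
    for prefix, role in ROLES:
        if name.startswith(prefix):
            rest = name[len(prefix):]
            m = _TIME.search(rest)
            if not m:
                return role, rest, ()
            return role, rest[:m.start()], tuple(t for t in m.groups() if t)
    return None

def decode_record(name, body):
    """Classify one file and decode its body according to the role."""
    info = classify(name)
    if info is None:
        return None
    role, host, times = info
    rec = {"name": name, "role": role, "host": host, "times": times}
    if role == "host-info":
        rec["data"] = json.loads(body)
    elif role in BASE64_ROLES:
        rec["data"] = base64.b64decode(body).decode("utf-8", "replace")
    else:
        rec["data"] = body          # binary payloads are kept as-is for later analysis
    return rec

def triage(files):
    """Decode every file and group the records by compromised host."""
    by_host = {}
    for name, body in files.items():
        rec = decode_record(name, body)
        if rec is not None:
            by_host.setdefault(rec["host"], []).append(rec)
    return by_host

DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)$", re.I)

def documents_exposed(records):
    """Document names that appeared in decoded command output, i.e. files the
    operator had enumerated and could have pulled back with rdown_ transfers."""
    names = []
    for rec in records:
        if rec["role"] != "command-output":
            continue
        for line in rec["data"].splitlines():
            line = line.strip()
            if DOC_EXT.search(line):
                names.append(line)
    return names

# Constructed sample listing (hostnames, times and contents are invented).
SAMPLE_FILES = {
    "h_WKSTN-07_20141118093012_t": json.dumps({
        "ip": "10.0.0.21", "mac": "00:11:22:33:44:55", "os": "Windows 7",
        "host": "WKSTN-07", "infected": "2014-11-18 09:30:12"}),
    "r_off_WKSTN-07_20141118093500_20141118093501_t": base64.b64encode(
        b"dir C:\\Users\\analyst\\Documents\r\n budget.xlsx\r\n tender_2015.doc\r\n").decode(),
    "c_WKSTN-07_20141118094000_t": base64.b64encode(
        b'Set objWMI = GetObject("winmgmts:")\r\n').decode(),
    "rdown_WKSTN-07_20141118094500_t": "MZ\x90\x00",
    "index.php": "<?php ?>",
}

if __name__ == "__main__":
    for host, recs in triage(SAMPLE_FILES).items():
        print(host, sorted(r["role"] for r in recs))
        print("  documents seen:", documents_exposed(recs))
```

Grouping by host first matters in practice: the infection time stamp from the h_ record and the command time stamps from the r_off_ records give a per-victim timeline, and the rdown_ payloads tell you which post-exploitation tools reached that particular machine.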

/tools:

The tools directory hosts several postexploitation tools and malware to be downloaded from the control server to run on compromised machines. We found malicious DLLs, rootkits, encoded JavaScript malware, and cab files. One of the WMI scripts is an installer for other malware:

We have tracked down the location of many of this campaign’s control servers, primarily in the United States and China. More than 60% of the servers were hosted in the United States and more than 20% in China.


 

McAfee Advanced Threat Defense

McAfee Advanced Threat Defense provides coverage for all of these exploits as well as for the dropped files involved in this attack.


 

Attackers are continuously on the lookout for social engineering opportunities. Persuading targeted users to open malicious documents that follow national events is one of the most effective and effortless ways of carrying out these attacks. Users need to exercise extreme caution when opening documents from unknown sources, and keep their software patched.

I would like to thank my fellow researcher Brad Arndt for assistance in researching and tracking this campaign.


Teslacrypt Joins Ransomware Field


Teslacrypt is a new ransomware family that encrypts user files with AES and demands payment for the key to decrypt them. It infects systems from compromised websites that redirect victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015.) Like many other ransomware families, it encrypts document files, including text, PDF, etc., to force victims to pay a ransom to have their files restored.


Upon execution, the malware copies itself to the AppData\Roaming folder and drops the following files (the executable copy, a key.dat data file and an HTML log):

  • C:\Users\Administrator\AppData\Roaming\iylipul.exe
  • C:\Users\Administrator\AppData\Roaming\key.dat
  • C:\Users\Administrator\AppData\Roaming\log.html

Teslacrypt is compiled with C++. After executing, victims see the following window:


 

The malware asks victims to follow certain steps to obtain the private key from the server to decrypt the encrypted files.

Teslacrypt uses the following icons to confuse users into thinking that this threat is the well-known CryptoLocker. Earlier samples presented the malware under its own name, Teslacrypt; now it is labeled CryptoLocker.

  • Windows XP


  • Windows 7


 

The malware’s parent file creates a second process and a thread that performs the remaining malicious activity once the thread is resumed. The new process carries the same name as the parent file. This variant also uses the debugging API to manipulate the thread’s context, a sequence characteristic of process hollowing, in which code is written into a suspended child process before its main thread is resumed.

In the screenshot from the original post, GetThreadContext and SetThreadContext are the debugging functions that read and rewrite the thread’s context (its register state, including the entry point).

After creating the thread, the malware terminates the following running processes:

  • ProcessExplorer
  • Cmd.exe
  • Regedit.exe
  • taskmgr
  • msconfig

The malware then tries to delete the system’s shadow copies through vssadmin.exe, so that the victim cannot roll back to earlier restore points or recover previous versions of files. It also strips the Zone.Identifier NTFS alternate data stream, the mark-of-the-web that records that a file was downloaded, removing that trace from the system.
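Several of these behaviours (an executable running from AppData\Roaming, the vssadmin shadow-copy deletion it spawns) are visible in process-creation telemetry before any file is encrypted. The Python below, an added example rather than McAfee’s code, scores constructed Sysmon-style events for those traits and correlates them per host. The field names, the sample paths and the exact vssadmin Delete Shadows /All /Quiet command line are assumptions for illustration; the wmic and WMI forms are included because they achieve the same end.

```python
"""Spot ransomware pre-encryption behaviour in process-creation telemetry.

Added example (not McAfee's code). Teslacrypt runs from AppData\\Roaming and
deletes Volume Shadow Copies through vssadmin.exe before encrypting files.
The events below are constructed in a Sysmon-like shape; field names, paths
and command lines are assumptions for illustration, not captured telemetry.
"""
import re

# Command lines that destroy recovery points. The wmic and WMI forms are
# included because they reach the same goal as the vssadmin call.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
# An executable launched directly from the roaming profile folder.
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
# System binaries a user-mode dropper typically abuses (living off the land).
LOLBINS = {"vssadmin.exe", "wmic.exe", "cmd.exe", "powershell.exe"}

def score_event(ev):
    """Return the suspicious traits of one process-creation event (may be empty)."""
    traits = []
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent_image", "")
    cmd = ev.get("command_line", "")
    if any(p.search(cmd) for p in SHADOW_DELETE):
        traits.append("shadow-copy-deletion")
    if ROAMING_EXE.search(ev["image"]):
        traits.append("exe-running-from-appdata-roaming")
    if image in LOLBINS and ROAMING_EXE.search(parent):
        traits.append("lolbin-spawned-from-appdata")
    return traits

def find_ransomware_chains(events, window_s=300):
    """Per host: an AppData\\Roaming executable followed within window_s seconds
    by a shadow-copy deletion. Returns (host, dropper image, command line)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        droppers = [e for e in evs if "exe-running-from-appdata-roaming" in score_event(e)]
        for e in evs:
            if "shadow-copy-deletion" not in score_event(e):
                continue
            for d in droppers:
                if 0 <= e["ts"] - d["ts"] <= window_s:
                    alerts.append((host, d["image"], e["command_line"]))
                    break
    return alerts

# Constructed sample telemetry: PC1 shows the full chain; PC2 shows an admin
# listing shadows and a later wmic deletion with no dropper in sight.
EVENTS = [
    {"host": "PC1", "ts": 1000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": "iexplore.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "PC1", "ts": 1005, "image": r"C:\Users\bob\AppData\Roaming\iylipul.exe",
     "command_line": "iylipul.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"host": "PC1", "ts": 1012, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent_image": r"C:\Users\bob\AppData\Roaming\iylipul.exe"},
    {"host": "PC2", "ts": 2000, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "PC2", "ts": 2100, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic shadowcopy delete",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], ev["image"].rsplit("\\", 1)[-1], score_event(ev))
    print("chains:", find_ransomware_chains(EVENTS))
```

The per-event traits are worth alerting on individually (PC2’s wmic deletion is suspicious on its own), but the correlated chain on PC1 is the high-confidence signal: a fresh binary in the roaming profile that, seconds later, spawns the tool that removes the victim’s recovery options.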


We found the following strings in memory; these are the targeted file extensions that the malware will encrypt.


 

Some of the affected games and gaming software:

  • Bethesda Softworks settings file
  • F.E.A.R. 2 game
  • Steam NCF Valve Pak
  • Call of Duty
  • EA Sports
  • Unreal 3
  • Unity scene
  • Assassin’s Creed game
  • Skyrim animation
  • Bioshock 2
  • League of Legends
  • DAYZ profile file
  • RPG Maker VX RGSS
  • World of Tanks battle
  • Minecraft mod
  • Unreal Engine 3 game file
  • Starcraft saved game
  • S.T.A.L.K.E.R. game file
  • Dragon Age Origins game

The malware sends the victims’ information to its control server:


It also stores information about the encrypted files in HTML format for later use.


We have seen the following network activity for this ransomware:


The following table describes the commands sent to the control server:


The encryption used by this ransomware has not been broken. Short of restoring from a backup the malware could not reach, the only apparent way to recover the files is to pay the ransom. (However, not all ransomware operators decrypt files, even after receiving payment.) The attackers also advertise “free” decryption, which is a bogus offer.



The attacker demands either 1.5 BTC or, if victims pay through PayPal, US$1,000. The attacker prefers Bitcoin because it is harder to trace, and prices it lower than PayPal to steer victims that way.

Intel Security advises users to keep their antimalware signatures up to date at all times. McAfee products detect this threat as Ransom-Tescrypt! and Ransom-FXX!

I would like to thank my colleague Lenart Brave, who helped research this malware.


Bartallex Renews Strain of Macro Malware


In recent weeks, McAfee Labs has seen a rise in W97MDownloader malware, a macro downloader embedded in .doc files. One of the malware families delivered by these embedded macros is Bartallex, whose appearances have increased significantly during this period. The following chart shows the recent trend for the family:

[Chart: recent detection trend for the Bartallex family]

Background

This threat is a malicious macro that arrives as a Microsoft Word attachment to a spam email; once it runs, it downloads and executes the malware on the victim’s machine. Whenever a user opens the malicious .doc file, Word shows a security notification asking whether the user wants to enable macros. If the user enables them, the threat executes.

One difference in this variant of W97MDownloader is that it clears the contents in the Word document after the macro is enabled. It also generally downloads its payload in the %temp% folder.

The spam email may look like this:

[Figure: sample spam email carrying the malicious .doc attachment]

Infection Chain

[Figure: infection chain from spam email to downloaded payload]

This threat shows that attackers have not forgotten the classic social-engineering technique of tricking users into enabling Office macros so that malicious code can execute.

The infection chain starts with the spammed email. The email is carefully designed to lure users and seems legitimate. After executing, Bartallex drops a .bat file and a .vbs file onto the victim’s system. They download further malware.

The following figure shows a .doc file with embedded macro posing as a fax:

[Figure: .doc file with an embedded macro, posing as a fax]

If email recipients open the document, they first see junk data together with a request to enable the macro, in spite of Word’s security warning not to trust the content. The file name varies from sample to sample, for example:

  • invoice_985861.doc
  • fax_msg759-746-3956.doc
  • legal_complaint.doc
  • logmein_coupon.doc
  • receipt_3458764.doc

Upon execution, this malware drops the following files:

  • %Temp%\adobeacd-update.bat
  • %Temp%\adobeacd-updatexp.vbs

The downloaded files are:

  • %Temp%\444.exe (for Windows XP and earlier)
  • %User Temp%\444.exe (for Windows Vista and later)

Extracting the Macro

[Figure: extracting the embedded macros from the document]

This document contains three embedded macros. The details of the extracted macros follow:

[Figure: the extracted macro code]

Let’s take a look at some of this malware’s evasion efforts. The first two lines use some classic obfuscation:

  • BART212 = “” & “d-up” + “date”
  • BART2 = Chr (97) + Chr (100) & “” & “o” & “” & “b” & “e” + “ac” & BART212

Splitting a string into small fragments and reassembling it at run time is a typical way to evade scanners that search for suspicious keywords, such as the name of a file that is about to be dropped or downloaded. In VBA both & and + concatenate strings, and the Chr function returns the character for the given character code: Chr (97) is the letter a and Chr (100) is the letter d.

After removing the breaks and making the substitutions, we see a meaningful string:

BART2 = “adobeacd-update”
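Resolving such expressions by hand gets tedious once a macro has dozens of them, so here is a small evaluator for the subset of VBA these downloaders rely on: string literals, Chr(n), the & and + operators, and variables assigned on earlier lines. This is an added example, not code from the McAfee post or from the macro itself; the two sample lines are constructed to mirror the ones quoted above, and the function and variable names are my own.

```python
"""Evaluate VBA string-building expressions of the kind Bartallex uses.

Added example (not from the McAfee post). Handles the obfuscation subset
seen in the macro: "literal", Chr(n), the & and + concatenation operators,
and references to variables assigned on earlier lines. Anything else
raises, so an unsupported construct is noticed rather than silently
evaluated to "".
"""
import re

# Constructed sample, mirroring the two macro lines quoted in the post.
SAMPLE_MACRO = '''
BART212 = "" & "d-up" + "date"
BART2 = Chr(97) + Chr(100) & "" & "o" & "" & "b" & "e" + "ac" & BART212
'''

_TOKEN = re.compile(r'''
    "(?P<str>(?:[^"]|"")*)"          # string literal; "" is an escaped quote
  | Chr\s*\(\s*(?P<chr>\d+)\s*\)     # Chr(n)
  | (?P<var>[A-Za-z_]\w*)            # reference to an earlier variable
  | (?P<op>[&+])                     # both operators concatenate strings here
  | (?P<ws>\s+)
''', re.VERBOSE | re.IGNORECASE)

_ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')


def eval_concat(expr, env):
    """Evaluate one concatenation expression to a str.

    `env` maps lower-cased variable names to already-resolved strings
    (VBA identifiers are case-insensitive). An unknown name raises KeyError.
    """
    out = []
    pos = 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("unsupported token near %r" % expr[pos:pos + 10])
        pos = m.end()
        if m.group("str") is not None:
            out.append(m.group("str").replace('""', '"'))
        elif m.group("chr") is not None:
            out.append(chr(int(m.group("chr"))))
        elif m.group("var") is not None:
            out.append(env[m.group("var").lower()])
        # operators and whitespace contribute nothing to the result
    return "".join(out)


def resolve_macro(text):
    """Walk `name = expr` lines in order; return {name: resolved string}."""
    env = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.strip())
        if m:
            env[m.group(1).lower()] = eval_concat(m.group(2), env)
    return env


if __name__ == "__main__":
    for name, value in resolve_macro(SAMPLE_MACRO).items():
        print(name, "=", repr(value))
```

Run against the two sample lines it recovers `bart212 = 'd-update'` and `bart2 = 'adobeacd-update'`, the same file-name stem the dropped .bat and .vbs carry. Because assignments are resolved in order, a later line may reference any earlier variable, which is how these macros usually chain their fragments.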

Payload

Opening the document file with macros enabled runs the dropped batch file, which in turn runs the .vbs file, which immediately downloads other malware, such as the Upatre, Vawtrak, and Chanitor families, from the remote server.

[Figures: payload stage, the dropped batch file and the .vbs downloader]
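Seen from the endpoint, that chain is a Word process that launches cmd.exe, which launches wscript.exe; Word has no business doing either, and that ancestry is one of the most reliable ways to catch this whole class of macro downloaders regardless of the payload. The following is an added example, not code from the McAfee post: it walks constructed process-creation records (pid, parent pid, image path, command line; the field names are my assumption, not a particular product’s schema) and reports every script host whose ancestry within a few hops contains an Office application.

```python
"""Flag Office -> cmd.exe -> wscript.exe process chains.

Added example (not from the McAfee post). The post describes the macro
running a dropped .bat, which runs a dropped .vbs; expressed as process
ancestry that is WINWORD.EXE -> cmd.exe -> wscript.exe. The events below
are constructed; their field names are assumptions, not any vendor's
schema.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "mshta.exe"}

# Constructed process-creation records in the shape of the chain the post describes.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1204, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice_985861.doc"'},
    {"pid": 1320, "ppid": 1204, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\u\AppData\Local\Temp\adobeacd-update.bat"},
    {"pid": 1388, "ppid": 1320, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\u\AppData\Local\Temp\adobeacd-updatexp.vbs"},
    # Benign control: a user opening a prompt from the shell.
    {"pid": 1500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]


def _basename(image):
    return ntpath.basename(image).lower()


def office_spawned_script_hosts(events, max_depth=4):
    """Return [(office_pid, chain_of_basenames)] for every script host whose
    ancestry within `max_depth` hops includes an Office application."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [_basename(e["image"])]
        cur = e
        for _ in range(max_depth):
            parent = by_pid.get(cur["ppid"])
            if parent is None:          # root of the tree, or event not logged
                break
            chain.insert(0, _basename(parent["image"]))
            if chain[0] in OFFICE_APPS:
                hits.append((parent["pid"], chain))
                break
            cur = parent
    return hits


if __name__ == "__main__":
    for office_pid, chain in office_spawned_script_hosts(SAMPLE_EVENTS):
        print("office pid %d spawned: %s" % (office_pid, " -> ".join(chain)))
```

On the sample it reports two hits rooted at the WINWORD.EXE process, `winword.exe -> cmd.exe` and `winword.exe -> cmd.exe -> wscript.exe`, and stays silent on the cmd.exe launched from Explorer. Walking several hops rather than only the immediate parent matters here, since the interesting script host (wscript.exe) is a grandchild of Word, not a child.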

The malware connects to the control server at “http://xx.xxx.254.213/us/file.jpg” and downloads the payload, which is served under a .jpg name but is actually a malicious .exe file.
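Because the server hands the executable out as an image, anything that classifies the download by its extension or by the Content-Type header will wave it through. A proxy, sandbox, or forensic script should instead classify by content. The check below is an added example, not from the McAfee post: it identifies a PE file by validating the DOS header’s e_lfanew pointer and the “PE\0\0” signature rather than trusting a bare “MZ”, and flags any file whose name claims an image format while its bytes say otherwise. The sample byte strings are constructed.

```python
"""Detect a PE file served under an image name (file.jpg, 5123965.png ...).

Added example (not from the McAfee post). Classifies a download by its
bytes: for PE it follows e_lfanew from the DOS header to the "PE\0\0"
signature instead of accepting "MZ" alone, which also avoids flagging
random data that happens to start with those two letters. Samples are
constructed.
"""
import os
import struct

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def is_pe(data):
    """True if `data` has a DOS header whose e_lfanew points at "PE\0\0"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff(data):
    """Content type from magic bytes, ignoring whatever the server claimed."""
    if is_pe(data):
        return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def masquerading(name, data):
    """True when `name` (URL path or file name) claims an image but the
    content is a Windows executable."""
    ext = os.path.splitext(name.lower())[1]
    return ext in IMAGE_EXTS and sniff(data) == "pe"


def _fake_pe():
    """Constructed minimal PE: DOS header, e_lfanew = 0x80, PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr += b"\0" * (0x80 - len(hdr))
    hdr += b"PE\0\0" + b"\0" * 20          # signature + start of file header
    return bytes(hdr)


FAKE_JPG_PAYLOAD = _fake_pe()                       # what /us/file.jpg really is
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 60       # genuine JPEG header
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 60       # genuine PNG header


if __name__ == "__main__":
    for name, blob in [("/us/file.jpg", FAKE_JPG_PAYLOAD),
                       ("5123965.png", REAL_PNG)]:
        print(name, sniff(blob), "MASQUERADE" if masquerading(name, blob) else "ok")
```

The decoy PNG the post mentions (%temp%\savepic.su\5123965.png) passes as a real image, while the “file.jpg” payload is classified as a PE and flagged. The e_lfanew check is cheap and worth keeping: a two-byte “MZ” match on arbitrary data is common enough to be noisy, whereas a consistent header-to-signature chain is not.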

Here’s a look at the traffic:

[Figure: HTTP traffic for the file.jpg download]

We have also seen this threat download a clean PNG image file and save it with a random file name, for example %temp%\savepic.su\5123965.png.

We are seeing a lot of malware propagating through this infection vector. It’s always a good idea to pay attention to system security messages, and a document that asks you to enable macros to “view its content” is a warning sign in itself.

McAfee products detect this threat and its payloads as:

  • W97M/Downloader.aen
  • Generic-FAWE! [partial hash]
  • Backdoor-FCMU! [partial hash]

I would like to thank my colleague Lenart Brave for his help with this analysis.


The post Bartallex Renews Strain of Macro Malware appeared first on McAfee.
