Tag Archives: threat

AtomBombing, a new threat to your Windows


A few days ago Tal Liberman, a security researcher at the company enSilo, revealed a new code injection technique that affects all Windows versions up to Windows 10. Due to the nature of this technique it is unlikely that it can be patched. In this article I’d like to shed light on this attack, its consequences and what can be done to protect ourselves.

How does it work?

Basically this attack takes advantage of the operating system itself to inject malicious code and then uses some legitimate process to execute it. Although it is not that different from what malware has been doing for ages (malware has been injecting itself into running processes for decades), it is true that the use of atom tables (provided by Windows to allow applications to store and access data) is not common, and it is likely to go unnoticed by a number of security solutions.

The best explanation you can find so far is the one made by Tal in his blog “AtomBombing: A Code Injection that Bypasses Current Security Solutions”.

If there is no patch and it affects all Windows versions, does it mean that we are under great danger?

Not really. First, in order to use this technique the malware has to be executed on the machine. It cannot be used to remotely attack and compromise your computer. Cybercriminals will have to use some exploit or fool a user into downloading and executing the malware, hoping that the security solutions in place do not stop it.

Is this really new?

The way the code injection is performed is new, although, as I mentioned earlier, malware has used code injection techniques for a long time; for instance, you can see it in many ransomware families.

New, but not that dangerous… why the panic?

As I said, the malware first has to be executed on the machine, but we know that at some point this will happen (it is not a matter of IF, but WHEN).

Many security solutions have the ability to detect process injection attempts; however, to do this they rely on signatures, so many of them are currently unable to detect this particular technique. On top of that, many of them keep a list of trusted processes. If the malicious code is injected into one of them, all security measures from that product will be bypassed.

Finally, this attack is really easy to implement. Now that it is known, a number of cybercriminals will be implementing it in their malware sooner rather than later.

What can we do to protect our company’s network?

On one hand, traditional antimalware solutions are great at detecting and preventing infections from hundreds of millions of different threats. However, they are not that good at stopping targeted attacks or brand new threats.

On the other hand we have the so-called “Next Gen AV”. Most of them claim that they do not use signatures, so their strength comes from the use of machine learning techniques, which have evolved greatly in the last few years and have proven pretty good at detecting some new threats. As they know their weakness is that they are not that good at stopping all threats, they have built great expertise in post-infection scenarios, offering a lot of added value once a breach has already happened. Another issue they have is that machine learning won’t give you a black or white diagnosis, which translates into high false positive rates.

Is using traditional antimalware + Next Gen AV the best approach?

Not the best, although it is better than using just one, as they can complement each other. It has, however, a few downsides. For a start, you have to pay for both. Although this can be justified by the overall protection improvement, it means you will need extra budget for the extra work (the exponential growth of false positives coming from Next Gen solutions, different consoles to manage each one, etc.). Performance can become an issue if both are running on the same computers. And finally, these solutions don’t talk to each other, which means you are not taking full advantage of the information each one handles.

Panda Solutions for Companies combine the power of the traditional solutions and the machine learning techniques.

The best solution is one that has both capabilities: the power of traditional solutions as well as long experience in machine learning techniques combined with big data and the cloud. The two work together and exchange information, continuously monitoring all running processes, classifying every program executed on any computer of your corporate network and creating forensic evidence in real time in case of a breach. Only a small agent is deployed, which takes care of everything and uses the cloud for the heavy-processing tasks, offering the best performance in the market. In other words, Adaptive Defense 360.

The post AtomBombing, a new threat to your Windows appeared first on Panda Security Mediacenter.

Be careful with CryptoBit, the latest threat detected

A few days ago at PandaLabs, Panda Security’s anti-malware lab, we discovered a type of ransomware that we believe is extremely important to talk about, especially because of its novelty and its unique features. The name of this new ransomware is CryptoBit.

If we compare it to what we’ve learned so far from other ransomware, we can say that CryptoBit is a one-of-a-kind specimen. It differs from other ransomware for many reasons, one of the main ones being the message that appears instructing the victim how to recover their files. Its additional features are described in this article.

Analyzed Sample

This report focuses on the analysis of the following sample:

a67855dbd18652e99f13d29045b09391382bb8c817cda1e498cd01eb4a7bdf2c (sha256)

This sample is protected by a “packer”, a wrapper that disguises another piece of malware. After “unpacking” it we notice, in addition to a recent compilation date (April 5, 2016 at 12:20:55 PM), a total lack of strings, evidence that the author of CryptoBit wished to hinder the analysis of its code by any and all means.

Distribution

After analyzing the data provided by Panda Security’s “collective intelligence systems”, we can determine that the vector used to distribute CryptoBit is the “Exploit Kits” that target different web browsers.

Behavior

Once the sample is unpacked and its behavior analyzed, we can more accurately determine the basic way CryptoBit works:

The first thing CryptoBit does is check the keyboard’s configured languages. If the keyboard is configured with one of the following codes, 0x1a7, 0x419 (Russian) or 0x43f (Kazakh), the program does not encrypt any file.

After making sure that the keyboard is not on its blacklist, CryptoBit goes through all local disk drives, network folders and removable drives (USB), searching for files with any of the targeted extensions. What is its objective? To encrypt the entire contents of each file (another unusual feature) in order to demand a ransom for them later on.

In particular, CryptoBit is interested in the following file extensions:

ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko nba jpg nv2 mdf ksd qbo key pdf aes 3ds qfx ppsx sxc gxk aep odt odb dotm accdt fdb csv txt zip

Once the file encryption process has begun, the user sees a window on their computer similar to the one shown below:

In this message we see some details that draw our attention and which can be used to classify this new type of ransomware:

ID shown as “58903347”

For the analyzed sample, this value is always the same. It does not matter whether you run the malware repeatedly or on different devices. This suggests that it is an ID of the ransomware itself rather than of a particular user (or computer).

The number of bitcoins you have to pay

In general, the required amount of bitcoins is fixed or has a limit. In this specific example, we see that the author (or authors) are requesting a ransom that is rather excessive.

How to get in contact with “them”

The user is not given a web server reachable via a URL through which to contact the attacker, and nothing in particular is asked of the user, at least not at this point.

They ask the user to contact them using an email address that seems untrustworthy (ex. [email protected]). If the victim does not receive a response, they can also contact the attacker using an application called “Bitmessage”, a fork of another application that can be found on “GitHub”.

Additionally, if this message is not enough to convince them that their files have been encrypted, each time a folder containing these (now) indecipherable files is opened, the user will discover a couple of extra files that were created intentionally:

OKSOWATHAPPENDTOYOURFILES.TXT

If we take a look at this file we will find the same message (this time in text format) that is shown to the user after their files are encrypted.

sekretzbel0ngt0us.KEY

In this second file we see a hexadecimal sequence of length 1024 which, once decoded, corresponds to a binary sequence of 512 bytes (4096 bits).

Later, in the “Encryption of Files” section, we explain the meaning of the file called “sekretzbel0ngt0us.KEY” and its role in the encryption of the other files.

Another CryptoBit action that is visible to the user is an HTTP request that looks like:

http://videodrome69.net/knock.php?id=58903347

Note: the requested script “knock.php” does not exist, so the purpose of this request remains unknown.

Encryption of Files

To encrypt the files, on each run CryptoBit generates a random key for the AES algorithm, or “Advanced Encryption Standard” (a key of 32 bytes, or 256 bits), making it practically impossible to decrypt the files unless this key is known.

So that this key, which is needed to decrypt the files if the ransom is paid, is not lost, the author of this ransomware stores the generated AES key encrypted with the RSA algorithm.

The chosen public key is 4096 bits long, and we find it “hardcoded” within the analyzed sample.

Once encrypted with RSA, the AES key is stored in the file named “sekretzbel0ngt0us.KEY“, making it usable only by whoever holds the corresponding RSA “private key” (which, in theory, would only be in the possession of the ransomware’s author).

In this section we notice a specific detail: the absence of calls to the native libraries that encrypt data using the RSA algorithm. CryptoBit instead uses a series of statically compiled routines for operating on large numbers (“big numbers”), with which it reproduces the RSA encryption algorithm itself.
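As an added example (not PandaLabs’ tooling), covering both the two artefact files described above and the RSA-wrapped key from this section, the script below triages a directory tree the way a responder would: it finds the ransom note and key file, checks that the key file matches the documented 1024-hex-character / 512-byte shape, and counts files with targeted extensions alongside them. File names and extensions are taken from the post; the directory tree it builds is constructed sample data.

```python
"""Triage helper for CryptoBit artefacts (added example, not PandaLabs' code).
Finds the ransom note and key file, validates the key file's documented shape
(1024 hex chars = 512 bytes = one RSA-4096 ciphertext wrapping the AES-256 key)
and counts targeted files next to them. Sample tree below is constructed."""
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "OKSOWATHAPPENDTOYOURFILES.TXT"
KEY_FILE = "sekretzbel0ngt0us.KEY"
KEY_HEX_LEN = 1024  # 1024 hex chars -> 512 bytes -> 4096 bits (RSA-4096 output)
# Subset of the extension list given in the post.
TARGETED_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "zip",
                       "txt", "pptx", "sql", "mdb", "pfx", "kdbx", "csv"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_key_file(text: str) -> bytes:
    """Decode the hex blob; raise ValueError if it is not RSA-4096-ciphertext sized."""
    blob = text.strip()
    if len(blob) != KEY_HEX_LEN or not HEX_RE.match(blob):
        raise ValueError(f"unexpected key file shape: {len(blob)} chars")
    # 512 bytes of RSA ciphertext: without the private key this is opaque.
    return bytes.fromhex(blob)


def is_targeted(name: str) -> bool:
    """True if the file has one of the extensions CryptoBit looks for."""
    return os.path.splitext(name)[1].lstrip(".").lower() in TARGETED_EXTENSIONS


def triage(root: str) -> dict:
    """Count ransom notes, well/ill-formed key files and targeted files near them."""
    result = {"notes": [], "valid_keys": 0, "invalid_keys": 0, "targeted_files": 0}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        if RANSOM_NOTE not in names and KEY_FILE not in names:
            continue  # no artefacts here; nothing to report
        result["notes"].append(dirpath)
        if KEY_FILE in names:
            try:
                parse_key_file(Path(dirpath, KEY_FILE).read_text())
                result["valid_keys"] += 1
            except ValueError:
                result["invalid_keys"] += 1
        result["targeted_files"] += sum(
            1 for f in files if f != RANSOM_NOTE and is_targeted(f))
    return result


def build_sample_tree() -> str:
    """Construct a throwaway directory mimicking an affected share (sample data)."""
    root = tempfile.mkdtemp(prefix="cryptobit_demo_")
    hit = Path(root, "Finance")
    hit.mkdir()
    (hit / RANSOM_NOTE).write_text("your files are encrypted, ID 58903347")
    (hit / KEY_FILE).write_text("ab" * 512)  # 1024 hex chars, well-formed
    for name in ("budget.xlsx", "notes.txt", "scan.jpg", "readme.md"):
        (hit / name).write_bytes(b"\x00" * 16)
    bad = Path(root, "HR")
    bad.mkdir()
    (bad / KEY_FILE).write_text("zz" * 10)  # wrong length and not hex
    Path(root, "Clean").mkdir()
    Path(root, "Clean", "report.docx").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Running it on a real share is a matter of passing the share’s root path to triage() instead of the constructed tree.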

Conclusion

As we can see, the ransomware phenomenon is not going out of style. We are finding new samples every day that still surprise us. In this specific case, we aren’t as shocked by the use of “serious cryptography” (AES + RSA), something that is more and more standard, as we are amazed by the ambition behind it, and we can appreciate its good design and interesting ideas.

As always, keep your antivirus updated and make sure to back up your important files.

Analysis of CryptoBit by: Alberto Moro, Abel Valero and Daniel Garcia

The post Be careful with CryptoBit, the latest threat detected appeared first on Panda Security Mediacenter.

Weather Forecast for Today? Advert Flood Coming from East

Despite blocking efforts, online advertising is a daily part of our lives. Most of us get used to the large volume of adverts displayed daily, but authors of malicious code are trying to push the limits much further nowadays via advert-injection techniques used in malware threats.

Spreading

In this post, we present a case study of one such malware that we detected via our AVG Identity Protection (IDP) component. Based on our telemetry, this infection is highly active and is currently at its peak. The most affected countries are the United States and Germany, followed by Saudi Arabia and the United Arab Emirates.

Countries most affected by the spread of this advert-injection campaign (Jun-Sep 2015).

Behaviour of This Threat

The infection starts when the user installs an application that its authors present as a “Weather Forecast Application”. However, once installed, this application silently downloads and installs other components that are purely malicious: the threat tries to infect all installed browsers and inject additional adverts into browser pages. It also periodically loads sets of adverts in the background without notifying the user. As a side-effect, it sacrifices the security and performance of the infected systems for the purpose of making money via ad providers.

Injecting adverts in visited pages.

Flood of pop-up windows.

Detailed Analysis

Details about this threat are described in the following technical analysis.

You can also download the report now.

Stay Safe

AVG customers are protected against this threat via our multi-level protection in AVG Internet Security. If you’re not protected, you might want to check your systems using the indicators of compromise (IOC) listed in the aforementioned technical analysis.

Windows Phone Store scam: malicious mobile apps aren’t unique to Google Play

Although it’s possible to use third-party app stores safely and securely, the fact that scams still occur in a variety of app stores shouldn’t be ignored. On Sunday, a threat was discovered by a user who posted the issue on our forum. The scam, located within the Windows Phone Store, advertised three fraudulent versions of Avast Mobile Security. These fake apps not only include the Avast logo, but also feature actual screenshots from AMS in their image galleries. Our fast-acting team has since blocked the pages and labeled them as malicious.

Fake AMS apps collect personal data and redirect users to adware

If downloaded, these fake versions of AMS found on the Windows Phone Store pose a risk to users’ security. Here’s how they work:

  1. New Avast security: This app includes three control buttons which show only advertisements. Even without actively clicking on the ads, the app redirects users to additional adware.
  2. Avast Antivirus Analysis: Claiming to “protect your phone from malware and theft”, this malicious app runs in the background of victims’ devices once downloaded and collects their data and location.
  3. Mobile Security & Antivirus – system 2: Simply put, this is a paid-for version of “New Avast security” that forcibly leads users to adware.

The fun doesn’t stop there!

After doing some additional research, our malware analysts discovered that TT_Game_For_All, the same user that published the fake AMS apps, isn’t solely impersonating Avast. Instead, this cybercriminal has published a large collection of close to fifty apps, the majority of which cost around the equivalent of 1.99 USD. Certain apps even claim to be from other well-known companies such as Qihoo 360, APUS, and Clean Master.

Keep your eyes open for app store threats

This case goes to show that when it comes to mobile malware, it’s not only the Android platform that is vulnerable to attacks. Although Windows Phone devices aren’t currently as widely used as Android devices, it’s important to be careful regardless of the platform you use. Finally, keep in mind that Google Play isn’t the only app store users should be paying attention to when it comes to avoiding mobile scams and threats: these threats can occur within any app store.

Widespread iScam ransomware originates from US servers

iPhone and iPad users who turn on Avast SecureLine VPN while on unsecured Wi-Fi are protected from iScam.

It’s a common belief (and myth) that Apple products are invincible against malware. This false line of thinking has recently again been refuted, as iPhone and iPad users have been encountering a ransomware threat that freezes their Internet browsers, rendering their devices unusable. The ploy, commonly known as iScam, urges victims to call a number and pay $80 as a ransom to fix their device. When users visit an infected page while browsing using the Safari application, a message is displayed saying that the device’s iOS has crashed “due to a third party application” in their phone. The users are then directed to contact customer support to fix the issue.

iScam displays a “crash report” to affected users. (Photo via Daily Mail)

In the midst of this vexing threat, Avast’s suite of security applications identifies URLs which contain malicious content. When discovered, these addresses are flagged for malware and then stored in our blacklist database.

While scanning for malicious URLs, we discovered that many of the servers related to iScam are located in the United States. While iScam has affected users located in both the U.S. and U.K., the origins of the threat have remained fairly nebulous up until this point. Here are a few examples of where we’ve discovered malicious servers in the U.S.:

  • Scottsdale, Arizona (system-logs.info)
  • Concord, North Carolina (pcassists.info)
  • Kirkland, Washington (Adbirdie.com)
  • Chicago, Illinois (pcsafe.us)
  • Los Angeles, California (clevervc.com)

Every cloud has a silver lining: in this case, you can celebrate the fact that you’re protected from iScam when using Avast SecureLine VPN. Not only does Avast SecureLine VPN protect you while browsing on unprotected Wi-Fi networks, it also scans websites for malicious content to keep you from being affected by it. Once Avast SecureLine VPN is installed on your iPhone or iPad, it automatically notifies you of the risks of connecting to unsecured Wi-Fi and gives you the option of connecting to the secure VPN. Once turned on, Avast SecureLine VPN creates a private ‘tunnel’ for your data to travel through, and all your Internet activity, inbound and outbound through the tunnel, is encrypted. If a website is infected with iScam, Avast SecureLine VPN blocks it, so users will not encounter the scam. For your best protection, Avast SecureLine VPN is available to download in iTunes.

How to clean your system if you’ve been infected by iScam

  • Turn on Anti-phishing. This can be done by visiting Settings > Safari and turn on ‘Fraudulent Website Warning’. When turned on, Safari’s Anti-phishing feature will notify you if you visit a suspected phishing site.
  • Block cookies. For iOS 8 users, tap Settings > Safari > Block Cookies and choose Always Allow, Allow from websites I visit, Allow from Current Websites Only, or Always Block. In iOS 7 or earlier, choose Never, From third parties and advertisers, or Always.
  • Allow JavaScript. Tap Settings > Safari > Advanced and turn JavaScript on.
  • Clear your history and cookies from Safari. In iOS 8, tap Settings > Safari > Clear History and Website Data. In iOS 7 or earlier, tap Clear History and tap Clear Cookies and Data. To clear other stored information from Safari, tap Settings > Safari > Advanced > Website Data > Remove All Website Data.

Check out Apple’s support forum for additional tips on how to keep your device safe while using Safari.

Avira Threats Landscape: Visualizing threats for you

Every day, thousands of different malicious programs are trying to infect as many devices as possible. The goal is the same for all of them: Get your data and if possible your money as well.

We have always been the first to learn about the threats that loom over every owner of a PC, Mac, tablet, or smartphone, but us having all the insights is not enough. While studying threats, keeping an eye on where they appear, and adapting our programs accordingly makes sure we keep our users as safe as possible, it is still hard to explain to the rest of the world why being protected is that important.

Sure, one reads about the newest threats, but only other people are affected by them, right? Big companies or governmental institutions especially seem to be the targets, so why bother at all? That is where people are wrong. While the media most often talks about high-profile cases, everyone else is at risk just as well! Every day there are millions of threats with only one goal, namely to infect your devices. Be it your smartphone, laptop, Mac or PC, each and every one of them is at risk. Just think about the latest iOS and OS X exploits or the different ways cybercriminals try to gain control over what’s on your computer.

In order to make our point we decided to share our insights with you in the form of an interactive map. Our Avira Threats Landscape allows you not only to see which countries are the top targeted ones, but also which threats are popping up the most and how many threats were detected in your country. Take a look at it, you won’t regret it. And when you see just how far-reaching and widespread those threats are, make sure to warn your family and friends as well. The most important thing though: Stay protected!

The post Avira Threats Landscape: Visualizing threats for you appeared first on Avira Blog.

Cyber risk analysis, assessment, and management: an introduction

Risk analysis is the first step towards managing risks, particularly when it comes to cyber risks. This recorded webinar introduces and explains key concepts, with links to several useful risk assessment tools.

The post Cyber risk analysis, assessment, and management: an introduction appeared first on We Live Security.