Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Brooks Li (Threats Analyst)




    Around this time in 2013, the most commonly used exploit kit – the Blackhole Exploit Kit – was shut down after its creator, Paunch, was arrested by law enforcement. Since then, a variety of exploit kits has emerged and have been used by cybercriminals.

    The emergence of so many replacements has also meant that there are now some key technical differences between these various exploit kits. In this post, we shall go over some of these differences.

    Exploits used

    Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:

    1. CVE-2013-0074 (Silverlight)
    2. CVE-2014-0515 (Adobe Flash)
    3. CVE-2014-0569 (Adobe Flash)
    4. CVE-2014-2551 (Internet Explorer)

    The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits.

    The tables below shows which exploits are in use by exploit kits:


    Table 1. Exploits used by various exploit kits
    (Click thumbnail to enlarge)

    Plugin Detection

    Almost all exploit kits run some sort of software that detect the browser platform a would-be victim is running in order to determine which exploit to send to the user.

    The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.

    Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits.

    By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – to detect plugins.

    The following table summarizes which libraries are used.

    Table 2. Plug-in detection methods used

    The following screenshot shows the PluginDetect library as used in exploit kits:

    Figure 1. PluginDetect library in use

    The following screenshot shows one of the custom libraries in use:

    Figure 2. Custom library in use

    Antivirus Detection

    A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner.

    This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052.

    The following table summarizes the products that each exploit kit detects:

    Table 3. Software products detected by exploit kits

    Obfuscation Techniques

    Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files.

    The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compactive archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file).

    Figure 3. HTTP request and reply headers

    When compressed, one can see that we do not encounter the “PK” header expected of standard Java files:

    Figure 4. Binary examination of Java file

    Meanwhile, Flash files are also being protected by the FlashPack and Magnitude exploit kits. These use a commercially available tool called DoSWF to hide their files. This tool was meant to allows developers to hide the ActionScript contents of their Flash file from people who would copy or pirate the contents. Unfortunately, this also works against security software, which are unable to decrypt the DoSWF encryption.

    Figure 5. Code calling DoSWF in ActionScript

    Statistics

    The chart below shows the monthly traffic (as measured in number of hits) we detected each month for various exploit kits. No one exploit kit dominated the market, with fierce competition leading to changes in the landscape. Magnitude, Angler, and Sweet Orange were the most frequently encountered kits throughout the entire year.


    Figure 6. Traffic seen to various exploit kits
    (Click thumbnail to enlarge)

    Summary

    Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools.

    The defenses against these tools on the part of users remains the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors.

     
    Posted in Exploits |



    Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil.

    We have previously reported that cybercriminals are putting malicious browsers in the official Chrome Web store. We also came across malware that bypasses a Google security feature checks third party extensions.  For this blog entry, we performed an in-depth analysis of malicious Chrome browser extension and its evasion tactics, after receiving samples in from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe.

    The Ins and Outs of the Browser Plugin

    The malicious Chrome plugin (detected as BREX_KILIM.LL)  is composed of two files, manifest.json and background.js. The file manifest.json will inform Chrome where to load background.js:

    malbrowser1

    Figure 1. Two files behind the malicious plugin

    The file background.js will execute the following routines:

    1. It prevents the removal of the malicious plugin. If  users open a tab to chrome://extensions to check for malicious browser extensions, the plugin will close this tab immediately.

    malbrowser2

    Figure 2. Code showing the closing of said tab

    2. It prevents access to antivirus websites. Any attempts to visit antivirus software websites will be blocked.

    malbrowser3

    Figure 3. Code showing the blocking of specific sites

    malbrowser4

    Figure 4. Notification showing access was blocked by the extension

    3. It removes the security option from HTTP response header. This security option is typically used to avoid cross site scripting attacks. The plugin removes this as it will will inject script that does not belong to Facebook.

    malbrowser5

    Figure 5. Code removing portions of the HTTP header

    4. It runs a JavaScript code when users visit Facebook. When users go on Facebook, the plugin will run a JavaScript code into the tab where the site is open. Doing so will allow the cybercriminals to control the users’ accounts; users will unwillingly follow, like, or subscribe to Facebook accounts as dictated by the cybercriminals behind this attack. These commands are performed automatically by the included JavaScript code. The affected users’ friends will also see these actions on their feed and may possibly inadvertently install the plugin as well.

    malbrowser6

    Figure 6. Screenshot of the malicious JavaScript that triggers users to follow, like, subscribe a Facebook account owned by cybercriminals

    Evasion Tactics

    To avoid having their extensions detected and removed from computers, cybercriminals are using the following evasion methods:

    1. They use malicious multi-script  files that work together.

    malbrowser7

    Figure 7. Malicious plugin using multi-script

    The malicious behavior is separated into multiple files. If each script file is analyzed independently, the overall malicious behavior may not be spotted and the files may be (mistakenly) thought to be clean.

    2. They encode the JavaScript content.

    Hackers use HEX to encode strings as seen in the screenshot below:

    malbrowser8

    Figure 8. Encoded strings via Hex

    After decoding the Hex string, they appear like in the screenshot below, showing that it’s the same as the original. This behavior helps to avoid detection by security products.

    malbrowser9

    Figure 9. Decoded string

    3. They use HTTPs and a known, good domain to host malicious JavaScript.

    malbrowser10

    Figure 10. A good domain used by the malicious plugin

    For instance, herokuapp.com is a free cloud application platform where everyone can upload APP to it, and cybercriminals can use this site to host the malicious JavaScript. This tactic is also used to prevent URL detection and blocking by security solutions.

    4. They use Twitter to hide malicious URLs.

    malbrowser11

    Figure 11. Code communicating with Twitter servers

    malbrowser12

    Figure 12. Twitter profile that houses the URL

    A malicious plugin runs a JavaScript into the user’s browser tab and downloads content from a Twitter user’s profile. The cybercriminals use the affected Twitter user’s profile content to hide the malicious URL that  the plugin connects to. Once cybercriminals change the profile content, they can change the behavior of the malicious plugin.

    5. They use fake file extensions.

    malbrowser13

    Figure 13. The plugin uses .DLL as its supposed extension

    Infections and Protection

    Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.


    Figure 14. Top affected countries

    We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall to secure their systems from online threats, including those that may leverage or abuse Facebook.  Trend Micro and Facebook are working closely together to combat this threat.

    Below is the SHA1 hash of the malicious file:

    • 4733c4ea00137497daad6d2eca7aea0aaa990b46

     

     



    Exploit kits have long been part of a cybercriminal’s arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit. Coverage over this particular exploit kit reached a fevered pitch with the arrest of its author in 2013.

    The Blackhole Exploit Kit may have met its demise, but this hasn’t deterred cybercriminals from using other exploit kits for their schemes. In fact, other exploit kits are still in use, often with improvements or upgrades. An example is the Nuclear Exploit Kit.

    We observed that the Nuclear Exploit Kit exploit kit recently included the Silverlight exploit (CVE-2013-0074) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit).

    The Silverlight exploit

    Like other targeted software, the Nuclear Exploit Kit’s landing page will check if the victim’s system has Silverlight installed. If the check passes, it will then attempt to use the Silverlight exploit to drop malware into the system.

    nuclearexploit_fig1

    Figure 1. The payload

    Upon closer analysis, it appears that an error exists in the version checking the JavaScript code. Read the rest of this entry »

     



    There are already many known ways by which cybercriminals target Facebook users. In the infographic we recently released, “The Geography of Social Media Threats,” we illustrated the different social networking features cybercriminals abused and the threats that these usually lead to.

    In the course of conducting research, we found one specific attack that targeted Facebook users through a different route—malvertisements.

    We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain based on this finding:

    Read the rest of this entry »

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice