Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro




    Security is one of the top concerns when consumers consider buying smart devices. With cybercrime making the headlines every day, one has to think: is this smart device vulnerable to cyber attacks? Are these technologies secure enough for us to rely on them in our everyday lives?

    A good example of a technology that we need to assess for its security and reliability is the smart lock. One of the key characteristics of smart locks is the use of digital door keys, which are used to open them. Digital door keys are typically stored in the vendors cloud servers, along with other properties of the lock. This gives the owner great convenience, since they can “send” the keys to other people remotely in order to allow them temporary access.  It also enables the user to do comprehensive monitoring/reporting, for example, to detect any forced entry, to report any breakage to the lock, to send alerts to the user, etc.

    Smart locks, however, raise certain security risks as well. For instance, attackers may choose to target the vendor’s cloud servers, which may exist anywhere in the world, to get access to key information. Or if the smart lock supports web access, the attacker may attack the portal through code injection, cross-site scripting, etc. They may also launch phishing attacks to be able to get the user’s credentials to the vendor’s web portal used to manage the lock.

    The attackers can also target the communication between the owner’s smart lock and mobile device. Bluetooth Low Energy (BLE) is a popular protocol used for communication between the smart door lock and mobile device or mobile key fob. During the communication process, the digital key is sent from mobile phone to door lock over the air via BLE. The said communication is encrypted, but certain implementations can be subject to man-in-the middle (MITM) attack, as discussed in security community. Since this type of attack requires capturing of packet exchange during device setup, the time window for attack is short which reduces the attack surface significantly. However, it’s up to the vendor to provide a strong BLE security implementation.

    Some brands of smart locks allow user to lock/unlock anywhere in the world.  You can use vendor mobile app, or vendor web portal to check the lock status and lock/unlock it with a click of a finger.  This can be a desired feature for many consumers because of the ease and convenience it offers. The feature, however, does increase the attack surface.  In this case, instead of using BLE, the commands to the smart lock are sent over the Internet to the home router, and then to the lock via home Wi-Fi network, the smart lock device is visible in the local area network. Traditional IP based attacks such as port scanning and remote attack via open ports/firmware vulnerabilities can be used to attack the device.

    The Internet of Everything revolutionizes traditional hardware functionalities. While it creates security challenges, it also provides great opportunities. In the smart lock case, one can implement comprehensive monitoring/reporting, for example, to detect any force entry, broke of lock, send alert to user along with broken lock picture, and attacker picture, etc.  For critical IoE devices (such as door lock in a home), comprehensive monitoring/reporting is important to ensure software and hardware integrity to detect any malicious software/hardware attacks.

    For more detailed discussion on consumer buyer’s guide for smart home devices, you can read our Security Considerations for Consumers Buying Smart Home Devices.

     



    Since the discovery of Shellshock, Trend Micro has continuously monitored the threat landscape for any attacks that may leverage these vulnerabilities. So far, we have identified an active IRC bot, exploit attempts in Brazil and China, botnet attacks, and a wide variety of malware payloads such as ELF_BASHLITE.A, ELF_BASHLET.A, and PERL_SHELLBOT.WZ among others.  It is reported that other vulnerable protocols like HTTP, SMTP, SSH, and FTP are also affected by Shellshock.

    We found that one of the payloads of Bash vulnerabilities, which we detect as TROJ_BASHKAI.SM, downloaded the source code of KAITEN malware, which is used to carry out denial-of-service attacks. Based on our analysis, when TROJ_BASHKAI.SM is executed, it connects to the following malicious URLs:

    • http://www[dot]computer-services[dot]name/b[dot]c
    • http://stablehost[dot]us/bots/regular[dot]bot

    When it connects to http://www[dot]computer-services[dot]name/b[dot]c, it downloads the KAITEN source code, which is then compiled using the common gcc compiler. This means that once connected to the URL, it won’t immediately download an executable file. Instead, it builds and compiles the source code, resulting in an executable file detected as ELF_KAITEN.SM.

    The act of downloading and compiling on the infected system can be seen as a precautionary measure. Downloaded directly as an executable file, the ELF file may have compatibility issues with different Linux OS distributions. Compiling on the infected system ensures that the malware executes properly.

    This routine could also be viewed as an evasion technique as some network security systems filter out non-executable files from scanning, due to network performance concerns. Systems configured this way may skip the scanning of the source code because it’s basically a text file. In addition, the recompilation of the source code can also have an effect of having differing binary files (which will have different hashes) across different Unix platforms. This will make detecting compiled binaries more difficult.

    ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net where it joins the IRC channel #pwn and waits for commands. Some of the commands the attackers issued are:

    • Perform UDP flood
    • Perform SYN flood
    • Download files
    • Send raw IRC command
    • Start remote shell
    • Perform PUCH-ACK flood
    • Disable, enable, terminate client

    On the other hand, when it connects to http://stablehost[dot]us/bots/regular[dot]bot, it downloads three separate files. One of these is KAITEN source code, which is similarly compiled into ELF_KAITEN.A. This behaves similarly to ELF_KAITEN.SM, except it connects to linksys[dot]secureshellz[dot]net[colon]25 and to the channel #shellshock.

    The second downloaded file is a Mac OS X malware detected OSX_KAITEN.A, which behaves similarly to ELF_KAITEN.A. The third file is a shellbot detected as PERL_SHELBOT.SMO. This is a powerful IRC-controlled shellbot that connects to the same server as the two previous files, but to a different channel (#scan). However, unlike KAITEN that doesn’t scan for vulnerable servers, PERL_SHELLBOT.SMO scans for vulnerable websites through various search engines.

    Aside from downloading KAITEN and Shellbot, regular.bot (detected as TROJ_BASHKAI.SM) creates a file /tmp/c which is used to schedule the download a file from the second URL weekly. This ensures that the payload is up to date.

    KAITENcode

    Figure 1. Screenshot of BASHKAI source code

    Implications

    KAITEN is old IRC-controlled DDoS malware and as such, there is a possibility that the attackers employed Shellshock to revive its old activities like DDoS attacks to target organizations. Another theory we have is that the attackers behind Shellshock would like to expand their infection chain to include DDoS activities via KAITEN malware.

    Typically, systems infected with Shellshock payloads become a part of their botnet, and therefore can be used to launch DDoS attacks. In addition,  the emergence of a downloaded file that targets Mac OS clearly show that attackers are broadening their target platform.

    It was earlier reported that the “vast majority” of Mac OS X users are “safe by default” from Shellshock. However, users who configured to enable the Advanced Unix Services are still affected by this vulnerability. The Advanced Unix services enables remote access via Secure Shell (SSH) which offers ease of access to system or network administrators in managing their servers. This service is most likely enabled for machines used as servers such as web servers, which are the common targets Shellshock attacks.

    Trend Micro is continuously monitoring the threat landscape for any developments regarding Shellshock. For more information about threats exploiting Shellshock, , you can refer to our summary post.

    With additional analysis from Rhena Inocencio, Lenart Bermejo, Anthony Melgarejo, and Dexter To

     


    May22
    8:59 am (UTC-7)   |    by

    We’ve recently seen multiple arrests and take downs of cybercriminals and their infrastructure. Here is another one to add up. Law Enforcement in England has arrested and prosecuted a cybercriminal called Jam3s in cooperation with Trend Micro. His real identity is James Bayliss. James ran some SpyEye command-and-control servers and also coded a SpyEye plugin named ccgrabber. More than four years after the investigation started, this cybercriminal has been successfully prosecuted.

    James worked closely with Aleksandr Andreevich Panin, a.k.a Gribodemon in coding the ccgrabber plugin for SpyEye. This plugin was used to collect credit card numbers, CVV’s by analyzing the POST request made by the infecting machine.

    One of James’s SpyEye servers was installed on the IP address 91.211.117.25 that was active during September 2010. Below is the SpyEye configuration file we decrypted:


    Figure 1. SpyeEye configuration file

    Jam3s had many connections in the underground scene and friends he has made during his online criminal career. They mostly appear to be criminals that run botnets and/or write botnet code. He communicated frequently with Mr Panin, a.k.a Gribodemon and has made friends with Hamza Bendelladj, a.k.a bx1. Trend Micro has also participated in the arrest of Mr Panin as well as Mr Bendelladj. These arrests were part of a global investigation that involved the SpyEye malware and several associated cyber criminals.

    Other accounts from ICQ that he associates with are SpyEye notify, Death/Cripter, Criminal, and Parabola, just to name some.


    Figure 2. Associated accounts

    This arrest shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the whole underground, instead of relatively quick and easily repairable damage caused by takedowns. We believe that this is the way to attack cybercrime and make the Internet safer for all users.

    Malware associated with the IP address 91.211.117.25:

    • 91.211.117.25/se/bin/621430spyeyecrypted.exe 91.211.117.25 179d5d6c506a785d0f700468bf8ac97c Mon, 30 Aug 2010 12:44:07 UTC
    • 91.211.117.25/se/bin/build.exe 91.211.117.25 df30623d3c1aab7321ac0653cb09f2b7 Mon, 30 Aug 2010 12:38:00 UTC
    • 91.211.117.25/sp/admin/bin/build.exe 91.211.117.25 8904d483008d6284a8f76fb5b9a7cb39 Sat, 11 Sep 2010 02:06:27 UTC
    • 91.211.117.25/sp/admin/bin/upload/gbotout.exe 91.211.117.25 87a5f7c496975c778d8c866195c9a7a5 Sat, 11 Sep 2010 02:06:42 UTC
    • 91.211.117.25/sp/admin/bin/upload/out1.exe 91.211.117.25 143fdd161c7360060d30f540d7a86b27 Sat, 11 Sep 2010 00:59:16 UTC
    • 91.211.117.25/sp/admin/bin/upload/out.exe 91.211.117.25 143fdd161c7360060d30f540d7a86b27 Sat, 11 Sep 2010 00:58:58 UTC
    • 91.211.117.25/sp/admin/bin/upload/pedoout.exe 91.211.117.25 c35e406871df034041d5a92bcb01c85b Sat, 11 Sep 2010 02:07:08 UTC
    • 91.211.117.25/spy/bin/621430spyeyecrypted.exe 91.211.117.25 179d5d6c506a785d0f700468bf8ac97c Sat, 11 Sep 2010 02:07:27 UTC
    • 91.211.117.25/spy/bin/build.exe 91.211.117.25 ed3a6cdca7d3d6f22b0232fe5fabe3b1 Wed, 18 Aug 2010 12:15:19 UTC
    • 91.211.117.25/spy/bin/build.exe 91.211.117.25 f4ec7689e35c396f16e4d035f56fb391 Mon, 26 Jul 2010 19:19:04 UTC
    • 91.211.117.25/spy/bin/build.exe 91.211.117.25 fbbdbc7a18ea27b571c1a58e5c38aa6c Mon, 30 Aug 2010 18:26:34 UTC
    • 91.211.117.25/spy/bin/out.exe 91.211.117.25 143fdd161c7360060d30f540d7a86b27 Mon, 06 Sep 2010 00:22:32 UTC
    • 91.211.117.25/spy/bin/spyeye.exe 91.211.117.25 d69b970afe781b385b9c4856dd1690ea Sat, 11 Sep 2010 00:44:12 UTC
    • advertisement1.com/spy/bin/build.exe 91.211.117.25 78a9d665c854873d7c4221935558f8ab Sat, 25 Sep 2010 00:22:29 UTC
    • advertisement1.com/spy/bin/build.exe 91.211.117.25 fbbdbc7a18ea27b571c1a58e5c38aa6c Tue, 14 Sep 2010 03:24:30 UTC
    • hvavac.com/spy/bin/build.exe 91.211.117.25 fbbdbc7a18ea27b571c1a58e5c38aa6c Mon, 30 Aug 2010 01:08:47 UTC
     
    Posted in Malware | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice