TrendLabs Security Intelligence Blog

    Author Archive - Ilja Lebedev (Threats Analyst – EMEA Regional TrendLabs)




    We’ve previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities. With all the fun and relaxation set before you, it is easy to take secure Internet access for granted.

    The story below took place in exactly such a situation. While I was on vacation, using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however.

Trying to access YouTube using the mobile browser resulted in this:

Figure 1. Fake YouTube alert

    Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:

    Figures 2-3. Fake Facebook alerts

    If the user actually clicked the OK button on either of the two messages the following pages would appear:

Figure 4. Fake Internet Explorer update

Figure 5. Fake Adobe Flash Player update

    In both pages, there is fine print that says that the sites are not official download pages. However, because of the professional look of these pages, one could be forgiven for being misled.

    Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system.

    So, how was this done? A little investigation found that the DNS settings had been modified so that DNS queries went to a malicious server, that redirected users trying to visit the facebook.com and youtube.com domains to malicious sites:

    Figure 6. DNS replies and settings

    The IP address of the malicious DNS server is known to be involved in distributing fake Adobe Flash updates. The IP addresses involved in this attack are hosted across multiple ISPs located in France, Canada, and the United States.

The router of the network was a TP-Link TD-W8951ND all-in-one modem/router, which combines a DSL modem and a wireless router in a single device. This router contains a fairly serious vulnerability: an external user can access the page from which the router's firmware can be upgraded and its settings backed up. The backup file can be easily decoded, and once decoded it contains the root password in its very first line.

This particular vulnerability has not received much media attention, although it is very similar to "The Moon" attack that hit Linksys routers earlier this year. It appears to have been disclosed publicly at least twice: once in January and again several days later. DNS poisoning attacks themselves are not new, however; in fact, they have been around for many years.

    I was able to verify that the settings of the device were modified by the attackers. Google’s free DNS server at 8.8.8.8 was also set as the secondary address, explaining why the requests for non-targeted websites worked.

    Figure 7. Router DNS settings
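The telltale sign in this case was that a handful of names resolved to attacker-controlled addresses while everything else resolved normally. A practical way to check a network you do not trust is to ask the router-supplied resolver and a known public resolver the same questions and compare the answers. The following is an added example written for this post, not code from the original article or from Trend Micro: it builds and parses raw DNS A queries with only the standard library, and flags both domains whose answers from the two resolvers share nothing and, more tellingly, any single IP that the configured resolver hands back for several unrelated domains (the "600 domains, one landing page" pattern described above). The resolver address 192.168.1.1 in the live section is a placeholder assumption, and the build_response helper only exists to construct sample replies for offline use.

```python
import random
import socket
import struct


def build_query(name, txid):
    """Build a minimal DNS A query (RD set) for `name` with transaction id `txid`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ips, ttl=60):
    """Constructed sample data: a reply to `query` carrying one A record per IP.
    Answer names use a compression pointer (0xC00C) back to the question name,
    as real resolvers do, so parse_a_records is exercised realistically."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        answers += (b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4)
                    + bytes(int(octet) for octet in ip.split(".")))
    return header + query[12:] + answers


def _read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section; reject a mismatched txid."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                           # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def query_a(name, server, timeout=2.0):
    """Send one A query over UDP to `server` and return the IPs it answers with."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_hijacked(domains, configured, reference, min_shared=3):
    """Compare two resolvers, given as callables name -> list of IPs.

    Returns (suspect, shared): `suspect` maps each domain whose answers from the
    configured resolver share nothing with the reference resolver to those answers;
    `shared` maps any IP the configured resolver returned for at least `min_shared`
    different domains to those domains. CDN-hosted names legitimately differ between
    resolvers, so the many-domains-to-one-IP signal is the stronger of the two."""
    suspect, per_ip = {}, {}
    for domain in domains:
        cfg, ref = set(configured(domain)), set(reference(domain))
        for ip in cfg:
            per_ip.setdefault(ip, set()).add(domain)
        if cfg and ref and cfg.isdisjoint(ref):
            suspect[domain] = sorted(cfg)
    shared = {ip: sorted(ds) for ip, ds in per_ip.items() if len(ds) >= min_shared}
    return suspect, shared


if __name__ == "__main__":
    # Live use (needs network). ROUTER_DNS is a placeholder for whatever the
    # network's DHCP handed out; 8.8.8.8 is the reference resolver.
    ROUTER_DNS, REFERENCE_DNS = "192.168.1.1", "8.8.8.8"
    names = ["facebook.com", "youtube.com", "allegro.pl", "google.it", "example.com"]
    suspect, shared = find_hijacked(
        names, lambda n: query_a(n, ROUTER_DNS), lambda n: query_a(n, REFERENCE_DNS))
    print("suspect domains:", suspect)
    print("IPs shared across many domains:", shared)
```

Run it from a client on the suspect network, replacing ROUTER_DNS with the resolver shown in the OS network settings. An empty `suspect` with a non-empty `shared` still deserves attention, and a non-empty `suspect` with nothing in `shared` is often just geo-distributed hosting; the combination seen in this post, many unrelated names converging on a single address that the public resolver never returns, is the pattern to act on.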

The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, LinkedIn, Pinterest, and SlideShare. All of these sites use the .com top-level domain. The attackers also targeted users visiting local sites under country-specific TLDs, such as:

    Poland:

    • allegro.pl
    • gazeta.pl
    • interia.pl
    • otomoto.pl
    • tablica.pl
    • wp.pl

    Italy

    • google.it
    • libero.it
    • repubblica.it
    • virgilio.it

    Turkey:

    • google.com.tr
    • hurriyet.com.tr
    • milliyet.com.tr

How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly configure public DNS servers on the client, such as those of Google (8.8.8.8 and 8.8.4.4), so that the resolver handed out by the router's DHCP is not used. (This can usually be done in the operating system's network settings, and is applicable to both mobile and non-mobile systems.) One can also consider the advice we provided earlier about using open Wi-Fi networks, which includes the use of VPNs.

    What about the likely targets of attacks like these? The most likely targets of these attacks are either homeowners or small businesses that use consumer-grade routers. In such cases, we highly recommend that consumers keep the firmware of their devices up to date. (For this particular router, for example, updated firmware is available for some versions.)

Two settings can also help reduce the risk from these attacks: first, port 80 should be forwarded to a non-existent IP address, so that requests reaching the router's web port from outside go nowhere. In addition, the web management interface of the router should not be accessible from the WAN side of the network.

    Update as of May 26, 2014, 02:25 A.M. PDT

    Based on our further analysis, we found out that TSPY_FAREIT.VAOV downloads BKDR_NECURS.BGSJ, which drops RTKT_NECURS.B. NECURS is known for disabling security features on affected systems. In this case, BKDR_NECURS.BGSJ disables the Windows firewall, and RTKT_NECURS.B also disables other security-related services.

Aside from the functions mentioned above, since the start of 2014 we have seen NECURS malware associated with banking Trojans such as ZBOT.

We detect the malicious files that are part of this attack.

Posted in Malware, Vulnerabilities



    Threats today are designed to appeal to local audiences everywhere: two separate threats we’ve recently encountered show how ransomware is targeted towards users in specific countries; in these cases users in Turkey and Hungary were the targets.

First, we came across a notification email sent to Turkish users that talks about a billing update. Recipients are prompted to download and view the updated version of the invoice. Upon clicking the links provided, users are directed to a website which prompts them to enter a CAPTCHA phrase and download the document. It is also worth noting that any attempt to access the website with a modified link results in a redirect to the official website, in an attempt to avoid user suspicion.

    The downloaded file appears to be a PDF file, but a closer look reveals it to be an executable file. Once executed, this malicious file, detected as TROJ_RANSOM.ZD, encrypts files found in the affected system. A pop-up notification appears, instructing the victim to pay for the file decryption. The desktop wallpaper is also modified to display the same message as that of the notification.
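The lure works because the file's name says one thing and its header says another. The check below is an added example written for this post, not code from the original article or from Trend Micro: it classifies a file by its leading bytes instead of its name and flags the two tricks a "PDF that is really an executable" relies on, an executable (MZ) header behind a document extension and a double extension such as invoice.pdf.exe, which Windows displays as invoice.pdf when known extensions are hidden. The sample file names (fatura, Turkish for invoice) and their contents are constructed for the demonstration; the magic-byte values are the standard ones for each format.

```python
import os
import tempfile

# Leading bytes of the formats this check distinguishes (standard values).
MAGIC = {
    "exe": b"MZ",          # DOS/PE executable header
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",  # also the container for DOCX/XLSX
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def sniff_type(head):
    """Classify a file by its first bytes rather than by its name."""
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(path):
    """Compare what a file claims to be (its name) with what it is (its header).

    Flags a document extension hiding an executable header, a .pdf without a PDF
    header, and a double extension such as 'invoice.pdf.exe'."""
    parts = os.path.basename(path).lower().split(".")
    declared = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    with open(path, "rb") as fh:
        head = fh.read(8)
    actual = sniff_type(head)
    reasons = []
    if declared in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        reasons.append("double extension: looks like .%s but runs as .%s" % (inner, declared))
    if actual == "exe" and declared not in EXECUTABLE_EXTS:
        reasons.append("executable header behind a .%s name" % declared)
    if declared == "pdf" and actual != "pdf":
        reasons.append("no PDF header in a .pdf file")
    return {"declared": declared, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def check_samples():
    """Constructed samples written to a temp dir; returns {name: inspection result}."""
    samples = {
        "fatura.pdf": b"%PDF-1.4\n%constructed\n",        # genuine PDF header
        "fatura.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",   # PE stub, double extension
        "fatura_2.pdf": b"MZ\x90\x00\x03\x00\x00\x00",     # PE stub, spoofed extension
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = inspect_attachment(path)
    return results


if __name__ == "__main__":
    for name, res in check_samples().items():
        print(name, "->", "SUSPICIOUS" if res["suspicious"] else "ok", res["reasons"])
```

Point inspect_attachment at a downloaded attachment before opening it; at a mail gateway the same header-versus-name comparison can run on every attachment rather than relying on the extension the sender chose.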

    Figure 1. Pop-up notification informing users of file encryption

    The message informs the victim that a vulnerability in the system was exploited to encrypt the files. The victim has three days to pay for the decryption password. An email address acts as the sole contact detail for the person behind this attack; this address belongs to a Ukrainian free email provider.

It's worth noting that the message specifically mentions IT administrators: according to the message, the data was encrypted using a technique that will supposedly take a thousand years to decrypt. In addition, to hide its malicious activity, any access to the malicious domain aside from the URLs used in this attack redirects to the legitimate website.

Second, we also saw users in Hungary targeted with ransomware. This particular variant is detected as TROJ_RANSOM.HUN; its message lists the file types that were encrypted, the steps to unlock the files, and the amount of the ransom (20,000 forints, or just under 90 US dollars).

Figure 2. Hungarian ransomware

    While the attacks may have very similar behavior, our analysis indicates that the malware files themselves are not related. This indicates that multiple cybercrime gangs have “gone local” and are adapting ransomware tactics to their local “markets”; they may have been inspired by the success of CryptoLocker in recent months.

Trend Micro blocks all related threats, emails, and URLs associated with these attacks. We advise users to exercise caution when opening all emails. Since the files cannot be decrypted (aside from perhaps paying the fee), it is also good practice to back up files regularly in case of incidents such as this one. Other safety practices can be found in a previous blog entry. More information about ransomware is provided in a special Threat Encyclopedia page.

Additional analysis and insights by Mark Manahan.

Posted in Malware, Spam


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice