
    We discovered GamaPoS, a new breed of point-of-sale (PoS) threat currently spreading across the United States and Canada through the Andromeda botnet. GamaPoS is the latest in a long list of threats that scrape off credit card data from PoS systems. Compared to its predecessors, GamaPoS uses malware coded using the .NET framework—a first in PoS threats.

    The GamaPoS threat uses a “shotgun” or “dynamite fishing” approach to reach targets, including unintended ones. It launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and relies on sheer volume to catch target PoS systems. Rough estimates show that GamaPoS may have hit only 3.8% of those affected by Andromeda.

    Based on our initial scans, we noted that GamaPoS has affected a number of organizations spread across 14 locations in North America, 13 of which are US states.

    • Arizona
    • California
    • Colorado
    • Florida
    • Georgia
    • Illinois
    • Kansas
    • Minnesota
    • Nevada
    • New York
    • South Carolina
    • Texas
    • Wisconsin
    • Vancouver, Canada

    Businesses that use Visa, Discover, and Maestro (among other credit and debit cards) risk losing their customers’ data to GamaPoS.

    GamaPoS in Focus

    The GamaPoS infection starts when victims access malicious emails that contain attachments such as macro-based malware or links to compromised websites hosting exploit kit content. This kind of modus operandi is similar to past Andromeda revivals.

    Once converted into Andromeda bots, the affected machines can be manipulated via a control panel that lets cybercriminals issue various commands. Attackers use copies of the tools Mimikatz and PsExec to gain control. GamaPoS itself, however, is installed only on certain instances.

    Figure 1. Andromeda to GamaPoS infection chain

    Both PsExec and Mimikatz are popular tools in targeted attacks. PsExec was used in the Target breach to kill processes and move files. It is a legitimate, whitelisted tool that attackers can use to remotely control systems and perform diagnostics on them. Mimikatz, on the other hand, is a publicly known tool, embedded in other tools, which attackers typically modify. It can be considered one of the best tools for gathering credentials from a Windows system. Having both PsExec and Mimikatz in the GamaPoS infection chain lets attackers move laterally inside target networks to a great degree.

    Some other notable findings on GamaPoS are as follows:

    • GamaPoS has specific targets in several industries worldwide.
      It is important to note that though the US experiences the brunt of the infections, other organizations in other countries are also affected. Below are some of the specific establishments victimized by GamaPoS:

      • Pet care
      • Theatre
      • Furniture wholesale
      • Home health care
      • Online Market stores
      • Retail
      • Records Storage Facility
      • Employment Agency and professional services
      • Credit union
      • Restaurant
      • Software developer for insurance
      • Software developer for telecoms
      • Industrial supply distributor
    • Attackers use compliance documents and MICROS updates as lures. They entice victims to download malicious files by making them believe the files will help with Payment Card Industry Data Security Standard (PCI DSS) compliance or with updating their Oracle® MICROS® platform. The recently discovered MalumPoS threat is also known to target systems running on MICROS.
    • GamaPoS holds the distinction of being a .NET scraper—something unseen in prior PoS threats.
      We can attribute this development to the fact that it is easier to create malware on the .NET platform and, now that Microsoft has made it available as open source, more developers are expected to use it for their applications. This makes .NET a viable platform for attacks.
      When loading, GamaPoS evaluates a list of URLs to see which command-and-control server (control panel) is up and running. Communication is done over HTTPS and, once a working panel has been selected, execution continues. There are no process exemptions: GamaPoS goes through all processes and dumps Track 2 data.
    • GamaPoS targets a range of cards, including Visa and Discover.
      While the evaluated sample does not perform Luhn validation, GamaPoS does manually filter the scraped data by checking its first few digits and its length:

      • 4 (length=12) – Visa
      • 56 to 59 (length=14) – Maestro and other ATM/debit cards
      • 6011 (length=12) – Discover Card
      • 65 (length=14) – Discover
      Finally, it would attempt to upload the collected data via the command-and-control server that has been selected during initial execution.
    • GamaPoS is closely linked to NitlovePOS, a new malware reported externally.
      Similarities between the two campaigns are no coincidences. Both are spread using a spam campaign that uses macro malware, and the initial stages of both campaigns are hosted in the same IP block.

    The Return of Andromeda

    Andromeda is a well-known botnet that surfaced around 2011. It’s notorious for delivering threats like Gamarue. Cybercriminals use Andromeda for its wide reach, letting them gain control of endpoints, effectively turning them into bots or zombies. The highly configurable and modular design of the Andromeda botnet has been noted to fit any malicious intent, like distributing ZeuS or, more recently, distributing a Lethic bot.

    Earlier this year, the Andromeda botnet was seen spreading macro-based malware—an old cybercriminal trick that has lately been regaining traction. Based on our research, the past few months seem to be quite busy for the Andromeda botnet. Its recent activity reveals its heavy presence in the United States.

    Andromeda is delivered to desktops either through spammed emails or exploit kit content. Both methods inevitably lead to the download of Andromeda binaries onto the computer. We found a total of 9 domains used in this campaign, all of which are hosted on one IP address. Globally, with 85% of the share, the United States is the top source of traffic going to this IP address. It is distantly followed by Canada with 2%.

    Figure 2. Global distribution of Andromeda-related traffic, [insert duration]


    Using an old botnet as a shotgun method to cast a wide net for targets has its merits. Using spam and exploit kits to establish a large mass of bots enables operators to steal information from specific targets, some of which can be resold to other threat actors.

    Another interesting move here was the deployment of PsExec and Mimikatz, two tools widely used in targeted attacks. More information about the stages of this threat and specific indicators can be found in the GamaPoS technical brief.

    Note that this threat combines a classic botnet with a PoS RAM scraper, and thus requires more sophisticated methods of protection. To deal with exploit kits and botnets like Andromeda, IT managers need to stay up to date on patches for the vulnerabilities exploited by these kits.

    Trend Micro is monitoring this ongoing activity. To read up on how to enhance your security posture on your point-of-sale systems, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.

    To prevent threats from coming in via malicious emails, enforce strong security policies that fit how your company uses email, so that threats like macro malware cannot pass through. Effective spam filters that evaluate whether attachments have malicious intent work best against these threats. Email attachment analysis in the Trend Micro™ Custom Defense™ technology has been proven to detect and help protect companies from targeted PoS threats that use email as their arrival vector.

    Additional malware analysis by Erika Mendoza and Marvin Cruz; additional information from Joseph C Chen, Maydalene Salvador and Numaan Huq.


    A vulnerability that allows attackers to create malicious certificates without depending on any external, trustworthy CA was fixed in the newest version of the open-source software OpenSSL, released July 9.

    Identified as CVE-2015-1793 (Alternative Chains certificate forgery) and rated “high severity”, the vulnerability allows attackers to use certificates to produce other valid certificates even if the signing certificate is not recognized by a Certificate Authority (CA).

    Using the proof of concept (POC) provided by the OpenSSL team, along with examples tested using the OpenSSL SSL/TLS server and client applications, we decided to look further into this vulnerability.

    Alternative certificate chains

    Before we get into the vulnerability itself, let’s first look at how certificates work in an SSL environment. To validate a certificate, a complete chain or hierarchy of certificates must be validated. If some certificate in that hierarchy is missing or wrong, it is possible to initiate an alternative validation by finding other certificates with the same Issuer Name. If the certificate to be validated is correctly verified using the Alternative Chain, it is trusted.

    When using OpenSSL applications, client and server, the certificate validation process uses two main sources of certificates. One is the certificates provided by the server to the client (or by the client to the server, in the case of client authentication); the other is the configured certificate store. OpenSSL builds and validates the certificate chain using both sources.

    Figure 1. Certificate validation process

    The diagram above shows the scenario where the client is establishing an SSL/TLS channel with the server, and the server sends the certificates A, B, and C in the SSL/TLS response (A is the main SSL/TLS certificate). The client is able to build two possible certificate chains from the server response and the Trust Storage certificates: Chain 1 and the Alternative Chain. If Chain 1 cannot be validated, the Alternative Chain is validated. Note that it is possible to build the Alternative Chain because the Issuer Name of B matches J.

    That is the process that implements Alternative Chain validation. One important aspect to note is that the client must have the J certificate inside the Trust Storage; otherwise the Alternative Chain validation process will never start.

    The alternative chains certificate forgery vulnerability

    The vulnerability exists in the latest implementation of Alternative Chain validation in OpenSSL, which allows the creation of a rogue certificate chain that can be successfully validated. The OpenSSL team has released a POC of such a chain, which shows how validation can be bypassed.

    The POC contains six certificates and one storage labeled Roots.

    Figure 2. POC setup

    There are several important details to note about this chain:

    • The certificate Leaf is signed by the subinterCA, but there is another certificate, subinterCA-ss, which contains the same Issuer Name as subinterCA and is self-signed.
    • Leaf is not a certificate authorized to sign or validate other certificates. It is simply a client certificate.

    Based on this premise, the attack can be implemented as the diagram below shows.

    Figure 3. Exploiting the vulnerability

    We can see the server sending three certificates to the client, and the client accepts them as a valid certificate chain, even though the chain is broken because the Leaf certificate is a rogue one. With that configuration, the client is able to build two certificate chains, as the image below shows.

    Figure 4. Two certificate chains

    The client side attempts to validate Chain 1 but fails and moves on to the Alternative Chain. The client builds the Alternative Chain because the certificate subinterCA-ss, in the client Trusted Storage, matches the Issuer Name of the Leaf certificate. However, in the process of building the new chain, the client ends up tracking the chain as if only one certificate in it were untrusted.

    In the image below, we can see the vulnerable code section (x509_vfy.c : X509_verify_cert()).

    Figure 5. Snippet of the vulnerable code

    The counter last_untrusted is decremented in the wrong place, and its final value for this case will be 1. This error is critical because, once the Alternative Chain is built, the validation of the chain extensions relies on the last_untrusted counter value. The actual validation happens in the section below:

    Figure 6. Code snippet

    Inside the method check_chain_extension(), we can see that because last_untrusted = 1, check_chain_extension() returns true, treating all the extensions in the completed chain as correctly validated.

    Figure 7. Certificates are accepted as valid
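    To make the counter bug concrete, here is an added Python model of the chain-building and check_chain_extension() logic described above; it is illustrative code written for this page, not OpenSSL's or the blog's. It assumes the six-certificate layout of the proof of concept (rootCA, interCA, subinterCA, a self-signed subinterCA-ss with the same name and key, a non-CA Leaf, and a "bad" certificate signed by Leaf), assumes the trust store holds interCA and subinterCA-ss, and reduces signature checks to matching key identifiers.

```python
from dataclasses import dataclass

# Constructed model of an X.509 certificate: a signature is modelled as
# "the key identifier that signed it equals the issuer's key identifier".
@dataclass(frozen=True)
class Cert:
    name: str      # subject name
    issuer: str    # issuer name
    key: str       # identifier of this certificate's public key
    sig_key: str   # identifier of the key that signed it
    is_ca: bool    # basicConstraints CA flag

    def self_signed(self) -> bool:
        return self.name == self.issuer and self.sig_key == self.key


def find_issuer(candidates, cert):
    """Model of get_issuer/check_issued: issuer name and signing key must match."""
    for c in candidates:
        if cert.issuer == c.name and cert.sig_key == c.key:
            return c
    return None


def verify(target, untrusted, store, fixed):
    """Model of X509_verify_cert chain building: fixed=False mirrors the
    vulnerable 1.0.2c accounting, fixed=True the 1.0.2d fix.
    Returns (status, last_untrusted, chain subject names)."""
    chain, last_untrusted = [target], 1
    # Step 1: extend with the certificates supplied by the peer (all untrusted).
    while not chain[-1].self_signed():
        nxt = find_issuer(untrusted, chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        last_untrusted += 1
    j = len(chain)  # "remember how many untrusted certs we have"
    while True:
        # Step 2: extend from the trust store until a self-signed cert is reached.
        while not chain[-1].self_signed():
            nxt = find_issuer(store, chain[-1])
            if nxt is None:
                break
            chain.append(nxt)
        # Step 3: check_trust succeeds when the chain ends in a trusted root.
        if chain[-1].self_signed() and chain[-1] in store:
            break
        # Step 4: alternative chain: find a lower cert with an issuer in the store.
        retry = False
        while j > 1:
            j -= 1
            if find_issuer(store, chain[j - 1]) is not None:
                while len(chain) > j:      # dump every cert above position j
                    chain.pop()
                    if not fixed:
                        # BUG: decremented once per popped cert, although the
                        # trusted certs popped here were never counted as untrusted
                        last_untrusted -= 1
                if fixed:
                    last_untrusted = len(chain)  # 1.0.2d: what remains is all untrusted
                retry = True
                break
        if not retry:
            return "UNABLE_TO_GET_ISSUER_CERT", last_untrusted, [c.name for c in chain]
    # Step 5: check_chain_extension() only inspects the first last_untrusted certs;
    # every inspected cert above the end entity must carry CA=TRUE.
    must_be_ca = False
    for i in range(last_untrusted):
        if must_be_ca and not chain[i].is_ca:
            return f"INVALID_CA at depth {i}", last_untrusted, [c.name for c in chain]
        must_be_ca = True
    return "OK", last_untrusted, [c.name for c in chain]


# Constructed six-certificate layout of the proof of concept.
ROOT = Cert("rootCA", "rootCA", "k_root", "k_root", True)
INTER = Cert("interCA", "rootCA", "k_inter", "k_root", True)
SUBINTER = Cert("subinterCA", "interCA", "k_sub", "k_inter", True)
SUBINTER_SS = Cert("subinterCA", "subinterCA", "k_sub", "k_sub", True)  # same name and key
LEAF = Cert("leaf", "subinterCA", "k_leaf", "k_sub", False)             # CA=FALSE
BAD = Cert("bad", "leaf", "k_bad", "k_leaf", False)                     # signed by a non-CA


def run_poc(fixed):
    """Peer sends bad, leaf, subinterCA; trust store holds interCA and subinterCA-ss."""
    return verify(BAD, [LEAF, SUBINTER], [INTER, SUBINTER_SS], fixed)


def run_honest(fixed):
    """A legitimate chain (leaf -> subinterCA -> interCA -> rootCA) for comparison."""
    return verify(LEAF, [SUBINTER], [INTER, ROOT], fixed)


if __name__ == "__main__":
    for fixed in (False, True):
        print("1.0.2d" if fixed else "1.0.2c", run_poc(fixed))
```

    Running it shows the vulnerable accounting ending with last_untrusted = 1 and the rogue chain accepted, while the fixed accounting (last_untrusted = 2) rejects Leaf as an invalid CA at depth 1.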

    Attack Scenarios

    The vulnerability affects how the certificate chain is validated, which attackers can exploit to use any kind of certificate to sign other certificates. In theory, two types of attack can be implemented:

    The first is the man-in-the-middle (MITM) attack, wherein an attacker sends a malicious chain to the client. The same applies to attacking or impersonating a client when SSL/TLS client authentication is used.

    Figure 8. Diagram of a MITM attack

    The second type of attack involves using a rogue SSL/TLS server to implement phishing attacks. This can be done with the attacker controlling the SSL/TLS server.

    Figure 9. Phishing attack by way of controlled server


    The vulnerability allows the creation of a certificate hierarchy that can be validated successfully, even when some of the intermediate certificates are not vouched for by any CA. This can be exploited, leading to attacks including MITM attacks.

    While the vulnerability is rated as severe, the attack surface is very limited due to the following conditions:

    • The server or client Trust Storage must contain a certificate whose name matches in order to trigger the Alternative Chain processing.
    • Some applications that use OpenSSL implement the certificate validation process outside of OpenSSL.
    • Commonly used browsers (Internet Explorer, Firefox, Safari and Chrome) do not use OpenSSL, which reduces the chances of being affected by this bug.

    While popular browsers may not use OpenSSL, there are other products that do so. Developers of open source products and commercial software that rely on OpenSSL need to assess if their products are affected and apply the patch if needed.

    Vulnerability protection in Trend Micro Deep Security protects systems from threats that may leverage this issue with the following DPI rules:

    • 1006855 – OpenSSL Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)
    • 1006856 – OpenSSL Client Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)

    July has proved to be a busy month for both software vendors and security researchers, as various zero-day vulnerabilities were reported. In this month’s Patch Tuesday, Microsoft addressed the recently discovered zero-day vulnerability in Internet Explorer that also emerged from the Hacking Team leak. The vulnerability, covered in MS15-065 and rated ‘critical’, could allow attackers to take control of the system once successfully exploited. In addition, proof-of-concept (PoC) code has been spotted by one of our threat researchers. All in all, Microsoft released a total of 14 security bulletins, 4 of which are tagged ‘critical’ and the rest ‘important’.

    Adobe has also rolled out security patches to fix the recent slew of Flash zero-day vulnerabilities that also came out of the Hacking Team leak. The two Adobe Flash Player zero-day vulnerabilities, assigned CVE-2015-5122 and CVE-2015-5123 respectively, can allow an attacker to take control of the affected system once successfully exploited. Our researchers are continuously monitoring any vulnerabilities and exploits that may arise from the whopping 440GB of leaked emails from Hacking Team.

    Oracle also joined the bandwagon and released its own security updates to fix the Java zero-day vulnerability (designated CVE-2015-2590), the first Java zero-day in nearly two years. This zero-day exploit was used in the targeted attack campaign Operation Pawn Storm, which has often hit military and defense contractors from the US and its allies, among others. Oracle’s patch update also contains fixes for 193 other new vulnerabilities.

    Trend Micro solutions

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006750 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1733)
    • 1006754 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1738)
    • 1006831 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2397)
    • 1006832 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2401)
    • 1006833 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2406)
    • 1006835 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2408)
    • 1006837 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2411)
    • 1006839 – Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-2421)
    • 1006840 – Microsoft SQL Server Remote Code Execution Vulnerability (CVE-2015-1762)
    • 1006841 – Microsoft Windows VBScript Memory Corruption Vulnerability (CVE-2015-2372)
    • 1006842 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-1729)
    • 1006843 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2383)
    • 1006845 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2383)
    • 1006846 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2388)
    • 1006847 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2389)
    • 1006848 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2390)
    • 1006849 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2391)
    • 1006850 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
    • 1006851 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2403)
    • 1006852 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2404)
    • 1006853 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2422)
    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability (CVE-2015-2590)
    • 1006859 – Adobe Flash Player BitmapData Remote Code Execution Vulnerability (CVE-2015-5123)
    • 1006867 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-2413)
    • 1006868 – Microsoft Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2419)
    • 1006869 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2425)
    • 1006872 – Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-2369)
    • 1006873 – Microsoft Excel ASLR Bypass Vulnerability (CVE-2015-2375)
    • 1006874 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2376)
    • 1006875 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2377)
    • 1006876 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2379)
    • 1006877 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2380)
    • 1006878 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2415)
    • 1006879 – Microsoft Windows Graphics Component EOP Vulnerability (CVE-2015-2364)
    • 1006880 – Microsoft Windows OLE Elevation Of Privilege Vulnerability (CVE-2015-2416)
    • 1006881 – Microsoft Windows OLE Elevation Of Privilege Vulnerability (CVE-2015-2417)

    Users are strongly advised to update their software and systems with the latest patches from Microsoft, Adobe, and Oracle. For additional information on these security bulletins, visit our Threat Encyclopedia page.




    6:12 am (UTC-7)   |    by

    Our monitoring of Operation Pawn Storm has led us to an interesting finding: the domain we previously reported as hosting the Java 0-day used in the latest Pawn Storm campaign was modified to now lead to a Trend Micro IP address. Our investigations have shown that our systems have not been attacked or compromised. The attackers have simply redirected a DNS record to point to a Trend Micro IP address, likely in retaliation for our disclosure and the subsequent patching of the Oracle Java zero-day vulnerability they were exploiting.


    Figure 1. Changes in the Pawn Storm infection chain

    The DNS A record of the domain ausameetings[.]com now points to an IP address belonging to Trend Micro. While it was serving the zero-day exploit, the IP address of ausameetings[.]com was 95[.]215[.]45[.]189.


    Figure 2. DNS A record of ausameetings[.]com

    We are not sure when the domain was pointed to Trend Micro, but based on the DNS record naming convention, it was most likely modified to point to Trend Micro yesterday, July 14.

    We do not have clear evidence that points to the cause behind these developments, but we see the following possible motives:

    • To serve as a form of retaliation by the Pawn Storm operators against Trend Micro for disclosing details about their most recent campaign
    • To mislead network administrators into associating our IP address to the attack, possibly causing admins to mistakenly block it
    • To deceive security researchers into thinking that the Trend Micro IP address is compromised or being misused by Operation Pawn Storm

    It bears stressing that we found no traces of compromise or misuse. We will continue to monitor this and update this post as soon as there are relevant developments.

    Operation Pawn Storm is a campaign known to specifically target government organizations. One of its most recent campaigns targeted NATO members as well as the White House.

    We first discovered the Java 0-day being used in Operation Pawn Storm late last week. Oracle released a security update to address the vulnerability yesterday, July 14.


    What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS).

    Simply put, BPHS is any “hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure.” If I were to compare them with real-life crime rings, BPHS would be those hideouts criminals use to perform their illegal activities in private. In the context of cybercrime, it is very common to belittle the role of BPHSs in cybercriminal operations and instead focus on revealing the bad guys’ identities or discussing their modus operandi. But the truth is: BPHSs are crucial. They are so crucial, in fact, that many major cybercriminal groups would not be able to operate without them.

    So why not just shut them down? Well, the thing with BPHS takedowns is that they are easier said than done.

    In my paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services”, I cite several factors that make BPHSs an imposing challenge for security and law enforcement organizations. For one, many BPHS providers operate under the guise of legitimate and legal hosting providers. This makes tracking them a lot trickier.

    Running BPHS as a Business

    BPHS providers usually choose one of three business models when building their services, as follows:

    • Model 1: Dedicated bulletproof servers
      BPHS providers create a convincing business front to avoid suspicion from law enforcement. They usually cater to customers who need to host content that may be considered illegal in certain countries.
    • Model 2: Compromised dedicated servers
      BPHS providers choose to compromise dedicated servers and rent these out to parties who wish to host malicious content.
    • Model 3: Abused cloud-hosting services
      Cybercriminals abuse cloud-hosting services like Amazon Web Services (AWS), Hetzner, OVH, and LeaseWeb to host C&C servers or drop stolen data, among other malicious purposes.

    It is important for these BPHS providers to be able to retain their name or domain for a long time, as this shows how adept they are at keeping customers’ activities confidential, particularly from security researchers and law enforcers. Longtime providers are usually kept afloat by their capability to provide immediate technical support, quickly migrate in case they’re blacklisted, protect against DDoS attacks, and advertise cleverly to reach their specific clientele.

    Figure 1. Sample of a BPHS provider with expensive offerings

    Pricing for BPHSs depends on the risk involved in hosting certain content. Providers in several countries offer servers for as low as US$2 per month for low-risk content, while servers based in China, Bolivia, Iran, and Ukraine can go as high as US$300 per month for critical infrastructure projects or high-risk content. (You can find a more detailed description of the risk ratings, or toxicity, of BPHS servers in the paper.)

    Takedown Impossible

    Another challenge for security and law enforcement organizations is the fact that these services operate in locations that do not heavily police cybercrime. BPHSs are often based in countries with lax laws and regulations against cybercriminal activity.

    We looked at several BPHS providers in different countries and noted the types of malicious content they frequently host. Do note that this list is not exhaustive. There are many more bulletproof hosts that operate in other countries not cited here.

    Figure 2. Malicious content found in BPHS servers in certain countries

    My FTR colleague, Bob McArdle, sums up the challenges BPHSs pose pretty well: “The very nature of BPHSs is that they protect malicious activity against law enforcement, giving cybercriminals the much-needed loophole to wriggle out of and escape from the clutches of both law enforcement and the security industry. That loophole unfortunately largely remains open today.”

    The paper contains more insights on BPHSs as well as a system for classifying them, to help my fellow security researchers and law enforcement agencies in their own investigations.

    Read the full paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services.”
