Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception.

We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to redirect users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”.

It does this by redirecting all traffic to facebook.com and www.facebook.com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site.

Users eager to log into Facebook may fall victim to this ruse, taking  the ‘security check’ for face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration.

Figure 1. Fake Facebook Security Page

Read the rest of this entry »

Black Hat Europe is a series of highly technical security conferences that gathers professionals, researchers, and leaders of the infosec industry. Below are some of my thoughts about the interesting discussions I attended, which include a compelling talk by Trend Micro threat researcher Kyle Wilhoit about ICS/SCADA.

Day 1

My colleague Kyle and I joined the first session of the full-day vehicle networks workshop. Robert Leale of www.canbushack.com gave a nice introduction to controller area network (CAN) bus and other bus systems by, in which he gave basic information on the types of networks found in modern vehicles. I went to the next talk, “Let’s Play – Applanting” by Ajit Hatti, the co-founder of “null -Open security community,” where he described an attack to silently install an app in a user’s device (this has already been fixed by Google). As it turns out, a lot of people in India use their smartphones for online banking.

“XML out-of-band data retrieval” from Alexey Osipov and Timur Yunusov, which I attended later, showed how to retrieve data from an internal machine and network using several web applications.

Because I own a Huawei USB UMTS/4G stick, I went to the talk “Huawei – From China with Love” from Nikita Tarakanov and Oleg Kupreev. From the discussion, I gathered that the software (available for Windows and Mac) seems to be a mess, security-wise.

One of the better conferences of the day, Tobias Jeske presented the results of his research about floating car data from smartphones, based from Google Navigation and Waze. For his research, he reversed engineered the protocols with an MiTM proxy and source code and later explained to us the several possible attacks that can be launched.

Day 2

The first talk for the day was “The Sandbox Roulette”, which we can summarize as “for an application sandbox (Sandboxie, Chrome, Adobe X) the weakest link is the Windows kernel. An hypervisor sandbox is more secure than an application sandbox.”

Read the rest of this entry »

Hacktivism and crime is a toxic combination for the health of the Internet. This was shown once again in the recent DDOS attack against Spamhaus.org that peaked at 300 Gbit/s. Spamhaus is a non-profit anti-spam organization that helps to filter spam for millions of Internet users. When Spamhaus goes down a lot of inboxes will be flooded with spam.

The DDOS attack was allegedly orchestrated by a Dutch webhosting company called Cyberbunker and CB3Rob. This webhosting company has roots in the hacker scene and has hosted Wikileaks and the Pirate Bay in the past. Cyberbunker claims to have a datacenter in a former NATO bunker in the Netherlands. It is not clear whether that is still true today, and what exact role Cyberbunker had in the DDOS attack against Spamhaus. The owner of Cyberbunker/CB3Rob does act as the spokesman of an attack that tries to blast a company away from the Internet as if that is a normal job. Here is where so called hacktivism on the Internet has derailed totally. The boundary between crime and hacktivism has been blurred. A reality check for Cyberbunker is in order.

Spamhaus claims that Cyberbunker/CB3rob is among the worst webhosting companies in the world. We do see problems ourselves too, but we wouldn’t rate CB3Rob as the worst webhosting company. However, CB3Rob claims that it will host anything except things related to child abuse and terrorism. This may be inspired by an idealistic view that anybody should have an uncensored access to the Internet and inspired cybercriminals as well. This is where hacktivism meets crime – a toxic combination.

A good illustration that crime corrupts hacktivsm is that the network of Cyberbunker has been used in a BGP hijack of an IP address of a DNS server of Spamhaus (https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/). The DNS servers of Spamhaus are a vital part of its antispam protection. The hijack was an attempt to inject lots of false positives into the spam reputation system of Spamhaus. Though this hijack did not cause a lot of damage as most networks did not accept the hostile BGP announcement, the intention was clear: someone using Cyberbunker/CB3Rob’s network tried to sabotage the spam reputation system of Spamhaus. It does not resemble hacktivism, but rather resembles crime.

Read the rest of this entry »

Our investigation and analysis of last week’s MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.

The MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:

• Agentbase.exe –the actual MBR wiper, also detected as TROJ_KILLMBR.SM
• ~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
• Alg.exe – non-malicious file, related to PuTTY client
• Conime.exe – non-malicious, related to PuTTY client

However, before it wipes the MBR, it performs two additional routines: firstly, it terminates the processes of two Korean antivirus suites, if these are running on the affected systems. (Other variants we’ve seen also terminate a third antivirus product, which is also Korean.)

Secondly, it searches for saved SSH credentials from two known SSH clients – mRemote and Secure CRT. It searches the folders where these two clients save credentials, namely:

• %AppDataLocal%\Felix_Deimel\mRemote\confCons.xml (for mRemote)
• %Application Data%\VanDyke\Config\Sessions (for Secure CRT)

It checks the credentials stored at these locations at looks for accounts with root access to servers. If it finds any, the malware will attempt to log onto these servers. It checks the operating system of these servers; if it find any of the following operating systems it will upload the ~pr1.tmp file to this server and run it.

• AIX
• HP-UX
• Linux
• SunOS

The actual MBR wiper overwrites the MBR with three repeated strings: PRINCPES, HASTATI. or PR!NCPES. Some variants of this wiper only trigger at or before 2PM on March 20, 2013; others may trigger only at 3PM or later. Deleting the MBR results in the system being unable to boot as normal.

For newer versions of Windows (Vista and later), some variants of the MBR wiper also deletes all files in all folders on the affected system as well. It restarts the PC, and users are then unable to use their machine.

Read the rest of this entry »

With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks.

We recently uncovered a malware that appears to be using Evernote as a communication and control (C&C) server. Detected as BKDR_VERNOT.A, the malware attempts to connect to Evernote using https://evernote.com/intl/zh-cn as its referrer, perhaps to make it look like a malicious user.

Figure 1. BKDR_VERNOT.A strings showing how it attempts to access Evernote

Figure 2. BKDR_VERNOT.A connecting to Evernote.

Figure 3. BKDR_VERNOT.A logging into Evernote.

The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process. The said .DLL file performs the actual backdoor routines.

Once installed, BKDR_VERNOT.A can perform several backdoor commands such as downloading, executing, and renaming files. It then gathers information from the infected system, including details about its OS, timezone, user name, computer name, registered owner and organization.

But here’s the interesting part: BKDR_VERNOT.A retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account. The backdoor may also use the Evernote account as a drop-off point for its stolen information.

Unfortunately, during our testing, it was not able to login using the credentials embedded in the malware. This is possibly a security measure imposed by Evernote following its recent hacking issue.

As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys’ tracks and prevent efforts done by the security researchers. Because BKDR_VERNOT.A generates a legitimate network traffic, most antimalware products may not readily detect this behavior as malicious. This can be troubling news not only for ordinary Internet users, but also for organizations with employees using software like Evernote.

Though this is a clever maneuver to avoid detection, this is not the first time that a legitimate service like Evernote was used as a method of evasion. Late last year, BKDR_MAKADOCS.JG was found using Google Docs to communicate to its C&C server. Similarly, the file-hosting site Sendspace was used as a storage of stolen information by TSPY_SPCESEND.A, a spyware that gathers MS Word and Excel files. Malware like BKDR_MAKADOCS.JG, TSPY_SPCESEND and now BKDR_VERNOT.A only show the extent that online bad guys will go to to hide their schemes.

To avoid this threat, you must always be cautious with visiting unknown websites and opening email messages. Trend Micro Smart Protection Network detects both the malware cited in this blog entry.

Update as of April 4, 2013 1:00 AM PDT

We have been in communication with Evernote regarding this incident, and are working with them to detect any other malware that may attempt to use Evernote for malicious purposes.

We also wish to reiterate that BKDR_VERNOT.A was unable to actually log into Evernote because of the incorrect credentials that were hard-coded into the malware. No notes or other information on Evernote servers was actually read, created, or modified.

Had the malware been successful in accessing the notes, it would have used the Evernote account to:

• Retrieve information about C&C server in one of the notes saved
• Obtain backdoor commands from the notes saved
• Use the Evernote account as a drop-off point for stolen information

After getting commands from the Evernote account, the malware would have been able to execute the following backdoor commands:

• Download files
• Execute files
• Rename files
• Unzip archive files