
Showing posts with the label Malwares Blog.

Saturday, 24 March 2012

Compromised WordPress sites Drive Users to Blackhole Exploit Kit


We were alerted to reports of a mass compromise of WordPress sites that leads to CRIDEX infection. To lure users to these compromised sites, the cybercriminals behind this campaign employed spammed messages purporting to come from known legitimate sources such as the Better Business Bureau and LinkedIn, to name a few. These spam messages use social engineering tactics to entice unsuspecting users to click the link found in the email.
Clicking this link leads through a series of compromised WordPress sites, which ultimately point users to the Blackhole Exploit Kit, which targets the vulnerabilities in CVE-2010-0188 and CVE-2010-1885. Trend Micro detects this as JS_BLACOLE.IC.
Once users click on any of the URLs shown in Figure 3, they are redirected to sites that host the exploit kit.
Based on our analysis, the exploit results in the installation of WORM_CRIDEX.IC on the affected system. When executed, this worm connects to a remote site, http://{Random URL}.ru:8080/rwx/B2_9w3/in/, to download its configuration files.
WORM_CRIDEX.IC was also found to generate several random domains using a domain generation algorithm (DGA). This is a well-known technique used by cybercriminals to evade law enforcement and to keep botnets from being shut down: because the bot derives its rendezvous domains itself, taking down any one domain does not cut it off from its operators. The malware also uses the DGA to locate its configuration file. As of this writing, the exact behavior of the sample depends on that configuration file. Based on static analysis, however, it is capable of executing a file, deleting a file or folder, and retrieving certificates from a certificate store. During our testing we were unable to download the configuration file, as it was no longer available.
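The defender's side of a DGA, as an added example that is not part of the original post and is not Cridex code: the post does not describe the real Cridex algorithm, so the generator below is a hypothetical, date-seeded one (the seed format, the 12-letter labels and the TLD list are all assumptions). What it shows is why reverse engineering the algorithm matters: once it is known, the day's domains can be pre-computed for blocking or sinkholing and matched against DNS logs to find infected hosts. The log lines are constructed for the example.

```python
"""Toy domain generation algorithm (DGA) and a matcher that runs it over DNS logs.

Added example, not Cridex code. The generator is a hypothetical date-seeded
algorithm; the point is the defender's workflow once an algorithm has been
recovered: pre-compute today's domains, then hunt for them in DNS query logs.
"""
import hashlib

TLDS = (".ru", ".com", ".net")  # assumption: the toy picks TLDs from this list


def generate_domains(day: str, count: int = 10) -> list:
    """Return the `count` domains the toy DGA would use on `day` ("YYYYMMDD").

    The seed is the date only, so every infected host (and the defender) derives
    the same list; the operator registers one of them ahead of time.
    """
    if len(day) != 8 or not day.isdigit():
        raise ValueError("day must be YYYYMMDD")
    seed = day.encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        # 12 lowercase letters from the digest, then a TLD chosen by the next byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(label + tld)
    return domains


def find_dga_lookups(log_lines, day: str, count: int = 10) -> list:
    """Match DNS query log lines against the domains generated for `day`.

    Log format assumed: "<timestamp> <client-ip> query <qname>".
    Returns (client_ip, qname) pairs whose qname is one of the generated domains.
    """
    wanted = set(generate_domains(day, count))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in wanted:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    seed_day = "20120324"  # the post's date, used as the seed day
    todays = generate_domains(seed_day)
    print("domains to block/sinkhole today:", ", ".join(todays))
    # Constructed log lines: one benign lookup and one hit on a generated domain.
    sample_log = [
        "2012-03-24T10:00:01 10.0.0.5 query www.example.com.",
        "2012-03-24T10:00:02 10.0.0.9 query " + todays[0] + ".",
    ]
    for client, name in find_dga_lookups(sample_log, seed_day):
        print(f"possible infected host {client} looked up {name}")
```

In practice the generated list is fed to a DNS RPZ or proxy blocklist, and the matcher is run over yesterday's logs with yesterday's seed, since hosts that resolved a registered DGA domain are the ones to image first.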
Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which blocks malicious URLs related to this attack as well as detecting the related malware. To avoid encountering these compromised sites, users should think twice before clicking links found in dubious-looking messages. Always verify the validity of received messages, especially those that claim to be from well-known sources.
With additional text and analysis by security evangelist Ivan Macalintal.

Signed Malware – You can run…But you can’t hide


It’s been over a year now since McAfee became an Intel company, and the team and I have been privileged to be part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in the news validate what we’ve been working on, and this blog serves as an update to our followers.

Signed Malware Prevalence

Digitally signed malware has received media attention recently. Indeed, over 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.
Chart: Unique Malicious Binaries Discovered With Valid Digital Signatures (cumulative, starting January 2012)
Source: McAfee Labs Sample Database

Why Sign?

Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies.  Much of this malware is signed with stolen certificates, while other binaries are self-signed, or “test signed”.  Test signing is sometimes used as part of a social engineering attack.
Which signature is real?
Answer:  Well, they’re both real and valid certificates, but one is test signed.

Test Signing

Test signing is particularly useful to attackers on 64-bit Windows, where Microsoft enforces kernel driver signing. By default such drivers will not load. However, Microsoft provides developers with a means of disabling this policy (test-signing mode), and malware authors have learned to do the same. 64-bit rootkits such as Necurs, used by Banker, Advanced PC Shield 2012, and Cridex, use this approach to compromise the operating system. Whether a machine has been switched into this mode can be checked with bcdedit /enum {current}, which lists testsigning Yes when the policy has been relaxed. To combat this, Deep Defender v1.0.1 blocks test-signed drivers by default, while allowing ePO administrators to selectively exclude in-house kernel driver developers’ systems as necessary.
This is just one layer of protection, of course. Security is about “defense in depth”, from network to silicon. Real-time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.

Trying to Hide

Being able to observe transient events in memory allows DeepSAFE to get past the obfuscated file views that challenge traditional antivirus solutions.
Case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows over 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack, 0day.
After the attacks were known, the certificate was revoked
Here DeepSAFE intercepts the malware attempting to clear the write-protection (WP) bit of the CR0 control register, the step that lets it patch read-only kernel code, and then install kernel inline hooks on the ZwResumeThread function.
VirusTotal shows traditional file scanning was not very successful against this particular sample (2 out of 43 scanners detecting):

More to Come

For some time now we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes and we are likely seeing the fruits of that labor. With so much malware on the line, we are sure to see this signed malware trend continue higher.
P.S. Deep Defender v1.0.1 is currently in beta and is expected to hit the market in Q2.  If you’re interested in helping protect the world beyond the OS, we’re hiring.

Privacy in the Digital Age: Whose Data Is It, Anyway?


Concerns about privacy on the Internet have always been out there, but news events of late seem to be bringing this problem more and more into the public eye.
Earlier this month, Google began implementing its “new” privacy policy – despite opposition from many parties, including French and European Union regulators. The new privacy policy allows Google to consolidate what it knows about users across all of its services, something it had never done before. According to Google, this makes for a “simpler, more intuitive Google experience.”
It’s not just search engines themselves falling under watch for privacy problems. Early in February, the popular Path and Hipster apps were discovered to be uploading user address books to their servers. Later on, it was discovered that both iOS and Android suffered from problems that allowed apps access to user photos even if the user had not granted that particular permission.
So far, there really hasn’t been a good set of guidelines that companies holding our data could be held accountable to and asked to follow. Essentially, companies with access to our private data were left to their own devices when it came to treating that data – with predictable consequences to our privacy.
In February, it was announced that many advertising networks and leading Internet companies such as AOL, Google, Microsoft, and Yahoo have all agreed to implement the Do Not Track feature: essentially, it stops websites (and advertising networks) from tracking users. This blocks certain practices used by advertisers, such as personalized advertising.  (We discussed personalized advertising earlier on our ebook Be Privy to Online Privacy.)
This was in line with a White House blueprint for what it called a “Consumer Privacy Bill of Rights”. The set of principles that the white paper includes are all sound and, frankly, common sense: they give users’ online data the same set of protections that they should have offline. Fundamentally, the US approach calls for Internet companies and industries to voluntarily adopt regulations which are then enforced by regulatory agencies.
Does this mean that users no longer have to worry about their privacy, that advertisers and website owners will no longer abuse what they know about users? Sadly, that is far from being the case.
The Do Not Track announcement was not about anything that could be immediately implemented. How Do Not Track will actually be implemented – and thus, whether it actually works – is not yet entirely clear. In short, it will take some time for Do Not Track to actually be something that users can turn on.
What these steps do mean is that regulators are finally paying attention to privacy as an issue, and companies are realizing that they have to start paying some attention, instead of just issuing blanket statements that said nothing. European privacy regulators have already launched a probe into Google’s new privacy policy. As a result of a settlement with California authorities, app store operators like Apple and Google have agreed in principle to make app developers include privacy policies if their apps gather user information.
User concern about tracking and personal privacy is very real. A Pew Research poll found that almost two-thirds of American search engine users disapproved of personalized search results. A similar number had negative views on targeted advertising. A separate study by the University of Queensland found similar attitudes among Australian users. Clearly, users have serious concerns about what kind of information is gathered about them, and how this information is being used.
The debate over privacy in the digital age will, no doubt, continue. Different people will have different standards for what they consider the acceptable trade-off between convenience and privacy is. Users should be free, however, to make that decision for themselves – and to have the information and tools to decide where their data will end up going.

Wednesday, 21 March 2012

Virus Bulletin Spam Filter Test


Virus Bulletin updated its spam filter test, and found that compared to last year, spam filters are doing worse. Sadly, the detailed results are only for paid subscribers. But Virus Bulletin published a brief summary of the latest result as a teaser [1]. 
I think this is not all bad news. To understand this, one has to consider that the overall volume of spam has dropped significantly. The takedown of some large botnets removed a lot of easy-to-classify spam from the net, leaving a more diverse "spam zoo" that is not as easy to classify. So I don't think this trend is as "worrying" as Virus Bulletin makes it sound.

[1] http://www.virusbtn.com/news/2012/03_18.xml

Thursday, 15 March 2012

Malicious Email Campaign Uses Current Socio-Political Events as Lure for Targeted Attack


We have recently analyzed a series of emails sent to specific users that leverage a certain prominent socio-political issue. One of these messages is about a supposed statement from the German Chancellor regarding the protests in Lhasa, Tibet. The From field indicates that it came from a key officer of the ATC, or Australia Tibet Council. But of course the email is faked, and the email address was simply created and used to impersonate the said ATC officer. It also includes a .DOC file that supposedly contains the relevant parts of the statement. Once opened, the file, detected as TROJ_ARTIEF.AE, exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop other files. The dropped file is detected as TSPY_MARADE.AA. TSPY_MARADE.AA was found to gather network and system information by executing specific shell commands. The stolen data are then uploaded to malicious sites.
We received another sample with more details in its message. It purportedly comes from the Tibetan Women’s Association (TWA) Central and contains the recent speech given by TWA during the 56th Session of the United Nations Commission on the Status of Women. Like the first sample, it comes with a .DOC file of the complete speech. This attachment is detected as TROJ_ARTIEF.CP and drops the malware TROJ_REDOSDR.AH.
Based on our analysis, we have reason to believe that these messages are part of a targeted attack. Both samples use specific political issues as social engineering bait. We also noticed that the people behind these attacks have a certain level of knowledge about the important figures and organizations in the Tibet Movement. The messages spoofed the organizations TWA Central and Australia Tibet Council to appear credible to the intended recipients. This is a common technique used by spammers and by those behind targeted attack campaigns, and it does not necessarily mean that these groups were compromised. Adding to our suspicion that this is a targeted attack, the TWA sample email was directed specifically to the email address of a prominent Tibetan figure.
Below is a list of email we intercepted with malicious attachments related to this incident. This list, however, is not definitive as there may be other variants yet to be seen.
Email Subject | Attachment File Name | Attachment Type | Attachment Detection Name | Dropped File Detection Name
Germany Chancellor Again Comments on Lhasa protests | Germany Chancellor Again Comments on Lhasa Protests.doc | .DOC | TROJ_ARTIEF.SV | TSPY_MARADE.AA
TWA’s speech in the meeting of the United Nations Commission for Human Rights | TheSpeech.doc | .DOC | TROJ_ARTIEF.CP | TROJ_REDOSDR.AH
Fowarding of TWA message | English_Final_Statement.doc, English_Final_Statement_1.doc | .DOC | TROJ_ARTIEF.DA, TROJ_ARTIEF.DB | TROJ_SWISYN.GT
Open Letter To President Hu | Letter.doc | .DOC | TROJ_ARTIEF.DD | TSPY_ROFU.NSS
Tibetan environmental situations for the past 10 years | Tibetan environmental statistics.xls | .XLS | TROJ_MDROPPR.BJ | BKDR_MECIV.AC
An Urgent Appeal Co-signed by Three Tibetans | Appeal to Tibetans To Cease Self-Immolation.doc | .DOC | TROJ_ARTIEF.CX | TROJ_SASFIS.UL
About TYC Centrex Notice and New email id of TYC Centrex | Centrex_Contact.doc | .DOC | TROJ_ARTIEF.CZ | TROJ_SHWOM.A
[Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day. | march10.doc | .DOC | TROJ_ARTIEF.DF | TROJ_SHWOM.A
10th march speech | 10th March final.doc, 10th March final.pdf | .DOC, .PDF | TROJ_ARTIEF.CU | BKDR_MECIV.AA, BKDR_MECIV.AD
FW: Call for End to Burnings | Support List.xls | .XLS | TROJ_MDROPPR.BK | BKDR_PROTUX.BK, BKDR_PROTUX.BJ
Public Talk by the Dalai Lama _ Conference du Dala_ Lama Ottawa, Saturday, 28th April 2012 | Public Talk by the Dalai Lama.doc | .DOC | TROJ_ARTIEF.DG | TROJ_SWISYN.GT
Bonafide Certificate of Miss Tenzin Tselha | tentselha.zip (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg) | ZIP (containing LNK, EXE, JPG) | TROJ_REDOSDR.AH | TROJ_REDOSDR.AH
TWA mourns the self immolation deaths of two female protesters this past weekend | TWA mourns the self immolation deaths of two female protesters.doc | .DOC | TROJ_ARTIEF.SM3 | TSPY_MARADE.AA, TSPY_ZBOT.BPG
Self-Immolations: New heightened form of Non Violent protests in Tibet | TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc | .DOC | TROJ_ARTIEF.DH | BKDR_AGENT.ZZZZ
Arrest and protests mar ‘Losar’ week in Tibet.eml | an appealing letter to the United Nations.doc | .DOC | TROJ_ARTIEF.CW | TROJ_SWISYN.HV
UN Human Rights Council publishes written statement on discrimination in Tibet.eml | G1210456.doc | .DOC | TROJ_ARTIEF.CT | TROJ_SWISYN.HV
Students For A Free Tibet !.eml | Action Plan for March 10th.doc | .DOC | TROJ_ARTIEF.JD | BKDR_DUOJEEN.A
The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from as far back as 2008, such as the ones we wrote about here and here, you will find similarities with past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Word vulnerability to drop information-stealing malware.
If you see any of these messages in your inbox, please delete them immediately. If you’ve already opened or downloaded the attached files, please coordinate with the Trend Micro support team. As a rule, always be cautious when opening your email, especially when opening and downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt, as cybercriminals are adept at spoofing email addresses to make messages appear legitimate.
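A static triage pass over attachments of the kind listed above, as an added example that is not Trend Micro's or Symantec's tooling. It applies two cheap checks that cover both this post and the anti-Putin dropper described further down the page: a ".doc" whose content is actually RTF and carries the pFragments shape property (the parser path abused by CVE-2010-3333, the bug behind the TROJ_ARTIEF family), and an OLE2 document that contains a VBA macro project. The length threshold, the directory-name strings searched for, and all sample files are constructed for the example; they are heuristics, not vendor signatures.

```python
"""Static triage of e-mail attachments: RTF-in-.doc with pFragments, and OLE2 with VBA.

Added example, not vendor code. Both checks are heuristics that an analyst
would run before opening anything in a sandbox.
"""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (OLE2) header
RTF_MAGIC = b"{\\rtf"
# {\sp{\sn pFragments}{\sv <value>}}: CVE-2010-3333 overflowed Word's RTF parser
# with an overlong pFragments value, so anything beyond a short string is suspect.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.S)
MAX_SV_LEN = 64  # assumption: legitimate pFragments values are tiny


def detect_format(data: bytes) -> str:
    """Classify by magic bytes, not by extension; Word opens RTF named .doc."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def rtf_findings(data: bytes) -> list:
    findings = []
    m = PFRAGMENTS_RE.search(data)
    if m:
        value = m.group(1)
        if len(value) > MAX_SV_LEN:
            findings.append(f"pFragments \\sv value of {len(value)} bytes (CVE-2010-3333 pattern)")
        else:
            findings.append("pFragments shape property present")
    return findings


def ole_findings(data: bytes) -> list:
    # Directory entry names in a compound file are stored as UTF-16LE; a macro
    # project lives under a "Macros" storage with a "VBA" substorage. Searching
    # the raw bytes avoids a full CFB parser and is enough for triage.
    for name in ("Macros", "VBA", "_VBA_PROJECT"):
        if name.encode("utf-16-le") in data:
            return [f"OLE2 storage '{name}' present (VBA macro project)"]
    return []


def triage(filename: str, data: bytes) -> dict:
    fmt = detect_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if fmt == "rtf":
        if ext == "doc":
            findings.append("extension .doc but content is RTF")
        findings += rtf_findings(data)
    elif fmt == "ole2":
        findings += ole_findings(data)
    return {"file": filename, "format": fmt, "suspicious": bool(findings), "findings": findings}


# Constructed samples (not the real attachments), named after files on this page.
SAMPLES = {
    "notes.rtf": b"{\\rtf1\\ansi Hello world\\par}",
    "TheSpeech.doc": b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
                     + b"41" * 200 + b"}}}}}",
    "Instructions_rally.doc": OLE_MAGIC + b"\x00" * 16 + "Macros".encode("utf-16-le"),
    "report.doc": OLE_MAGIC + b"\x00" * 16 + "WordDocument".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{name:26} {r['format']:8} {flag}  {'; '.join(r['findings'])}")
```

Run over a mail quarantine, the two "suspicious" classes map directly onto the two infection chains on this page: RTF exploit documents that drop a payload without user interaction, and macro documents that need the user to enable macros first.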
We will continue to monitor this campaign and update this blog post with our analysis.

Wednesday, 14 March 2012

Anonymous Supporters Tricked into Installing Zeus Trojan


In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake of the Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies.
The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. An attacker took a popular PasteBin guide, used by Anonymous members for downloading and using the DoS tool Slowloris, and modified it. In this modified version, the attacker changed the download link to a Trojanized version of the Slowloris tool with matching text:
 
Figure 1. a) Legitimate Slowloris post from May 2011 Anonymous campaign, and b) trojanized PasteBin post for the deception of Anonymous members.
Later that same day, a separate Anonymous DoS guide was posted on PasteBin which included links to various DoS tools. Slowloris was included in this list of tools—the Trojanized version copied from the modified guide:
 
Figure 2. Anonymous DoS guide with copied Trojanized Slowloris link. The Slowloris link was copied from the deceptive post earlier in the day.
This Anonymous DoS tool on PasteBin has become quite popular among the Anonymous movement with more than 26,000 views and 400 tweets referring to the post. The following is a timeline of the tweets with related hacktivism causes highlighted:
 
Figure 3. Attack timeline from the start of the Megaupload raid. The PasteBin including the Trojanized Slowloris link is still being commonly linked to in new Tweets to-date.
 
Supporters still refer to this PasteBin guide post as “Tools of the DDos trade” and “Idiot’s Guide to Be Anonymous,” seen below:
 
Figure 4. Twitter search results on February 15th, 2012 for references to the Anonymous DoS guide PasteBin post with Trojanized Slowloris.

Figure 5. Flow of events as the hacker specifically targeted the Anonymous group with the Trojanized Slowloris download.
 
When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool. Zeus is an advanced malware program that cannot be easily removed. The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns. This usage is summarized in the figure below:
 
Figure 6. Observed usage of the installed Zeus clients in the Anonymous Slowloris attack. Cookies, online banking credentials, and webmail credentials are sent to the server from the infected machines. Commands are given to the botnet clients to execute Slowloris and attack Anonymous hacktivism targets.
 
Communication to the command-and-control (C&C) server is achieved through HTTP POST messages. Below are examples of decrypted POST messages sending a cookie, financial credentials, and webmail credentials to the C&C server:
 
Table 1. Example of decrypted POST data sent from the Zeus client to the C&C domain for a) cookie data being sent to the server, b) credentials sent to the server after stealing an online banking username and password, and c) stolen webmail account credentials.
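The decryption step behind Table 1, as an added example that is not Symantec's analysis tooling. Zeus-family bots of this era wrapped their HTTP POST reports in RC4 under a key recovered from the bot's configuration, so an analyst who has unpacked the bot can read the traffic. The RC4 is implemented from scratch below; the key and the plaintext layout (one "field=value" line per item, with a "kind" field naming the report type) are constructed placeholders for the example, not the real bot's binary record format. Because RC4 is symmetric, the "captured" body is built by encrypting a constructed report with the same key.

```python
"""Decrypt and parse a captured Zeus-style C&C POST body.

Added example, not Symantec code. RC4 is real; the key and report layout are
constructed for the example and stand in for what is recovered from a bot.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumption: the three report types shown in Table 1 (a), (b) and (c).
REPORT_KINDS = {"cookie", "bank_login", "webmail_login"}


def parse_report(plaintext: bytes) -> dict:
    """Turn decrypted 'field=value' lines into a dict; reject anything else.

    A wrong key yields bytes that fail this parse, which is the usual signal
    that the key pulled from the sample does not match the capture.
    """
    fields = {}
    for line in plaintext.decode("utf-8", errors="replace").splitlines():
        if "=" not in line:
            raise ValueError(f"not a report line: {line!r}")
        k, v = line.split("=", 1)
        fields[k.strip()] = v.strip()
    if fields.get("kind") not in REPORT_KINDS:
        raise ValueError("decrypted, but not a known report type; wrong key?")
    return fields


def decrypt_post_body(key: bytes, body: bytes) -> dict:
    return parse_report(rc4(key, body))


def is_zeus_report(key: bytes, body: bytes) -> bool:
    """True when `body` decrypts under `key` to a well-formed report."""
    try:
        decrypt_post_body(key, body)
        return True
    except ValueError:
        return False


BOT_KEY = b"example-bot-config-key"  # constructed; a real key comes from the unpacked bot

# Constructed report in the shape of Table 1 (b): a stolen online-banking login.
CONSTRUCTED_REPORT = b"\n".join([
    b"kind=bank_login",
    b"bot_id=WIN7-PC_1A2B3C",
    b"url=https://bank.example/login",
    b"user=jdoe",
    b"pass=s3cret",
])
CAPTURED_BODY = rc4(BOT_KEY, CONSTRUCTED_REPORT)  # what the POST body on the wire would hold

if __name__ == "__main__":
    print("wire bytes:", CAPTURED_BODY.hex())
    for k, v in decrypt_post_body(BOT_KEY, CAPTURED_BODY).items():
        print(f"  {k}: {v}")
    print("parses with wrong key:", is_zeus_report(b"wrong-key", CAPTURED_BODY))
```

The same decrypt-then-validate loop is how a sensor can confirm that a suspicious POST to a newly seen domain is this botnet's traffic rather than an unrelated upload: the key is the indicator, and a clean parse is the confirmation.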
 
Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, they may also have their online banking and email credentials stolen. The combination of financial and identity fraud malware, Anonymous hacktivism objectives, and deception of Anonymous supporters is a dangerous development for the online world. We will continue to watch for new developments.

Malware Targets Demonstrators Opposed to Putin's Re-Election


A wave of spam emails promoting a rally against newly elected president Vladimir Putin of Russia began around March 5. An attachment purporting to contain details of an upcoming anti-Putin demonstration accompanied email subjects with varying call-to-action lines:
  • “All to demonstration”
  • “Instructions what to do”
  • “Meeting for the equal elections”
Here is a sample email that was sent:
File name: Инструкция_митинг.doc (Instructions_rally.doc)
Subject: Instructions - what to do at the meeting
Body: Instructions of your actions on rally against Putin
The body of the email contains just one sentence indicating the attached document contains “Instructions of your actions on rally against Putin” or “It is very important that you know what to do on the day as everybody will follow the same instructions”. Phrases like these are intended to play on curiosity, especially regarding the latest election news in Russia, in an attempt to persuade recipients to open the malicious attachment.
The malicious document, detected as Trojan.Dropper, contains a malicious macro, which drops and executes an encrypted executable component detected as Trojan.Gen. If an unsuspecting recipient opens this document, they will see details of an apparent upcoming anti-Putin rally:
If macros are enabled when the document opens, a particularly nasty Trojan is executed that searches for and then overwrites any files with the following extensions. These files are subsequently deleted, which makes it difficult to recover the files even using hard disk forensics:
  • .7z
  • .doc
  • .exe
  • .msc
  • .rar
  • .xls
  • .zip
The Trojan also attempts to connect to IP address 193.104.153.31 (down at the time of analysis), which contains links to the notorious Trojan.Smoaler threat. Smoaler recently used the surero48421.ru domain as part of its command-and-control server and this website formerly resolved to the above IP address. The Trojan does not stop here! Once it has destroyed all of the above files by overwriting them, it then runs code to cause the computer to crash (blue screen) through a call to the RtlSetProcessIsCritical API.
From a spam perspective, this attack is quite unusual – mainly because of its size (average of more than 500 KB). Most spam messages do not exceed 10 KB. (For example, in the latest Symantec Intelligence report, 56 percent of all February spam messages were less than 5 KB with 30 percent between 5 - 10 KB and only 13 percent greater than 10 KB.)
The graph below illustrates the catch rate volume for this spam mail:
The signature rule was created by automated scenarios based on information that was received from Symantec's global honeypot network during the early hours of Monday, March 5, when the attack first began.
As always, be wary of any unsolicited emails containing attachments, which might take advantage of current events such as the recent election result in Russia.

Tuesday, 13 March 2012

Hacktivist Arrests Are Great, But They Don’t Protect Your Networks


While everyone on the Internet seems to want to add commentary on the announced Lulzsec arrests today, I might as well jump in with my own thoughts on the matter.
While it is great to see those who break the law get brought to justice, I think there is a much larger issue underlying the growing Hacktivist phenomenon.
First, I think the more important message here is that these arrests really don’t change the trajectory of hacktivist attacks: the hackings and attacks will continue, and in fact they may even escalate.
Why? Because they can.
The underlying story here is this – it should not be so trivially easy for Hacktivists (or anyone else for that matter) to hack people’s networks.
These Hacktivists are – for the most part – not truly “professional criminals”. The real professional cybercriminals are still out there in Eastern Europe and China (and elsewhere), and they are not posting their pilfered data to Pastebin or announcing their purloined data caches on Twitter. I highly doubt that law enforcement, for the most part, will be able to properly identify these “professional” criminals, much less get them arrested, extradited, and prosecuted.
And while I think that most people want lawbreakers arrested, I think it is unrealistic to think that it will happen in anything approaching a majority of these cases. In fact, that may even be the wrong primary approach.
The real target here is the poor security posture, awareness, and operational practices of organizations around the world with regards to unauthorized access to their intellectual property, PII (Personally Identifiable Information), control systems, credit card data, and other valuable information & systems.
Sure, I’m glad these guys got arrested, but I think there is a much more important message here which is not being put forward – organizations are simply not doing a good enough job of protecting their assets.
There needs to be a much more holistic approach to this problem, and I’m not even exactly sure where to start – perhaps with the basics? There is a plethora of network and data protection practices which organizations can take to continue to “raise the bar” in the effort to change the odds in their favor. It is a continual assessment posture – a holistic security operational practice of the OODA Loop (observe, orient, decide, act) phenomenon, which is widely accepted combat practice geared towards “optimal situational awareness”.
What I really like about the OODA Loop reference model is that it forces organizations to do constant “care and feeding” of their security posture, observations, measurements, and adjustments.
Now, this may sound like a bunch of hooey, but this is actually a known successful security posture which has been advocated by network security professionals for over 20 years. The first thing you need to do, as an organization, is understand what your network looks like, properly segment & protect the assets according to their intrinsic value, and then constantly protect & monitor traffic which may indicate improper or unauthorized access.
I could go on about these concepts for many, many pages (and perhaps I will in a future white paper), but the bottom line is that, when you are connected to the Internet, there is no 100% security. The best you can do is continually “raise the bar” on protecting your assets, making it more and more difficult for your organization’s security to be penetrated.
No amount of Hacktivist arrests can do that job for you.