Malware Bytes

How the EU intends to battle fake news

Malware Bytes Security - Tue, 11/21/2017 - 3:20pm

Last week the European Union issued a press release to announce their next steps against fake news.

These steps will be the launch of a public consultation and the setup of a high-level expert group representing academics, online platforms, news media, and civil society organizations.

The first results of the information gathered by the consultation are expected in April 2018. Despite other initiatives against fake news and online disinformation like the First Draft Coalition (that has the cooperation of Twitter and Youtube among others), or International Fact Checking Day (April 2), the amount of fake news being generated and disseminated is still on the rise, especially on social media.

One of the questions in the public consultation

The reason for action

A Eurobarometer survey published on November 17, 2016 showed that European citizens are worried about the independence of the media, and levels of trust in media are low. For example, 55 percent of Europeans stated that they lost their trust in the news presented on social media. Personally, I feel that number should even be higher—and it probably is after what has happened in the year that passed since the survey was published.

European Commission First Vice-President Frans Timmermans said:

The freedom to receive and impart information and the pluralism of the media are enshrined in the EU’s Charter of Fundamental Rights. We live in an era where the flow of information and misinformation has become almost overwhelming. That is why we need to give our citizens the tools to identify fake news, improve trust online, and manage the information they receive.

It has become clear that fake news and online disinformation have become a deliberate method to taint the reputations of public persons and institutions, to influence the outcome of democratic processes, and to change the public opinion on important matters like health care, environmental changes, immigration, and terrorism.

The latest technologies and the number of people that are active on social media has increased not only the impact of fake news, but also the speed with which it’s being spread.

The countermeasures of the EU

The first step outlined by the EU is a public consultation. Citizens, social media platforms, news organizations (broadcasters, print media, news agencies, online media and fact-checkers), researchers, and public authorities are all invited to share their views in the public consultation until mid-February 2018.

The consultation is set up as a number of multiple choice questions and only addresses fake news and disinformation online when the content is not illegal, per se,  and thus not covered by existing legislative and self-regulatory actions.

The commission is inviting experts to apply for the high-level group on fake news to advise on scoping the phenomenon, defining the roles and responsibilities of relevant stakeholders, grasping the international dimension, taking stock of the positions at stake, and formulating recommendations. The commission aims at a balanced selection of the experts from each field, be it academia or civil society.

The results are expected to:

  • Determine the scope of the problem, i.e. how fake news is perceived by citizens and stakeholders, how they are aware of online disinformation, or how they trust different media.
  • Give a first assessment of measures already taken by platforms, news media companies, and civil society organizations to counter the spread of fake news online, as well as positions on the roles and responsibilities of the relevant stakeholders.
  • Advise on possible future actions to strengthen citizens’ access to reliable and verified information and prevent the spread of disinformation online.
What can we expect

As mentioned before, private initiatives have been undertaken in the battle against fake news and online disinformation, but with the authority to implement legislation, the EU can have a bigger impact, and create measures that other institutions can’t enforce. For example, it could:

  • Force social media to close fake accounts.
  • Claim back revenues of websites that utilize online disinformation (and maybe even clickbait) to attract visitors.
  • Set up organizations that look for and flag fake news.
  • Collaborate with existing fact checking organizations to establish a code of conduct for fact-checking.

So far, measures in use by online platforms and news media organizations to counter the spread of fake news only seem to capture a small fraction of the disinformation, plus it involves time-consuming human verification of content. Legislation in the field that makes verification mandatory may speed up the development of such methods. One may hope that Artificial Intelligence (AI) can do a more adequate job in the future.

To counter the speed involved in the propagation of fake news, we should act quickly and with accuracy in order to protect against it. On the other hand, we need to be aware of the danger that comes with employing any such methods and not let them fall into the realm of censorship.

Recent examples

If you have any doubts about how serious the problem of fake news has become, and how it leads to unrest and distrust, we invite you to read some of these articles.

Kenya’s election proves fake news is a serious threat to international security

Czech elections show how difficult it is to fix the fake news problem

Russia has launched a Fake News war on Europe. Now Germany is fighting back

Ukraine says it warned Facebook of Russia fake news in 2015

Spain Catalonia: did Russian ‘fake news’ stir things up?

If you are a EU citizen and want to make your voice heard, participate in the public consultation by clicking here to learn more and complete the questionnaire as either a citizen, legal entity, or journalist.

The post How the EU intends to battle fake news appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Text messages and the Bitcoin Code: follow the money trail

Malware Bytes Security - Tue, 11/21/2017 - 11:00am

I was a bit surprised to receive lots of messages similar to the one below this past week:

I mean, we’ve all done it—managed a bulk text spam campaign offering free Bitcoins in your spare time, while completely forgetting said business exists. Maybe I did it in my sleep? It’s all gone a bit Fight Club. And as we all know, the first Rule of Fight Club is “Don’t run a free Bitcoin bulk text spam campaign in your spare time, while completely forgetting said business exists.”

Or maybe not.

Either way, I decided to find out what was going on. Had someone taken a cheeky jab at a security researcher by placing my contact details into the pipeline somewhere, did I actually set up a bulk spam campaign with free Bitcoins at the end of it, or was there a more mundane explanation that didn’t require people to yell at me via capslock?

There’s only so much “dashing expectations on the shore” a guy can take. Or, to put it another way…

Expectations:

Shore:

No wonder everyone was so grumpy.

First up, the text. The only examples I had sent to me were written in Dutch:

“You have 1 Bitcoin in your account. Confirm here: [URL] Current market value: €6064.”

Bitcoin value is through the roof at the moment, so it’s no wonder someone might want to jump on the opportunity. I’d love to see how many people clicked from the text to the URL with the promise of riches already in the bank.

The short link in the text is a text(dot)id URL. The site is registered to an address in Jakarta, Indonesia, but it’s the email address that’s of interest (well, to me, anyway):

Unfortunately, lots of people thought this was me, instead of any of the other numerous Chris Boyds floating around the Internet, hence the confused and occasionally angry, “Where are my coins? Also drones deployed” messages. As it turns out, that email address—mrmessaging—is tied to a bulk mail service, and the Chris Boyd in question appears to own the default address listed for the registered URL. He’s an actual person and everything, and easily found with about 10 seconds of Googling. But he’s not me.

So that’s that short mystery put to bed. Also please stop asking me for Bitcoins.

No, really. I insist.

Choice insults aside, the URL redirects to another site located at

mama-system.com/Bitcoin-NL-CPA/[snip].

What do we have here? Something called The Bitcoin Code, which bears zero relation to paintings, Tom Hanks, or ancient prophecy.

Time to fire up Google Translate:

Join The Bitcoin Code The Bitcoin Code is exclusively intended for people who have responded to the outrageous returns Bitcoin offers and who have earned a fortune with it. The Bitcoin Code Members enjoy month-in-month outs of the most beautiful stays around the world, while they earn their money on their laptop every day with just a few minutes ‘work.’

Actually, this sounds way better than Tom Hanks.

 

Hi, I am a former software developer at a large company that I do not want to mention. I designed the Bitcoin Trading software that generated more than € 18,484,931.77, just in the last 6 months. This software makes more millionaires faster than the first investors in Uber, Facebook or AirB&B. If you want to earn a million with Bitcoin, watch the video above and learn how it works.

The short version is, you sign up via email then add in a mobile number and some other pieces of information. After that, you deposit “250 Euro” to get things moving and then it’s automated stock exchange programs and Bitcoin all the way down.

We can’t vouch for how effective said software may be, but we can definitely confirm it’s nothing to do with my good self, and generally speaking I’d be wary of signing up to random text messages with 250 euros of my hard earned money—and you should be, too.

As the disclaimer at the bottom of the splash page says:

Significant Risk Reporting: Trading in binary options can lead to major gains, but also entails the risk that part or all of the capital will be lost and this has to be recognized by budding investors. We advise you to read the terms and conditions and the indemnity before making any investment. Customers must inform themselves about the tax rules in the country of establishment. US residents should not be approached to trade commodity options, even when it comes to ‘predictive’ contracts, except when it concerns contracts registered with a CFTC-registered stock exchange or in case of a legal exception.

I’m no Wall Street banker, but that sounds a bit dodgy. My coins—metal, digital, and chocolate—will be staying in my pocket for the time being (apart from the chocolate ones, which are at significant risk of melting, and also the digital ones which only exist in your computer. Not mine. I don’t own any, sorry). Should you receive one of these texts claiming you’re somehow in possession of a Bitcoin, do the block / report / delete dance as fast as your fingers will allow.

The post Text messages and the Bitcoin Code: follow the money trail appeared first on Malwarebytes Labs.

Categories: Malware Bytes

OSX.Proton spreading through fake Symantec blog

Malware Bytes Security - Mon, 11/20/2017 - 1:29pm

Sunday night, a series of tweets from security researcher @noarfromspace revealed a new variant of the OSX.Proton malware, spreading in a concerning new method—spoofing security company Symantec’s blog.

Method of infection

The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good imitation of the real Symantec blog, even mirroring the same content. The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway, however:

Even more suspicious is the certificate used by the site. It is legitimate SSL certificate, but was issued by Comodo rather than Symantec’s own certificate authority.

The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. The fake post claims that a new variant of CoinThief has been spotted. In fact, as far as I’ve been able to determine, this is a made-up story, and no such new variant of CoinThief actually exists.

The fake post promotes a program called “Symantec Malware Detector,” supposedly to detect and remove the malware. No such program actually exists.

Unfortunately, links to the fake post have been spreading on Twitter. Some of the accounts tweeting the link appear to be fake accounts, but others seem to be legitimate. Given the fact that the primary goal of the Proton malware is to steal passwords, these could be hacked accounts whose passwords were compromised in a previous Proton outbreak. However, they could also simply be the result of people being tricked into thinking the fake blog post is real.

Users who download and run the “Symantec Malware Detector” will instead be infected with malware.

Malware behavior

When run, the malicious Symantec Malware Detector application displays a very simple window, using the Symantec logo:

If the user quits the application at this point, the malware does not actually get installed. However, let’s be honest—if you’ve been tricked into downloading and opening this application, you probably won’t bail out at this point.

Clicking the “Check” button results in a request for an admin password:

The average Mac user has seen these kinds of password request many times before, so again, this is unlikely to raise suspicions among users who have gotten this far. In reality, this is a very well-done fake and will give the malware your password. (Unlike the legitimate password request this is designed to imitate, which does not give the requesting software the user’s password.)

If an admin password is provided, the application displays a progress bar claiming to be scanning the computer.

In reality, however, the application has installed the Proton malware.

The malware will begin capturing information, including logging the user’s admin password in clear text, among a lot of other personally-identifying information (PII) to a hidden file:

[...] <metadata> <date>2017-11-19T20:29:19.801Z</date> <serial>*********</serial> <username>test</username> <fullname>test</fullname> <hostname>test%E2%80%99s Mac</hostname> <password>testpw</password> <os_version>10.12.6</os_version> <os_locale>en_US</os_locale> </metadata> [...]

The malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. Since the malware has phished the user’s password, the hackers will be able to decrypt the keychain files at a minimum.

Indicators of compromise

The Symantec Malware Detector application is, as far as I’m able to determine, a completely made-up name. If you see such an application—perhaps in the Downloads folder, or perhaps in the Applications folder, depending on where the user puts it—it should be deleted.

If you are unsure of whether the application is actually malicious, you can check the code signature. Enter the following command in the Terminal, substituting the actual path:

codesign -dvvv "path/to/Symantec Malware Detector.app"

The malicious application has been signed by someone named Sverre Huseby, using a certificate with a team identifier of E224M7K47W. Anything signed with this certificate should be considered malicious.

Once this malicious “dropper” application has been run, the following paths will be found on the system:

/Library/LaunchAgents/com.apple.xpcd.plist /Library/.cachedir/ /Library/.random/

The .random directory holds the malicious Proton executable, which is kept running by the com.apple.xpcd.plist launch agent. The .cachedir folder contains data that has been or will be exfiltrated.

In addition to these files, the /private/etc/sudoers file will have been modified. The following line will have been added to the end:

Defaults !tty_tickets

That line should be removed from the sudoers file.

Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected.

Implications

Malwarebytes for Mac will detect and remove Proton infections for free. If you find your Mac to be infected, it’s quite easy to remove the malware. However, removing the malware is only a part of the solution.

Since Proton is designed to steal login credentials, you will need to take some emergency actions post-infection. You should treat all online passwords as compromised and change them all. Be sure, while you’re at it, to use different passwords on every site, and use a password manager (such as 1Password or LastPass) to keep track of them. Since 1Password vaults are a target of Proton, be sure that you don’t store your password manager’s master password in your keychain or anywhere else on the computer. That should be the one and only password that you memorize, and it should be strong.

You should also enable two-factor authentication on every account that will allow you to do so. That will minimize the impact of such breaches in the future by ensuring that a hacker will need more than just your password to access your accounts.

In addition to passwords, you should consider any other information that may have been part of the compromise. For example, if you store credit card numbers or other sensitive data in the keychain, it should be treated as compromised and you should respond accordingly.

As always, if the machine that was compromised was issued to you by your employer, or has company data on it, you should notify IT immediately. Failure to do so could lead to a very serious breach of your company’s systems.

Conclusion

Proton has been circulating for quite some time after its initial appearance in March. It has previously been distributed via a compromise of the Handbrake application and a similar compromise of a couple Eltima Software applications. It is highly likely that Proton will continue to circulate, and similar incidents will continue to occur.

Proton illustrates an increasing problem in the Mac community. The prevailing attitude that you can avoid Mac malware if you’re careful enough is failing in the face of supply chain attacks, such as the hacks of the Handbrake and Eltima Software systems.

Further, so-called “fake news” being used to distribute malware is a highly dangerous threat. Many people these days are looking to download malware removal software for the Mac, due to the increasing prevalence of annoying Mac adware. Unfortunately, it is often the case that such software will be downloaded after a search that gives questionable results, or after seeing a recommendation from a hacked or fake account on social media or forums.

Macs are the targets of an increasing amount of malware. They can no longer be assumed to be safe. The old advice that “Macs don’t get viruses,” which can still be found echoing in many Mac-centric forums, has never been true, and this is becoming increasingly obvious to those following such events. Do not fall victim due to a false sense of security caused by the fact that you have a Mac!

The post OSX.Proton spreading through fake Symantec blog appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (November 13 – November 19)

Malware Bytes Security - Mon, 11/20/2017 - 12:45pm

Last week, we gave you some tips for the inevitable online chaos that is Cyber Monday, explained how “trusted” root certificates can sometimes be anything but, and explored the strange world of catphishing. We also pulled apart some malware found on Google Play and laid out the specifics of the cloud in simple terms.

Other news
  • London Metropolitan Police aren’t massively keen on facial recognition technology. (source: The Register)
  • Fake News is a bigger problem than just in the realm of the political. (source: Digital Shadows)
  • Banking Trojans won’t be going away anytime soon—here’s another one! (source: Security Intelligence)
  • Why do bug bounty hunters, er, hunt bug bounties? Study available here. (source: Help Net Security)
  • That camera in your home may have a vulnerability lurking. (source: Talos Security)
  • A legitimate email appears to be phishy fun with the Punisher. (source: io9)
  • Hide your Facebook and Twitter from this piece of malware. (source: CNet)

Stay safe everyone!

The post A week in security (November 13 – November 19) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

10 tips for safe online shopping on Cyber Monday

Malware Bytes Security - Fri, 11/17/2017 - 12:33pm

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place, but it becomes particularly rough during the holiday shopping season.

In preparation for the frenzy, cyber villains have crafted a virtual onslaught of social engineering scams, malspam, and malicious, spoofed websites in order to dupe the droves of people expected to spend nearly $4 billion online this year.

So, bargain hunters, it’s important to know the warning signs. Here’s your guide to safe online shopping on Cyber Monday and beyond.

  1. Go directly to a store’s website instead of using search engines to look for deals. If you happen to find a deal using a search engine, try to verify it by searching for the exact name of the deal in quotes. If it’s a scam, then it’s likely someone will have already put out a warning.
  2. Give pop-ups and other digital ads the stank eye. Many pop-ups could contain fake coupons, redirect you to malicious sites, or expose you to cross-site scripting attacks. If a coupon seems to come out of nowhere with a too-good-to-be-true offer, don’t think twice. Just click that “x” and shut it down.
  3. Watch out for social media scams, especially on Facebook. Cybercriminals are using fake or compromised Facebook accounts in order to post links to amaaaaaazing deals that don’t actually exist. They’re especially prone to dropping links on the walls of open groups dedicated to shopping. “One of the top shopping scams to avoid in the run-up to Cyber Monday is the social media fakeout,” says Chris Boyd, Lead Malware Analyst at Malwarebytes. “During any given holiday period there will be an excess of fake offers, deals, and supposed freebies which tend to have a sting in the tail. If you’re being asked to share something on Facebook in order to get your hands on something too good to be true, you can bet there’s a scam involved.”
  4. Dump Cyber Monday emails with attachments in the virtual garbage. Cyber Monday emails with attachments, especially zip files, are super suspect—it’s possible, in fact likely, that they contain malware. Delete them immediately. Not only that, but you should review any other Cyber Monday-related emails with a hawk eye. If you get an email from a store claiming to have a deal, type the store’s URL directly into your browser instead of clicking on the link. If the site doesn’t verify the deal, you know it’s a fake.
  5. Make sure you’re on a secure connection. Look for the padlock icon to the left of the URL when you go to check out. If it’s there, then that means the information passed between a store’s server and your browser remains private. In addition, the URL should read “https” and not just “http.”
  6. Do not use debit cards to shop online. Want to give cybercriminals direct access to your bank account? Then by all means, use your debit card! Otherwise, play it safe by using credit cards or a PayPal account that’s linked to a credit card. While many banks are cracking down on fraudulent withdrawals, you’ll still have to wait for your money while they investigate the charges.
  7. Avoid using public wifi to shop. All a cybercriminal needs to do to get a public wifi password and wreak havoc is order a coffee. If you’re shopping and entering personal data, best to do it on your secure wifi connection at home.
  8. Watch out for malicious QR codes. Q what now? QR codes are small, pixelated codes meant to be scanned by a smartphone’s camera. They often contain coupons, links to websites, or other product marketing materials. Some hackers have started creating codes that link to a phishing or malware site, printing them on stickers, and placing them on top of the legit QR codes. Best to avoid them.
  9. Don’t fork over extra info. If a site starts asking for out-of-the-ordinary personal data, like Social Security numbers or password security questions, slam on the brakes and get the heck out of Dodge.
  10. Tighten up security before you shop on Cyber Monday. Make sure all software on your computer is up-to-date, including your OS, browser, and other apps. And if you don’t already have it, install a cybersecurity program on your desktop (whether it’s a Mac or PC) that prevents malware infection to insure maximum coverage. In addition, since mobile shopping is set to outpace desktop shopping for the first time this year, it’s a smart idea to download a cybersecurity program for your phone. If you’ve already covered your cybersecurity bases, make sure you run updates on all those programs as well.

Happy, and safe, holiday shopping everyone!

The post 10 tips for safe online shopping on Cyber Monday appeared first on Malwarebytes Labs.

Categories: Malware Bytes

When you shouldn’t trust a trusted root certificate

Malware Bytes Security - Thu, 11/16/2017 - 12:30pm

Root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certified authority (CA) and, essentially, verify that the software/website owner is who they say they are. We have talked about certificates in general before, but a recent event triggered our desire for further explanation about the ties between malware and certificates.

In a recent article by RSA FirstWatch, we learned that a popular USB audio driver had silently installed a root certificate. This self-signed root certificate was installed in the Trusted Root Certification Authorities store. Under normal circumstances, you would have to agree to “Always trust software from {this publisher}” before a certificate would be installed there.

However, the audio driver skipped this step of prompting for approval (hence “silently” installing).  The silent install was designed to accommodate XP users, but it had the same effect in every Windows operating system from XP up to Windows 10. The installer was exactly the same for every Windows version. Ironically enough, the certificate wasn’t even needed to use the software. It was just introduced to complete the installation on Windows XP seamlessly.

Why is this a bad thing?

Root certificates can be installed for purposes such as timestamping, server authentication, code-signing, and so on. But this particular driver installed a certificate valid for “All” purposes. So any system with these drivers installed from any of the vendors will trust any certificate issued by the same CA—for “All” purposes. Under normal circumstances, only a certificate issued by Microsoft would have “All” in the root certificates “Intended Purposes” field.

Having a certificate in the Trusted Root Certification Store for “All” intended purposes on a Windows system gives anyone that has the private key associated with the certificate the ability to completely own the system on which it is installed. The impact is the same as for any Certificate Authority (CA) behind certificates installed on Windows systems.

An exception is that in some instances large companies may choose to do the same with the intent to perform SSL decryption at the perimeter for outbound traffic. So, not only does silently adding a root certificate break the hierarchical trust model of Windows. It also gives any owner of the private key that goes with that certificate a lot of options to perform actions on a computer with that certificate installed.

How can they be abused?

An attacker who gets ahold of the private key that belongs to a root certificate can generate certificates for his own purposes and sign them with the private key. Any certificate with the root certificate already in their Trusted Root Certification Store on a Windows system will trust any certificate signed with the same private key for “All” purposes. This applies to software applications, websites, or even email. Anything from a Man-in-the-Middle (MitM) attack to installing malware is possible. And as if this wasn’t bad enough, security researchers at the University of Maryland found that simply copying an authenticode signature from a legitimate file to a known malware sample can cause antivirus products to stop detecting it, even though it results in an invalid signature.

Methods of abuse

There are several ways of abusing certificates by criminals. They can:

Of all these methods, it stands to reason that stolen certificates, especially those intended for “All” purposes, are the most dangerous. So introducing one of these just because you want to install a driver or to enable easier customer support, and not letting the user know, is inadvisable at best.

If you think that the number of certificates in use by malware authors can’t be that large, have a look at the suspects that have been reported at the CCSS forum.

How can I remove certificates I don’t need or trust?

A list of known signing certificates that are being abused by threat actors has been made available at signedmalware.org. As explained earlier, using signing certificates gives criminals a lot of options to bypass system protection mechanisms, which is why you might want to remove those from your machine. There is also a test site where you can check if any of the software programs that are open to an MitM attack are active on your system.

To delete a trusted root certificate:

  • Open the certificates snap-in for a user, computer, or service. You can do this by running certmgr.msc from your Run/Searchprograms box or from a command prompt.
  • Select Trusted Root Certification Authorities.
  • Under this selection, open the Certificates store.
  • In the details pane on the right-hand side, select the line of the certificate that you want to delete. (To select multiple certificates, hold down control and click each certificate.)
  • Right click the selection you made and in the action menu, click delete.
  • Confirm your choice by clicking yes if you are completely sure that you want to permanently delete the certificate.

Please note that user certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

You might want to back up the certificate by exporting it before you delete it. For the procedure to export a certificate, see export a certificate.

If you want to look at the Thumbprint, aka serial number, of the certificates, you can use this Powershell command to list the non-Microsoft certificates in the Trusted Root Certification Authorities:

Get-ChildItem -Path cert:\currentuser\AuthRoot -Recurse | select Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content c:\users\public\desktop\certificates.html

This will create a html file on the public desktop that shows the list by Thumbprint (in reverse order) and where you can look up the Friendly Name and Subject that belongs to a Thumbprint.

For those that do like to keep an eye on things, there is a guide by Xavier Mertens for a piece of code that alerts you about changes in the certificate store.

Conclusion

Since root certificates are intended to heighten security, it should be clear to those issuing them that they should be treated as such, and not as something that they can install willy-nilly whenever it suits their needs. The whole point of prompting users is to establish a chain of trust that they should be able to rely on. And in this case, the prompt was bypassed only to enable installation on a no-longer-supported operating system. That both ruins user trust and introduces unnecessary security risk for a rather shallow reason.

The post When you shouldn’t trust a trusted root certificate appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Bad romance: catphishing explained

Malware Bytes Security - Wed, 11/15/2017 - 12:46pm

You’ve heard or read about some variant of this story before: Girl meets Boy on a dating website. Girl falls in love. Boy claims he does, too. Girl is excited to meet Boy soon. But at the last minute, Girl finds out that Boy (1) had an accident and broke a hip; (2) has a very sick relative he needs to look after; (3) is going away to a secluded place to “find himself”—you’re not the problem, he is, right?; or (4) (through a helpful and mournful friend) is dead.

Suddenly suspect, Girl digs a little deeper. Girl finds out that Boy isn’t the dreamboat he portrays himself to be. Boy is, in fact, her female colleague’s timid 13-year old son whom she met once at a work function.

Bummer, right? Here’s another one:

Two months ago, Deloitte revealed that it was breached by hackers, who most likely already had access to compromised servers since November 2016. Around the same time, a cybersecurity staffer at Deloitte was convinced to open a booby-trapped Excel file from a female friend he met on Facebook months before. Her name was “Mia Ash,” a London-based photographer. She was described as lovely and disarming.

She was also 100 percent fake.

Mia Ash is the latest in a lengthening line of online femme fatales who successfully infiltrated corporate systems by targeting and successfully duping smart men working in IT and cybersecurity—people who everyone expects to practice what they preach. Her equally fake predecessors went by the names of Robin Sage and Emily Williams. Although all three were created as social engineering lures, one significant difference stood out: Sage and Williams were the brainchildren of cybersecurity experts who wanted to expose the human weakness in the national defense and intelligence communities. Ash, on the other hand, was the product of a known Iranian APT group who deliberately took advantage of that weakness to achieve their nation-state goals.

Two very different stories, one common theme: romantic deception.

What is catphishing?

Catfishing (spelled with an “f”) is a kind of online deception wherein a person creates a presence in social networks as a sock puppet or a fictional online persona for the purpose of luring someone into a relationship—usually a romantic one—in order to get money, gifts, or attention. Catphishing (spelled with a “ph”) is similar, but with the intent of gaining rapport and (consequently) access to information and/or resources that the unknowing target has rights to.

Simply put, the former is out to break hearts (and bank accounts), while the latter is out to compromise individuals, organizations, and quite possibly even countries.

Can we say that catphishing has gone beyond bad romancing for money? Absolutely.

What motivates catphishers to do what they do?

The motivations behind the act are likely similar to why spies steal secrets: to make use of the stolen information to gain the upper hand against the target or organization they belong to. As we all know, stolen information in the hands of criminals can be used in many ways—for extortion, for sale on the black market. However, in the end, the organization that was compromised loses integrity, clients, business opportunities, and gets fined if they were found to be non-compliant with security and privacy regulations.

Catphishing is dangerous enough that most companies consider it a business threat.

On the other hand, those catphishing individuals might also use the information they gather from individuals to create even more social media profiles. Sometimes, catphishers mislead simply to bully people online.

Read: Tackling the myths surrounding cyberbullying

Blimey. Those catphishers ought to pay for what they’ve done!

Unfortunately, in many countries, catphishing (and catfishing) isn’t illegal. In the UK, “catfishing” is not even a legally-defined term. Although at present, the practice is pretty much legal, active campaigns are aiming to change this.

In the US, Oklahoma is the only state that made catfishing illegal.

Although one cannot lawfully pin catfishing/catphishing against someone, there are other legal areas that those affected by the practice can look into and decide whether they want to pursue these instead. They are (but are not limited to) the following:

  • Copyright violation (for photos stolen and used in the deception)
  • Criminal impersonation
  • Defamation
  • Identity fraud
  • Espionage
How can we protect ourselves from this?

Start by familiarizing yourselves with the following red flags, which indicate that you may be dealing with a catphisher online:

  • Everything that they claim to be seems too good to be true.
  • If you meet them on a dating website, and they suggest getting in touch with you via other means, such as email and other chat services.
  • They show no interest in a face-to-face meeting or even in using voice chat services.
  • Most (if not all) photos they use don’t include other people.
  • Quite a number of their social media followers appear to be sockpuppet accounts.
  • They ask a lot of information about you early on in the relationship like how much you earn, what kind of home you live in, and where your parents are (to name a few).

Stay safe out there!

Recommended reading for parents:

The post Bad romance: catphishing explained appeared first on Malwarebytes Labs.

Categories: Malware Bytes

New Android Trojan malware discovered in Google Play

Malware Bytes Security - Tue, 11/14/2017 - 7:07pm

A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017.  These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1).

We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs.

Click to view slideshow.

For the sake of discussion as we analyze this malware, let’s concentrate on just one of its associated apps, since they all share the same behavior. We will focus on a malicious QR scanner app named Qr code generator – Qr scanner.

Surface analysis of Trojan AsiaHitGroup

AsiaHitGroup has several layers of maliciousness. It starts innocently enough with an icon created on the mobile device after install. Click on the icon, and it opens a functioning QR scanner, as promised.

Click to view slideshow.

However, this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarre-behaving QR scanner, but good luck finding it. If you are looking under the Q’s for Qr coder generator or Qr scanner, it’s not there. It’s not even under the icon’s name, Barcode reader, which is shown briefly before vanishing. Instead, this deceiving app is called Download Manager in the app list. Unless you know all the apps on your mobile device exceptionally well, it’s near impossible to discover this app name.

Diving deeper into Trojan AsiaHitGroup

If the behaviors listed above weren’t enough to conclude this QR app is malicious, it gets worse. The first step performed by the malicious app in the background is checking the location of the mobile device. This is done by using the website ip-api.com which provides Geolocation using IP. If the location is in an area that satisfies rules within the code, then it proceeds to the next step. This next step is to download an APK by visiting a website that contains download instructions.

Code from http://[hidden_domain]/api/custom/dynamic-fragment with instructions to download an APK

{"id": "duy.van.dao.dynamicduy.20171005.16", "files": [{"id": "duy.van.dao.dynamicduy.20171005.16", "md5": "4662e8537751c49beb06309a989796fc", "url": "https://[hidden_domain]/hoanghai27/dynamic-fragment/raw/master/dynamic-plugin-v22.apk"}], "version": "20171005.16", "fragments": [{"code": "duy.van.dao.dynamicduy.20171005.16", "name": "duy.van.dao.dynamicduy.MainFragment", "host": "dynamicfragment"}]}

Unfortunately during testing, the APK could not be downloaded via the malicious QR app—most likely due to my location. However, I was able to manually download the APK using the URL provided within the download instructions. The behavior of this downloaded APK was that of a Trojan SMS (which is why I subsequently named it Android/Trojan.SMS.AsiaHitGroup). Based on all the references to Asia within the code, my assumption is you must be in Asia for this malware to fully function.

Add some adware into the mix

Even if the malicious Trojan SMS fails to download, there is yet another layer to the malevolence.  Hidden within the malicious QR app is another APK waiting to do its biding. However, this hidden APK is a less threatening, adware-pushing app.

The hidden adware app comes with an unusual service name: vn.solarjsc.fakeads.ShowAdsService.  Within this service, there is reference to the same domain that was used to gain download instructions of the Trojan SMS. Although I was unable to verify, this domain may also contain the “fakeads” referenced in the service name. Regardless, rest assured we are detecting this hidden adware app as well as Android/Adware.AsiaHitGroup.

Google Play: not quite flawless

Even with the introduction of Google Play Protect, there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails. We (obviously) recommend Malwarebytes for Android. Stay safe out there!

 

Malicious APK samples: use at own risk Android/Trojan.AsiaHitGroup

MD5: 178E6737A779A845B8F2BAF143FDEA15, Package Name: duy.van.dao.qrcode
MD5: 7EEC1C26E60FEDE7644187B0082B6AC4, Package Name: com.varvet.barcodereader
MD5: 7CEDA121F9D452E9A32B8088F50012B8, Package Name: com.maziao.alarm
MD5: B481CE9D0B7295CDA33B15F9C7809B95, Package Name: com.magiaomatday.editimage
MD5: 60A71632004EE431ABB28BF91C3A4982, Package Name: com.maziao.speedtest
MD5: N/A, Package Name: com.ruzian.explorer

Android/Trojan.SMS.AsiaHitGroup

MD5: 3CC02E4FECEB488B084665E763968108, Package Name: duy.van.dao.dynamicduy

Android/Adware.AsiaHitGroup

MD5: 995D5DC873104B5E42B3C0AF805359DB, Package Name: com.offer.flashcall

The post New Android Trojan malware discovered in Google Play appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Explained: the cloud

Malware Bytes Security - Tue, 11/14/2017 - 1:24pm

Even if you are reading this post because you have no idea what the cloud is, you might be using it more often than you realize. Twitter, LinkedIn, Dropbox, Google Drive, and Microsoft Office 365 are some of the most well-known cloud apps.

Let’s start with a definition of the cloud to get a grip on things:

Cloud computing, often referred to as simply “the cloud,” is the delivery of on-demand computing resources—everything from applications to data centers—over the Internet.

Cloud resources are often split up in three different ways:

  • Public: cloud services are delivered over the Internet and sold on demand, which provides customers with a great amount of flexibility. You only pay for what you need.
  • Private: cloud services are delivered over the business network from the owner’s data center. You have control over the hardware, as well as the management and related costs.
  • Hybrid: a mix of the above. Businesses can choose to have control over the most sensitive data or their average user and use public services to cover the rest of their needs.

Multi-cloud is another expression you may have come across. This means that companies use more than one public cloud provider, maybe for specific applications or as a method to cover outages. When using hybrid and multi-cloud solutions, it is important to spread the workload in a cost-effective manner.

Perceptions of the cloud

There are a few expressions about saving your data in the cloud that are not completely true, but will give you an idea of people’s perception of the cloud and what risks might be involved.

  • Your data is on someone else’s computer.
  • Your data is in a huge server farm.
  • You can’t be sure where your data is right now.

As you can probably tell from these statements, the main concern about the cloud is a lack of control over the data. This is not surprising, given the number of breaches that have occurred in recent times. According to an article on CSO, more data records were lost or stolen in the first half of 2017 than in all of 2016.

So what we really want to know is: Who actually has access to our data? This is not only relevant with regards to cybercriminals that can gain access through breaches. The Patriot Act gives the US government a lot of freedom to access and investigate data that is stored in cloud infrastructures. And of course, the cloud provider who stores that data can see it. Depending on the provider, they can even advertise to you based on your data, as is the case with most social media platforms.

And in case of a breach? Is your data stored and sent encrypted? What if someone manages to intercept the traffic? These questions may not all be relevant in your case, but they are worth thinking about.

Pros and cons

As with all technology, there are pros and cons to using the cloud. Here are a few:

Pros

  • scalable and flexible, so you can quickly react to ups and downs
  • cost effective—you pay for what you use
  • off-site backup, so no need to worry about losing it all in a fire or other catastrophe
  • access to data in any location

Cons

  • less direct control
  • potential for privacy and security violations (breaches)
  • different security measures from what you may be used to
  • access dependent on access to the Internet, which means services outages could lock you out of your data

Choosing the right cloud service

First and foremost, when looking for a cloud service provider, you should consider one that not only suits your data storage needs, but also is a reliable partner. Look at their track record and ask for references. With public cloud solutions, you need to consider the possibilities of traffic being intercepted, maybe even being altered, and data being stolen. And always look for providers that offer encryption and multi-factor authentication.

Because running cloud applications requires more attention then straightforward data storage, it’s helpful to distinguish Infrastructure-as-a-Service (IaaS) from Platform-as-a-Service (PaaS) when you are talking about cloud security.

  • IaaS is when your systems are running on virtual servers in the cloud.
  • PaaS is when your applications are running on cloud environments.

For IaaS situations, the security problems that are left up to you to take care of are not that different from the ones in your regular environment. You should be able to treat the servers as if  they were in your own network. They require the same security solutions as your own, which could be anything from anti-malware software to a firewall.

For a PaaS environment, application hardening will be different as it may require a web-application firewall. As the applications are not running from the systems within your intranet, they will very likely be using different Internet connections to send and receive traffic. This is something to determine with the cloud service provider. Who takes care of what?

One other thing to consider when choosing your cloud service provider is the physical location of your data. It is your responsibility to make sure you remain compliant with laws and industry regulations. This can also be an important consideration when you are about to decide which data you will move to the cloud and which should be kept in-house.

Summary

The cloud is in essence a method to use other resources than your own to run applications or store any kind of data. It offers users flexibility, scalability and puts the care of systems in other hands than yours. The price, besides the fees, is a loss of control over the resources and data. For businesses, compliance is another factor to weigh. When talking to potential cloud service providers, security should always be a point on the agenda. It has to be clear who takes care of which aspects of cloud security, otherwise it could slip through the cracks.

The post Explained: the cloud appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (November 6 – November 12)

Malware Bytes Security - Mon, 11/13/2017 - 3:47pm

After coming out victorious in a case against PUPs, Malwarebytes CEO Marcin Kleczynski has this to say:

We fought for our users and we won.

— Marcin Kleczynski (@mkleczynski) November 9, 2017

And my, do we feel like champions!

You can read more about this here.

Last week, we looked into the cryptocurrency mining phenomenon, rising digital crimes that target businesses—the final supplement of a two-part series—a bogus WhatsApp app that got through the Google Play store because the actor behind it used Unicode, and puppy scams. We also revealed a Bitcoin multiplier scam that actors behind the Magnitude EK were banking on and the coming back of the Disdain EK, this time delivering a Neutrino bot.

Lastly, we put out word about potential fakeries from cybercriminals targeting those shopping on Singles’ Day and a little exercise for the talented guys and gals who like to tinker with code, which we followed with a step-by-step tut on how to solve it.

Other news
  • Paradise lost? Breach of law firm, Appleby, exposes information of the rich. And so are their tax schemes. (Source: Quartz)
  • There’s a flaw in Tor that allows user IP address to leak. This affects macOS and Linux users. (Source: Computing)
  • Proofpoint reveals a multi-prong attack against Android users, wherein users are first faced with a phishing campaign, and then convinces users to install malware, then finally attempted to steal card details. (Source: InfoSecurity Magazine)
  • To hack back or not to hack back: this has been a longstanding debate from within and without the security industry. Keith Alexander, ex-NSA Director, weighed in on the debate, advising companies to never hack back as this might start wars. (Source: Motherboard)
  • According to a DHS testing, the Boeing 757 aircraft is found to be vulnerable to hackers. (Source: Aviation Today)
  • Companies granting a lot of admin rights to employees can actually leave them vulnerable to cyber attacks. (Source: TEISS)
  • Mozilla’s “Privacy Not Included” guide reveals gadgets and devices one might not acquire for loved ones as they can spy on them. (Source: CSO)
  • No, your Netflix account has been suspended. If you see an email saying otherwise, watch out! It’s a phishing campaign. (Source: Wired)

Safe surfing, everyone!

The post A week in security (November 6 – November 12) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Augmented Reality games and real-world trolling

Malware Bytes Security - Mon, 11/13/2017 - 2:46pm

Augmented Reality games—where you wave a device around and the digital collides with reality— have been booming in popularity ever since Pokemon GO! rolled into mobile storefronts. However, many AR games haven’t really been designed with the possible consequences of real-world safety in mind. Take this hurricane howler, for example.

Even games that aren’t AR often include some sort of real-world activity. Black Watchmen is an Alternate Reality Game that involves solving puzzles both online and off, and depending on how much personal information you volunteer, you’ll gain access to more involved gameplay aspects.

At the absolute other end of the scale are games which (by accident or design) don’t include enough information ingame to explain how to achieve certain goals or tasks. In those cases, you’ll find a whole boatload of third-party tools, services, and community-driven sites that help keep the game fully functional from a “How do I do this?” perspective. Elite: Dangerous, for example [1], [2], [3]. This could also bring risks in the shape of fake/malicious downloadable programs.

In all of this, the potential for people to abuse tools outside of the game itself is high. And that’s exactly what happened to players of Ingress, the AR sci-fi game about aliens and capturing portals. The game relies on lots of player data, including location, which is a big part of how it works. And despite the data being anonymous (and stacked alongside piles of other player information), there are limits.

Geolocation is a huge driver for the game, and when a third-party tool designed to prevent players spoofing location was put to use by cheaters, it resulted in players finding themselves blocked into their property by vehicles, notes left on their doorstep, and even players on the other team knowing the “victim” was going out of town on holiday.

Many AR games are dead in the water without geolocation, as without it you may as well be sitting at home. The challenge for developers is to ensure games where players are in competition aren’t abused and turned into weird cases of real-world harassment. For now, these (hopefully isolated) stalker cases will likely put some folks off taking the plunge into competitive AR titles, and that’s a shame.

At a time when games are becoming more sociable, it’s ironic that a tool designed to stop cheaters has ended up becoming another sneaky way to grief people both online and off. “Be mindful of the information you post online and reveal in games” doesn’t really help much when the culprit is data being scraped outside of your control. So unless the games you play can prevent this kind of activity, you may wish to simply leave some mobile titles on the shelf for the time being.

The post Augmented Reality games and real-world trolling appeared first on Malwarebytes Labs.

Categories: Malware Bytes

How to solve the Malwarebytes CrackMe: a step-by-step tutorial

Malware Bytes Security - Fri, 11/10/2017 - 8:00am

The topic of this post is a Malwarebytes CrackMe—an exercise in malware analysis that I recently created. First, the challenge was created to serve internal purposes, but then it was released to the community on Twitter and triggered a lot of positive response. Thanks to all of you who sent in your write ups! Some of the links are included in the appendix.

I got several questions from people who were stuck and needed some more explanation/guidance. So I promised to present my own solution in a step-by-step tutorial to the CrackMe. I am going go into detail so that even someone with little experience in reverse engineering will not feel lost. But if you still find something unclear, please don’t hesitate to ask in the comments.

The CrackMe was intended to be simple, yet to demonstrate various techniques commonly used by malware—that’s why we hoped it would be a good learning experience for the beginner malware analyst. Like always, the demonstrated solution is just one of many possible approaches.

Techniques demonstrated

The techniques/skills that we wanted to exercise in the CrackMe are:

  • Noticing common evasion tricks (antidebug, anti-vm, etc.) and bypassing the checks
  • Detecting XOR-obfuscated payload and decoding it
  • Basic understanding of the RunPE technique
  • Finding a way to debug/load shellcode
Environment and tools used

For the analysis environment, I used Windows 7 32bit on Virtual Box, with an Internet connection.

During the analysis, I used the following tools:

Stage 1

When we run the CrackMe, the first thing we see is the following banner:

So far, we know that the CrackMe is finished when we get a flag in the following format:

flag{...}

There is no password prompt whatsoever—we just see the failure message on the screen. The only way to understand it more is by looking inside. For this purpose, I am going to use IDA.

Finding the decisive variable

The code is not obfuscated, and we can easily see that this message comes after the check:

The success of the check will depend on the value of AL registry (AL=0 leads to failure). This value is set in the function above: sub_4014F0. Let’s go inside the function and see where exactly is it set:

So there is some variable (IDA automatically named it szUrl, suggesting that it will be used somewhere as a URL) that is passed to a function sub_403380. The output of this function (at this point we can guess that it is some checksum) is going to be compared with the hardcoded one. If it matches, AL is being set. So, our goal is to have szUrl filled in such a way that it will give us the valid checksum: 0x3B47B2E6.

Finding references

First, let’s have a look at the external references (xrefs) of the variable szUrl to find out how is it used and where is it set. We can view them by pressing CTRL+X in IDA:

As you can see, it is referenced from three places in the code. The second (highlighted) one is the place where we came from (szUrl being passed to the checksum calculation).

How is the variable used?

The third xref will probably refer to the usage of this variable. So, let’s see it:

Entering in the function sub_4033D0, we can see some API calls related to reading the content from the given URL, such as:

And:

At this point, we can be sure that the content of the szUrl, if filled correctly, will be used to download some content from the Internet.

How is the variable filled?

Now let’s have a look at the first reference and find out where the value of szUrl comes from:

We can see it is one of the parameters passed to the function sub_4031C0. This function takes also an array of DWORDs. Let’s look inside the function. We can see that Windows Crypto API is being used:

The passed content is decrypted with the help of Windows API, using AES algorithm.

Following the order of the passed parameters, it is easy to guess that this function is going to decrypt the passed buffer (the array of DWORDs) and the szUrl will be used to store the output. So the only thing that we need to take care of is a valid key for the decryption. Then we will get the proper URL that has the defined checksum 0x3B47B2E6.

Finding the decryption key

The key is derived from the hash another buffer, passed as one of the function’s parameters. We can see that Windows Crypto API is used to derive the hash. The used hashing function is SHA256 (algorithm ID: 0x800C = CALG_SHA_256):

This hash is used to derive the AES128 key (algorithm ID: 0x660E = CALG_AES_128):

We find that the buffer used as the base of the key is passed as a 4-th parameter to the function:

Let’s name it key_buf and find out where is is passed to the function:

Again, xfers can tell us more about where is it set:

We find out that the full buffer consists of pieces that are set DWORD by DWORD in various functions. Let’s have a look at each of those functions.

At this point, things are getting easy: We have various environment checks that malware often uses for recognizing if it is run in a controlled environment or not. For example, checking if it runs under the debugger:

While malware detecting the debugger often terminates the execution, in this case the conditions are reversed. Having each check passed/item detected gives us one more piece of data to the buffer. We need to catch them all!

We may achieve it by following each check and patching it out (removing the conditional jump) so that the chunk will be added to the buffer unconditionally. You can use IDA for patching, but IMHO it is not convenient, so I usually do it with the help of some other tools (debuggers like OllyDbg, or PE-bear), and use IDA just to find the branches.

Example: removing conditional checks in PE-bear:

Follow the offset of the check (CTRL+R):

Select the bytes on the hex view and modify them:

Result:

After following and removing all the checks, we can save the patched file:

If we deploy the patched version, we see some progress! The message “You are on the right track!” is printed on the screen. We can also see a hint that something is being uncompressed.

Examining the traffic

We already know that something was downloaded from the Internet (using the decrypted URL), so it may be helpful to have a closer look at the network traffic. There are many ways of checking the URL that was queried. We can do it with the help of Wireshark or Fiddler:

Request and response:

We see that the content was downloaded from the pastebin from the URL: http://pastebin.com/raw/9FugFa91

The content is in Base64, but decoding it by a Base64 decoder does not give us any sensible result. (We guess that the reason is the content is compresses and/or further encrypted). So, let’s go inside the applications again!

Understanding the payload

First, let’s do some static analysis to understand what exactly this payload is supposed to be and how is it going to be used. Let’s search first where the “Nope :(” message box is being shown. We see that before there is a check if the buffer starts from “MZ,” it is a well-known magic number starting DOS applications and also Windows Executables (PE files).

Taking a closer look at this function, we find out that the downloaded file is processed by few functions.

First, it is base64 decoded. Then, the output is uncompressed:

We understand that this function is responsible for decompression by looking inside and finding the relevant API calls, such as RtlDecompressBuffer:

Then, we notice a function that reads like something from the clipboard:

Going inside it, we can also easily find relevant API calls, such as:

We find that the format that is being read from the clipboard is one that measures text (CF_TEXT).

Then, we find that the content that was read from the clipboard is being used by another function. It becomes an XOR key to decrypt the downloaded content:

After all this, the result starts from the “MZ” magic number. It is being injected into rundll32.

Following inside the function sub_4011F0, we see exactly how the injection was made. It is a classic RunPE technique. The new process is created as suspended. The payload is being written into its memory space, linked to its PEB and resumed:

More detailed explanation of this well-known technique is out of scope of this article. However, unpacking it is very easy—we just need to dump the payload after it is decrypted but before it is converted into the virtual format and written to the remote process. I will show some of the possible unpacking methods next.

Decrypting the payload

During the static analysis, we found out the following information:

  • The payload is downloaded from the decrypted URL
  • It is Base64-decoded
  • It is decompressed with RtlDecompressBuffer
  • It is XOR-decrypted with the help of some key that is read from the clipboard

To pass this level, we must find the XOR key. It will not be difficult, knowing that the XOR operation is self-reversible. But first, let’s dump the payload after it is decompressed so that we can get the material for further analysis.

I will run the patched version of the CrackMe under the debugger (e.g. ImmunityDbg) and go to the API call RtlDecompressBuffer:

I am setting the breakpoint at the end of the decompression function and then running the CrackMe.

We can see on the stack the variable that was passed to the function. Let’s follow the buffer that was uncompressed:

We can see some repetitive patterns and the string “malwarebytes.” It is easy to guess that it will be the XOR key passed via clipboard. At this point, we can choose various approaches of unpacking it. I will demonstrate just one of them.

Decoding the XOR-obfuscated payload

After the buffer is decompressed, we dump it to file and decode by our external tool dexor.py.

First, we dump the buffer:

Then, we have to trim it so that it will start from the proper offset. We can do so by opening the dumped memory page in XVI32 hexeditor, navigating to the beginning of out buffer, and choosing:

Edit->Dump to cursor

Then, we can easily decode it by the script, supplying the XOR key. In this case, we could easily guess that the key is “malwarebytes” because this string repeats multiple times in the decoded buffer (XOR key is visible in those fragments of file when it was applied on NULL bytes).

dexyor.py --file dump.bin --key "malwarebytes"

You can see the steps taken on the video below:

As we expected, based on the earlier findings, the decoded output is a new PE file.

Stage 2

Stage 2 is inside the new executable. After we dumped it, we can run it as a fully independent module. We see that it pops up the following message:

Let’s open it in IDA and have a look. It is not obfuscated and the structure is pretty simple.

Understanding the checked conditions

First of all, we can see why the “Fail” message was displayed. The first thing that is checked is the module path, compared with the path to rundll32.exe. The check is not done by direct comparison of the strings, but instead, the checksums of the paths are calculated and compared:

In short, if the current PE is not injected into the rundll32.exe, the check should fail and lead to the mentioned message box. At the moment, we want to run this PE file as an independent unit, not via rundll32. So we need to get rid of this check. We can do it by simply patching out the conditional jump (the same way as we patched out the conditional jumps in Stage 1).

Alternatively, we can load the executable under a debugger, set the breakpoint on the check, and change the flag to bypass it.

In order for the final flag to pop-up, two more conditions have to be met:

1. A process with a window of given class has to be running in the system.

First, the EnumWindows function is called. The searched checksum is given in the parameter to the callback:

Inside the callback function, each window’s class name is compared to the checksum. If it matches, the particular process is being opened for further injection:

Someone may notice that this check is implemented similar to this one. The searched window class belongs to ProcessExplorer.

2. The application must be loaded under the debugger.

The presence of the debugger is being checked, and sets the flag that further on influences the value of the XOR key.

If we run the executable under the debugger and if we have a ProcessExplorer (32-bit) running, the MessageBox with the flag will be injected there and we will get the solution instantly. Example:

Dumping and running the shellcode

If we have luck, we may get it very quickly. But in real life, finding the proper process that has to be injected could be problematic. Also, people who were running the CrackMe on the 64bit version of Windows will encounter problems because the shellcode is 32bit and can be injected only to the 32bit version of Process Explorer. However, in order to solve it, knowing the process name is not at all required. We can just dump the shellcode before it is injected and load it by our own loader.

First, we have a look in IDA and see the part of the code where the injection is made. Before, the checksum of the shellcode is calculated:

So at this point we already have the valid shellcode stored in the buffer. We don’t really care where it is injected—we can just dump it and run it on our own. To reach this place, we only need to bypass the search of the window with the given checksum. We can do it by simply patching the condition (or changing the flag under debugger). This is the condition that must be patched out:

On the attached video we can see the full solution: dumping the shellcode and running it independently. In the given example, the shellcode was added as a new section to the original CrackMe with the help of PE-bear:

That’s how we got the final flag:

Conclusion

In this tutorial, I tried to explain step-by-step one of the possible solutions to the CrackMe. I recommend you to have a look at the write ups below to see different perspectives and learn more. And of course, I encourage you to try on your own and describe your own solution, because this is the best way to learn.

Appendix

Received write ups:

https://mauronz.github.io/mb-crackme/ – by

https://drive.google.com/file/d/0Bzb5kQFOXkiSSURnMUZmaVpWRlk – by

https://drive.google.com/file/d/0Bzb5kQFOXkiSUmgwN2dWT21jdXM – by @ShAd0wHuNt3r_0

https://29wspy.ru/reversing/SolutionHasherezadeCrackme2017.pdf – by @ValthekOn

The post How to solve the Malwarebytes CrackMe: a step-by-step tutorial appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Singles’ Day deal seekers beware

Malware Bytes Security - Thu, 11/09/2017 - 10:00pm

Originally a day set aside for singles in China to be proud of their singlehood, Singles’ Day has been transformed into what is arguably the world’s single largest e-commerce festival, thanks to the involvement of The Alibaba Group. In fact, the Alibaba Group alone reported $17.8 billion in sales; six times higher than what was spent on Black Friday (around $3 billion).

Today, Singles’ Day has evolved into a shopping phenomenon that has gained traction beyond the shores of China, with shoppers across Southeast Asia eagerly awaiting previews, hoping to make a killing on the deals set to land on November 11.

However, also waiting to make a killing are cybercriminals, who see e-commerce festivals and heavy shopping holidays such as Singles’ Day, Black Friday, and Christmas as huge opportunities to dupe unsuspecting deal seekers and steal their hard-earned cash. Traditionally, cybercrime activity tends to pick up during festive periods, especially those that involve increased online shopping.

As we await Singles’ Day, many retailers will be sharing promotional links via email, social media, or mobile. Based on past experience, cybercriminals will also be ready to disseminate their own versions of fake promotional links through these channels. These emails from hackers, known as “phishing emails,” could be so well designed as to accurately mimic an email from legitimate and renowned retailers.

Phishing emails would likely contain links to fake promotions, which, instead of giving shoppers a great deal, would instead link directly to malware or ask users to provide personal details that can be abused for nefarious purposes later.

Taking it one step further, entire web pages built to look like legitimate online shopping sites are often built by cybercriminals to take advantage of shoppers. Sometimes hackers even build random e-commerce sites from scratch. These sites are used to steal personal data and even credit card information. And with many deals being time-based in the form of “flash” deals, shoppers sometimes fail to stop and consider the authenticity of a site before rushing to make a purchase.

A quick guide to safe online shopping during Singles’ Day

To ensure you can celebrate Singles’ Day safely and smoothly, here are some basic guidelines to protect oneself from being a victim on Singles’ Day.

1. Beware of spoofed links

Don’t simply click on a link if you can’t be a hundred percent sure it is indeed from the retailer, even if you know the “sender.” To make sure the link is legit, check the sender’s email header and message context. Display the full email address and reply-to address instead of looking at the sender’s name alone. An additional step you can take is to hover over the link to ensure it directs to a legitimate site. Also, be doubly wary of social media posts and texts that offer deals that are too good to be true.

2. Shop at retail websites directly

Instead of keying in personal details into a coupon link in direct emailers or on social media posts, it is wiser to go directly to a retailer’s main website. If the offers are legitimate, chances are more often than not you would be able to find them on the website itself.

3. Check the validity of retailers’ websites

Choosing to shop directly at a retailer’s website is a great first step, but always remember to ensure you are, in fact, on the right website before beginning to shop. Check the URL of the website. If it ends with a “.net” or has a different name in the URL, there is a good chance the site is not legitimate. Also, make sure the sites include “https” at the beginning of the URL. This indicates your data is encrypted whilst browsing or purchasing. Furthermore, check the website copy. If there are numerous grammatical errors and typos, this might not be the website you’re looking for.

4. Install the latest antivirus software

Aside from laptops, shopping through smartphones and tablets has become commonplace nowadays. Therefore, make sure to have a next-generation antivirus software installed, and preferably one that offers multi-layered protection. While having antivirus solutions installed on desktops is relatively common, many of us are guilty of failing to do the same for our mobile devices.  Maintaining a multi-layered security solution across all devices will help protect you from all sorts of malware such as worms, Trojans, spyware, ransomware, and more.

While consumers should stay alert of potential cyberattacks when shopping online throughout the year, one should pay extra attention during festive shopping periods such as Singles’ Day. Cybercriminals are ramping up their attempts to target hungry shoppers, who are rushing for the limited hours deep discounts. So stay calm and think twice before taking any actions. Don’t just rush for the best deals and forget the basic concepts of Internet safety. If you keep your head, you can protect yourself from being a victim of cybercriminals during Singles’ Day.

 

The post Singles’ Day deal seekers beware appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Disdain exploit kit served with a side of social engineering

Malware Bytes Security - Thu, 11/09/2017 - 7:23pm

Today we picked up new activity from an exploit kit that was first discovered back in August of this year. The Disdain exploit kit, simply identified by a string of the same name found in its source code, is being distributed again after a short interruption via malvertising chains.

Disdain EK relies on older vulnerabilities that have long been patched and some that do not appear to be working properly. From a traffic to infection point of view, this means that the conversion rates are going to be lower than, say, RIG EK, the other most common exploit kit at the moment.

This may explain why we are seeing Disdain being used as a drive-by download alongside a social engineering attack to increase the likelihood of infections. Case in point, the following site was compromised to serve Disdain EK while also distributing a fake Flash Player update:

What’s interesting is that both payloads (Disdain’s and the Flash update) are actually the same malware binary, just delivered by different methods. The former is loaded via an iframe injected into the page, while the latter is a regular download that requires user interaction to execute it:

Disdain’s landing page exploits older Internet Explorer vulnerabilities and attempts to load Flash exploits as well, although in our tests these did not work.

The final payload, served either via the exploit or social engineering route, is Neutrino Bot, which we have documented on this blog before when it was served in malicious spam campaigns.

In the past few weeks, there have been a few developments in the exploit kit scene beyond the long running RIG exploit kit, where threat actors are attempting new tricks both from an evasion and distribution point of view. Despite this, there remains a lack of innovation in what really matters at the end of the day: the exploits being used to deliver drive-by infections.

While some groups have switched to pure social engineering-based attacks, others are attempting either or both methods at once. In the current threat landscape, the campaigns that have the most success are those that can draw a lot of traffic and use clever techniques to fool users.

Systems that have been patched regularly would not be affected by this exploit kit, but at the same time users should beware of non-legitimate software updates. Many of the so-called “Flash Player” or “Video Player” updates typically push adware and, as we saw recently with the BadRabbit outbreak, even ransomware.

Malwarebytes users are protected from the Disdain exploit kit and Neutrino Bot malware.

The post Disdain exploit kit served with a side of social engineering appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Winning the battle against PUPs – on your computer and in U.S. District Court

Malware Bytes Security - Thu, 11/09/2017 - 8:00am

I know very few people, other than lawyers, that get excited about corporate court cases. But, I want to share with you a recent decision that I believe is cause for every computer user to celebrate.

This week, a United States District Court judge ruled in Malwarebytes favor, dismissing a lawsuit brought against us by Enigma Software Group USA LLC (“Enigma”). Essentially, they sued us because we classified two of their software programs as Potentially Unwanted Programs (PUPs).

Sounds mundane, but the reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users. This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.

Those of you that follow this blog know that for years, we have taken an aggressive stance against PUPs. We continue to monitor all known software against Malwarebytes’ PUP criteria to give our users the choice to select what programs you want to keep or to remove from your computer. We strongly believe that you should be allowed to make this choice and we will continue to defend your right to do so.

This company was founded on a real problem I experienced and a dream that everyone at Malwarebytes still affirms: that computer users have a right to choose what’s on their computers. As PUPs became more prevalent and problematic, we began offering protection against them too, a choice that is now backed by the United States District Court.

If you are interested in the brief news release we shared today, it may be found here.

A copy of the U.S. District Court Clerk’s filing (Case 5:17-cv-02915-EJD Document 105) may be found online here.

The post Winning the battle against PUPs – on your computer and in U.S. District Court appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Of scammers and cute puppies

Malware Bytes Security - Wed, 11/08/2017 - 1:37pm

We’ve followed tech support scammers for quite a while at Malwarebytes. They’ve been of particular interest because of their preference for scamming the poor, the elderly, and the developmentally disabled.  But there’s a diverse spectrum of online scams a criminal can profit from, and today we’re going to take a look at one of the more despicable ones: puppy scams.

The basic gist of the scam is that the crook will find photos of beautiful purebred dogs, put them up on Craigslist or a private website, and advertise them for adoption. Once a buyer is found, they’re on the hook for fees including fake vet bills, registration, kennel fees, and transport to the victim’s location. Suffice it to say: there is no dog. Average losses for this scam run from US$800 to $5,000.

Shopping for a fake dog

For our investigation, we started with pomeranianhouse[.]com. Clicking on puppies for sale, we get Paulie, an unbelievably cute dog that looks happy to see us.

This dog is not actually for sale.

The “About us” page has extensive copy on the care and upkeep of these beautiful dogs designed to make your heart melt. But when we reverse image search on Paulie, we get another site entirely: www.thebombpoms.com.

This site has the same dog:

It includes the same copy, but contains identifying details of the breeder, along with a lengthy diatribe against scammers who steal her photos.

Having confirmed that the first site is a huge scam, we decided to give them a call and see what happens.

 

Unsurprisingly, instead of a woman from Oklahoma, we get a man with a south Asian accent requesting a Walmart-2-Walmart money transfer. If you’re unfamiliar, Walmart-2-Walmart is a money transfer that allows a recipient to collect funds with an ID and a reference number. Most commonly, scammers will recruit money mules to do the collections as part of a work from home scheme. This particular scammer wanted to take us for $850 for the non-existent dog, but that probably would have gone up over time with assorted “unforeseen” costs.

So what about the perpetrator? Pomeranianhouse.com is WHOIS protected, with no significant pDNS, but the email they used with us, dydydav849@gmail[.]com, was partially reused on their last scam iteration in July, as seen below on a scam information website:

Once pomeranianhouse[.]com is taken down for fraud, the scammer will most likely set up a new site with fresh stolen pictures in another three months.

How to stay safe

Please do not use unconventional payment methods with people you do not know, or cannot find a reputable history on. Money wire, ACH transfer, and any sort of gift card should all be enormous red flags for “maybe I should not do business with this person.” You can also decrease your chances of getting scammed by buying pets locally from shelters or breeders who allow you to meet the dog first (to make sure it exists). Stay safe, and stay suspicious—no matter how cute the puppy is.

The post Of scammers and cute puppies appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Phony WhatsApp used Unicode to slip under Google’s radar

Malware Bytes Security - Wed, 11/08/2017 - 12:13pm

After a troubling week for Google not so long ago, the company is under the spotlight once more for missing another app that, after further investigations by several members of Reddit, was found laden with adware.

This app, which was called “Update WhatsApp Messenger,” used the logo and developer name of the real WhatsApp app—two elements that a user familiar with the app expects to see. However, the developer name for this bogus app had an extra space at the end, so it looked like this:

WhatsApp, Inc.{space}

To aid users in realizing this deception, Redditor Megared17 posted snapshots of a code section belonging to the real WhatsApp and the fake app to compare the two. We have reproduced the shots below for your convenience.

That bit in the box is the percent coding equivalent of a blank space, which translates to U+00A0, the Unicode value of a no-break space. Although this is something our normal eyes may have a difficult time spotting, many decried that Google’s scanner should have quickly picked this up.

Read: Out of character: Homograph attacks explained

Once downloaded and installed, Redditor Dextersgenius pointed out that “Update WhatsApp Messenger” hid from users by “not having a title and having a blank icon,” which he then supplemented with screenshots that we also reproduced below.

From Dextersgenius’s testing, they also pointed to a piece of code that indicated this bogus app appears to access a hardcoded bit.ly shortened URL that presumably downloads an update APK named whatsapp.apk. Upon closer inspection, however, the bit.ly URL led to another shortened URL—this time Google’s URL shortener, goo.gl—that then led to a Google search result for a WhatsApp Messenger APK file.

Essentially, users are told to “Look for the APK file from these search results. It’s got to be in one of them!” No updates are sent to the phones at all, so they’re just left with a PUP app.

“Users need to be more vigilant,” advised Armando Orozco, Lead for the Mobile Protection Team at Malwarebytes. “If they want to update WhatsApp, they need to use the update mechanism in the Play Store app, not a secondary app.”

Apart from reading app reviews for any reports of questionable behavior, it also pays for users to check the link to the developer of the app, which might have helped catch “Update WhatsApp Messenger” and possibly lessen the number of affected devices.

Stay safe!

Other related post(s):

The post Phony WhatsApp used Unicode to slip under Google’s radar appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Part 2: All rise! Mind these digital crimes and arm your business against them

Malware Bytes Security - Tue, 11/07/2017 - 2:53pm

In the first installment of this two-part series, we advised consumers to stay on top of a selection of up-and-coming crimes to significantly lessen the chances of encountering them in the future. For this post, we’re going to look into digital crimes that keeps small businesses and large enterprises on their toes: cloud attacks, attacks over SSL, ATM malware, and RDoS attacks.

It’s important to note that regardless of any digital attack an organization might face, fostering a culture of cybersecurity plays a massive role in arming employees with knowledge of what these attacks are and how they should respond if and when such incidents happen.

Let’s begin!

Cloud attacks

Many are surprised with how quick cloud computing has taken hold. In fact, Internet users who may not have heard about “the cloud” likely have no idea how much they rely on it when they check updates on Facebook, their work mail, or their online bank statement. Indeed, cloud services have made our lives a lot more manageable, to the point that we think everything we need is just within reach of our fingertips, wherever we are in the world.

Unfortunately, online criminals have caught on and started using cloud services as lures to dupe people into handing over their account and personal details. Retrieved credentials—say, for work email—are then used to access the account to gain further access to other repositories the credential owner has rights to, primarily company files stored in other cloud services. And this is just one of the many possibilities that could happen to compromised enterprise accounts.

How to protect your business

  • Take advantage of your cloud provider’s two-factor authentication (2FA) feature. They are used by the majority of cloud vendors today—using it is no longer optional. And that should be great news for any business looking into beefing up their security but only have a vague idea of where to start. Just remember that 2FA comes in various forms.
  • Know who accesses what information stored in the cloud. Not everyone in the company should be able to read or obtain sensitive files. Audit your access list and, if possible, restrict access to more sensitive data to a smaller group of decision makers.
  • Limit access to company resources based on user context. Employees in the office who use the internal network should be able to access files based on privileges assigned to them. Remote workers, on the other hand, should have limited access to company files, or they must go through additional sign-on steps to ensure that the person accessing the data is indeed who they say they are.
  • Encrypt highly sensitive files stored in the cloud. Offsite backups work well, too.
  • Use a cloud vendor that provides encrypted data transfers. (Not all of them offer this.)
  • Toughen up on passwords. Make sure that employee passwords have an acceptable rating of complexity. The system should straight up reject ones that are easily guessed like “admin,” “password,” or “123456.”
  • Regularly update your software to keep exploits at bay.
Attacks over SSL/TLS

Secure Socket Layer (SSL) or Transport Layer Technology (TLS) is a protocol wherein transmissions between a server and a browser are authenticated and encoded. While an increasing number of companies are learning and adopting encryption as part of their security and privacy strategies, using secure communication over the network to hide malicious antics is how threat actors level up the playing field. We’ve seen this in multiple malvertising campaigns in previous years. Malware being sent over an encrypted channel is not new either. Phishers, on the other hand, mainly use SSL as a way to make their campaigns more believable, seeing that more Internet users are clued in on what to look for on a potential phishing page.

Some threat actors use free SSL certificates, while others have breached company sites with them already installed. Regardless, organizations have a big hand to play in stopping the bad guys by securing their websites and also educating their employees on current, more sophisticated criminal tactics.

How to protect your business

  • Keep server OS and other software running on your website up to date.
  • Strengthen the passwords of your website admin accounts.
  • Make sure that text boxes on your website where users can post content to them, such as a search box, comment window, or forum post, are SQL injection- and cross-site scripting (XSS)-proof. You can install tools to prevent scripts not hosted on your server from running on your website. Or you can tinker with the server-side code to make it difficult for the bad guy’s script injection to run even if it were successfully posted to the page.
  • Install a Web Application Firewall. There are niche brands that offer this, with some of them being cloud-based. So do your research and choose a service that fits your company’s needs.
  • If you allow users to upload files—say, a screenshot—to your website, make sure that limitations are explicitly set to prevent users from uploading other file types.
  • Switch to HTTPS. You may also want to consider using SSL inspection.
  • Restrict physical access to your server.
  • Conceal your admin directories. Hackers have been known to scan web servers for conspicuous directories they can focus on gaining access to, such as the admin folder. Choose new names for your administrator folders, and make sure you and your webmasters are the only ones who know them.
  • Back up your website. Always.
ATM malware

Crimes involving ATMs don’t necessarily require physical skimming devices. Sometimes, there’s malware—and a bit of phishing—in there, too. And these two combined form network-based ATM attacks. Europol’s European Cybercrime Centre (EC3) and Trend Micro’s Forward-Looking Threat Research (FTR) Team have circulated a 40-page report, warning banks about the rise of ATM targeting. Based on this report, not only is ATM malware becoming commonplace, it has evolved remarkably through the years.

EC3 and FTR have also revealed that there are two objectives of ATM malware: (1) empty the affected machine from cash, which is called “jackpotting,” and (2) record card data from clients using the affected ATM, effectively acting as a virtual skimming device.

Below is a video shared by Bleeping Computer about the latest ATM malware sold on the Dark Web in action:

How to protect your business

  • The majority of malware that infiltrates a bank’s network starts off as phishing emails. As such, it’s more important than ever for senior managers to focus on running awareness programs and surprise simulations within the organization on a regular basis.
  • To prevent crooks from delivering malware via the ATM’s USB and CD drives, fortify the machine by replacing the default generic locks on the shell to prevent thieves from purchasing generic keys for these locks. Also, make sure that the location where the ATM machine is situated is well-lit and has a security camera in place (that cannot be easily tampered with).
  • Ensure that the communication between the interbank network and the ATMs are encrypted and have integrity controls.
  • Religiously update all software installed on the ATM. Also, whitelist software that are only allowed to run on ATM machines.
  • By default, use two-factor or multi-factor authentication between devices and software.
  • Employ whole disk encryption for hard disks.
  • Secure the ATM BIOS against unauthorized access.
Ransom DDoS (RDoS) attacks 

A distributed denial of service attack, or DDoS, involves the use of hundreds, if not thousands, of electronic devices controlled by a botmaster. These devices are then used to attack an organization by overwhelming their network with garbage traffic, resulting in websites being shut down and clients not being able to access them for an indefinite period. This translates to a significant loss of profit and disruption of productivity. An RDoS attack happens when an organization is threatened with a DDoS attack but fails to deliver or ignores a threat actor’s demands for money, which is usually in the form of cryptocurrencies. According to a Kaspersky report, a majority of threat actors behind these attacks are beginners and not organized hacker groups. Regardless, a DDoS attack is not something any company with an online presence would want to get entangled with.

Although RDoS attacks on enterprises regularly make the news, small businesses shouldn’t be lax as they have more to lose in the event of such attacks. Unfortunately, a vast number of small business are ill-equipped to handle DDoS and RDoS attacks.

How to protect your business

  • Plan ahead. Little can be done once an attack is already taking place. Prevention is critical in this case. Assess the potential DDoS risk, exposure, and severity to the business and come up with mitigation strategies to address them.
  • Monitor bandwidth for spikes on the network. This could mean an oncoming attack or the presence of malware.
  • Have security software in place. Install anti-malware, email and URL filtering, firewall, and other security software to beef up your company’s computer, device, and network protection. Make sure that they are also whitelisted and regularly patched. Some companies even offer DDoS protection.

Regardless of the nature of the business, as long as you have an online presence—if we guess correctly, almost all SMEs have this—securing your assets, which are either stored in the cloud or on-premise, should be an essential part of any business plan. Organizations of all sizes can no longer afford to overlook security and privacy matters regarding how they should handle confidential company and client information, especially with the arrival of GDPR.

On the other hand, users are also responsible for making sure that their electronic devices are protected both from unauthorized physical and electronic access, their sensitive information kept behind digital lock and key, and that the resources and assets they use for work are maintained within acceptable security standards.

The post Part 2: All rise! Mind these digital crimes and arm your business against them appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A look into the global drive-by cryptocurrency mining phenomenon

Malware Bytes Security - Tue, 11/07/2017 - 8:00am

An important milestone in the history of cryptomining happened around mid-September when a company called Coinhive launched a service that could mine for a digital currency known as Monero directly within a web browser.

JavaScript-based mining is cross-platform compatible and works on all modern browsers. Indeed, just about anybody visiting a particular website can start mining for digital currency with eventual profits going to the owner’s wallet (in the best case scenario). In itself, browser-based cryptomining is not illegal and could be seen as a viable business model to replace traditional ad banners.

To differentiate browser-based mining from other forms of mining, many started to label these instances as JavaScript miners or browser miners. The simplicity of the Coinhive API integration was one of the reasons for its immediate success, but due to several oversights, the technology was almost instantly abused.

However, many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking—utilizing 100 percent of the victims’ CPU to mine for cryptocurrency with no knowledge or consent given by the user.

We decided to call this new phenomenon drive-by mining, due to the way the code is delivered onto unsuspecting users, very much like drive-by downloads. There’s one important caveat, though: There is no malware infection at the end of the chain.

While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.

In our full reportA look into the global drive-by cryptocurrency mining phenomenon, we review the events that led to this new technology being abused and explore where users involved in cryptomining against their will are located.

To give you an idea of the scope of drive-by mining, Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, which added up to approximately 248 million blocks in a single month.

With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists. This could also benefit users who might not mind trading some CPU resources for an ad-free online experience.

Time will tell how criminals react, but in the meantime, drive-by mining continues unabated.

For more information on this latest trend in the cryptocurrency world, please download our report.

The post A look into the global drive-by cryptocurrency mining phenomenon appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Stay away from the Bitcoin multiplier scam

Malware Bytes Security - Mon, 11/06/2017 - 1:30pm

It is well known that hot commodities tend to attract scammers and online criminals. The continuous rise of Bitcoin over the past year (valued at over USD $7,188 at the time of writing) is generating frenzy amongst fans of cryptocurrencies as well as those watching from the sidelines.

While the threat of Bitcoin theft from hackers or rogue operators remains high, we also see many scams inspired by the classic Ponzi scheme. Such is the case of the Bitcoin multiplier scheme, where victims are enticed to send some of their Bitcoin to a particular wallet and be given x times the amount they invested.

Multiply your loss

There are a few different ways users are drawn to this scam. One of them is searching online for sites that offer such a service (and you can find many). Some people are even asking the million dollar question: “Is there any genuine Bitcoin multiplier?” which scammers immediately pounce on and use for Search Engine Optimization (SEO) purposes.

Another tactic is to use advertising to redirect users to such sites:

The offer sounds too good to be true and should raise an immediate red flag. Even the “confidence” indicators displayed at the bottom of the page are fake and just for show.

However, the scam artists are using an interesting ploy by first asking the user for their email address and Bitcoin address, suggesting that the service might actually send them something. But the opposite happens. When the user submits their information, they are taken to a different page asking them to send BTC to the perpetrator’s wallet:

This might make some people feel uneasy, but the crooks have an answer for any doubts that might arise. They keep a page with previous payments they have sent, although this information is bogus.

In trying to deconstruct this scam, one question that comes to mind is why such a service would exist in the first place, especially considering that nowhere on the site do they mention any kind of commission for their effort. Well, apparently, these guys are doing it for the altruistic love of technology.

Sadly, many people have fallen for this scam and have never seen their money again. The criminals behind this are setting up temporary websites and keep on resurfacing after they have been taken down.

The best piece of advice we can give you is to stay away from too good to be true promises, especially when it involves something like Bitcoin or other cryptocurrencies. And if you need any more guidance, the answer to the million dollar question is: No, there are no genuine Bitcoin multipliers.

The post Stay away from the Bitcoin multiplier scam appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Pages