
PandaLabs Blog Everything you need to know about Internet threats

Security Trends in 2013

  • Vulnerabilities: Software vulnerabilities will be the main target of cyber-criminals next year. It is undoubtedly the preferred method of infection for compromising systems transparently, used by both cyber-criminals and intelligence agencies in countries around the world. In 2012, we saw how Java, which is installed on hundreds of millions of devices, was repeatedly compromised and used to actively infect millions of users. Adobe comes second: given the popularity of its applications (Acrobat Reader, Flash, etc.) and their many security flaws, they are among the favorite tools both for infecting users massively and for targeted attacks.

    Although we may think that home users are exposed to the highest risk, remember that updating applications, which is essential for protecting against these types of attacks, is a very complex process in companies, where updating all computers must be coordinated. At the same time, it is essential to ensure that all the applications used in a company work correctly. This makes the update processes slow, which opens a window that is exploited to steal information in general and launch targeted attacks in search of confidential data.

  • Social networks: The second most widely used technique is social engineering. Tricking users into collaborating to infect their computers and steal their data is an easy task, as there are no security applications to protect users from themselves. In this context, use of social networks (Facebook, Twitter, etc.), places where hundreds of millions of users exchange information, on many occasions personal data, makes them the preferred hunting ground for tricking users.

    Particular attention should be paid to Skype, which after replacing Messenger, could become a target for cyber-criminals.

  • Malware for mobile devices: Android has become the dominant mobile operating system. In September 2012, Google announced that it had reached the incredible figure of 700 million Android activations. Although it is mainly used on smartphones and tablets, its flexibility and the fact that you do not have to buy a license to use it are going to result in new devices opting to use Google’s operating system. Its use is going to become increasingly widespread, from televisions to all types of home appliances, which opens up a world of possible attacks as yet unknown.
  • Cyber-warfare / Cyber-espionage: Throughout 2012, different types of attacks have been launched against nations. The Middle East is worth mentioning, where the conflict is also present in cyber-space. In fact, many of these attacks are not even carried out by national governments but by citizens, who feel that they should defend their nation by attacking their neighbors using any means available.

    Furthermore, the governments of the world’s leading nations are creating cyber commandos to prepare both defense and attack and therefore, the cyber-arms race will escalate.

  • Growth of malware: For two decades, the amount of malware has been growing dramatically. The figures are stratospheric, with tens of thousands of new malware strains appearing every day and therefore, this sustained growth seems very far from coming to an end.

    Despite security forces being better prepared to combat this type of crime, they are still handicapped by the absence of borders on the internet. A police force can only act within its jurisdiction, whereas a cyber-crook can launch an attack from country A, steal data from citizens of country B, send the stolen data to a server situated in country C and could be living in country D. This can be done in just a few clicks, whereas coordinated action of security forces across various countries could take months. For this reason, cyber-criminals are still living their own golden era.

  • Malware for Mac: Cases like Flashback, which occurred in 2012, have demonstrated that not only is Mac susceptible to malware attacks but that there are also massive infections affecting hundreds of thousands of users. Although the number of malware strains for Mac is still relatively low compared to malware for PCs, we expect it to continue rising. A growing number of users, added to security flaws and lack of user awareness (due to over-confidence), mean that the attraction of this platform for cyber-crooks will continue to increase next year.
  • Windows 8: Last but not least, Windows 8. Microsoft’s latest operating system, along with all of its predecessors, will also suffer attacks. Cyber-criminals are not going to focus on this operating system only but they will also make sure that their creations work equally well on Windows XP to Windows 8, through Windows 7.

    One of the attractions of Microsoft’s new operating system is that it runs on PCs, as well as on tablets and smartphones. For this reason, if functional malware strains that allow information to be stolen regardless of the type of device used are developed, we could see a specific development of malware for Windows 8 that could take attacks to a new level.


Obama punching a guy in the face? Something to do with face… a new Koobface

We have detected a new Twitter spam campaign that may compromise user security. Users receive a direct message on Twitter, which contains the text “Check out Obama punch a guy in the face for calling him a nigger”, and a malicious link to a fake Facebook page.

If you click the link, you will be taken to a bogus Facebook page where you are prompted to submit your Twitter login details. However, if you enter your credentials, the malware will hijack your account in order to send the same malicious message to all of your followers.

Then, you will be taken to a website that displays a fake YouTube video set against a fake Facebook background. This time, you will be asked to update a ‘YouTube player’ to watch the video. As is usual in this type of scam, if you click on the ‘Install’ button, you will find yourself downloading the Koobface.LP worm, which will infect your computer and steal all of your personal data.

This attack exploits the two most popular social networking sites, Facebook and Twitter, to trick users into believing they are viewing a trusted site.  It also relies on its victims’ curiosity by using a scandalous story involving U.S. President Barack Obama and racism. Cyber-criminals know people are curious by nature and take advantage of this to trick users and infect them with their creations.

Twitter Direct Messages, Yet Another Technique to Spread Malware Infections

This is just the latest example of a cyber-scam that uses Twitter direct messages to spread. Users’ accounts receive dozens of them every day, with malicious links and enticing messages like: “What exactly do you think you’re doing on this video clip”, “Hello this guy is saying bad rumors about u…”, “Did you see this pic of you?”, etc., etc.

Never, ever, click the links within the text of those messages as they could infect your computer.  Every time you receive a direct message you should check with the sender that they have knowingly sent it to you. Make sure it has not been automatically forwarded to you from a hacked account. As a general rule, always keep your antivirus software up to date and be wary of messages offering sensational videos or unusual stories as, in 99 percent of cases they are designed to compromise user security.


Cyber-Crime insights

Do you want to know a little bit more about Cyber-Crime?  We have created this infographic about it:



Main computer security threats: Trojan Horses

Do you want to know a little bit more about Trojan Horses?  We have created this infographic about them:


Is it your new profile pic? No, it’s a worm spreading through Skype and Messenger

Since Saturday, there’s a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who’s infected with this worm will send you the following message:

The link refers to goo.gl and is actually Google’s URL Shortener service. You’ll land on Hotfile.com, which is a legitimate file sharing website. (it’s not the first time Hotfile has been used to spread malware, read more here)

The positive thing is that it is a ZIP file and not an EXE. This means the user still has to manually unpack and run the malware. Inside the ZIP file we find the following file, which is disguised as a Skype setup file:

When executing this file, another file (a random 4 character EXE) will be dropped to the %appdata% folder of the currently logged on user:

This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to a short list of hard-coded IP addresses.


Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive (skype_05102012_image.exe) looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe

It will then automatically send a message, based on the OS language. It uses the following list to spread:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c’est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?

It will then append the link below and add your username after the equals sign (=):
http://goo.gl/QYV5H?img=
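The spreading behaviour described above (a language-specific lure phrase plus a goo.gl link with the username after `img=`) gives a defender two concrete things to look for. The following Python script is an added example, not code from the post or from Panda; it runs the check over a constructed IM log and assumes the small subset of lure phrases and shortener hosts hard-coded in it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A subset of the lure phrases listed in the post (the worm picks one by OS language).
LURE_PHRASES = [
    "lol is this your new profile pic?",
    "hey c'est votre nouvelle photo de profil?",
    "hej detta är din nya profilbild?",
    "hey is dit je nieuwe profielfoto?",
    "hey la tua immagine del profilo nuovo?",
]

# Shortener hosts named in the post; goo.gl is the one this worm used.
SHORTENER_HOSTS = {"goo.gl", "t.co", "bit.ly", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _normalise(text):
    # Fold case and curly apostrophes so a copied lure still matches.
    return text.lower().replace("\u2019", "'").strip()


def classify_message(body):
    """Return the list of indicators found in one IM body ([] means nothing matched)."""
    reasons = []
    norm = _normalise(body)
    if any(_normalise(p) in norm for p in LURE_PHRASES):
        reasons.append("known lure phrase")
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append("shortened link (%s)" % host)
        params = parse_qs(parts.query, keep_blank_values=True)
        # The post notes the worm appends a username after 'img='.
        if "img" in params:
            reasons.append("img= parameter (%r)" % params["img"][0])
    return reasons


def verdict(reasons):
    # Lure phrase together with a link indicator is the worm's signature combination.
    if "known lure phrase" in reasons and len(reasons) > 1:
        return "likely worm lure"
    return "suspicious" if reasons else "clean"


# Constructed sample log of (sender, message body); not real captured traffic.
SAMPLE_LOG = [
    ("bob", "lol is this your new profile pic? http://goo.gl/QYV5H?img=bob"),
    ("carol", "hey c\u2019est votre nouvelle photo de profil? http://goo.gl/QYV5H?img=carol"),
    ("dave", "meeting moved to 3pm, agenda at http://intranet.example/agenda"),
    ("erin", "have a look: http://bit.ly/abc123"),
]


def scan_log(log):
    """Map each sender to (verdict, reasons) so flagged accounts can be warned and cleaned."""
    result = {}
    for sender, body in log:
        reasons = classify_message(body)
        result[sender] = (verdict(reasons), reasons)
    return result


if __name__ == "__main__":
    for sender, (v, why) in scan_log(SAMPLE_LOG).items():
        print(f"{sender:6} {v:18} {', '.join(why)}")
```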

The malware is identified by Panda as W32/SpySkype.G.worm and spreads via removable drives, instant messaging programs, and social networks. Some variants could get user names and passwords, and block websites related to security updates.  It may also launch a limited denial of service (DoS) attack.

On our test machines no additional malware was downloaded, even after replicating a few times. Other malware can however be downloaded at any time, whether it’s ransomware, rogueware…

Conclusion

Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype is nothing new. Still, it appears to be very successful as human curiosity wins in cases of doubt:
Do I really have (embarrassing) pictures of myself on this website? Better take a look!

No, no, no!

Never click on unknown links, especially when a URL shortener service like goo.gl is used (others are, for example, t.co, bit.ly, tinyurl, etc.).
Don’t be fooled by known icons or “legit” file descriptions; these can easily be altered.

Even if you clicked the link and you’re not suspicious, you should be when a file is downloaded and no pictures are shown, but just an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

Keep your antivirus always updated.  Here you will find a free 6-month trial of Panda Cloud Antivirus Pro.

I would like to thank our colleague Bart Parys http://www.twitter.com/bartblaze, (Panda Security Benelux)


New version of Panda Cloud… Oh wait!

A new Trojan has been discovered –DarkAngle– that steals users’ confidential information like passwords, banking details, etc. Nothing unusual about this, just one more to add to the more than 73,000 new viruses that appear every day. However, there is something truly special about this new piece of malware…

It tries to pass itself off as our Panda Cloud Antivirus. As you can see in the image, it uses the well-known Panda icon to trick users, who may think they are actually installing our antivirus software. Once run, DarkAngle logs all commands entered by the user and sends them to an external server. In addition, it loads up every time the user reboots the computer, making sure it logs the victim’s data at all times. Furthermore, it uses stealth techniques to bypass antivirus engines.

Panda Cloud Antivirus is one of the best free antivirus programs available, as shown by the millions of users who rely on it to protect their PCs from the cloud. Cyber-criminals know this and try to exploit the software’s popularity to spread their creations. Actually, this is not the first time that they have done something like this, nor will it be the last. For this reason, we’d like to take this opportunity to warn you and advise you that if you want to use Panda Cloud Antivirus, you should download it from its official website www.cloudantivirus.com, or the product’s Facebook page, where you will find a free 6-month trial of Panda Cloud Antivirus Pro.


How to stay protected against Internet Explorer’s 0-day vulnerability

Just a few days after a critical vulnerability was detected in Java 1.7, we now find a new vulnerability being used in the wild, and this time the compromised system is Internet Explorer. Microsoft’s browser has been compromised by a group of cybercriminals who have discovered a security hole and created several malicious web pages that, by exploiting this breach in the browser, download malware onto users’ computers.

The malware that is currently being distributed is part of the already known Poison Ivy Trojan family, and it gets into the computer when the user visits one of the compromised websites using Internet Explorer as a browser. Without the user noticing, the Trojan is downloaded silently to his computer, entering through the browser’s security hole. The Trojan specializes in taking control of infected computers, which allows the cybercriminal to steal the user’s sensitive information, such as passwords, banking data, etc.

At Panda Security we protect our clients and users against this Trojan, but we are sure that the cybercriminals are already working on new malware programs that exploit this Internet Explorer vulnerability to compromise new computers. So we encourage the public to be really careful to avoid being infected. In any case, at PandaLabs we keep on fighting against malware 24 hours a day, identifying new samples and creating vaccines against them. In addition, we have our TruPrevent proactive technologies that provide protection against new malware based on its behavior.

Microsoft has already reported this problem on its blog, and has made available to all users an urgent toolkit intended to seal the hole, called Enhanced Mitigation Experience Toolkit (EMET), until it is able to deliver a patch that solves the vulnerability once and for all.

In any case, the easiest solution is to avoid using Internet Explorer until Microsoft solves this vulnerability on its browser, and use Chrome or Firefox.


Java exploits reloaded

As you probably already know, we detected a 0-day vulnerability in Java 1.7 whereby the machine could be exploited by any malware for remote code execution. Only users who have this version of Java installed were affected. Fortunately, Oracle has released an emergency update to prevent cybercriminals from taking advantage of it.

One of the means the cybercriminals were using to exploit this vulnerability is via spam email. The email pretends to come from a company called ADP and notifies you that your digital certificate is about to expire, threatening to cut your “ADP’s Internet services”.

When you click on any of the links in the email, you are redirected to a compromised website, which will load the exploit on your system and download several malicious files.

Luckily, our Panda Security products already detected this attack, so our customers were protected at all times.

Just in case a similar exploit happens again, we want to include a little guidance on how to disable Java.

If you use Windows:

In the Control Panel, you can access the Java control panel on your machine. In the Java tab, click on the View button to change the settings. Just disable version 1.7, which was exploitable. If you have an earlier version, do not turn it off, as you can still use the basic features of the program.

Then, depending on the browser you use, this is what you do:

Internet Explorer:

To disable Java in Microsoft’s browser, open the Tools menu and select Internet Options. Within the Programs tab click Manage Add-ons. Select all plugins and disable Java version 1.7 if it is installed.

Firefox:

From the Tools menu you access Add-ons. On the left, select the Plugins menu and disable those belonging to Java 1.7.

Google Chrome:

The easiest way is to type “chrome://plugins/” (remember to remove the quotation marks) in the address bar of the browser, which will direct you to the plugins menu. There you can disable the Java 1.7 plugin.

In any case, try to avoid such situations: as always we recommend you have an antivirus installed and updated on your computer as well as patching or updating all software versions you may have on your computer (like Java).


The Rise of the Ransomware – Police Virus Reloaded

Some of you probably remember this article where I described the huge increase of attacks seen in some countries by malware that was posing as different law enforcement agencies. This kind of malware is called “Police Virus” because of this, and its main purpose (as usual with malware) is to steal money from users. To do that it tries to scare users (which is why this kind of malware is sometimes called “scareware”).

During the last months, these attacks have evolved. As posing as the police was not enough, they started using ransomware tactics, encrypting files on the computer and “forcing” victims to pay the fine in order to recover access to those files. Basically they took this functionality from PGPCoder, a trojan designed to encrypt files, which were only decrypted once you paid a ransom to the cybercriminals behind it.

The first versions of this new police virus were only encrypting .doc files, and the encryption was not really hard, so it was possible to decrypt them without having the key. However these cybercriminals realized they had made a mistake and created a new version. This time the encryption was using a more advanced technique, so in order to decrypt the file the key is needed. Not only that, but the key is different for every computer that has been infected, so unless someone can access the server where the keys are stored there is no way to recover those files. And they are not just encrypting .doc files anymore: some variants have a list of file extensions to encrypt; some others have just an exclusion list to avoid encrypting any critical system file, and they encrypt everything else.

How much further can they go? At the end of the day what these cybercriminals need is to scare users as much as possible so that they pay this ransom (“fine”). Last week we came across yet another variant, which oddly was activating the webcam of the computer. What for? They have modified the typical warning page they were using before:

For a new one that includes a frame with the image taken by the webcam:

As you can see there is a frame where the stream of the webcam is shown, and a caption that says “Video recording”. However it is not recording any video, nor sending it anywhere, it is just showing the image taken by the webcam. But of course the user doesn’t know this, and most of them will be really scared and will pay asap to get rid of this. This one does not have the encryption feature, they must have thought that the webcam use is scary enough.


LinkedIn spam serving Adobe and Java exploits

Today we will be reviewing a cybercriminal’s recipe for success:

  1. Hacking LinkedIn’s password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User’s computer is now a zombie (part of a botnet).

I was forwarded an email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn Inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack. I believe however that (a part of) the user-database was breached as well.

If we verify the “To” and “CC” fields of this email, we see about 100 other recipients. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth… Here’s the email in question:

LinkedIn mail

Subjects of this email might be:
“Relationship LinkedIn Mail”, “Communication LinkedIn Mail”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail”. No doubt the subjects of this email will vary, and are not limited to these four.

Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.

Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer:

  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mixed flavor of Adobe & Java exploits is used.

In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:

Process Explorer

What’s this ? There’s a process from Adobe Reader loaded under our Internet Explorer ? Which seems to spawn a .dll file, which in turn spawns another file… Okay, you get the point here. Your machine is executing malware and is in the process of being infected.

You might get the following message from Adobe Reader, stating it has crashed (this is due to the exploit):

Adobe Reader Error

After the user clicks OK, everything looks fine. Right ? No, of course not. Ultimately, there’s a malicious executable which will start every time the computer boots.

The exploits’ source is probably the Blackhole exploit kit. The exploits in question are:
CVE-2006-0003
CVE-2010-0840
Unknown (at this point) Adobe Reader exploit

Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected.

The malware will try to phone home or connect to the following IP addresses:
188.40.248.150
46.105.125.7

The IPs above (188.40.248.150 in particular) are part of a known botnet. The IPs are used to receive new instructions from the botherder or to download additional malware.

After all 4 steps have been executed, Step 5 of the process is completed as well and the machine will be successfully part of a botnet. In particular, the Zeus botnet.

Conclusion

Today’s lesson is a very important one and is one of the basics of security:

PATCH PATCH PATCH people ! Keep ALL of your software up-to-date ! This means Adobe, Java, but don’t forget other software, for example VLC, Windows Media Player…. You get the picture.

This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed.

If possible, avoid using Adobe and/or Java. There are other (also free) alternatives on the market.

Finally, use an up-to-date Antivirus product to keep your machine safe should you not have done any patching. Several of Panda’s products use heuristics to determine if an exploit is being loaded on the system or a process is being injected into another process.

Tuesday, June 12, 2012

LinkedIn spam, exploits and Zeus: a deadly combination ?

Is this the perfect recipe for a cybercriminal ?:

  1. Hacking LinkedIn’s password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User’s computer is now a zombie (part of a botnet).

I would definitely say YES.

A reader of my blog contacted me today; he had received an email from LinkedIn which looked phishy. We can verify that Step 1 is accomplished by the simple fact that in the “To” and/or “CC” field of the email below there are about 100 email addresses. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth…

Here’s the email in question:


Reminder from LinkedIn. You got a new message !

Subjects of this email might be:
“Relationship LinkedIn Mail”, “Communication LinkedIn Mail”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail”. No doubt the subjects of this email will vary, and are not limited to these four.

Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.

Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer:

  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mixed flavor of Adobe & Java exploits is used.

In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:


The green highlighting indicates the spawning of a new process

What’s this ? There’s a process from Adobe Reader loaded under our Internet Explorer ? Which seems to spawn a .dll file ? Which in turn spawns another file …. Okay, you get the point here.

The PDF file has several embedded files, which are dropping malicious executables and executing them. After the process of spawning and dropping processes and executables, the malware will also clean-up any leftovers, including the PDF file at first:


Message from Adobe Reader it has crashed. Have a guess why

After the user clicks OK, everything looks fine. Right ? No, of course not. Ultimately, there’s a malicious executable which will start every time the computer boots.

Interesting to note is that there is also an attempt to exploit CVE-2006-0003. An exploit from 2006, no less!

Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. With what you may ask ? Well, let’s review all the associated files:

The initial Java exploit – set.jar -
(when I first uploaded this sample a few hours before this blogpost, there were ZERO detections)

Result: 2/42
MD5: b0697a5808e77b0e8fd9f85656bd7a80
VirusTotal Report
ThreatExpert Report

I just now re-uploaded set.jar (17:47:41 UTC); it now has 6 detections. Most probably the Blackhole exploit kit is responsible for this attack. Microsoft identifies the file as
“Exploit:Java/CVE-2010-0840.NQ”.
The corresponding CVE can be found here.

“I got Java patched, always”, you might say. Great! How about Adobe Reader?
c283e[1].pdf
Result: 11/38
MD5: ad5c7e3e018e6aa995f0ec2c960280ab
VirusTotal Report
PDFXray Report
MWTracker Report

Thanks to PDFiD, we are able to see there’s an AcroForm action and 6 embedded files. Basically, AcroForm is just another way to execute JavaScript in a PDF document. Embedded files are… files hidden in your PDF document:


PDFiD results
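The PDFiD-style triage described above (count /AcroForm, JavaScript and /EmbeddedFile names without rendering the file) can be reproduced in a few dozen lines. The script below is an added example, not PDFiD itself and not code from the post; it builds a constructed stand-in for the sample (an AcroForm field with a JavaScript action plus six embedded files, one of which uses a #xx-escaped name as obfuscated samples do) and assumes only that names are visible in the raw bytes.

```python
import re

# Keywords PDFiD reports; these are the ones relevant to the sample in the post.
KEYWORDS = ["/AcroForm", "/JS", "/JavaScript", "/OpenAction", "/Launch", "/EmbeddedFile"]

# PDF names may hide a keyword with #xx escapes, e.g. /Embedded#46ile for /EmbeddedFile.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data):
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(pdf_bytes):
    """Count each keyword as a whole name, so /EmbeddedFiles does not count as /EmbeddedFile."""
    data = unescape_names(pdf_bytes)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw.encode()) + rb"(?![0-9A-Za-z])"
        counts[kw] = len(re.findall(pattern, data))
    return counts


def triage(pdf_bytes):
    """Return (counts, flags); flags summarise why the file deserves a closer look."""
    counts = count_keywords(pdf_bytes)
    flags = []
    if counts["/AcroForm"] and (counts["/JS"] or counts["/JavaScript"]):
        flags.append("form with JavaScript action")
    if counts["/EmbeddedFile"]:
        flags.append("%d embedded file(s)" % counts["/EmbeddedFile"])
    if counts["/OpenAction"] or counts["/Launch"]:
        flags.append("automatic or launch action")
    if HEX_ESCAPE.search(pdf_bytes):
        flags.append("hex-escaped names (possible obfuscation)")
    # Caveat: names inside compressed object streams (/ObjStm) are invisible to a byte
    # scan, so a zero count is not proof that the file is clean.
    return counts, flags


def _embedded_file_objects(n, first_obj=10):
    # Build n Filespec/EmbeddedFile object pairs; the stream's type name is #xx-escaped.
    parts = []
    for i in range(n):
        spec, stream = first_obj + 2 * i, first_obj + 2 * i + 1
        parts.append(b"%d 0 obj << /Type /Filespec /F (file%d.exe) /EF << /F %d 0 R >> >> endobj\n"
                     % (spec, i, stream))
        parts.append(b"%d 0 obj << /Type /Embedded#46ile /Length 0 >> stream\n\nendstream endobj\n"
                     % stream)
    return b"".join(parts)


# Constructed stand-in for the sample (not the real c283e[1].pdf): a catalog with an AcroForm,
# one text field carrying a harmless JavaScript action, and six embedded files.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R "
    b"/Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"3 0 obj << /Fields [5 0 R] >> endobj\n"
    b"5 0 obj << /FT /Tx /T (f) /AA << /Fo << /S /JavaScript /JS (app.alert('hi')) >> >> >> endobj\n"
    + _embedded_file_objects(6)
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    counts, flags = triage(SAMPLE_PDF)
    for kw, n in counts.items():
        print(f"{kw:14} {n}")
    print("flags:", "; ".join(flags) or "none")
```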

Here’s our first dropped file – calc[1].exe
Result: 5/38
MD5: 4eead3bbf4b07bd362c74f2f3ea72dc4
VirusTotal Report
ThreatExpert Report
Anubis Report

Calc[1].exe will drop other files. Examples:

amutwa.exe
Result: 9/42
MD5: e7e25999ef52e5886979f700ed022e3d
VirusTotal Report
ThreatExpert Report
Anubis Report

nyyst.exe
Result: 10/42
MD5: fbc4bb046449fd9cef8a497941457f4f
VirusTotal Report
ThreatExpert Report
Anubis Report

The malware will try to ‘phone home’ or connect to the following IP addresses:
188.40.248.150 – IPVoid Result
46.105.125.7 – IPVoid Result

The IPs above (188.40.248.150 in particular) are part of a known botnet.

After all 4 steps have been executed, Step 5 of the process is completed as well and the machine will be successfully part of a botnet. The Zeus botnet. For more information about Zeus, you can read up on the (limited in information, but sufficient) Wikipedia article:
Zeus (Trojan Horse)

There are also numerous articles on the Zeus botnet, the takedowns by Microsoft (whether they were successful or not, I’ll leave in the middle), and many other reports.

Conclusion
