Another ransomware threat has been reported recently by Symantec: Trojan.Ransomlock. Though not as tough as Trojan.Gpcoder (it doesn’t encrypt documents), the Trojan locks the user out of the desktop, so that he or she is unable to access the computer in any way. “Ransomware” threats have become pretty familiar by now. When run, they try to tamper with some functionality on the compromised computer and ask the user to send money to some account in order to undo the tampering. In the case of the Trojan.Gpcoder family, the main purpose of the Trojan was to heavily encrypt documents on a computer and then ask the user for money in order to receive the decryption key/tool.
When run, the Trojan displays the following window:
Notice how the design of the window attempts to mimic the Microsoft Windows interface. The text is in Russian and it says:
To unlock you need to send an SMS with the text 4113558385 to the number 3649
Enter the resulting code:
Any attempt to reinstall the system may lead to loss of important information and computer damage
The code shown is randomly generated each time. Apparently the purpose of the Trojan is to ask users to send an SMS to receive a corresponding code that will disable the Trojan, thus unlocking the computer. The attacker probably receives money for each SMS sent to the number.
Although this Trojan is not particularly dangerous, it is quite annoying. The Ctrl+Alt+Del sequence is inhibited so that a user cannot access the Task Manager to end the Trojan’s process. Rebooting will not help, even in Safe Mode, since the threat installs itself in the “Userinit” registry key so that it runs every time Windows is started.
If you get infected, be careful: don’t send any SMS messages to the number. Symantec has created a tool that you can download to generate the code needed to unlock the computer. You can also refer to the Trojan.Ransomlock write-up for more details. If you cannot download the code generator, then you will have to boot the computer with an external operating system in order to access the file system and delete the Trojan.
How to generate a valid unlock code by yourself:
1. Get the input code; it should be in the form of “411xxxxxxx.” The length of the code can be 10 or 11 digits.
2. Discard the first three digits. For example, if your code is “4111234567” then “1234567” is the number you need.
3. Convert this number to hexadecimal notation. You can do so using the Windows calculator. All of the following calculations will be in hexadecimal. In our case, “1234567” in decimal is “12D687” in hexadecimal notation.
4. Consider only the five least significant digits of the hexadecimal number. We only consider “2D687.”
5. Start from the left-most digit, and apply the formula with the parameters as they appear in the disassembly:
x1 = (2 * 0x95) % 0xA7
x2 = (D * 0x6C) % 0x97
x3 = (6 * 0x1F) % 0xA3
x4 = (8 * 0x1D) % 0xB3
x5 = (7 * 0x35) % 0xC5
After this, your values should be:
x1 = 0x83, x2 = 0x2D, x3 = 0x17, x4 = 0x35, x5 = 0xAE
6. Now you can use these five numbers to compose the unlock code. Perform a “left shift” operation (a multiplication by 0x10) on your values, starting from x1, and then add the result to the next number. In our example:
0x83 * 0x10 = 0x830
0x830 + 0x2D = 0x85D ; 0x85D * 0x10 = 0x85D0
0x85D0 + 0x17 = 0x85E7 ; 0x85E7 * 0x10 = 0x85E70
0x85E70 + 0x35 = 0x85EA5 ; 0x85EA5 * 0x10 = 0x85EA50
0x85EA50 + 0xAE = 0x85EAFE
Finally, convert this hexadecimal number back to decimal notation (in our example, you obtain “8776446”), which is the unlock code that you can use in order to get rid of the Trojan.
After you enter a valid unlock code, the malicious window will disappear, but the Windows desktop could still be frozen. Don’t worry—all you need to do is to hit Ctrl+Alt+Del on the keyboard, click on the log-off button, and then log back in. (A reboot will work as well.) At this point, you have control of the computer again and the Trojan will be gone.
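The six manual steps above, implemented in Python as an added example (this is not Symantec’s code generator or code from the write-up); the multiplier/modulus pairs are the ones listed in step 5, and the function names are my own:

```python
"""Regenerate a Trojan.Ransomlock unlock code from the code shown on screen.

Added example: implements the six manual steps from the write-up.
The parameter table below is the one quoted from the disassembly.
"""

# Per-position (multiplier, modulus) pairs, applied left to right to the
# five least significant hexadecimal digits of the stripped input code.
PARAMS = [(0x95, 0xA7), (0x6C, 0x97), (0x1F, 0xA3), (0x1D, 0xB3), (0x35, 0xC5)]


def digit_values(shown_code: str) -> list:
    """Steps 1-5: return the five intermediate values x1..x5 for a displayed code."""
    digits = shown_code.strip()
    if not digits.isdigit() or len(digits) not in (10, 11):
        raise ValueError("expected a 10- or 11-digit numeric code")
    # Step 2: discard the first three digits (the "411" prefix).
    n = int(digits[3:])
    # Steps 3-4: hexadecimal, keep only the five least significant digits
    # (zero-padded on the left if the number is shorter than that).
    low5 = format(n, "x").zfill(5)[-5:]
    # Step 5: (digit * multiplier) mod modulus, left-most digit first.
    return [(int(d, 16) * mul) % mod for d, (mul, mod) in zip(low5, PARAMS)]


def unlock_code(shown_code: str) -> str:
    """Step 6: shift-and-add the five values and return the decimal unlock code."""
    acc = 0
    for x in digit_values(shown_code):
        acc = acc * 0x10 + x  # "left shift" by one hex digit, then add the next value
    return str(acc)


if __name__ == "__main__":
    # Worked example from the write-up: 4111234567 -> 8776446
    print(unlock_code("4111234567"))
```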
Credit: Andrea Lelli, Symantec
Famed Mac hacker Charlie Miller has found another possible security vulnerability in Apple’s iPhone.
Miller, a principal security analyst at Independent Security Evaluators, is known for his prowess in hacking Apple products, winning the CanSecWest security conference hacking contest two years straight.
Miller detailed his latest find — just discovered a couple of days ago — on Thursday at the Black Hat Europe security conference. The finding refutes what was a commonly held belief about how an unmodified iPhone works.
Most security researchers thought it wasn’t possible to run shellcode on an iPhone. Shellcode is code that can run from a command line, but the iPhone was thought not to allow it for security reasons.
The ability to run shellcode is important, as it would let a hacker do all sorts of malicious actions, such as peeping at a person’s text messages or call history of an iPhone from a remote location.
Earlier versions of the iPhone software didn’t have many protections to prevent people from tampering with its memory to run other commands, Miller said. But the latest version of the iPhone’s software strengthened the overall security of the phone, Miller said.
Miller said he’s found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.
But if someone did “this would allow you to run whatever code you want,” Miller said in an interview after his presentation.
In 2007 Miller and some of his colleagues did find a vulnerability in mobile Safari that would allow an attacker to control the iPhone. Apple was immediately notified and later issued a patch for the problem.
The significance of Miller’s find is that it works with unaltered versions of the iPhone as the devices are sold in stores. Researchers have shown a greater ability to manipulate iPhones that are “jailbroken,” the term for phones that have been modified to allow installation of applications not vetted by Apple. Those jailbroken phones have fewer protections on the device’s memory, Miller said.
Miller said he isn’t sure if Apple is aware of the latest issue. Miller stopped short of calling the problem a vulnerability, saying instead that Apple engineers may have overlooked the issue. Apple also has never come out publicly and said it is impossible to run shellcode on an iPhone, he said.
Credit: Jeremy Kirk, IDG News Service through Yahoo News
More personal data records were breached last year than the previous four years combined, thanks to increased hacker activity rather than insider threats.
Verizon’s second annual Data Breach Investigations Report also found that the financial services sector accounted for 93 percent of all such record compromises during 2008. The study is based on an analysis of data involving 285 million compromised records from 90 confirmed breaches, 90 per cent of which are blamed on the activities of cybercriminals.
Because the survey is based on actual cases of confirmed data breaches, rather than responses to surveys or questionnaires, it provides a much more revealing insight into cybercrime trends.
Most of the breaches (74 per cent) investigated were caused by external sources, while 32 per cent were linked to business partners. Only one in five (20 per cent) were attributed to insiders, a finding that runs against conventional wisdom in security circles. Some breaches were caused by more than one source, hence the overall figure adds up to more than 100 per cent.
The study also found that the majority of breaches resulted from a combination of events rather than a single security mistake. Two in three breaches were blamed on hackers. Typically, miscreants exploited vulnerabilities to install malware onto systems for later retrieval.
Two in three breaches (69 per cent) were discovered by third parties. Nearly all the records compromised (99 per cent) last year came from internet-connected systems, either servers or applications. The finding puts concerns about mobile devices and portable media in context, the SANS Institute’s Internet Storm Centre notes.
Verizon reports that attacks targeting PIN data “exploded” last year.
These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer’s credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer’s account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent.
The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.
Bryan Sartin, director of investigative response for Verizon Business, told Wired.com that these attacks involved assaults on both unencrypted data held on insecure systems and encrypted data.
“We’re seeing entirely new attacks that a year ago were thought to be only academically possible,” Sartin said. “What we see now is people going right to the source… and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.”
Hardware security modules, which act as a form of switch for encrypted data within bank networks, are under active attack. “Essentially, the thief tricks the HSM into providing the encryption key,” Sartin explained. “This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.”
The class of attack has been understood in academic circles for some years (researchers at Cambridge and in Israel have published papers on it) but Verizon’s detailed study is the first evidence that it’s been used in anger.
Credit: The Register
Fans of Chelsea, Arsenal and Manchester United are being targeted in a new email scam that attempts to trick recipients into sending premium rate text-messages in the hope of winning non-existent Champions League final ticket prizes.
The ruse promises entry in a draw for a chance of a seat at the Stadio Olimpico on 27 May but promises only to empty fans’ pockets, net security firm BitDefender warns. The Champions League and similarly-themed Uefa Cup scams are aimed at mobile subscribers and began circulating earlier this week, before Liverpool and Manchester City were knocked out of the competitions.
“Under the false appearance of a lottery that offers tickets to the final matches, the text-based spam invites recipients to send text messages with the name of their favorite team to a specific number,” BitDefender analyst Razvan Livintz explains. “Most likely, cybercriminals collect a fee for each SMS, but they do not give any ticket to Sükrü Saracoglu Stadium or Stadio Olimpico in return.”
Credit: The Register
Microsoft’s April batch of security patches fixes at least 20 documented vulnerabilities listed in 8 bulletins. This month’s fixes cover several code execution bugs that are currently being actively exploited (Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and Safari-to-Internet Explorer blended threat).
The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete control over a vulnerable machine. Cumulative Internet Explorer update (MS09-014) covers 4 privately reported and two publicly disclosed vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker’s server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft’s April updates details:
MS09-009 (Excel) - Multiple memory corruption vulnerabilities allow arbitrary code execution. Also affects Excel Viewer and Mac OS X versions of Microsoft Office. Replaces MS08-074. Actively exploited.
MS09-010 (WordPad & Office converters) - Multiple vulnerabilities allow arbitrary code execution. Replaces MS04-027. Actively exploited.
MS09-011 (DirectX) - MJPEG input validation error allows arbitrary code execution. Replaces MS08-033. No publicly known exploits.
MS09-012 (Windows) - Multiple vulnerabilities allow privilege escalation and arbitrary code execution. Affects servers with IIS and SQL Server installed, and more. Replaces MS07-022, MS08-022 and MS08-064. Actively exploited, exploit code publicly available.
MS09-013 (HTTP services) - Multiple vulnerabilities allow arbitrary code execution, spoofing of HTTPS certificates and NTLM credential reflection. Related to MS09-014 (below). Exploit is publicly known.
MS09-014 (IE) - Cumulative MSIE patch. Replaces MS08-073, MS08-078 and MS09-002. Related to MS09-010, MS09-013 (above) and MS09-015 (below). Exploit code publicly available.
MS09-015 (SearchPath) - Update to make the system search for libraries first in the system directory by default, and an API to change the order. Replaces MS07-035. Related to MS09-014 (above). Attack method publicly known.
MS09-016 (ISA Server) - Multiple input validation vulnerabilities allow a DoS and XSS. One of the attack methods is publicly known.
Users are advised to install vendor patches as soon as they are available and avoid following links or handling files from unknown or questionable sources.
Microsoft’s summary of the April releases can be found here.
A cross-site scripting worm was spreading in Twitter profiles for several hours during April 12. People started reporting that their profile had sent Twitter messages without their knowledge. Messages looked like this:
Later on the messages morphed several times:
Many people followed the links to the promoted website, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages.
It is unclear if the spammed site was actually associated with the worm.
According to an explanation on DCortesi blog:
What’s happening here is that it looks like somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript, thereby infecting anybody that then visits your profile on twitter.com.
It looked like Twitter fixed the issue, but another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. Here is one of the current variants:
Besides the “original” worm that was supposedly written by a teenager, there are some copycats out there. The code had also been run through an obfuscator. The copycat Twitter XSS worms exploit the same vulnerability and actually most of the code remains the same. The new version was obfuscated to make analysis a bit harder.
It looks like the folks from Twitter are still fixing all the vulnerabilities, so it seems that there are going to be quite a few modified Twitter worms for a day or two. The Twitter status blog said that they are currently addressing a new manifestation of the worm attack.
No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack, according to Twitter.
All these attacks are JavaScript-based, so it is possible to turn JavaScript off if you’re worried, or to use the NoScript Firefox add-on.
F-Secure detects the script file as Worm:JS/Twettir.A.
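The server-side defect described above (a stored profile URL re-displayed without escaping), shown as an added Python example beside a hardened rendering routine; this is not Twitter’s code, and the function names, the allowed-scheme list and the sample URL are my own constructions:

```python
"""Render a user-supplied profile URL into HTML without the stored-XSS bug.

Added example, not Twitter's code: shows the class of defect described
(a stored profile URL field re-displayed without escaping) next to a
hardened version that validates the URL and escapes it on output.
"""
import html
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = ("http", "https")  # assumption: profile links are plain web links


def render_profile_link_unsafe(stored_url: str) -> str:
    """Vulnerable pattern: the stored value is interpolated verbatim."""
    return f'<a href="{stored_url}">{stored_url}</a>'


def sanitize_profile_url(stored_url: str):
    """Return the URL if it is acceptable for a profile link, else None."""
    candidate = stored_url.strip()
    # The worm stored URL-encoded data; check the decoded form for control
    # characters (newlines, tabs) that could split an attribute or a header.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in unquote(candidate)):
        return None
    parts = urlsplit(candidate)
    # Only plain web links: this rejects javascript:, data: and scheme-less junk.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_profile_link(stored_url: str) -> str:
    """Hardened pattern: validate, then HTML-escape for attribute and text context."""
    safe = sanitize_profile_url(stored_url)
    if safe is None:
        return ""  # render nothing rather than something that might execute
    escaped = html.escape(safe, quote=True)
    return f'<a href="{escaped}">{escaped}</a>'


# Constructed sample of an attribute break-out in a profile URL (not the worm's payload).
SAMPLE_BAD_URL = 'http://example.com/"><b>injected</b>'

if __name__ == "__main__":
    print(render_profile_link_unsafe(SAMPLE_BAD_URL))  # markup leaks through
    print(render_profile_link(SAMPLE_BAD_URL))         # markup neutralised
```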
Credit and screenshots: Mikko, F-Secure Weblog
Credit: DCortesi.com Blog
Credit: SANS Internet Storm Center
Foreign cyber-spies have reportedly been infiltrating the US electrical grid and planting software that can be used to destroy key components.
According to the Wall Street Journal - which cites unnamed national security officials - electro-spooks hailing from China, Russia, and “other countries” are trying to navigate and control the power grid as well as other US infrastructure like water and sewage.
The intruders don’t appear to have attempted to cause any damage yet, but US intelligence officials worry they’ll try during a crisis or war, the paper said.
Governments on both sides of the Atlantic have warned lax cyber-security may leave critical infrastructure vulnerable to terrorists and saboteurs — although usually specific countries aren’t fingered as culprits.
“The Chinese have attempted to map our infrastructure, such as the electrical grid,” an unnamed senior intelligence official told the WSJ. “So have the Russians.”
This appears to be an assumption based on the sophistication of the US intrusions. But officials aren’t sure about the motivation — as, for instance, China doesn’t have much reason to disrupt the country’s economy when its loans are presently paying the US government’s bills.
The security trouble is linked to so-called supervisory control and data acquisition (SCADA) software, used to control switches and valves at power generators, gas refineries, and manufacturing plants across the world. The more of these systems are hooked up to the internet and corporate intranets to save costs, the easier it is for cyber ne’er-do-wells to gain ill-intended access. Because security on the systems is not regulated in the US, protection of key infrastructure is left in the hands of the industry.
Chinese and Russian officials denied electrical grid espionage in the report.
Credit: The Register
Websense Security Labs has discovered that the official Web site of Fiat in Singapore, fiat.com.sg, has been compromised and is infecting the machines of site visitors with malicious code. Fiat is an Italian automobile manufacturer and industrial group based in Turin, and it has been in the news recently with press reports indicating a possible deal being discussed with the American car manufacturer Chrysler.
The compromised Web site belongs to an independent Fiat dealership (it is not Fiat’s official Web site), and it is not hosted on Fiat’s IT infrastructure. Malicious code, showing traits of the Luckysploit exploit kit, has been inserted onto the main page of the site using an iframe. This iframe redirects to pages on a different host that contain malicious obfuscated JavaScript code.
This code takes advantage of the MS Snapshot Viewer exploit (CVE-2008-2463) and the Adobe Reader PDF exploit (CVE-2007-5659). Upon successful exploitation, further malicious files are downloaded and the infection is reported via a phone-home to IP address 213.15[removed]. A rootkit is then installed on the user’s machine.
The anti-virus detection rate for this is poor as can be seen in the VirusTotal detection report:
CAT-QuickHeal: Rootkit.Agent.ino
F-Secure: Rootkit.Win32.Agent.ipg
Fortinet: W32/Agent.IPG!tr.rkit
Ikarus: Rootkit.Win32.Agent
Kaspersky: Rootkit.Win32.Agent.ipg
Prevx1: Medium Risk Malware
ViRobot: Trojan.Win32.RT-Agent.21632
Websense®, Inc. has contacted Fiat to advise them of the issue.
The Foreign and Commonwealth Office (FCO) has warned Brits and others to ignore a phishing scam currently circulating around the internet.
Scam emails attempt to trick users into submitting personal data, in exchange for a chance to benefit from a fictitious “Recession Relief Programme Fund”. The bogus emails purport to come from Foreign Secretary David Miliband and feature subject lines such as “Global economic crisis relief aid”, as explained in an FCO warning here, issued on Monday.
The stimulus package announced by government leaders at the G20 conference last month makes the attempted FCO-themed fraud timely, without making it any more plausible. Most internet savvy users would smell a rat a mile off, but it only takes a tiny fraction to respond to make the ruse worthwhile for cybercrooks. Trend Micro notes the ploy is similar to “Obama Stimulus Check” scam emails spammed out in January.
Phishing scams began as an attempt to trick the gullible into handing over login credentials for online banking or PayPal accounts under the guise of security checks.
Over the years the brands targeted by such attacks have expanded to include a much wider range of e-commerce outlets and, more occasionally, as with the latest example, messages purporting to come from government departments. Government-themed phishing scams used to offer tax refunds, but now we’re seeing examples of supposed grant offers, another sign that fraudsters are adapting to the recession.
Phishing scams in general are more frequently targeted towards consumers, but businesses are not immune to getting taken to the cleaners either.
Credit: The Register
Match.com, an online dating service with reportedly more than 15 million members from 37 countries, is being used by miscreants to infect users with malware. Websense Security Labs has noticed that this new spam campaign aimed at Match.com is being used to spread a trojan called Papras.
On April 7 2009, Websense received thousands of malicious emails in their email Honey Pot system. The emails claim that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player (a malicious file called ADOBE_PlayerInstallation.exe) which is actually a trojan with relatively low AV detection, according to VirusTotal:
Vendor (engine version, signature date): detection name
BitDefender (7.2, 2009.04.08): Trojan.PWS.Papras.V
eSafe (7.0.17.0, 2009.04.07): Suspicious File
F-Secure (8.0.14470.0, 2009.04.08): Trojan-PSW:W32/Papras.DS
GData (19, 2009.04.08): Trojan.PWS.Papras.V
McAfee+Artemis (5577, 2009.04.07): Generic!Artemis
Prevx1 (V2, 2009.04.08): High Risk System Back Door
Sophos (4.40.0, 2009.04.08): Mal/EncPk-HJ
Symantec (1.4.4.12, 2009.04.08): Infostealer
VBA32 (3.12.10.2, 2009.04.08): suspected of Malware-Cryptor.Win32.General.3