Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

HTC acknowledges security flaw, plans update to fix

A couple of days ago researchers for Android Police wrote about a security vulnerability in several HTC phones. The vulnerability lies with logging tools installed by HTC. These logging tools collect personal data like user accounts, email addresses, GPS info and SMS data. Having these tools logging users data is one thing but the fact that they are left unsecured and available to be exploited by a 3rd party app is a big blow to the device manufacturer. A 3rd party app would only need to request the INTERNET permission to gain access to the information collected by the tools. Why HTC has these tools in place hasn’t been answered, an answer they’ll have to provide to their customers at some point.

 
HTC’s public statement: “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”

 

The update will be sent over-the-air and users will receive a notification to install. No word on when the update will be available.

 
We all have a role to play in keeping our computing secure, but developers have a key role in that they need to ensure their applications are secure when it comes to customer’s data. This happens a lot, most recently with Skype, hopefully with more and more big name vendors being called out we’ll see developers tighten up their code.

 

Affected phones

EVO 4G

EVO 3D

Thunderbolt

EVO Sensation

MyTouch 4G slide

Mebromi: the first BIOS rootkit in the wild

By Marco Giuliani

In the past few weeks a Chinese security company called Qihoo 360 blogged about a new BIOS rootkit hitting Chinese computers. This turned to be a very interesting discovery as it appears to be the first real malware targeting system BIOS since a well-known proof of concept called IceLord in 2007. The malware is called Mebromi and contains a bit of everything: a BIOS rootkit specifically targeting Award BIOS, a MBR rootkit, a kernel mode rootkit, a PE file infector and a Trojan downloader. At this time, Mebromi is not designed to infect 64-bit operating system and it is not able to infect the system if run with limited privileges.

The infection starts with a small encrypted dropper that contains five crypted resource files: hook.rom, flash.dll, cbrom.exe, my.sys, bios.sys. The goal of these files will be presented later in this analysis.

The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus. To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can handle with physical memory instead of virtual memory.

Many of you may recall the old CIH/Chernobyl infection, the infamous virus discovered in 1998 that was able to flash the motherboard BIOS, erasing it. Even CIH needed to gain kernel mode access to reach the BIOS, though at the time the virus was exploiting a privilege escalation bug in Windows 9x operating system which allowed it to overwrite the Interrupt Descriptor Table with its own payload from user mode, then triggering the overwritten interrupt handler and its malicious code is executed in kernel mode. Mebromi does not use such kind of privilege escalation trick anymore, it just needs to load its own kernel mode driver which will handle the BIOS infection. To do so, it uses two methods: it could either extract and load the flash.dll library which will load the bios.sys driver, or it stops the beep.sys service key, overwriting the beep.sys driver with its own bios.sys code, restart the service key and restore the original beep.sys code.

The bios.sys driver is the code which handle the BIOS infection. To read the BIOS code, it needs to map the physical memory located at physical memory address 0xF0000, this is where the BIOS ROM usually resides. Once read, the driver verifies if the BIOS ROM is Award BIOS, by checking the presence of the string: $@AWDFLA. If found, the driver tries to locate the SMI port that will be used by the rootkit to flash the BIOS ROM.

If the BIOS ROM matches the string, the rootkit saves a copy of the BIOS to the file C:bios.bin and pass the next step to the user mode component of the infection. The dropper extracts two files: cbrom.exe and hook.rom. Cbrom.exe is a legitimate tool developed by Phoenix Technologies, used to modify the Award/Phoenix BIOS ROM binaries. Hook.rom is the rootkit ISA BIOS ROM that is added to the BIOS binary, containing the rootkit infection. The dropper executes cbrom.exe with the /isa switch parameter, passing the hook.rom file. Before actually injecting the malicious ISA ROM, the dropper checks the BIOS ROM code looking for the “hook rom” string, used as a marker of the infection. If found, it means that the BIOS is already infected and it doesn’t need to be infected again.

After that the bios.bin file has been modified, the bios.sys driver send to the BIOS SMI port the command 0x29, used to erase the BIOS flash, and then the command 0x2F used to write the new BIOS ROM code to the BIOS ROM.

The BIOS is now infected, and the dropper goes to its next step: infecting the Master Boot Record. The infection is 14 sectors long and the original MBR is stored to the sector 7. To avoid potential startup issues, the infected MBR stores a copy of the original MBR’s partition table. Finally the dropper extracts the my.sys driver on the root of the C: drive. My.sys is a kernel mode rootkit that hijacks disk.sys’s IRP major functions, by redirecting the IRP_MJ_READ/WRITE and IRP_MJ_DEVICE_CONTROL native functions. It is used to hide the infection on the disk. Even if the BIOS infection doesn’t succeed, the rootkit does infect the MBR.

At the next system startup, after the BIOS POST phase, the malicious code injected inside it prepares the full MBR infection (all the first 14 sectors are stored inside the malicious BIOS rom, 7168 bytes in total) and checks the MBR code of the hard drive looking if the infection is already present. To do it, the BIOS malicious code checks for the presence of the string “int1” at the offset 0x92. If the string is not found, the BIOS malicious rom will overwrite all the first 14 sectors of the hard drive, thus restoring the MBR infection.

The system startup procedure continues and the control now passes to the malicious master boot record. Here the malicious payload analyzes the original MBR partition table and looks for the active partition, checking if it’s using a NTFS or FAT32 file system. The malicious MBR code contains indeed NTFS/FAT32 parser routines, used to get inside the file system to look for winlogon.exe or wininit.exe file. When found, the malicious code contains a file infection payload, able to inject malicious code inside the specified file and hijack the entry point of it. Before infecting the file, the MBR malicious code checks if it is already infected, by looking for the string “cnns” at the offset 0x50 from the beginning of the PE file. This is the infection marker. If the string is not found, the infection stores a crypted payload – about 600 bytes of code – inside winlogon.exe or wininit.exe and hijacks the PE entry point to the beginning of it, saving the original entry point at the offset 0x60.

The job of the MBR infection ends here, waiting for the Windows startup which will load the  patched executable. When loaded, the payload self-decrypt its malicious code and loads in memory the my.sys driver. Then it tries to download an additional infection from the (now unavailable) URL address: http://dh.3515.info:806/test/91/calc[removed].

The concept behind Mebromi is not new. In fact we must recall the IceLord BIOS rootkit published in 2007, a public proof of concept able to target Award BIOS rom, using an approach very similar to the Mebromi one – or should we say that Mebromi is more than just inspired by the IceLord rootkit?

Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giving the fact that even if an antivirus detect and clean the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again. Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all. The job of handling with such specific system codes should be left to the developers of the specific motherboard model, who release BIOS updates along with specific tool to update the BIOS code.

On the other hand, although this kind of infection is potentially one of the most persistent infections known out there in the wild, it will hardly become a major threat because of the level of complexity needed to achieve the goal. While a kernel mode infection or a MBR infection could still work in a generic way among all the PC out there – and they still have a huge available free space to play with, a BIOS-based rootkit needs to be fully compatible with all major BIOS rom out there, it should be able to infect all the different releases of Award, Phoenix, AMI BIOS’s out there; a level of complexity that is simply unasked for writing a good persistent infection (e.g. TDL rootkit, various Rustock releases, ZeroAccess rootkit among all). In fact, why is Mebromi only targetting Award BIOS rom? Perhaps because there was already a known proof of concept that is 5 years old targeting Award BIOS ROM available online.

Are BIOS rootkits a real threat? Yes, we can consider Mebromi the first real BIOS rootkit incident discovered in the wild – let’s consider IceLord BIOS rootkit more a proof of concept. Should we be concerned about BIOS rootkits? Well, while we try to discover whether our PC is infected by an unknown and super-stealth BIOS rootkit, let’s try and look if there is a more “humble” kernel mode rootkit which is already infecting our PC, allowing a remote attacker to silently own our system.

Morto Worm Annoyances Outstrip Functionality

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The past couple of days have been very busy for a lot of people, following the announcement by Microsoft that they had discovered a new network worm called Morto. After reading the refreshingly thorough writeup about Morto from both Microsoft and our partner Sophos, we were surprised to find that a few of our customers had been infected — and cleaned up — beginning with some poor schlub in South Africa as early as July 23rd, but the worm kicked into high gear last Thursday and began to propagate rapidly.

But, as much as the technical details in these posts are useful for researchers and analysts, they don’t really get to the heart of how a user of an infected computer would be affected by the worm. So, after spending a bit of time infecting some of my own machines these past couple days, I wanted to share my hands-on experience with you.

Bottom line, the worm was written to spread to (and infect) the computers run by people who don’t take security seriously: It copies itself to other computers by trying to Remote Desktop into those computers using a list of what can only be described as completely moronic passwords (the full list is on Microsoft’s technical writeup about the worm). The repurcussions are that people (or companies) who use poor quality, easily guessed passwords have been (or are going to get) spanked by Morto, and then they’ll be really irritated at the (reversible but obnoxious) changes the worm makes to the behavior of the infected computer.

read more…

Trojans Employ Misdirection Instead of Obfuscation

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

An unusual family of Trojans, apparently of Chinese origin, engages in rootkit-like behavior which seems designed not to hide the presence of the malware on an infected system, but to misdirect or confuse a technical person who might be using system analysis tools on an infected computer.

The Trojans all originated from a server operated by a free Web host in China, and each sample we tested sent profiling data about the infected system to a command-and-control server located on yet another free Web host, also located in China. It appears to have capabilities to receive instructions to download other components, and it scans the system for antivirus products commonly available in China, including products made by Qihoo 360, China’s largest homegrown antivirus company.

But the most interesting aspect of the Trojans was how it managed to fool most of the free tools someone might use to monitor running programs. The Trojan shows up in the list of active programs, but when that list includes a full path to the running executable, that path points at a nonexistent file supposedly in another location. read more…

Black Hat Redux: Botnet Takedown Mistakes to Avoid

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

FireEye’s Lanstein and Wolf speak at Black Hat

I’ve worked in the security industry for nearly five years, and it was apparent early on that the most successful people in this field bring to their work a passion and a commitment to protecting not only one’s customers, but to providing a certain level of information about security threats to the world at-large, so even your non-customers can help or protect themselves.

It can be hard to know where to stop once you get on a roll. Malware infections frequently lead to unexplored, interesting backwaters on the Internet. And, sometimes, those backwaters are where the criminals run those operations. When I stumble upon a criminal network or a botnet controller, it simply doesn’t feel like I’ve done enough when I merely add signatures which block or remediate infections and communications with a command-and-control server from Webroot customers. If malicious behavior depends on one or more Internet sites that send instructions, my (and many others’) initial reaction is we need to shut that down, permanently. But sometimes, a too-rapid reaction can blow back in your face.

Obviously, that was also the case when Alex Lanstein and Julia Wolf of internet security firm FireEye stumbled upon the Rustock botnet. At one time, before law enforcement in several countries swooped in on the data centers hosting the botnet’s command-and-control (CnC) infrastructure in a coordinated raid earlier this year, the massive network of Rustock-infected computers was responsible for about half of spam flooding the ‘net. The researchers’ instincts to engineer a takedown of the botnet sounded very familiar, but their initial attempts to do so backfired, and may have even spurred the malware developers to change their game, and may have made it more difficult, eventually, to eliminate the CnC altogether.

read more…

Targeted Malware Infects Windows-based Cash Registers

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

A serious, targeted threat from customized malware that steals credit card magnetic strip track data could literally bankrupt your business. That’s the message two security researchers from Trustwave gave at their talk during the Defcon computer security conference Saturday.

The researchers, Jibran Ilyas and Nicholas Percoco of Trustwave Spider Labs, respond to calls for help when businesses find malware in critical systems. When banks field reports of credit card fraud, they try to find the earliest common location or business where all the victims used their card. When they do, the bank calls the business, who then call in the researchers.

In their talk, Malware Freak Show 3, the researchers reported on several types of malware all of which are designed to steal the so-called Track 1 data — the information encoded on the magnetic strip on the back of the card — when a salesperson or waiter swipes the credit card attached to the cash register.

The malware may reside on the register (a device that, in many cases, is simply a custom-configured Windows computer) or on a server in the back room of the business that’s used to process credit card transactions. Once the malware has the Track 1 data, it transmits the string of numbers to remote locations, where the data can be used to produce fake, but functional, physical credit cards. The thieves can then sell or use the cards to purchase valuable merchandise.

read more…

TDL3 and ZeroAccess: More of the Same?

By Marco Giuliani

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

In our previous technical analysis of the ZeroAccess rootkit, we highlighted how it acts as a framework by infecting the machine — setting up its own private space in the disk, first through a dedicated file system on the disk, and more recently by using a hidden and locked directory. This is where the rootkit stores the modules it downloads from the command and control servers. Until now, the plugins we’ve monitored have been ad-clickers and search engine hijackers.

We have also noted how the ZeroAccess rootkit acts very similar to the TDL3 rootkit, either by infecting a random system driver, using its own file system to store its plugins or by filtering the disk I/O by analysing the SCSI packets – though in a pretty different way. It’s more effective in the TDL3 rootkit and less effective in the ZeroAccess rootkit, however ZeroAccess has many more self-protection mechanisms in place.

While analyzing the ZeroAccess rootkit, I’ve always had the feeling it was inspired by the TDL3 rootkit. But while looking at the latest updates of it I’ve found something pretty interesting: The ZeroAccess team is looking at TDL rootkit as an enemy that needs to be defeated. The questions remains, is there a link between the two rootkits? We suspect the answer is yes.

read more…

Two Days in Vegas: Black Hat in Brief

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Cofer Black addresses attendees of the Black Hat Briefings, Aug 3, 2011The Black Hat briefings, held Wednesday and Thursday this week, once again brought together some of the best and brightest in the security industry to share knowledge about novel attacks and better defenses against old and new attacks. And, once again, there were some eye opening moments at the conference.

Right from the beginning, it was clear the scope of the conference had shifted from the previous year. Conference founder Jeff Moss described a new, more rigorous committee-driven process that Black Hat had begun to employ to scrutinize and vet talk proposals. Talks this year would be more technical, go deeper into security threats, and would encompass a broader range of topics than had been done in years past.

But soon after Moss introduced former ambassador and CIA counterterrorism expert Cofer Black, the opening keynote speaker to the conference, someone pulled a fire alarm in the hall where the speech was taking place. While lights flashed and warning sirens sounded, Black joked about the prerecorded messages playing over loudspeakers.

read more…

New Tool Released: Kiss (or Kick) ZeroAccess Goodbye

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

There are fewer types of malware infections more frustrating and annoying than a rootkit with backdoor capabilities. Over the past couple of years, we’ve seen the emergence of this new, tough-to-fight infectious code, and its transformation from nuisance to severe threat.

With the hard work and perseverance of Threat Research Analyst and master reverse-engineer Marco Giuliani, we’re proud to release the latest build of a tool we’ve used internally to clean the infections from the notable ZeroAccess rootkit off of victims’ computers. AntiZeroAccess exploits many of the vulnerabilities that Marco discovered in the rootkit to cleanly remove the rootkit code from infected machines.

The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit. For that, you’ll probably want to use a free tool like SetACL, which can make software functional that ZeroAccess disabled by modifying its ACL.

This Week: Black Hat Coverage

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

As I do every year, I’ve deliberately traveled to the most inhospitable climate zone in the continental US — that is, the city of Las Vegas — to attend the elite technical conference known as the Black Hat Briefings.

Black Hat is not just a technical conference, but a kind of calling for its attendees, which brings together experts in computer security, privacy, and attacks with high level officials in government and industry. In this rarefied environment, the security industry and its benefactors share information, tools, and techniques that help the entire industry coordinate their work against the interests of criminals, spies, and the vast numbers of Internet ne’er-do-wells.

I’ll be reporting from the conference about cool tools, new information about attacks, and deep analysis of malware all week. On Friday, the conference switches gears to become Defcon, which is a little less formal, a little less businesslike, and a lot more chaotic and interesting. Stay with us this week as we cover the most interesting conference in the security world.

Brazilian “Winehouse” Trojan Sends Hotmail, Bank Passwords to China

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Amy Winehouse malware steals bank & Microsoft passwords and sends them to ChinaLate Monday, after news about the death of troubled pop singer Amy Winehouse had been circling the globe for a little more than 48 hours, we saw the first malware appear that used the singer’s name as a social engineering trick to entice victims to run the malicious file. Abusing celebrity names, news, or even deaths isn’t a new (or even particularly interesting) social engineering tactic, but there was one unique aspect to this particular malware’s behavior that raised some eyebrows around here: It appears that Brazilian phisher-Trojan writers seem to be working more closely with their Chinese counterparts, using servers in China as dead drops for their stolen goods.

The widely-reported case of the malware campaign continues to distribute new, randomized files via a download link managed through a dynamic DNS service, more than a week on. The file’s name, in Portugese, (“103684policia-inglesa-divulga-fotos-do-corpo-da-cantora-amy-winehouse-WVA.exe“) translates roughly to English police divulge photos of singer Amy Winehouse’s corpse, but victims who open this file are only going to see their computer become compromised.

The malware modifies the Hosts file in Windows to redirect traffic from 78 different Web sites — the vast majority of which are Brazilian banks and finance sites such as e-gold, with the rest being American Express, and Microsoft‘s Brazilian and US domains for Hotmail, Live, and MSN — to one of 9 IP addresses, almost all of which point to servers hosted in Chinese networks. One oddball outlier IP address in the modified Hosts file list points to an IP address belonging to the network operated by the Ford Motor Company, but that IP address was not allocated to an operational server when I did some tests.

read more…

Criminals Abuse Amazon Hosting with Rogues, Ransomware

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The criminals who push rogues at the world don’t really care about the reputations of the ISPs or Web hosting services they abuse. They leap from free service to free service until they’ve thoroughly worn out their welcome and, in some cases, destroyed the reputation of the service they abused. But they have behaved in one predictable way over the years: They’re stingy, and won’t pay for anything unless it’s absolutely necessary, despite the fact that they’re raking in cash by the boatload.

But that seemed to change this week when we saw a number of Web sites pop up on the radar. The sites employ the now well-worn scam of pretending to be some sort of video streaming service. In this case, they pretended to be a porn site, but the most surprising part was not what was hosted, but where: Amazon’s Cloudfront hosting service ended up, temporarily for a few hours, serving up malicious Web pages. Amazingly, it seems they actually paid for hosting instead of just stealing it.

Amazon shut the sites down quickly, but before they did, we visited one site called xrvid-porno.com. The page isn’t exactly family friendly, but the gist of the scam is that that page eventually redirected the browser to a server inside of Amazon’s cloud hosting service, and that’s where the trouble began.

read more…