Threat Lab

Over a year has now passed since we were first alerted to a flaw in the OpenSSL cryptography library, widely used in the implementation of Transport Layer Security (TLS) protocol. The bug CVE-2014-0160, was quickly dubbed “Heartbleed” (http://heartbleed.com/) after a missing bounds check in the TLS heartbeat extension. Despite the passing of time and the high profile nature of the flaw, IoT crawler Shodan has recently discovered the vulnerability still exists on over 200,000 internet connected devices.

Shodan (http://www.shodanhq.com/) launched in 2009, is a search tool that seeks out internet-of-things (IoT) and other internet connected devices collecting the information returned by these devices to build up a picture of what services are being offered. The data can then displayed in a variety ways including by geo-region breakdown. This is great tool for IT and security teams and unfortunately also for the bad guys.

Many people will deem 200,000 vulnerable devices on the internet as unacceptable, and in many ways it is. At the same time I think it is important for us all to understand why this happens and why there is currently no easy fix. I believe we will see vulnerabilities like Heartbleed in the wild for many years to come. Whereas I do believe there is a certain level of ignorance to the threat, I also believe there are many other factors.

There are users who aware their devices are vulnerable, not realizing their device uses the buggy version of OpenSSL, or even uses SSL for communication. There will be others that haven’t heard of Heartbleed and many not understanding the tech details, the fix, or the ramifications. Sometimes putting two and two together is little more difficult that we’d like to think. Hey, we are asking users to understand and fix their devices, when at present they still haven’t changed the device’s default admin password – even worst, they’ve not realized their device is even connected to the internet.

Ignorance and even arrogance with regards to the lack of patching has been observed. Not patching a device when possible, believing it is unlikely to be exploited is simply not acceptable. We need to move away from setup and configure once, then leave alone. Users need to research, revisit and understand the devices on the network and especially those connected to the internet.

Search engines like Shodan mean that susceptible devices are less likely to go under the radar – it also highlights the appetite the business and personal sector have for security. Once the configuring and setup of these devices required a certain skill level. That’s all changed now, especially with WPS and other technologies, many devices are completely ‘plug and play’. The complexities of such systems are hidden from the user – even if patches are available for said devices, I very much doubt many users would know how to install them.

There are also many manufacturers that focus on the delivering of ‘cheap’ affordable technology, OEM and unbranded to an untrained eye in many cases. These cheaper offerings normally come at a price – limited aftercare. Put simply you’ll be lucky to ever see manufactures release new firmware and software updates after purchasing and that’s if the vendor still exists.

The mobile phone industry has used a similar business model for years, after a while updates stop, if they even started – meaning customers will need to go out and purchase the a new handset/hardware to have the latest and most secure software. What we are left with is millions of vulnerable internet connected devices. Most devices, especially legacy devices, the ones most likely to be at risk have no OTA (over the air) update capabilities, many do not even include a manual update feature – many are not even capable of running the newer firmware and software.

There’s a lot of bad news, but it doesn’t mean a certain level of protection cannot be offered – something the Shodan results are unable to factor in. Internet connected devices need continuous monitoring to detect common attacks, the use of automated vulnerability scanning solutions, the use of tools like Shodan. There are many possible ways to mitigate risk, like the separating of networks. Heartbleed has been a big wake up call, the number of probable vulnerable devices, the extra media attention along with the slick branding propelled this security risk from the geeks and IT and security professionals all the way to the boardroom. It’s important not to be fooled in to thinking this is only an IoT issue, a proportion of the devices highlighted belong to the more traditional internet infrastructure hardware group. That said, the mass adoption of IoT will only make future vulnerabilities more difficult to correct.

I don’t see these current findings as a ‘we haven’t patched Heartbleed’ issue, it’s another example of what happens without regulation and standardization, without user education and best practices, coupled with the ‘security as an afterthought’ mentality.

Only a month has gone by since the last RaaS (Ransomware as a Service) came to light. It looks this new business model that was first introduced by TOX a few months ago is spreading fairly rapidly. The idea is that now ALL malware authors of ranging skill can now create encrypting ransomware on a easy to use platform. This latest variant called ORX Locker is no different.

Simply enter in the desired info (price, identifiers, time limit, ect.) and the site will generate a new binary tailored to your specifications. The hackers are still responsible for distributing the malware, but renting time on many operational botnets and email phishing campaigns is also fairly easy to do in the underground darknet marketplace.

Once a victim is infected there is no GUI popup once all files are encrypted. It just changes the extension of all encrypted files to “.LOCKED” so you have a nice surprise when you try open one of your compromised files. Instructions on how to get your files back are left on your desktop as locally stored web page.

Special instructions are given to show a novice user how to connect to onion links and pay the ransom. Once you successfully connect to the darknet then the payment page is presented.

The instructions are clear on what you need to do to get your files back. Bitcoin is the criminal industry standard now and you’ll have a hard time paying for any ransom without it. While some ransoms will also accept the legacy money mules like ukash and moneypak, that is quickly dying out in favor of a better fee structure bitcoin launderers offer. Once you’ve paid you just download their tools and it will unlock all of your files using the AES 256 key that was generating during encryption.

This variant does not delete the VSS so as long as you have system restore enabled you can get your files back without paying the ransom. Just download a shadow copy tool like shadow explorer and you can restore files from a previous restore point. While the variant we analyzed showed no advanced techniques and is relatively simple in design, it remains a threat to unprotected systems and should be taken seriously. Improvement tweaks in the future are always possible and may “patch” the back doors it left open to your files.

• MD5 Analyzed:89E1EFDC766E9C7D41305566993BA800
• Additional MD5: D6ED4D4E8B1A95A224EBDD54529B3751
• Additional MD5: 1914724AEEA3CA954322053DD883B14A

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

Thinking back on the changes in what we like to call the “threat landscape” over the years, a lot has changed. From the days of actual viruses and worms spreading their way through networks, to the rise of spyware and adware that slowed your computer to a crawl with pop-up ads and toolbars, to the scourge of encrypting ransomware that we see today.

As much as things have changed, the methods of distribution have remained fairly constant. The majority of malware we see is distributed via exploits or through some form of social engineering. While there seems to be no shortage of zero-day exploits being used, many of the exploits used to install malware have been patched for a long time. We see infections that use exploits that were patched years ago on a regular basis. Social engineering has certainly become more advanced, but users continue to click on malicious links or attachments in email messages.

The following is an updated to our Webroot Internet Security FAQ from around 2005. Some of the terminology may be a bit older but the information is still relevant today.

How can I prevent computer viruses? Take these steps to fortify your computer security against viruses right away:

• Use anti virus protection and a firewall
• Update your operating system regularly
• Increase your browser security settings
• Avoid questionable Web sites
• Only download software from sites you trust
• Practice safe email protocol
• Don’t open messages from unknown senders
• Immediately delete messages you suspect to be spam
• Avoid free software and file-sharing applications
• Get anti-spyware software protection

So while the types of threats out there are changing, the fundamentals are staying the same which luckily allows the potential victim to take similar approaches to rectifying the attack and staying safe online. As always, it is best to stay updated with newest trends in security, but always remember the core foundation of staying safe online.

A visit to the Apple store will give any consumer a false sense of security, you will be told that by buying a Mac you are safe from threats and malware. I have even been told this even after I explain what I do for a career. A vast majority of Mac users still believe that they are safe from the threat of malware because of this, even though the magic myth of Mac immunity has long been disproven and really exploited in the past years with such concepts of Thunderstrike and root privilege exploits. However, most of the malware that we come across for Mac has been adware. The annoying pop ups or redirects that try to get you to spend money or download shady software.

Variants of VSearch and Genieo have been on top of the list for most downloaded Mac malware. Most people’s cure for this would be to install an ad blocker such as AdBlock Plus. I can’t blame them for this as I also run an ad blocker on my personal Mac. The downfall to this is that these adware companies have figured this out and added code to their program to allow their ads even with your blocker running. This is why the Mac community needs a strong security software on their machines. Researching one of these variants, we came across code that will search for your ad blocking program, download an exception text file and insert it into the settings of your ad blocker. Here is a sample of the exception text it downloaded.

[Adblock Plus 2.0] @@||search.yahoo.com^$document @@||bing.com^$document @@||genieo.com^$document @@||strtpoint.com^$document

This code allows their ads to run and the user is none the wiser. The adware creates its own rules for your security plugin. This is just the beginning of what could be a crucial change in the malware found on Macs. Malware may only be using exploits like this for advertisements currently but what is stopping it from using this same kind of exploit to send personal data out in the future? Putting your security in the hands of a software that only protects you from one type of malware simply isn’t enough anymore. It is easy to find articles that claim Apple computers are invincible but the fact is malware for Mac is real and it is getting increasingly better at ensuring its survival.

It’s good to see that at last some alternatives to traditional AV endpoint protection are gaining traction. A lot of the questions I was asked at the show were to compare Webroot to other exhibitors who were making similar claims. (But because we lead the Predict, Prevent, Detect, and Respond model there are really no true one to one comparisons. There is however a lot of plagiarism on our market positioning, which I take as an indirect compliment, as does my CMO).

My primary concern now is efficacy, just how good are other solutions at stopping attacks and infections? The other vendors have little or no track record and are in light use. Nor do Webroot or I really care about a kill chain, it’s too damn late if you’re looking at a kill chain. As the Financial Services industry keep saying your investment may well go up or down.

Another annoyance I and the people I talked to have is that there is also no real ‘independent’ testing of next generation AV. We have tried unsuccessfully for over three years to get endpoint tests by all the ‘big’ testers updated. But, there is too much self-interest in their keeping things the same. That’s a shame, as their credibility is truly shot as any security professional sees day in and day out the disconnect between 100% detection test results and their real-life infection rates.

Perhaps the most surprising event (given other infamous events) was the pertinence of John McAfee’s speech quickly followed by the weaknesses in Android being at last partly admitted in Public. Google are willing to let you share your full contacts with a flashlight app and still don’t see any issues. Yet the people who say “don’t worry you’ve nothing to fear if you’ve nothing to hide” are all the actors I want to stay as far away from as possible – as they are ALWAYS up to no good.

So what now after Black Hat 2015? Are we turning failure into success? I’m afraid the answer is still no. Commercial, Government and Hacker interests are still harmoniously aligned and we will not see success until they are hoisted on their own petard. Frankly that cannot come soon enough (as long as they don’t take us all down with them).

This is hacker week. Well, not really that officially, but with Black Hat USA and DefCon happening in Vegas, the biggest collection of black and white hat hackers have come together with experts and companies in the security sector to talk protection, exploits, and hacking. Coming at the conference with a big approach, our threat team has attended sessions all day, taking in the lessons being shared in hopes of continuing our advancement of our threat intelligence.

So coming out of the sessions, I have asked our attending team to share their takeaways of Black Hat 2015 Day 1.

On Internet of Things

Attended the, Intel security presentation on attacking hypervisors through firmware and guest operating systerms. The data they presented verified the work we are doing in the IOT (internet of things) field in bring real time behavior monitoring to industrial endpoints.  John Sirianni – Vice President, Strategic Partners, Internet of Things

On Endpoints

Windows updates for drivers can lead to execution of malware. This isvVery interesting, but requires a proxy configured. None the less, I’d love to test this myself.  Tyler Moffitt – Senior Threat Research Analyst

On Mobile

With regards to Stagefright, everyone is going to need patches to be 100% safe. But the good news is both Google and Samsung have announced 30-day update schedules, and upates for older devices are looking more and more likely. Google is acknowledging this issue much more than we expected and things are going in a good direction for android security.  Cameron Palan – Senior Mobile Threat Research Analyst

On Exploits and Malware

The game over Zeus presentation was great. It  was interesting to see the collaboration it took to take the botnet down. The FBI is offering $3  million USD for info leading to the arrest of the main guy they attribute to the botnet. The same guy also wrote CryptoLocker. Brenden Vaughan made a good observation that the same guy is probably behind Poweliks as it came out very shortly after game over was taken offline.  Grayson Milbourne – Security Intelligence Director

Direct from the team, there is no mistaking the value of Black Hat and the surrounding events. From revelations to new ideas and concepts, day 1 has been packed with incredible information.  We look forward to tomorrow and what it has in store.

If you have any questions for our team, comment below and we will respond with our thoughts and answers.

This week marks the 18th annual BlackHat USA conference where many of the world’s brightest security minds come together to discuss and showcase techniques capable of defeating and compromising a wide array of technologies. This year’s show arrives at a critical time in the world of online security and privacy, with near daily headlines of massive breaches and widespread critical vulnerabilities, all undermining the viability of mitigating today’s threats. All the while technology marches forward, integrating itself into new devices that will make up the future Internet of Things.

There were three headlines from the past few weeks which were especially concerning. The first was the discovery of the DYLD_PRINT_TO_FILE vulnerability affecting OS X Yosemite. What is so alarming about this vulnerability is that, with a single command, you are able to modify any file as a root user, including the sudoers file which stores usernames and passwords. This vulnerability is a perfect example of security oversight during the development process and how such an oversight can have a massive impact on security integrity. At least in this case, the exploit is specific to Yosemite and has been fixed in the latest OS X release.

The second alarming headline talked about 950 million Android phones being at risk of compromise by simply receiving a MMS. The exploit exists within a piece of code, called Stagefright, which is responsible for playing MMS messages. This vulnerable piece of code is part of all Android versions between 2.2 and 5.1, with an update needed to address the flaw. Unfortunately, it is very difficult to patch all devices as updates flow through network carriers at different speeds for different devices. While there are no current examples of this exploit being used in the wild, this won’t be the case for long; and the result of this vulnerability is that there will be millions of Android devices which are vulnerable to being remotely hacked.

The third, and most alarming, headline was for the recall of 1.4 million cars by Fiat Chrysler due to the demonstrated ability to remotely hack and control vehicles through the Uconnect infotainment system. What is so concerning about this hack is that so many critical systems could be controlled remotely. Everything from the wiper blades to the brakes to killing the engine. This begs the questions of, “Why does Uconnect need to have access to the brakes or engine?” It seems obvious that for basic security, these systems would be separated. However this hack demonstrated otherwise.

But as concerning as these headlines are, there is a silver lining. Unlike many headlines, these were all the result of security researchers who were looking to validate that proper security is in place. Thankfully in these cases, the researchers came forward to disclose their findings to improve security for everyone else. I cannot stress how important this type of behavior is to the viability of the future of security. The reality is that it is very difficult to design a bulletproof OS or application and that mistakes will be made. What is important is that when mistakes are discovered, that they are disclosed and addressed rather than sold on hacking forums to be used for malicious purposes. Some companies have done a great job in creating bug bounty programs to encourage the disclosure of vulnerabilities and I hope to see more of this in the future.

So back to BlackHat and why this year’s event is so timely and important. It is because BlackHat drives awareness and attention to the critical issues facing security from all angles. The conference also provides a common ground for collaboration and innovation that often finds its way into the products and technologies of the future.

As we move forward and embrace the Internet of Things, we must learn from our past mistakes and focus on ensuring we integrate the convenience technology has to offer without losing our privacy or security along the way.

Black Hat USA is next week, and with it will come some of the biggest hacker news of the year. From cars to mobile devices, all the way to the hotel HVAC, nothing is really out of the reach of the teams of white hat and black hat security researchers that are about to make their way to this conference. With that though will be the thousands of attendees outside those main groups looking to still get a bit of work done while at the conference. Well, we don’t want to encourage you avoiding it all together, but want to give you some tips to survive the event even with all your devices that you need. So below you will find 10 tips to survive Black Hat 2015. You are welcome to reuse them and share them with your team going, or even as reminders of the digital landscape and threats around.

A new ransomware has emerged and its very similar to tox as it is created for hackers to easily design encrypting ransomware payloads to distrube from their botnets. Since the creator of Tox was selling his operation, this could very well be the end result of that. The idea is to contract hackers with already operational botnets and campaigns use this page to create encrypting ransomware binaries to their specifications and then hand off 20% of their succussful scams to the Encryptor RaaS author.

All a hacker has to do with this page is just input the bitcoin wallet address they want the funds to go to. Then customize the price they want for immediate payment, late payment, and lastly a timer for what is considered a late payment.

Skip forward to infecting a victim and there is no GUI popup. Just all your documents are now encrypted and you have this new instructions text at every directory.

Typically you have to install a layered tor browser to get to here, but tor2web currently is supporting a gateway to the page even if you’re just using a normal browser like firefox or chrome. Here is what you’ll be presented with.

Instructions are fairly clear on how to install a bitcoin wallet and send money to the hackers holding your files ransom. If you wait too long then the price will go up – and is set by the generator we showed earlier. Once you have paid the ransom this page will update showing “PAYED” and will then have a link to the decryptor. The decryptor doesn’t have a GUI either and will just run in the background until all files are decrypted.

MD5 Analyzed: D87BA0BFCE1CDB17FD243B8B1D247E88
Additonal MD5 Analyzed: ECDACE57A6660D1BF75CD13CFEBEDAEE

Webroot will catch this specific variant in real time and heuristically before any encryption takes place. We’re always on the look out for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

Yesterday information was published online through www.theregister.co.uk discussing an exploit that was discovered in the Mac OSX 10.10 Yosemite operating system. The discovered exploit allows a user to gain root access on a machine without any admin credentials. The exploit uses an environment variable called DYLD_PRINT_TO_FILE that was added in the Yosemite operating system, and is used by the OS to specify where the dynamic linker logs error messages. It was discovered however that the environment variable can be used maliciously in order to modify files that are owned by the “root user” account. The bottom line is that with one basic line of code a malware author could easily do away with the password requirement for the user account being compromised, therefore giving them full reign on the system.

While this exploit has not yet been seen implemented into any new malware in the wild, it is important to be aware that such a huge vulnerability exists. As usual, Mac users should always exercise prudence when downloading and installing software onto their machines, as well as download a reliable internet security app. In addition, the exploit is not present in older versions of Mac OSX, such as Mavericks, and is not present on the 10.11 beta of El Capitan.

The vulnerable code is found below

echo ‘echo “$(whoami) ALL=(ALL) NOPASSWD:ALL” >&3’ | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

It just doesn’t seem to end with all the exploits being revealed by the Hacking Team dump earlier this month. This vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts. The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain system privileges on an affected Windows system.

Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw (buffer underflow) in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts.  This vulnerability can allow an attacker to gain SYSTEM privileges on an affected Windows system. Hackers would use this to infect users systems with any type of malware and gain remote control access if they desired – all without notifying the user. Also, this vulnerability can be used to bypass web browser and other OS-level sandboxing and protections.

This is a confirmed exploit on Windows XP and up and Windows Server 2003 and up. Since Windows XP and Windows Server 2003 are no longer supported by Microsoft, there is no patch for users on those operating systems so we HIGHLY advise that you migrate to a newer operating system. Windows Vista, 7, and 8 users are going to have an update rolled out shortly that will patch this vulnerability so make sure you keep an eye out for updates. More info here