Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool

On a regular basis we profile various DIY (do it yourself) releases offered for sale on the underground marketplace with the idea to highlight the re-emergence of this concept which allows virtually anyone obtaining the leaked tools, or purchasing them, to launch targeted malware attacks.

Can DIY exploit generating tools be considered as a threat to the market domination of Web malware exploitation kits? What’s the driving force behind their popularity? Let’s find out by profiling a tool that’s successfully generating an exploit (CVE-2013-0422) embedded Web page, relying on malicious Java applets.

More details:

read more…

Fake Microsoft Security Scam

Recently we have seen an increase in fake Microsoft security scams, which function by tricking people into thinking that their PC is infected.  With these types of scams there are a number of things to remember:

  1. Microsoft will never call you telling you that your PC is infected
  2. Never allow strangers to connect to your PC
  3. Do not give any credit card info to somebody claiming to be from Microsoft
  4. If in doubt, shut down your PC and call Webroot

The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that location of the web site will be a random string of letters.

These websites will normally only stay active for 24-48hrs before they are pulled down. The websites’ primary function is to get you to run a “removal tool” called “security cleaner”. This file is the infection and, if ran, will infect the PC and start displaying pop-ups (like the one in Figure 2).

browser_alert

Figure 1: Fake Alert

At this stage, the PC is not infected so it’s safe to close the browser and ignore any alerts from the website. Noting the website that displayed the message is good idea as you can notify the webmaster (if it’s a legitimate website).

I have seen examples of this type of fake webpage being linked from advertising links. Using a browser that has a pop-up blocker will reduce the likelihood of encountering a bad advertising link. With scams like this, the most important way to stop getting infected is to be diligent when you’re online.

If a website asks you to run a file that you haven’t asked for, be extremely cautious. The same goes for emails (even from friends). Do not open executable files unless you are 100% sure they are good.

FakeAV

Figure 2: Fake AV Pop-up

Behavior

The info below is only a guideline as the payload can change. However, it follows the same pattern of dropping a fake AV that stops you from opening most programs.

  • Drops a randomly named file in the current users folder (Fake AV payload)
  • Creates a service for the above file
  • Disables Windows Firewall or modifies the settings to allow the file full access to the PC
  • Creates a number of files in the windows recycler folder (usually Zero Access)
  • Flags any opened program as an infection (by modifying the open shell reg key)
  • Fake AV will then prompt the user to pay to remove the detected “infections”

Webroot Detection logs:
Infection detected:
c:usersownerappdatalocalmicrosoftwindowstemporary internet filescontent.ie5wckxi56gsecurity_cleaner[1].exe

MD5: 68D9F9C6741CCF4ED9F77EE0275ACDA9
Detection rate of the file 28/46 Vendors on Virus Total.

Registry Changes:
Below is an example of some of the changes. The first shows how it modifies the open shell command so when you open any file it will run the Fake AV. The second shows the security center notifications that are disabled.

hkcrw1shellopencommand”C:UsersUserAppDataLocalgpt.exe
hklmsoftwareclientsstartmenuinternetiexplore.exeshellopencommand
HKLMSOFTWAREMicrosoftSecurity Center  AntiVirusDisableNotify   00000001
HKLMSOFTWAREMicrosoftSecurity Center  AntiVirusOverride   00000001

How to protect yourself from these scams

There are a number of ways to ensure your PC is protected from these types of scams. The first step is simply being aware that these scams exist! Also, make sure to:

  • Use Webroot Secure Anywhere
  • Keep Windows updates turned on and set them to automatically update
  • Use a modern secure browser like Firefox  or Chrome
  • Update any 3rd party plugins (Java/Adobe Reader/Flash player)
  • Use an ad-blocker add-on in Firefox/Chrome

I have seen a number of infections that would have been prevented if Windows was up to date. Microsoft is constantly updating Windows to patch various security updates.

Removal

Webroot SecureAnywhere automatically blocks the installation of the infection so it won’t even run (Figure 3).  If the PC has no AV software installed, booting into Safe Mode with networking and installing Webroot Secure Anywhere will remove the threat.  Manually removing this threat is possible; however, there may be some system damage that will need to be repaired.

Webroot support is always available to help with removal and questions regarding this infection.  Please visit the Webroot support web site for more detail at: http://www.webroot.com/support/.

WSAremoval

Figure 3: SecureAnywhere Removal

Managed ‘Russian ransomware’ as a service spotted in the wild

By Dancho Danchev

In 2013, you no longer need to posses sophisticated programming skills to manage a ransomware botnet, potentially tricking tens of thousands of gullible users, per day, into initiating a micro-payment to pay the ransom for having their PC locked down. You’ve got managed ransomware services doing it for you.

In this post I’ll profile a recently spotted underground market proposition detailing the success story of a ransomware botnet master that’s been in business for over 4 years, claiming to be earning over five hundred thousands rubles per month.

More details: read more…

How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators

How are cybercriminals most commonly abusing legitimate Web traffic?

On the majority of occasions, some will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible doorways on legitimate, high pagerank-ed Web properties, in an attempt to monetize the hijacked search traffic.

In this post I’ll profile a DIY blackhat SEO doorway generator, that surprisingly, has a built-in module allowing the cybercriminal using it to detect and remove 21 known Web backdoors (shells) from the legitimate Web site about to be abused, just in case a fellow cybercriminal has already managed to compromise the same site.

Are turf wars back in (the cybercrime) business? Let’s find out.

More details: read more…

Cybercriminals impersonate Bank of America (BofA), serve malware

Relying on tens of thousands of fake “Your transaction is completed” emails, cybercriminals have just launched yet another malicious spam campaign attempting to socially engineer Bank of America’s (BofA) customers into executing a malicious attachment. Once unsuspecting users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals operating it, leading to a successful compromise of their hosts.

More details: read more…

Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns

Following the recent events, opportunistic cybercriminals have been spamvertising tens of thousands of malicious emails in an attempt to capitalize on on the latest breaking news.

We’re currently aware of two “Boston marathon explosion” themed campaigns that took place last week, one of which is impersonating CNN, and another is using the “fertilizer plant exposion in Texas” theme, both of which redirect to either the RedKit or the market leading Black Hole Exploit Kit.

Let’s profile the campaigns that took place last week, with the idea to assist in the ongoing attack attribution process.

More details:

read more…

CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime

By Dancho Danchev

Just how challenged are cybercriminals when they’re being exposed to CAPTCHAs in 2013?

Not even bothering to “solve the problem” by themselves anymore, thanks to the cost-efficient, effective, and fully working process of outsourcing the CAPTCHA solving process to humans thereby allowing the cybercriminals to abuse any given Web property, as if it were multiple humans actually performing the actions.

In this post I’ll profile an automatic CAPTCHA-solving (Russian) email account registration tool which undermines the credibility of Russia’s major free email service providers by allowing cybercriminals to register tens of thousands of bogus email accounts.

More details:

read more…

DIY SIP-based TDoS tool/number validity checker offered for sale

By Dancho Danchev

Over the past year, we observed an increase in publicly available managed TDoS (Telephony Denial of Service) services. We attribute this increase to the achieved ‘malicious economies of scale’ on behalf of the cybercriminals operating them, as well as the overall availability of proprietary/public DIY phone ring/SMS-based TDoS tools.

What are cybercriminals up to in terms of TDoS attack tools? Let’s take a peek inside a recently released DIY SIP-based (Session Initiation Protocol) flood tool, which also has the capacity to validate any given set of phone numbers.

More details: read more…

DIY Russian mobile number harvesting tool spotted in the wild

By Dancho Danchev

Earlier this year we profiled a newly released mobile/phone number harvesting application, a common tool in the arsenal of mobile spammers, as well as vendors of mobile spam services. Since the practice is an inseparable part of the mobile spamming process, cybercriminals continue periodically releasing new mobile number harvesting applications, update their features, but most interestingly, continue exclusively targeting Russian users.

In this post, I’ll profile yet another DIY mobile number harvesting tool available on the underground marketplace since 2011, and emphasize on its most recent (2013) updated feature, namely, the use of proxies.

More details: read more…

A peek inside a (cracked) commercially available RAT (Remote Access Tool)

By Dancho Danchev

In an attempt to add an additional layer of legitimacy to their malicious software, cybercriminals sometimes simply reposition them as Remote Access Tools, also known as R.A.Ts. What they seem to be forgetting is that no legitimate Remote Access Tool would possess any spreading capabilities, plus, has the capacity to handle tens of thousands of hosts at the same time, or possesses built-in password stealing capabilities. Due to the nature of these programs, they have also become known as Remote Access (or Admin) Trojans.

Pitched by its author as a Remote Access Tool, the DIY (do it yourself) malware that I’ll profile in this post is currently cracked, and available for both novice, and experienced cybercriminals to take advantage of at selected cybercrime-friendly communities.

More details:

The first time we came across the underground market ad promoting the availability of the DIY malware was in June 2012 and offered for sale for $1,000. Then in October 2012, a cracked and fully working version of the DIY malware leaked on multiple cybercrime-friendly communities, potentially undermining the monetization attempted by its author.

The Web/Client based release has numerous features, presented in a point-and-click fashion, potentially empowering novice cybercriminals with a versatile set of online spying capabilities. Let’s go through some screenshots to demonstrate the capabilities of this particular (cracked) underground market release.

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_01

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_02

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_03

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_04

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_05

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_06

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_07

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_08

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_09

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_10

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_11

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_12

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_13

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_14

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_15

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_16

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_17

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_18

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_19

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_20

Cracked malware releases either cease to exist since the cybercriminal behind them has failed to monetize his release in the initial phrase, continue being developed as private releases, or become adopted by novice cybercriminals taking advantage of today’s managed malware crypting services to ensure that the actual payload remains undetected before it is distributed to the intended target(s).

We’ll continue monitoring the development of this RAT software/DIY malware, in particular, whether or not its developer will continue working on it, now that there are leaked versions of it available online.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.