Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild

In order to emphasize on the growing trend of cybercriminals abusing legitimate infrastructure for their malicious purposes, last week, I profiled a DIY SMS flooder using Skype’s SMS-sending capability to launch a DoS (denial of service attack) against a user’s mobile device.

This week, I’ll continue providing factual evidence for the emergence of this trend, by profiling yet another recently released DIY SMS flooder, this time abusing ICQ’s sms-sending feature.

More details:

read more…

Wirenet: The Password-Stealing Trojan Lands on Linux and OS X

No matter what people think about it, the increasing exposure of Linux and OS X to malicious code is strictly related to the worldwide exposure of those operating systems on desktops and laptops. In the last couple of years, more and more home users decided to switch to Linux (e.g. Ubuntu Linux, just to name one of the best known Linux distributions) or OS X. Most of these users, when questioned about why they switched from Windows to another operating system, usually answer by blaming Windows’ critical exposure to malware.

However, this increasing trend has been followed by many virus writers as well, who started writing malicious code able to target these alternative operating systems. This shouldn’t be a surprise though, as it’s the expected response of cybercrime: the more users there are using Linux and OS X, the more virus writers are interested in infecting them as well.

This is the main reason why the security industry in the last year saw a rising trend of malware attacks involving OSX. Apple also chose to include a basic malware scanner in their operating system, turned on by default and regularly updated by Apple through the system update mechanism. To be fair, we are not yet seeing the same complexity level already reached by Windows-based malware – which clearly is a good thing. On the other hand it means that malware writers have plenty of room to improve their malware capabilities on such operating systems. Things are actually quickly changing, as trojan Wirenet may show us.

First isolated by Russian security company Dr.Web, Wirenet is a trojan with backdoor features able to hit Linux and Mac users in a way that looks way similar to what trojans are currently doing on Windows. Wirenet is among the first cross-platform password stealing trojans, able to steal sensitive data from Linux and Mac environments as well as from Windows and Solaris.

How the infection reaches the operating system is still unknown, though it’s easy to assume that social engineering and unpatched flaws in Java and/or Flash plugins could have played a key role in its spreading.

When executed, the infection runs as a standard executable (ELF on Linux and Solaris, Mach-O on OSX, PE on Windows) located in the current user session. It’s easy to spot the infection (if you know what to look for) though. It’s behavior allows the infection to get access to all the user’s sensitive data it wants. Don’t forget that even ZeuS and SpyEye infections on Windows-based environments are pure user-mode infections, though they have been able to steal a critical amount of sensitive data worldwide and they are still among the most common banking infections.

The architecture of the infection is similar to most trojans on Windows: the trojan’s configuration is embedded inside its body and it’s RC4 encrypted, so that the average user can’t read any plain text data from the file. The configuration contains, among all the settings, the address to the command and control (C&C) server, where the trojan uploads all the stolen data from the infected PC. The connection to the server is AES encrypted, though the password for the encryption can be easily recovered from the local configuration data, after it has been decrypted. The current C&C server address is 212.7.208.65 (remote port 4141) and the AES password used is “sm0k4s523syst3m523” (without quotes), though this can easily change as we’ve found earlier samples of this infection using the remote address “xyl2k.no-ip.biz” and AES password “Password” (without quotes). Before stealing data, the trojan sends an authentication packet to the C&C server which contains the string: “RGI28DQ30QB8Q1F7”. It creates a mutex to make sure that just one instance of the trojan is running: on Linux the mutex is named vJEewiWD, on OSX it’s named lbOOjfsO.

Wirenet searching for sqlite database

The Linux (and Solaris) variants of Wirenet look for user profiles created by Google Chrome, Mozilla FirefoxMozilla ThunderbirdMozilla SeaMonkeyOperaPidgin and, if any of them is found, it tries to steal them and the passwords stored in them.

With Mozilla products, it decrypts the passwords stored in the encrypted signons.sqlite database by “exploiting” the same routine used by Mozilla to decrypt them (PK11_GetInternalKeySlotPK11_AuthenticateNSSBase64_DecodeBufferPK11SDR_Decrypt). When looking for Opera’s wand.dat, it extracts the whole file and uploads it to its command and control server. With Google Chrome (and Chromium), it locates the Login Data folder (.config/google-chrome/Default/Login Data.config/chromium/Default/Login Data) and decrypts the SQlLite database. When looking for Pidgin, it steals whole .purple/accounts.xml configuration file.

On OS X, on the other hand, the trojan looks for just Mozilla and Opera products, and if they are found, Wirenet uses the same techniques to steal the passwords saved in their password managers. On Windows, like on Linux, it targets Chrome, Chromium, Mozilla products, Opera, Pidgin, Internet Explorer and Microsoft Live accounts.

On all the operating systems the trojan can receive commands from the C&C server, which could be either upload data, download and execute other malicious code, steal system information, kill processes, hide windows, change window titles, enumerate all windows on the desktop (CGSGetOnScreenWindowList on OSX, XQueryTree on Linux, EnumWindows on Windows) and much more.

Wirenet taking screenshots on OS X

On both operating systems, Wirenet can take screenshots of the desktop and upload them to the C&C server. On Linux, it exploits the X11 APIs XGetGeometryXGetImage andSaveXImageToBitmap. On OSX, the trojan exploits the Quartz Display Services APIsCGMainDisplayIDCGDisplayCreateImageCGImageDestinationCreateWithData,CGImageDestinationAddImageCGImageDestinationFinalize. Wirenet contains a routine able to convert BMP images to JPEG format.

To improve the stealing routine, Wirenet includes a keylogger feature on its Linux (and Solaris) and Windows versions. This isn’t really a surprise as keylogger proof of concepts on Linux are widely available online. Point here is that a keylogger can run on Linux in the same easy way as it’s run on Windows, even without root privileges. The same applies to Windows, where a simple keylogger can be written by using just a single API and it could easily intercept everything even without administrator privileges – this was the situation in Windows XP, before Windows Vista and Windows 7 where Microsoft introduced UACMIC and UIPI technologies, which allow the operating system to better isolate processes from each other even if they are sharing the same user session.

On Linux, Wirenet opens a handle to the Display by calling XOpenDisplay(), and callsXQueryExtension(), looking for the XInputExtension extension. It then enumerates all the devices by calling XListInputDevices(), looking for the device named “AT” or “System keyboard“. When found, it opens a handle to that device by invoking XOpenDevice() and selects the keyboard events it wants to log by calling XSelectExtensionEvent(). In the end, in a infinite loop, it logs all the keyboard events with the XNextEvent() API. Few easy steps and the keylogger is working perfectly, able to steal passwords written on a bank’s login webpage or anything else. On its Windows release, the keylogger routine exploits the RegisterRawInputDevices()/GetRawInputData() APIs – I won’t spend too much time on this as it’s a very basic keylogging routine, already widely known.

Keylogging on Linux

On OS X, it steals the system information from the following unexported system variables:_kCFSystemVersionBuildVersionKey_kCFSystemVersionProductNameKey,_kCFSystemVersionProductVersionKey

The path where the trojan installs itself on Linux is: %home%/WIFIADAPT, while on OSX is%home%/WIFIADAPT.app

Finally, on all operating systems it is able to bind a shell to allow remote access (the backdoor feature) and it’s able to simulate keyboard and mouse activity from remote (keystrokes and mouse movements). On Linux and Windows it acts as a SOCKS4/5 proxy server as well.

Shell binding

As you may spot from the analysis of this trojan, the similarities between a classic Windows trojan and Wirenet are quickly increasing. The idea is that Wirenet looks like a real attempt to port Windows infections to Linux and OS X. In some ways it reminds me of the first password stealing trojans on Windows NT, when it was enough for Windows-based malware to implement a classic keylogger using GetAsyncKeyState() to steals keystrokes, far before they started using hook-based techniques.

It was a long time ago on Windows. Perhaps it is the beginning of a new era on Linux and Mac?

A Primer for Secure Coding in PHP and MySQL

PHP is an incredibly popular language for creating dynamic web applications — websites such as Facebook are built on it. This can be attributed to many reasons; it is easy to learn, easy to install and does not require the user to compile code. An unfortunate side effect of the ease of development with PHP is a tendency to ignore security during the development process.

In this post, I will discuss some of the ways to make your PHP apps more secure. I will go through creating a PHP web app that connects to a MySQL back end database. The application will be a simple address book. The approach I will take to secure the PHP code is one of layered security. There is no sure fire quick method of blocking all attacks, but using the layered security approach we severely limit our exposure.

read more…

New Russian service sells access to thousands of automatically registered accounts

What happens when a cybercriminal cannot efficiently gain access to thousands of working accounts at popular Web services, either through data mining a botnet’s population, or through phishing campaigns?

He’ll just start systematically abusing the legitimate services by automatically and efficiently registering thousands of bogus accounts, thanks to the easy to use India based CAPTCHA-solving operations.

In this post I’ll profile a recently launched Russian based service, offering access to thousands of automatically registered accounts at popular Russian social networking sites, and free email services.

More details:

read more…

Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders

Cybercriminals are masters of abusing legitimate infrastructure for their malicious purposes. From phishing sites and Black Hole exploit kit landing URLs hosted on compromised servers, abuse of legitimate web email service providers’ trusted DKIM verified ecosystem, to the systematic release of DIY spamming tools utilizing a publicly obtainable database of user names as potential “touch points”, cybercriminals are on the top of their game.

In this post, I’ll profile a recently advertised DIY SMS flooder using Skype’s infrastructure for disseminating the messages, and assess the potential impact it could have on end and corporate users.

More details:

read more…

Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit

It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails.

The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.

More details:

read more…

Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit

Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploits serving a landing URL, courtesy of the Black Hole web malware exploitation kit.

More details:

read more…

Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware

Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails.

Using ‘Notification of payment received‘ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC.

More details:

read more…