by Blog Staff | Jan 22, 2014 | Industry Intel, Threat Lab
Operating in a world dominated by millions of malware-infected hosts acting as proxies for the facilitation of fraudulent and malicious activity, the Web’s most popular properties are constantly looking for ways to add additional layers of authentication to the account registration process of prospective users, in an attempt to undermine automatic account registration tactics. With CAPTCHA under automatic fire from newly emerging CAPTCHA solving/breaking services, re-positioning the concept from what was once the primary automatic account registration prevention mechanism, to just being a part of the ‘authentication mix’ these days, in recent years, a new (layered) authentication concept got the attention of the Web’s ‘most popular’. Namely, the introduction of SMS/Mobile number account verification, a direct result of wide adoption of mandatory prepaid SIM card registration internationally, in the context of preventing crime and terrorism.
Naturally, the bad guys quickly adapted to the new authentication mechanism, and in a true ‘malicious economies of scale’ fashion, undermined the concept, successfully continuing to populate any Web property with hundreds of thousands of bogus accounts, degrading the quality of the services offered, as well as directly abusing the one-to-one/one-to-many trust model in place. How do they do it? What type of tactics do they rely on in an attempt to bypass the mandatory prepaid SIM cards registration process, in order to secure a steady flow of tens of thousands of non-attributable SIM cards, at any given moment in time, empowering them to bypass the SMS/Mobile number activation account registration process? Let’s find out.
(more…)
by Blog Staff | Jan 21, 2014 | Industry Intel, Threat Lab
It can be easily argued, that CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is the modern day’s ‘guardian of the Web’, in the context of preventing the mass, systematic, and efficient abuse of virtually each and every Web property there is.
Over the years, CAPTCHA developers continued to strike a balance between the actual usability and sophistication/resilience to attacks, while excluding the beneath the radar emergence of a trend, which would later on prove to successfully exploit a fundamental flaw in the very concept of the CAPTCHA process. Namely, the fact that, the very same humans it was meant to differentiate against the automated bots, would start to efficiently monetize the solving process, relying on the ‘human factor’, instead of applying scientific based type of attack methods.
Acquired by Google in 2009, reCAPTCHA, quickly emerged as a market leader in the space, leading to good old fashioned (eventual) exploitation of monocultural type of flaws, applied not just by security researchers, but naturally, by cybercriminals as well. How do cybercriminals bypass the Web’s most popular CAPTCHA? Do they rely on human-factor type of attacks, or continue aiming to scientifically break it, like it is most commonly assumed by CAPTCHA developers? Based on the average response times that we’re aware of, a newly launched CAPTCHA-solving/breaking service, that’s exclusively targeting Google reCAPTCHA, might have actually found a way to automate the process, as we’re firm believers in the fact that, no ‘CAPTCHA solving junkie’, can solve a reCAPTCHA in less than a second. Let’s take a peek inside the service, discuss its relevance in the CAPTCHA-solving/breaking market segment, and why its reliance on an affiliate network type of revenue sharing scheme, is poised to help the service, further acquire high-end customers, namely vendors of blackhat SEO/spam tools.
(more…)
by Blog Staff | Jan 17, 2014 | Industry Intel, Threat Lab
It was brought to our attention that the research published had flaws. To read our response, please click here:
https://community.webroot.com/t5/Security-Industry-News/Update-to-the-Target-breach-theory/m-p/77825
by Blog Staff | Jan 17, 2014 | Industry Intel, Threat Lab
Throughout 2013, we not only witnessed the re-emergence of proven mass, efficiency-oriented Web site hacking/exploitation tactics, such as, the reliance on Google Dorks scanning, good old fashioned brute-forcing, but also, the introduction of new concepts, successfully utilizing/standardizing, both, compromised accounting data, and server-farm level access, in an attempt to fraudulently monetize the hijacked traffic from legitimate Web sites.
As we’ve seen on numerous occasions throughout the years, despite sophisticated ‘innovations’, cybercriminals are no strangers to the KISS (Keep It Simple Stupid) principle. Case in point in terms of Content Management Systems (CMSs) is WordPress, whose market share is naturally proportional with attention the platform is receiving from fraudulent/malicious adversaries. In this post, I’ll discuss a DIY type of Python-based mass WordPress scanning/exploiting tool, available on the underground marketplace since July 2013, emphasize on its core features, and overall relevance in a marketplace dominated by competing propositions.
(more…)
by Blog Staff | Jan 16, 2014 | Industry Intel, Threat Lab
In need of a good example, that malicious adversaries are constantly striving to ‘innovate’, thereby disrupting underground market segments, rebooting TTPs’ (tactics, techniques and procedures) life cycles, standardizing and industrializing their fraudulent/malicious ‘know-how’? We’re about to give you a pretty good one.
Regular readers of Webroot’s Threat Blog, are no strangers to the emerging TDoS (Telephony Denial of Service) underground market segment. Primarily relying on the active abuse of legitimate services, such as, for instance, Skype and ICQ, as well as to the efficient and mass abuse of non-attributable SIM cards, for the purpose of undermining the availability of a victim’s/organization’s mobile/communication’s infrastructure, the market segment continues flourishing. Rather a trend, than a fad, established DDoS (Distributed Denial of Service) for hire vendors, are already busy ‘vertically integrating’ within the underground marketplace, by starting to offer TDoS for hire services, either relying on a partnership with a TDoS vendor, or through the reliance on an in-house built infrastructure, established through the use of public/commercially available TDoS tools.
Back in July, 2012, a relatively unknown underground market entrant, publicly announced his ambitions to build a custom TDoS-ready GSM module, capable of supporting between 100-200 non-attributable SIM cards simultaneously, using custom coded management software. In a true product customer-ization style, he also started soliciting feedback, and touching base with potential customers of the custom module, in between promising them a “democratic” pricing scheme for the upcoming release. Then came the ‘innovation’. In November 2013, he made commercially available, what we believe is the first such public/commercially available TDoS-ready custom GSM module, whose very existence is poised to further fuel the growth of the TDoS market segment, tip potential competitors to the rise of the market segment, and directly contribute to the emergence of new TDoS vendors.
Let’s discuss the custom GSM module’s core functionalities, pricing scheme, and why its vendor can easily claim the market disruptor position in early 2014.
(more…)
by Blog Staff | Jan 15, 2014 | Industry Intel, Threat Lab
In the marketing world, it’s widely known sex sells. This is so true the “adult” industry is a multi-billion dollar industry. This is also why malware authors have long used adult content to attract unwitting victims. Lately, this threat researcher has seen way too much of it. There has been an influx of Trojan-like APKs using adult content to trick users into sending premium SMS messages. Let’s take a deeper look at one of these apps.
When you open the app it displays a page showing “GET IT NOW” in the middle, and “NEXT” at the lower right corner. If you tap “GET IT NOW”, it pops up a message saying “Request sent. Thank You”, and goes to the next screen. If you press “NEXT”, it goes to the next screen without a message. After several screens like this, it eventually gets to the last screen which may or may not have several buttons, but always has “T&C”, which I can only guess means “Terms & Conditions”. This opens up an SMS agreement screen.
Using Google translate, the SMS agreement – which is in Indonesian – roughly translates to this:
Subscribe to a few videos now! Click on the mobile, you will be a customer subscription and retrievable content, cost RM3.00/SMS caj, 1-2 day per SMS (not including GPRS caj so canceled). To deselect, sms STOP conductivity to 39 997. Talian CS: 03-7493 1352 (Isnin to Friday). By concatenated, you agree with the terms and conditions that presented.
Click “OK” and you’ll be charged via premium SMS. So what about the “content” that’s promised? Sorry, not going to happen.
Not all, but quite a few of these apps are using the same package name pattern:
com.<naughty_word>.kma2
com.<naughty_word>.gmb2
com.<naughty_word>.lmt2
com.<naughty_word>.ymb2
com.<naughty_word>.mbf2
When looking for “content” out there, be smart about it. If an app is asking you to agree to subscribe to something via premium SMS messages, think twice. Of course, it always helps to have a malware scanner on your phone, like Webroot SecureAnywhere Mobile, as well.
by Blog Staff | Jan 13, 2014 | Industry Intel, Threat Lab
Driven by popular demand, the underground market segment for TDoS (Telephony Denial of Service) attacks continues flourishing with established vendors continuing to actively develop and release new DIY (do-it-yourself) type of tools. Next to successfully empowering potential customers with the necessary ‘know-how’ needed to execute such type of attacks, vendors are also directly contributing to the development of the market segment with new market entrants setting up the foundations for their business models, using these very same tools, largely relying on the lack of situational awareness/understanding of the underground market transparency of prospective customers. Positioned in a situation as ‘price takers’, they’d be often willing to pay a premium to gain access to TDoS type of attack capabilities, with the intermediary in a perfect position to command a high profit margin, further improving the market segment’s capitalization.
A well known (Russian) vendor of TDoS products continues ‘innovating’ and utilizing basic customer-ization concepts, thereby introducing new features into well known TDoS ‘releases’, bug fixes, and overly-continuing to actively maintain a decent portfolio of multiple TDoS applications. Let’s take a peek at the most recently updated, 3G USB Modem/GSM/SIM card based of TDoS attack application, dubbed by the vendor as the most effective and cost-effective form of TDoS attack.
(more…)
by Blog Staff | Jan 9, 2014 | Industry Intel, Threat Lab
First official working week of 2014 and cybercriminals are already busy pushing new releases into the underground marketplace. The goal? Setting up the foundation for successful monetization schemes to be offered through cybercrime-friendly boutique E-shops known for selling access to compromised accounting data obtained through the use of DIY (do-it-yourself) type of services. In this post, I’ll discuss a newly released passwords/game keys stealing tool whose Web-based command and control interface is successfully mimicking Windows 8’s Home Screen, and some of the most common ways through which this very same stolen accounting data would eventually be monetized.
(more…)
by Blog Staff | Jan 7, 2014 | Industry Intel, Threat Lab
Happy New Year, everyone! Despite the lack of blog updates over the Holidays, we continued to intercept malicious campaigns over the same period of time, proving that the bad guys never take holidays. In this post, I’ll profile two prolific, social engineering driven type of malicious spam campaigns that we intercepted over the Holiday season, and naturally (proactively) protected you from.
More details:
(more…)
by Blog Staff | Jan 6, 2014 | Industry Intel, Threat Lab
Over the Christmas period, we here at Webroot have noticed a large amount of Zeus infections that are spoofing the Bitdefender name.
While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5`s in the last week alone!
The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website.
Infection Information:
- File size is normally around 200-300kb
- It’s located in one path of the users appdata folder with a random path+file name
- C:\users\testPC\Appdata\<random letters>\<random letters.exe
- Usually dropped via an exploit kit (Blackhole being the most popular)
- However, it has also been seen attached to Spam emails
- Can disable Windows Firewall and Security Center
- Has the ability to connect to a remote server to download updates
- Can download other infections
Behaviour:
This infection can get onto a user’s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kits uses Java Exploits to drop and execute a file.
Unless the user is very alert, they typically won’t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically ran on start-up.
The first is a registry key which points to the infection directly [1]
The second is a fake Security Center update scheduled task [2]
The third is to create a service that auto starts again point to the infection [3]
- hklm\software\microsoft\windows\currentversion\run “C:\Users\User\Application Data\Obunat\ongekie.exe”
- %windir%\tasks\ SECURITY CENTER UPDATE – 4048458695.JOB
- hklm\system\currentcontrolset\services\securitycenterserver673348880 U5″C:\WINDOWS\system32\igizhaot.exe” -service “C:\Users\User\Application Data\Obunat\ongekie.exe”
After this, the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker/ICE and other Rogue AV`s)
Due to the large number of variants, I won’t go through all the behaviours, but generally the infection route follows one of the patterns above. This infection can disable the Windows security center or modify the Firewall settings to allow remote access to the PC.
Examples:
| MD5 |
PATH |
FILE NAME |
FILE SIZE |
|
|
|
|
| 83890496EB018EA524E72CE18CD37209 |
%appdata%\ukhecy |
REHEI.EXE |
221,334KB |
| 70AACDCEC7C9D35393CD9D382C8A0454 |
%appdata%\pawary |
YVPULUV.EXE |
217,222KB |
| ED098AB9A5E13D1B12BE816659C4172C |
%appdata%\qaxuile\ |
PAIDP.EXE |
217,222KB |
| 79776C5BE35DFC4089312D42EC70F903 |
%appdata%\hoydatem\ |
SAAFIFV.EXE |
217,222KB |
| 25D00FC9F06E1720A7B4E4C9293D32AE |
%appdata%\siuvmyw\ |
PYRUOV.EXE |
218,783KB |
| 79776C5BE35DFC4089312D42EC70F903 |
%appdata%\zoobir\ |
EQDUG.EXE |
215,105KB |
| MD5 |
PATH |
FILE NAME |
FILE SIZE |
PC Count |
|
|
|
|
|
| A748FEB8EE581E2225CE7F983E364EC0 |
%temp% |
JAVA_UPDATE_71972350.EXE |
222,827
|
181
|
| EC9FC4EE2AA75D0CD6E0490853F27B21 |
%temp% |
JAVA_UPDATE_7bb116be.EXE |
215,105
|
105
|
| DB97134AFFDA00379CAF3FCD00BBFFFF |
%temp% |
JAVA_UPDATE_93D4FD64.EXE |
216,678
|
231
|
| 4FCD4FD7D3D3A5D24EF663CE3419D7CC |
%temp% |
JAVA_UPDATE_0EEF9307.EXE |
217,222
|
174
|
| D4BC7886F04574E5628FD6BBFBB01C19 |
%temp% |
JAVA_UPDATE_8C3C4799.EXE |
218,873
|
134
|
In total, we have seen over 40k files and this is increasing every hour. Most of the files have a digital vendor that is close to the real version (shown below). As you can see from the screenshot above, a number of the files are pretending to be Java updates.
BitKefender S.R.L. with 869 unique MD5`s
BitNefender S.R.L.|BitNefender Antivirus Scanner with unique 19,305 MD5`s
Removal:
Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector.
As mentioned earlier, this infection has also been seen to be spread by email. It is advisable to use an email provider that has good SPAM filtration. Google and Microsoft mail services are efficient at blocking these emails.
Always be alert to any email attachments, even if they’re from friends/relatives, and especially executable files that are inside a zip file. Over the Christmas period, we have also noticed a targeted attack from malware authors using well known store names lie Costco, Walmart, etc. in spoof emails.
Since SecureAnywhere doesn’t rely on traditional definitions, we can react instantly to this new trend of Zeus. Webroot SecureAnywhere can safely block this infection. Likewise, if installed on a pre-infected PC, Webroot SecureAnywhere can remove the infection.
