Category Archives: Security Response News

User Ignorance of Cloud Services Poses a Data Leak Challenge

Cloud-based online services are useful tools for many enterprises, allowing them to coordinate their teams, share information and enable discussions within groups. However, companies should be sharply aware of how they manage their privacy settings for…

Close Encounters of the Shadowlock Kind

In the vein of fake computer lockers everywhere, such as the Trojan.Ransomlock, Trojan.Fakeavlock, and Trojan.Winlock families, comes Trojan.Shadowlock. Unlike any of its predecessors, however, this malware “encourages” users to fill out an online survey instead of outright demanding an online payoff. Online surveys in general return very little money, but they do eventually add up in the long run. In this case, it turns out the malware author has a sense of humor and left in a certain Easter egg for reverse engineers to find. The Easter egg is a sound bite of the famous five-tone motif from the movie Close Encounters of the Third Kind. The sound is iconic and has been used many times in all kinds of media. In this case, the malware author decided to implement it as part of the way the malware compromises the user’s computer.

Technical details

Once executed, the threat shows the user a popup box.


Figure 1. Popup box to unlock computer

This box will stay on the screen, but can be moved around. If the user attempts to close the box by clicking the X button, the program interprets this as a failed unlock attempt. Attempts to disable the malware through various tools like Task Manager, Command Prompt, PowerShell, Regedit, or MSConfig will be denied by the Trojan. Even trying to launch a restore point will be stopped by Trojan.Shadowlock. After three failed attempts to input the unlock code, the threat will shut down the system. Once the user restarts their computer, the popup box will return after 20 seconds. This gives the user 20 seconds to use the previously mentioned tools to neutralize the threat. It seems that this particular malware author is not that destructive. If the user chooses to take the survey, they will be presented with a list of different surveys to choose from.


Figure 2. Survey list

A closer look at the code reveals a few interesting tidbits. One, it has been created using .NET and requires at least version 2.0 of the .NET framework to be installed in order to function properly. By reviewing it with a .NET decompiler, we can see the inner workings of Trojan.Shadowlock.


Figure 3. Top layer of Trojan.Shadowlock

The top layer of Trojan.Shadowlock deals with decrypting resources. After decryption, analysis of the Loqvd resource showed that it contains several functions, including BotKill() and EraseStartup(), which are never used by the threat. However, other functions, like the ones used to decompress files, are used by the threat. The top layer is used to decrypt all three resources. Loqvd is then used to decompress the decrypted versions of the Egg and Iudu resources. The main payload is in the Iudu resource. The author more than likely knows that .NET executables can be decompiled like this and added one more layer in an attempt to make analysis more difficult.


Figure 4. Iudu resource decrypted and uncompressed

Looking at the Iudu resource we find obfuscation similar to that used by JavaScript threats, and it can be de-obfuscated in a similar fashion. After some time, Shadowlock finally reveals some of its capabilities. The threat can do several things, such as killing popular browsers (Firefox, Chrome, Internet Explorer, Safari, and Opera) and disabling certain system tools. It can also eat up any available disk space and disable the Windows firewall. It can even redirect users to websites with shocking content through the default Web browser. On a more playful note, the threat can also swap mouse buttons, open the CD tray, or launch basic OS apps like Calculator or MS Paint.

Interestingly enough, a vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak. These functions (as well as others) may find themselves being used in a future variant. At Symantec, we protect our customers by detecting this threat as Trojan.Dropper, Trojan Horse, or Trojan.Shadowlock. According to our telemetry, this threat is not widespread. Be advised however, if you see your CD tray opening and hear eerie theme music, you may be experiencing a close encounter of the Shadowlock kind.

Android Vulnerability Allows App Hijacking

A serious Android vulnerability, set to be disclosed at the Blackhat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.
Android appli…

Microsoft Patch Tuesday – July 2013

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 36 vulnerabilities. 24 of this month’s issues are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the July releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jul

The following is a breakdown of the issues being addressed this month:

  1. MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Array Access Violation Vulnerability (CVE-2013-3131) MS Rating: Critical

    A remote code execution vulnerability exists in the way the .NET Framework handles multidimensional arrays of small structures.

    Delegate Reflection Bypass Vulnerability (CVE-2013-3132) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates the permissions of certain objects performing reflection. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    Anonymous Method Injection Vulnerability (CVE-2013-3133) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for objects involved with reflection.

    Array Allocation Vulnerability (CVE-2013-3134) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the .NET Framework allocates arrays of small structures.

    Delegate Serialization Vulnerability (CVE-2013-3171) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for delegate objects during serialization.

    Null Pointer Vulnerability (CVE-2013-3178) MS Rating: Important

    A remote code execution vulnerability exists in the way Silverlight handles a null pointer.

  2. MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

    Win32k Memory Allocation Vulnerability (CVE-2013-1300) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Dereference Vulnerability (CVE-2013-1340) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Vulnerability (CVE-2013-1345) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Win32k Use After Free Vulnerability (CVE-2013-3167) MS Rating: Important

    An information disclosure vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Buffer Overflow Vulnerability (CVE-2013-3172) MS Rating: Moderate

    A denial of service vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Buffer Overwrite Vulnerability (CVE-2013-3173) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Read AV Vulnerability (CVE-2013-3660) MS Rating: Critical

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

  3. MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

  4. MS13-055 Cumulative Security Update for Internet Explorer (2846071)

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3115) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3143) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3144) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3145) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3146) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3147) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3148) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3149) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3150) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3151) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3152) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3153) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3161) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3162) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3163) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3164) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Shift JIS Character Encoding Vulnerability (CVE-2013-3166) MS Rating: Important

    A cross-site scripting (XSS) vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow an information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.

  5. MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)

    DirectShow Arbitrary Memory Overwrite Vulnerability (CVE-2013-3174) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft DirectShow parses GIF image files. This vulnerability could allow a remote code execution if a user opened a specially crafted GIF file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  6. MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)

    WMV Video Decoder Remote Code Execution Vulnerability (CVE-2013-3127) MS Rating: Critical

    A remote code execution vulnerability exists in the way Windows Media Format Runtime handles certain media files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to open a specially crafted media file. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  7. MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

    Microsoft Windows 7 Defender Improper Pathname Vulnerability (CVE-2013-3154) MS Rating: Important

    This is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Rendering the Web Red with Redkit

On June 26, we observed an exploit kit attack on the Segway website. Symantec has notified Segway about the attack and Segway has since taken steps to ensure their website is no longer compromised. This blog will look at the details of an attack using the Redkit exploit kit.

Attack details

Code is injected into a jQuery script.


Figure 1. jQuery script with code injection

The malicious code is present in the jquery.min.js JavaScript.


Figure 2. Malicious code in jquery.min.js

The injected JavaScript decodes to a malicious iframe, which redirects to a landing page. This also sets up a cookie after the redirection so that users are not compromised more than once.

Figure 3. JavaScript decodes to a malicious iframe

The iframe redirects to a Redkit landing page:

  • [REMOVED]. [REMOVED].co.uk/abcd.html

The landing page loads the Java Network Launch Protocol (JNLP) to call the malicious JAR files. On successful exploitation, the JAR files use “Open Connection” and receive the URL, in obfuscated form, from “param value=”.


Figure 4. Obfuscated URL received from “param value=”

The encoded string resolves to:

  • http://[REMOVED]. [REMOVED].co.uk/19.html

The JNLP script is used to deploy malicious JAR files on the user’s computer.


Figure 5. JNLP script used to deploy malicious JAR files

The URI for the JAR files:

  • http://[REMOVED]. [REMOVED].co.uk/8o.jar

Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and employ cipher schemes to decrypt it.

The JAR files used in this attack exploit a Java type confusion vulnerability (CVE-2012-1723).


Figure 6. Java type confusion being exploited

The cipher scheme used to decode the URL, passed as param through JNLP, is a simple character substitution algorithm.


Figure 7. Cipher scheme used to decode URL

Several pieces of malware are dropped in this attack:


Figure 8. Attack scenario

Conclusion

Redkit has been available since early 2012 and still propagates in the same way: hacked sites with a malicious iframe redirect to the exploit kit landing page, as we observed in this case, and then plugin detection scripts are used for fingerprinting, just like other exploit kits.

Recently, we have observed landing pages with the following URI patterns:

  • [REMOVED]. [REMOVED]/hfiv.htm
  • [REMOVED]. [REMOVED]/hmtg.htm
  • [REMOVED].[REMOVED]/hmtg.htm

Redkit has started deploying JAR files using JNLP script as a plugin to load them. The dropped JAR files have numbered names such as 11.jar or 123.jar. The JAR files are obfuscated and exploit the latest Java vulnerabilities. The payload for these files is encrypted.
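The delivery chain described above (landing page, JNLP loader, short-named JAR, encrypted payload) can be spotted in web proxy logs. The following is an added example, not Symantec's or Redkit's code: the URI patterns come from this post, while the log format, hostnames, client IPs and the JNLP file name are constructed for illustration.

```python
"""Flag clients whose proxy requests follow the Redkit chain: landing page -> JNLP -> JAR.

Patterns taken from the post: four-letter .htm/.html landing pages (abcd.html,
hfiv.htm, hmtg.htm), two-character or numbered JAR names (8o.jar, sj.jar, 11.jar,
123.jar) and a numbered .html payload URL (19.html). Everything else is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage classifiers for the request path (anchored so they match whole paths only)
LANDING_RE = re.compile(r"^/[a-z]{4}\.html?$")             # /abcd.html, /hfiv.htm
JAR_RE = re.compile(r"^/(?:[a-z0-9]{2}|\d{2,3})\.jar$")   # /8o.jar, /sj.jar, /123.jar
PAYLOAD_RE = re.compile(r"^/\d{1,3}\.html?$")             # /19.html (encrypted payload)
JNLP_MIME = "application/x-java-jnlp-file"                # standard JNLP media type


def classify(path):
    """Map a URL path to a Redkit stage name, or None if it matches nothing."""
    if LANDING_RE.match(path):
        return "landing"
    if JAR_RE.match(path):
        return "jar"
    if PAYLOAD_RE.match(path):
        return "payload"
    return None


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status> <content-type>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "host": u.hostname,
            "path": u.path, "status": int(status), "ctype": ctype}


def find_redkit_chains(lines):
    """Return {client_ip: {"host":..., "stages": [...]}} for every client that
    fetched a landing page and later a short-named JAR from the same host.
    A lone four-letter .htm is far too common to alert on; the ordered chain is
    what makes this specific."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = "jnlp" if rec["ctype"] == JNLP_MIME else classify(rec["path"])
        if stage:
            per_pair[(rec["client"], rec["host"])].append(stage)
    hits = {}
    for (client, host), stages in per_pair.items():
        if "landing" in stages and "jar" in stages and stages.index("landing") < stages.index("jar"):
            hits[client] = {"host": host, "stages": stages}
    return hits


# Constructed sample log: one client hit by the full chain, one benign client.
SAMPLE_LOG = """\
2013-06-26T10:00:01 10.0.0.5 GET http://www.compromised-site.test/js/jquery.min.js 200 application/javascript
2013-06-26T10:00:02 10.0.0.5 GET http://landing.example.test/abcd.html 200 text/html
2013-06-26T10:00:03 10.0.0.5 GET http://landing.example.test/launch.jnlp 200 application/x-java-jnlp-file
2013-06-26T10:00:04 10.0.0.5 GET http://landing.example.test/8o.jar 200 application/java-archive
2013-06-26T10:00:05 10.0.0.5 GET http://landing.example.test/19.html 200 application/octet-stream
2013-06-26T10:01:00 10.0.0.9 GET http://intranet.example.test/home.html 200 text/html
2013-06-26T10:01:05 10.0.0.9 GET http://cdn.example.test/app.jar 200 application/java-archive
"""

if __name__ == "__main__":
    for client, info in find_redkit_chains(SAMPLE_LOG.splitlines()).items():
        print(client, info["host"], " -> ".join(info["stages"]))
```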

Redkit exploits several Java vulnerabilities:

Redkit is known to drop:

Symantec blocked approximately 150,000 Redkit attacks last month.


Figure 9. Geographical distribution of attacks

The North American, European, and USSR regions are the most affected geographical areas. The motive for these attacks is generally compromising users for monetary benefit. Recently, these attacks have also targeted organizations in order to steal intellectual property.

Protection

The good news is that Symantec provides comprehensive protection for Redkit attacks, and customers with updated intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, protecting users against the most common Internet attacks.

Symantec has the following protection in place to protect customers from this attack:

Intrusion prevention:

Antivirus:

Rise of the Java Remote Access Tools

We recently came across an attack campaign which looked quite unusual compared to the standard attacks normally seen in the wild. This campaign is targeting government agencies by sending phishing emails with a malicious attachment. Nothing new so far,…

Spammers Playing in Wimbledon Court

The 127th edition of the Wimbledon Championships, and the third Grand Slam event of the year, is coming to an end with the final being played July 7. When it comes to major sporting events we can expect a large amount of gambling, and spammers take advantag…

Google Play ???? Android ??????

As we reported in a recent blog, keeping malicious apps out of app stores is difficult. Today, Symantec’s automated system found another example of a misleading app published on Google Play.

This app is called Next Launcher 3D Pro and claims to be a free version of the legitimate Next Launcher 3D app, which is also published on Google Play. On inspection, the app has an obvious feature that immediately looks wrong: the developer of the legitimate version, Go Launcher Dev Team, is different from the developer of the supposed free version, TuranPercin. When the fake app is installed, it explains that the user must view several pages of advertisements before using the app for free.

Figure 1. Installation screen

Only after the ads have been displayed does the malicious app proceed to download and ask the user to install the paid version of Next Launcher 3D, but because that app is protected by the Google Application Licensing service, this does not work properly.

Figure 2. Message displayed by the legitimate Next Launcher 3D app

Symantec has identified a further 752 apps that use the same trick to deceive users into installing fake versions of legitimate apps. Only one such app was identified on Google Play, and we have notified Google that it is published.

We recommend installing a security app such as Norton Mobile Security, which detects this app as Android.Fakeapp.

For general tips on keeping smartphones and tablets safe, see the Mobile Security website (in English).

* To subscribe to the RSS feed of the Japanese Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Another Fake Application for Android Found on Google Play

Recently we released a blog talking about the difficulties of keeping app stores free of malicious applications. Today our automated system flagged yet another example of a misleading application that was posted on the Google Play store.
The applicatio…