User Ignorance of Cloud Services Poses a Data Leak Challenge

Cloud-based online services are useful tools for many enterprises, allowing them to coordinate their teams, share information and enable discussions within groups. However, companies should be sharply aware of how they manage their privacy settings for…

avast! Mobile Security gets Editors’ Choice Award from PC Magazine

PC Magazine awarded avast! Mobile Security the Editors’ Choice Award for free Android security apps thanks to its “huge array of powerful tools and fine-grained controls.” A major concern for smartphone owners is the increasing threat of malicious software targeting Android OS. Max Eddy, software analyst for PC Magazine, writes that, “avast! is well-positioned to guard […]

The Silver Lining: How To Empower Your Child to Use Technology Responsibly

As digital immigrants we spend a lot of time trying to understand the dangers of technology. We make it our priority to keep our future generations—and inherent digital natives—safe. We tell them not to say anything online that they wouldn’t say in person, we delete inappropriate applications from their smartphones, and we work hard to Read more…

Great ‘Texpectations:’ Teaching Kids Balance, Safety in Texting

Does your child show symptoms of the latest digital affliction? Does she experience anxiety, an increased heart rate, diminished attention span, and sporadic outbursts of crying or anger while she waits for her next text? Far from official, we’ve decided to call this highly annoying—albeit treatable—condition “great texpectations.” That’s right. It’s the feeling of Read more…

What Master Key? – Android Signature Bypass Vulnerability

Recently, a vulnerability in Android package signature verification was announced by Jeff Forristal, CTO of Bluebox Security. Jeff plans on revealing details at the upcoming BlackHat Briefings at the end of this month. Though he has not released any details on his findings beyond the initial blog post, more information is becoming available on how Read more…

Close Encounters of the Shadowlock Kind

In the vein of fake computer lockers everywhere, such as the Trojan.Ransomlock, Trojan.Fakeavlock, and Trojan.Winlock families, comes Trojan.Shadowlock. Unlike any of its predecessors however, this malware “encourages” users to fill out an online survey instead of outright demanding an online payoff. Online surveys in general return very little money, but they do eventually add up in the long run. In this case, it turns out the malware author has a sense of humor and left in a certain Easter egg for reverse engineers to find. The Easter egg is a sound bite of the famous five-tone motif from the movie Close Encounters of the Third Kind. The sound is iconic and has been used many times in all kinds of media. In this case, the malware author decided to implement it as part of the way the malware compromises the user’s computer.

Technical details

Once executed, the Trojan shows the user a popup box.


Figure 1. Popup box to unlock computer

This box will stay on the screen, but can be moved around. If the user attempts to close the box by clicking the X button, the program interprets this as a failed unlock attempt. Attempts to disable the malware through various tools like Task Manager, Command Prompt, PowerShell, Regedit, or MSConfig will be denied by the Trojan. Even trying to launch a restore point will be stopped by Trojan.Shadowlock. After three failed attempts to input the unlock code, the threat will shut down the system. Once the user restarts their computer, the popup box will return after 20 seconds. This gives the user 20 seconds to use the previously mentioned tools to neutralize the threat. It seems that this particular malware author is not that destructive. If the user chooses to take the survey, they will be presented with a list of different surveys to choose from.


Figure 2. Survey list

A closer look at the code reveals a few interesting tidbits. One, it has been created using .NET and requires at least version 2.0 of the .NET framework to be installed in order to function properly. By reviewing it with a .NET decompiler, we can see the inner workings of Trojan.Shadowlock.


Figure 3. Top layer of Trojan.Shadowlock

The top layer of Trojan.Shadowlock deals with decrypting resources. After decrypting and analyzing the resource Loqvd, we found that it contains several functions, including BotKill() and EraseStartup(), which are never used by the threat. However, other functions, such as the ones used to decompress files, are used by the threat. The top layer decrypts all three resources. Afterwards, Loqvd is used to decompress the decrypted versions of the Egg and Iudu resources. The main payload is in the Iudu resource. The author more than likely knows that .NET executables can be decompiled like this and added one more layer in an attempt to make analysis more difficult.


Figure 4. Iudu resource decrypted and uncompressed

Looking at the Iudu resource we find obfuscation similar to that used by JavaScript threats, and it can be de-obfuscated in a similar fashion. After some time, Shadowlock finally reveals some of its capabilities. The threat can do several things, such as killing popular browsers (Firefox, Chrome, Internet Explorer, Safari, and Opera) and disabling certain system tools. It can also eat up any available disk space and disable the Windows firewall. It can even redirect users to websites with shocking content through the default Web browser. On a more playful note, the threat can also swap mouse buttons, open the CD tray, or launch basic OS apps like Calculator or MS Paint.

Interestingly enough, the vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak. These functions (as well as others) may find themselves being used in a future variant. At Symantec, we protect our customers by detecting this threat as Trojan.Dropper, Trojan Horse, or Trojan.Shadowlock. According to our telemetry, this threat is not widespread. Be advised however, if you see your CD tray opening and hear eerie theme music, you may be experiencing a close encounter of the Shadowlock kind.

When Should Your Child Join Social Sites?

Sometimes I wish there was a comprehensive handbook given to every parent when they leave the hospital with their new bundle. A real ‘how-to’ guide that provided concrete, black and white rules that you simply needed to implement to have a stress-free experience with your child. How I wish!! But instead we have to Read more…

Android Vulnerability Allows App Hijacking

A serious Android vulnerability, set to be disclosed at the Blackhat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.
Android appli…

Microsoft Patch Tuesday – July 2013

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 36 vulnerabilities. 24 of this month’s issues are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the July releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jul

The following is a breakdown of the issues being addressed this month:

  1. MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Array Access Violation Vulnerability (CVE-2013-3131) MS Rating: Critical

    A remote code execution vulnerability exists in the way the .NET Framework handles multidimensional arrays of small structures.

    Delegate Reflection Bypass Vulnerability (CVE-2013-3132) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates the permissions of certain objects performing reflection. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    Anonymous Method Injection Vulnerability (CVE-2013-3133) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for objects involved with reflection.

    Array Allocation Vulnerability (CVE-2013-3134) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the .NET Framework allocates arrays of small structures.

    Delegate Serialization Vulnerability (CVE-2013-3171) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for delegate objects during serialization.

    Null Pointer Vulnerability (CVE-2013-3178) MS Rating: Important

    A remote code execution vulnerability exists in the way Silverlight handles a null pointer.

  2. MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

    Win32k Memory Allocation Vulnerability (CVE-2013-1300) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Dereference Vulnerability (CVE-2013-1340) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Vulnerability (CVE-2013-1345) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Win32k Use After Free Vulnerability (CVE-2013-3167) MS Rating: Important

    An information disclosure vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Buffer Overflow Vulnerability (CVE-2013-3172) MS Rating: Moderate

    A denial of service vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Buffer Overwrite Vulnerability (CVE-2013-3173) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

    Win32k Read AV Vulnerability (CVE-2013-3660) MS Rating: Critical

    An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

  3. MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)

    TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical

    A vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

  4. MS13-055 Cumulative Security Update for Internet Explorer (2846071)

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3115) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3143) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3144) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3145) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3146) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3147) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3148) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3149) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3150) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3151) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3152) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3153) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3161) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3162) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3163) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3164) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Shift JIS Character Encoding Vulnerability (CVE-2013-3166) MS Rating: Important

    A cross-site-scripting (XSS) vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow an information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.

  5. MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)

    DirectShow Arbitrary Memory Overwrite Vulnerability (CVE-2013-3174) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft DirectShow parses GIF image files. This vulnerability could allow a remote code execution if a user opened a specially crafted GIF file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  6. MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)

    WMV Video Decoder Remote Code Execution Vulnerability (CVE-2013-3127) MS Rating: Critical

    A remote code execution vulnerability exists in the way Windows Media Format Runtime handles certain media files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to open a specially crafted media file. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  7. MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

    Microsoft Windows 7 Defender Improper Pathname Vulnerability (CVE-2013-3154) MS Rating: Important

    This is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
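A check a patch administrator would run against this list, added here as an example and not part of the original post: it queries the Windows Update Agent (the `Microsoft.Update.Session` COM object) for the seven bulletin IDs above and reports, per bulletin, whether its packages are installed, pending or not offered to this host. It assumes the host can reach Windows Update or its WSUS server, that the shell is elevated, and `Get-BulletinStatus` is a name chosen here.

```powershell
# Added example, not part of the original post: report the status of this month's
# seven bulletins on the local host through the Windows Update Agent COM API.
# Assumes the host can reach Windows Update or its WSUS server and the shell is elevated.
$Bulletins = 'MS13-052','MS13-053','MS13-054','MS13-055','MS13-056','MS13-057','MS13-058'

function Get-BulletinStatus {
    param([string[]]$Ids)

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # No IsInstalled filter: both installed and pending packages are wanted.
    $result   = $searcher.Search("Type='Software'")

    foreach ($id in $Ids) {
        # IUpdate.SecurityBulletinIDs maps each package to its MSyy-nnn bulletin(s).
        # Matching on it avoids the KB mismatch when one bulletin ships several
        # packages (MS13-052 has one package per .NET Framework version, for example).
        $pkgs = @(foreach ($u in $result.Updates) {
            $bulletinIds = @(foreach ($b in $u.SecurityBulletinIDs) { $b })
            if ($bulletinIds -contains $id) { $u }
        })

        $status = if ($pkgs.Count -eq 0) {
            # Nothing offered: not applicable to this host, or already superseded
            # by a later update (IE cumulative updates supersede each other).
            'NotOffered'
        } elseif (@($pkgs | Where-Object { -not $_.IsInstalled }).Count -gt 0) {
            'Missing'
        } else {
            'Installed'
        }

        [pscustomobject]@{
            Bulletin = $id
            Status   = $status
            Packages = $pkgs.Count
            KBs      = (@(foreach ($u in $pkgs) { foreach ($k in $u.KBArticleIDs) { "KB$k" } }) |
                        Sort-Object -Unique) -join ','
        }
    }
}

Get-BulletinStatus -Ids $Bulletins | Format-Table -AutoSize
```

A status of NotOffered means the agent has no package for that bulletin on this host, which happens when the update does not apply or has been superseded, so it is not by itself proof of exposure.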

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Internet Browser Cookies: Nothing Like Those Delicious Things Grandma Used To Make

Imagine you’re surfing the web in search of a new pair of shoes on Zappos.com. You browse the website, look over a number of tennis shoes in your size. If you already have an account, you log in and save a couple of your favorites to a wish list. Eventually, you leave the site to Read more…