Be honest. Do you really read the warning messages that your browser displays to you? Or do you blindly click the phishing site warnings or the SSL mismatch dialog away? Apparently most users don’t seem to care too much about those warnings and c…
Improving effectiveness of phishing bait is always at the top of any phishers’ agenda. They prefer to use bait that reflects enticing subjects in order to catch the attention of as many users as possible. Recently, we have seen phishers moving one step ahead. In addition to having eye-catching bait, they are compelling users to spread the word. In today’s example, phishers used free cell phone airtime as the phishing bait.
The phishing site requested Indian Facebook users to verify their account by entering their login credentials in order to get the fake offer of free cell phone airtime. But phishers, not content with just duping one user and eager to target even more, start off by saying the offer is only valid after posting this same offer on the profile pages of a number of friends. Phishers devised this strategy because obviously receiving messages from friends is more convincing than from unknown sources. The method phishers are using in effect enlists unsuspecting users into spamming for them.
Figure 1. Facebook account verification
Figure 2. “Like us” enticement
Figure 3. Sharing enticement
Figure 4. Sharing enticement and personal information request
The first page of the phishing site asked users to verify their Facebook account. Users were then alerted that all information should be entered correctly. The second page of the phishing site displayed an image of a selection of Indian cell phone network operators. The phishing page stated that free airtime worth “Rs. 500” is available from the offer after following four additional steps. The steps were essentially to like, subscribe, share, and post the offer to at least 10 friends. Finally, in order to complete the process, the phishing site asked users for personal information including name, email address, cell phone number, network operator, and cellular zone. If any user fell victim to the phishing site, phishers would have successfully stolen personal user information for identity theft.
Users are advised to follow best practices to avoid phishing attacks:
En el panorama actual de amenazas las divisiones entre las herramientas cibernéticas de investigación y las de espionaje se vuelven cada vez más borrosas. El descubrimiento reciente de dos nuevas amenazas es un hecho que confirma …
In a previous blog, we talked about the rise of remote access tools (RAT) written in Java that are capable of running on multiple operating systems. With the growing popularity of the Android operating system, it comes as no surprise that the Android O…
Cloud-based online services are useful tools for many enterprises, allowing them to coordinate their teams, share information and enable discussions within groups. However, companies should be sharply aware of how they manage their privacy settings for…
In the vein of fake computer lockers everywhere, such as the Trojan.Ransomlock, Trojan.Fakeavlock, and Trojan.Winlock families, comes Trojan.Shadowlock. Unlike any of its predecessors however, this malware “encourages” users to fill out an online survey instead of outright demanding an online payoff. Online surveys in general return very little money, but they do eventually add up in the long run. In this case, it turns out the malware author has a sense of humor and left in a certain Easter egg for reverse engineers to find. The Easter egg is a sound bite of the famous five-tone motif from the movie Close Encounters of the Third Kind. The sound is iconic and has been used many times in all kinds of media. In this case, the malware author decided to implement it as part of the way the malware compromises the user’s computer.
Once executed, the user will be shown a popup box.
Figure 1. Popup box to unlock computer
This box will stay on the screen, but can be moved around. If the user attempts to close the box by clicking the X button, the program interprets this as a failed unlock attempt. Attempts to disable the malware through various tools like Task Manager, Command Prompt, PowerShell, Regedit, or MSConfig will be denied by the Trojan. Even tying to launch a restore point will be stopped by Trojan.Shadowlock. After three failed attempts to input the unlock code, the threat will shut down the system. Once the user restarts their computer, the popup box will return after 20 seconds. This provides the user 20 seconds to utilize the previously mentioned tools to neutralize the threat. It seems that this particular malware author is not that destructive. If the user chooses to take the survey, they will be presented with a list of different surveys to choose from.
Figure 2. Survey list
A closer look at the code reveals a few interesting tidbits. One, it has been created using .NET and requires at least version 2.0 of the .NET framework to be installed in order to function properly. By reviewing it with a .NET decompiler, we can see the inner workings of Trojan.Shadowlock.
Figure 3. Top layer of Trojan.Shadowlock
The top layer of Trojan.Shadowlock deals with decrypting resources. After decryption, upon analyzing the resource Loqvd, we found that it contains several functions including BotKill() and EraseStartup() which are never used by the threat. However, other functions, like ones used to decompress files, are used by the threat. The top layer is used to decrypt all three resources. Afterwards, Loqvd is then used to decompress the decrypted versions of Egg and Iudu resources. The main payload is in the Iudu resource. The author more than likely knows that .NET executables can be decompiled like this and added one more layer in an attempt to make analysis more difficult.
Figure 4. Iudu resource decrypted and uncompressed
Looking at the Iudu resource we find obfuscation similar to that used by JavaScript threats, and it can be de-obfuscated in a similar fashion. After some time, Shadowlock finally reveals some of its capabilities. The threat can do several things, such as killing popular browsers (Firefox, Chrome, Internet Explorer, Safari, and Opera) and disabling certain system tools. It can also eat up any available disk space and disable the Windows firewall. It can even redirect users to websites with shocking content through the default Web browser. On a more playful note, the threat can also swap mouse buttons, open the CD tray, or launch basic OS apps like Calculator or MS Paint.
Interestingly enough, a vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak. These functions (as well as others) may find themselves being used in a future variant. At Symantec, we protect our customers by detecting this threat as Trojan.Dropper, Trojan Horse, or Trojan.Shadowlock. According to our telemetry, this threat is not widespread. Be advised however, if you see your CD tray opening and hear eerie theme music, you may be experiencing a close encounter of the Shadowlock kind.
A serious Android vulnerability, set to be disclosed at the Blackhat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.
Android appli…
Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 36 vulnerabilities. 24 of this month’s issues are rated ’Critical’.
As always, customers are advised to follow these security best practices:
Microsoft’s summary of the July releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jul
The following is a breakdown of the issues being addressed this month:
MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)
TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical
A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.
Array Access Violation Vulnerability (CVE-2013-3131) MS Rating: Critical
A remote code execution vulnerability exists in the way the .NET Framework handles multidimensional arrays of small structures.
Delegate Reflection Bypass Vulnerability (CVE-2013-3132) MS Rating: Important
An elevation of privilege vulnerability exists in the way that the .NET Framework validates the permissions of certain objects performing reflection. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Anonymous Method Injection Vulnerability (CVE-2013-3133) MS Rating: Important
An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for objects involved with reflection.
Array Allocation Vulnerability (CVE-2013-3134) MS Rating: Critical
A remote code execution vulnerability exists in the way that the .NET Framework allocates arrays of small structures.
Delegate Serialization Vulnerability (CVE-2013-3171) MS Rating: Important
An elevation of privilege vulnerability exists in the way that the .NET Framework validates permissions for delegate objects during serialization.
Null Pointer Vulnerability (CVE-2013-3178) MS Rating: Important
A remote code execution vulnerability exists in the way Silverlight handles a null pointer.
MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
Win32k Memory Allocation Vulnerability (CVE-2013-1300) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
Win32k Dereference Vulnerability (CVE-2013-1340) MS Rating: Important
An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
Win32k Vulnerability (CVE-2013-1345) MS Rating: Important
An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical
A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.
Win32k Use After Free Vulnerability (CVE-2013-3167) MS Rating: Important
An information disclosure vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
Win32k Buffer Overflow Vulnerability (CVE-2013-3172) MS Rating: Moderate
A denial of service vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
Win32k Buffer Overwrite Vulnerability (CVE-2013-3173) MS Rating: Important
An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
Win32k Read AV Vulnerability (CVE-2013-3660) MS Rating: Critical
An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
TrueType Font Parsing Vulnerability (CVE-2013-3129) MS Rating: Critical
A vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TrueType font files. The vulnerability could allow a remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.
MS13-055 Cumulative Security Update for Internet Explorer (2846071)
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3115) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3143) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3144) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3145) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3146) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3147) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3148) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3149) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3150) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3151) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3152) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3153) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3161) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3162) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3163) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3164) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Shift JIS Character Encoding Vulnerability (CVE-2013-3166) MS Rating: Important
A cross-site-scripting (XSS) vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow an information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)
DirectShow Arbitrary Memory Overwrite Vulnerability (CVE-2013-3174) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft DirectShow parses GIF image files. This vulnerability could allow a remote code execution if a user opened a specially crafted GIF file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)
WMV Video Decoder Remote Code Execution Vulnerability (CVE-2013-3127) MS Rating: Critical
A remote code execution vulnerability exists in the way Windows Media Format Runtime handles certain media files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to open a specially crafted media file. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)
Microsoft Windows 7 Defender Improper Pathname Vulnerability (CVE-2013-3154) MS Rating: Important
This is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
On June 26, we observed an exploit kit attack on the Segway website. Symantec has notified Segway about the attack and Segway has since taken steps to ensure their website is no longer compromised. This blog will look at the details of an attack using the Redkit exploit kit.
Code is injected into a jQuery script.
Figure 1. jQuery script with code injection
The malicious code is present in the jquery.min.js JavaScript.
Figure 2. Malicious code in jquery.min.js
The injected JavaScript decodes to a malicious iframe, which redirects to a landing page. This also sets up a cookie after the redirection so that users are not compromised more than once.
Decodes to:
Figure 3. JavaScript decodes to a malicious iframe
The iframe redirects to a Redkit landing page:
The landing page loads the Java Network Launch Protocol (JNLP) to call the malicious JAR files. On successful exploitation, the JAR files use “Open Connection” and receives the URL from “param value=” in an obfuscated manner.
Figure 4. Obfuscated URL received from “param value=”
The encoded string resolves to:
The JNLP script is used to deploy malicious JAR files on user’s computer.
Figure 5. JNLP script used to deploy malicious JAR files
The URI for the JAR files:
Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and employ cipher schemes to decrypt it.
The JAR files used in this attack use a Java type confusion vulnerability (CVE-2012-1723)
Figure 6. Java type confusion being exploited
The cipher scheme used to decode the URL, passed as param through JNLP, is a simple character substitution algorithm.
Figure 7. Cipher scheme used to decode URL
Several pieces of malware are dropped in this attack:
Figure 8. Attack scenario
Redkit has been available since early 2012 and still propagates in the same way: Hacked sites with a malicious iframe redirect to the exploit kit landing page, as we have observed in this case, and then plugin detect scripts are used for fingerprinting just like other exploit kits.
Recently, we have observed landing pages with the following URI patterns:
Redkit has started deploying JAR files using JNLP script as a plugin to load them. The dropped JAR files have numbered names such as 11.jar or 123.jar. The JAR files are obfuscated and exploit the latest Java vulnerabilities. The payload for these files is encrypted.
Redkit exploits several Java vulnerabilities:
Redkit is known to drop:
Symantec blocked approximately 150,000 Redkit attacks last month.
Figure 9. Geographical distribution of attacks
North American, European, and USSR regions are the most affected geographical areas. The motive for these attacks is generally compromising users for monetary benefits. Recently, these attacks have targeted organizations in order to steal intellectual property.
The good news is that Symantec provides comprehensive protection for Redkit attacks, and customers with updated intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, protecting users against the most common Internet attacks.
Symantec has the following protection in place to protect customers from this attack:
Intrusion prevention:
Antivirus: