With the RSA Conference and Security B-Sides San Francisco just around the corner, I’d like to invite readers of the blog to a webinar I’m cohosting tomorrow morning with Sonicwall’s Daniel Ayoub. The talk, titled Today’s Threats Are Overachievers–Are You Prepared to Respond, will feature a deep dive into examples of really fresh malware attacks and their aftermath.
The talk topic is especially intriguing because Sonicwall’s technology is capable of eliminating the vast majority of known threats that traverse a network. However, modern threats evolve more rapidly than the speed at which even the best systems can adapt and block those threats. Those infections which make it through the sieve are more dangerous, because once they run the gauntlet, their presence may remain concealed for some time, posing an ever-greater risk. The current threat climate is such that being prepared to respond to an attack is fast becoming a requirement, a must-do rather than a nice-to-do. Having a complete, easily searched, reconstructable record of network traffic makes it easy to answer the “how long” and “what was stolen” questions that keep IT people awake at night.
If you’re interested in learning about the intersection of social engineering and malware techniques, and what you can do about it, come and check it out. For those following along on Twitter, please use the hashtag #solera if you post about it. Thanks!
A small trickle of badly-malformed spam email turned into a flood last week as hundreds of copycat messages per minute flooded inboxes we use to collect samples. The malware delivered by the spammed links isn’t your garden variety bank phishing Trojan. This one has its eyes on a specific prize: It wants the credentials for online banks that cater specifically to business users — both the employees’ passwords and those of the banks’ customers.
The campaign, covered in its early stages in the previous post, employs Google’s shortlinking service, goo.gl. The exploit, delivered at the other end of that shortlink, rapidly snares victims. In several test runs, the victim computer was infected in well under 30 seconds.
The first malware payload appears to function as a traffic controller of sorts, helping guide additional payloads to the victim PC. It does this work at the behest of a botmaster using 95.57.120.104, an IP address that geolocation services place in Kazakhstan. The malware communicates with its command-and-control server using SSL encryption, but we have a secret weapon: We can decrypt your CnC traffic, and we see what you did here.
LinkedIn Blackhole Spam Fails the Smell Test
Looks like someone’s spam campaign got up on the wrong side of the bed this morning: A badly malformed message appears to be trying to convince the reader it originates with LinkedIn, the business-centric social network.
Hardly any message at all, the spam body consists entirely of ReportIDA161580AD75, which precedes a goo.gl shortlink. The laughable pidgin-English quality of the spam’s subject – last login was Failed xxxxxxxxxxxxx — breaks the illusion completely. The fact that whoever sent this didn’t even try to mask the message’s true origin (a Yahoo mail account) just makes this kind of sad, really.
And yet, on any campaign such as this, some people will be taken in by this phony, broken-down soundstage of a ruse, peeling paint and all. When that happens, when those likely victims click the wrong link in the wrong spam, on a computer with a vulnerable browser, and do so quickly enough to hit the malicious Web site while it’s still online, well, it’s a bit like this.
Digitally Signed Rogues: As Dumb As The Rest
Both the installer and payloads of a rogue system utility named System Restore (a type of fraudulent software that, in this case, is named exactly like the Windows system utility) sport an unusual characteristic: a digital signature. Digitally signed Trojans such as these are less rare than they used to be, but still unusual, so it was notable that the entire soup-to-nuts infection package being delivered to victims since November uses signed executables.
The rogue installer was delivered by a spam email claiming to originate with the US postal service. The message’s attachment is, allegedly, a PDF document with details about a failed delivery. Of course, as you can see at right, the “PDF documents” are just executable files with an Adobe Reader icon (from the Adobe Reader program, not the icon used by a real PDF document).
One theory that attempts to explain why they’d go to the trouble goes something like this: Some network admins set security policies that only permit digitally-signed executable files to traverse the networks they control. But these policies don’t actually check the validity of the certificates, only that the code itself is signed. Therefore, even invalidly-signed code could, in this hypothetical situation, bypass this rudimentary policy check.
I’m not sure I buy into that. I want to believe that CSOs and IT admins know that such a policy is brain-dead, but you have to assume there’s a reason the malware creator would go to the trouble to generate crypto keys and go through the signing process. However, because we’re talking about subgenius-class malware creators here, it’s not as if this new “feature” bypasses any real security checks. In fact, the certificate is demonstrably false, but it’s only clear this is the case if you go looking for the information.
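As an added illustration of the policy gap described above (this is example code, not anything from the post or from the rogue itself): the weak check accepts any file that merely carries a signature block, while the second function requires the signature to actually verify and, optionally, to come from an allow-listed publisher. The sample path is a placeholder.

```powershell
# Added example: "is it signed?" versus "is the signature valid and trusted?"
# The file path below is a placeholder, not a real sample from the campaign.

function Test-IsMerelySigned {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    # Weak policy: passes any file that has a signature block at all, even
    # one that is self-signed, expired, revoked, or whose hash no longer matches.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($null -ne $sig.SignerCertificate)
}

function Test-IsValidlySigned {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedPublishers = @()   # substrings of subject DNs you trust
    )
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signed hash AND the certificate
    # chain builds to a trusted root. NotSigned, NotTrusted, HashMismatch and
    # UnknownError all fail closed.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "status=$($sig.Status)" }
    }
    # A chain to some trusted CA is still not a reason to trust the code: pin the
    # publisher when the policy has an allow-list.
    $subject = $sig.SignerCertificate.Subject
    if ($AllowedPublishers.Count -gt 0 -and
        -not ($AllowedPublishers | Where-Object { $subject -like "*$_*" })) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "publisher not allow-listed: $subject" }
    }
    return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "valid signature from $subject" }
}

# Usage on a quarantined attachment (placeholder path and publisher list):
$sample = 'C:\Quarantine\USPS_Delivery_Notice.pdf.exe'
"Merely signed: $(Test-IsMerelySigned -Path $sample)"
Test-IsValidlySigned -Path $sample -AllowedPublishers @('O=Microsoft Corporation')
```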
Security Resolutions for 2012 and Beyond
Welcome back to the office, everyone (except postal and some bank workers). The first Monday after the new year is a great time to jot down a quick list of business-related resolutions. You can even put them into your calendar app, if you’re so inclined, to give yourself an extra nudge.
Here are my (security-themed) new year’s resolutions for 2012:
- I’ll change my passwords at least once a month
This one could be tough, though remembering to do it isn’t the hard part: I’m going to schedule the reminder in my phone’s calendar. For my own sake, the password itself has to meet some stringent standards, including a minimum length and some diversity of character types. What’s tough is the sheer number of passwords this entails. I already use a different password for each of my various online accounts, but the idea of changing them all, so often, seems daunting.
It has to be done, but fortunately, you don’t have to do it alone. In my case, I’m also going to rely heavily on a biometric finger scanner, helpfully preinstalled in the bezel of my laptop, and some third-party password manager software to keep up. You could also use a password manager like KeePass, which lets you set an optional password “best before” date, to keep you honest.
I’m doing this today, so listen up, any criminals who might have been handed on a platter (ahem, stolen) or audio-captcha-cracked any of my “victim test account” passwords: use ’em if you got ’em.
A Visit from Cyber Nicholas
’Twas the night before Christmas, and all over the ’net
hardly a packet was stirring; Well…’bout 6 gigs a sec.
The Internet background noise whizzes nonstop
– even after the last Admin has punched off the clock.
But buried deep in that noise was a stray protocol.
A command-and-control message within the firewall.
A lone zombie replies to a ping and chirps out
secret signals, to a group who carry some clout.
Legion elves, running ops, scan the networks they’ve pwned;
Seek out mischief, find the troublemakers entrenched in their zones.
With this singular mission they tap at their keys,
and run nmap with umit, and Nessus, as they please.
While sniffing the wires and logging results,
the elf Red Team trades barbs and exchanges insults.
Not with other elves, but with their botmaster rivals,
who work feverishly to pump out some network denials.
For the malware guys knew Santa’s spies were inside,
and they knew their activities they couldn’t hide.
The fat man frowns on phishing, spam attacks,
and false accusations of unpaid income tax.
The bad guys fired off withering DDoS volleys
hoping their adversaries wouldn’t recover from the follies.
But the wily elves weren’t put off by that distraction,
and launched, in return, their own group action:
A packet flood of Christmas cheer so profound
it drove the cybercriminals deeper underground.
It killed all their malware, delisted bad ISPs,
and brought the miscreant operators to their knees.
And today we give thanks to those noble cyberelves,
who took it upon their little elf-hatted selves
to do battle with bad nerds in the middle of the night,
so we could sleep soundly, for once, and with no end in sight.
– Andrew Brandt
(with apologies to Clement Clarke Moore)
If you know me, you know I’m not really prone to spreading security FUD. I’ve been asked to prognosticate a bit about the near-term future, and I have to say, without intending to sound like a fearmonger, the next year is shaping up to be pretty messy from a security perspective. I have a hard time finding any silver linings to the massive storm clouds that seem to hang all around and on top of us.
Right now, the climate for attacks is just brutal. Based on what I’ve been seeing since Halloween, if the pace and volume of attacks keep up, the coming year doesn’t look like it’s going to be pretty. Rampant spam-driven attacks, multiple manifestations of classic social engineering scams, corporate espionage, and malware malware malware look to be on the table for 2012. It was hard to winnow my worst-of-the-worst list down to only five items, but I had to draw the line somewhere, and it seems like a nice, round number.
So, with that in mind, click through the jump to read my top five threats to watch for in 2012.
Someone in the office stumbled upon the domain name Firefox.io and passed the info along to me. Apparently, the person had mistyped the domain name of a Web site (one unrelated to Firefox), adding an additional character. The domain he ended up on was parked (registered but unused); however, one of the ads that loaded on the parked page opened a popunder ad, which redirected this person’s browser to a page on Firefox.io.
This is what he found. I dunno…looks bogus to me. It resembles a really, really out of date Firefox installer download page.
The .io top-level domain, by the way, belongs to the British Indian Ocean Territories, and its TLD is administered from a charming village in England. At least, that’s where they pick up their mail. Not so with Firefox.io.
We’re putting out a warning today to business owners and employees of both large and small businesses that spammers are now targeting you for infection with malware. In the past few days, we’ve seen a number of email messages in the guise of reports from the Better Business Bureau that claim a complaint has been filed against the email recipient’s company. A link in the message points to drive-by download sites which use a number of different exploits against your computer’s browser and other applications to force the computer to download and execute a Trojan installer.
The messages started showing up in inboxes this week, “signed with the address of the Council of Better Business Bureaus, the national office of the BBB system,” says the BBB announcement, and from email addresses the BBB does not use, such as risk.manager@bbb.org or manager@bbb.org. The messages, which sometimes include a fictitious case number in the subject line, deliver the following example of complete tripe:
Subject: BBB Complaint activity report
The Better Business Bureau has been filed the above-referenced complaint from one of your associates concerning their business relations with you.
The details of the consumer’s concern are explained in enclosed file.
Please give attention to this issue and inform us about your standpoint.
We encourage you to click here to answer this complaint.We look forward to your prompt response.
Seriously? The Better Business Bureau has been filed the above-referenced complaint? How’d they get that whole agency into a file cabinet? And does the so-called complaint come from “one of [my] associates” or a “consumer?” This spam has more grammatical fail per square inch than I’ve seen in a while.
Looking more closely at the linked click here text, it’s clear that the URL does not point to the BBB.org Web site, but to one of a number of IP addresses or unrelated domain names. The URL path almost always contains six random alphanumeric characters, another giveaway.
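The two giveaways just described, a link that does not land on bbb.org and a six-character random segment in the path, can be turned into a quick triage check. The function below is an added example, not part of the post; the message body it runs on is constructed, and 203.0.113.7 is a documentation-range address standing in for whatever IP the real links used.

```powershell
# Added example: flag "BBB" links that do not point at bbb.org, with the
# supporting tells the post mentions. Sample body below is constructed.

function Get-SuspiciousBbbLinks {
    param([Parameter(Mandatory)][string]$Body)
    $urls = [regex]::Matches($Body, 'https?://[^\s"''<>]+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        $uri = [System.Uri]$u
        # Genuine BBB links live under bbb.org; anything else is off-brand.
        $onBbb = ($uri.Host -eq 'bbb.org') -or $uri.Host.EndsWith('.bbb.org')
        if ($onBbb) { continue }
        $reasons = @("host $($uri.Host) is not bbb.org")
        # A bare IP address as the host is a classic drive-by-download tell.
        if ($uri.HostNameType -eq [System.UriHostNameType]::IPv4) { $reasons += 'bare IP host' }
        # The campaign's paths almost always carry a six-character alphanumeric segment.
        if ($uri.AbsolutePath -match '(^|/)[A-Za-z0-9]{6}(/|\.|$)') { $reasons += 'six-char random path segment' }
        [pscustomobject]@{ Url = $u; Reasons = ($reasons -join '; ') }
    }
}

# Constructed message body in the shape of the spam quoted above.
$sample = @"
Subject: BBB Complaint activity report
We encourage you to click here http://203.0.113.7/k7Hq2z/index.php to answer this complaint.
Reference: https://www.bbb.org/complaints
"@

# Only the first link is reported; the bbb.org link passes.
Get-SuspiciousBbbLinks -Body $sample | Format-Table -AutoSize
```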