Threats

Social Media Wall: TheSAS2016


Wonderful tweets and posts from Kaspersky Security Analyst Summit 2016 on Tenerife, Spain

Kaspersky Security Bulletin. Spam and phishing in 2015

The year in figures

According to Kaspersky Lab, in 2015:

- The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
- 79% of spam emails were no more than 2 KB in size.
- 15.2% of spam was sent from the US.
- 146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
- Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
- Japan (21.68%) took the lead in the ranking of unique users attacked by phishers.
- 34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).

New domain zones in spam

In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growing interest among spammers in the New gTLD program launched in 2014. The main aim of this program is to give organizations the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

In 2015, the proportion of #spam was 55.28%, down from 66.76% in 2014 #KLReport

However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on: on the whole, the domain names used in mass mailings were not related to the subject of the spam. Even now we still come across isolated cases where the connection is noticeable; for example, online dating sites are often placed in the .date zone. This lack of any connection between the domain name and the spam theme was mainly caused by the cost of new domains.
The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.

Spammer tricks: methods for expressing domain names

Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.

In 2015, 79% of spam emails were less than 2 KB in size #KLReport

In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.

Special features of the IP protocol: different IP formats

The standard way of writing IPv4 addresses is the dotted-decimal format, where the value of each byte is given as a decimal number from 0 to 255 and the bytes are separated by dots. However, there are other formats that browsers will interpret correctly: binary, octal and hexadecimal, and the dword (undotted integer) format, in which every byte of the IP address is first converted to hexadecimal, all the bytes are then concatenated into one number in the order in which they appear in the address, and that number is then converted to decimal.
All these formats can be combined by writing each part of the IP address in a different way, and the browser will still interpret it correctly. Spammers exploit these techniques: they write the same IP address in many different ways, including combinations of different formats:

- oct – hex
- oct – dword
- hex – dword

Addresses in hexadecimal format can be written with and without dots separating the numbers. Additionally, 4294967296 (256^4) can be added to the number in the integer format any number of times, and the result will still be interpreted as the same IP address.

In 2015, 15.2% of spam was sent from the US #KLReport

In the decimal format, the number 256 can be added to each part of the IP address any number of times – as long as the result remains a three-digit number, the address will be interpreted correctly. In the octal format, any number of leading zeros can be added to the IP address and it will remain valid. You can also insert any number of forward slashes in the address. Although some legitimate libraries can store IP addresses in different formats, it is prohibited to use any format other than standard dotted-decimal in a URL (i.e., in the links being referred to).

Obfuscation of an IP address, or how many ways a number can be written in Unicode

We have already written about the obfuscation of key words in spam using various Unicode ranges. The same tricks can be applied when writing IP addresses and domain names. For IP addresses, in 2015 spammers often used digits from the so-called fullwidth range. Normally this range is used with languages written in ideographic scripts, so that Latin letters and digits do not look too small and narrow next to the ideographs. We also came across digits from other ranges – circled digits, underlined digits, etc.

Obfuscation of domains

As mentioned above, this trick also works with domains, and Unicode has even more letter ranges than digit ranges.
Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing). To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated the short URL services where links to the main site were generated in large quantities.

Interpreting URL symbols

URLs contain special symbols that spammers use to add ‘noise’. Primarily, it is the @ symbol, which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name, and mass mailings where the @ symbol was preceded by a random (or non-random) sequence.

It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com.

However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains, the links in emails looked like this: http://learnmore.com-eurekastep.eu/find. If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.

In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm. In this example the “&zwj” fragment has been inserted randomly at different positions in the goo.gl domain, making the link unique in each email.
This insertion is a zero-width joiner; it is used to combine several individual characters into one glyph in Indic scripts (such as those used for Hindi) and in emoji sequences. Within a domain it obviously carries no semantic meaning; it simply obfuscates the link.

Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special character that is not visible in the text, but if a word containing it doesn’t fit at the end of a line, the part after the soft hyphen is moved to the next line while a hyphen is added to the first part. Typically, browsers and email clients ignore this character inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (in hexadecimal encoding).

As well as the soft hyphen, there are other special characters used in domains – the ordinal indicator (&ordm;) and the superscripts 1 and 2 (&sup1;, &sup2;) – which some browsers interpret as the letter “o” and the figures “1” and “2” respectively.

Reiteration of a popular domain name

Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times.

Emails without a URL

It is also worth mentioning the cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR code. Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results.

World events in spam

The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered.
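The IP-format, userinfo (@) and invisible-character tricks from the ‘Spammer tricks’ section above, worked through as an added example that is not part of the Kaspersky bulletin: a small Python normalizer that strips the characters a browser ignores, folds Unicode lookalike digits to ASCII, discards anything before @, and decodes octal, hexadecimal, dword and mixed IP literals to dotted-decimal, so a filter compares one canonical host per link. The wrap-around for +256 per part and +4294967296 on the whole number follows the bulletin’s description of lenient browser parsing; the com- label check and the sample links are constructed for this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Added example, not Kaspersky's code. Canonicalises the obfuscated link forms the
# bulletin describes so that an anti-spam filter sees one host string per link.

# Characters a browser or mail client renders as nothing inside a link: the zero-width
# joiner and soft hyphen named in the bulletin, plus ZWNJ, ZWSP and BOM (constructed extension).
INVISIBLE = {"\u200d", "\u00ad", "\u200c", "\u200b", "\ufeff"}

# Constructed heuristic for the "com-" trick: a non-final label starting with a TLD and a hyphen.
FAKE_TLD_LABEL = re.compile(r"^(com|net|org)-", re.IGNORECASE)


def clean_text(s: str) -> str:
    """Drop invisible characters and fold Unicode lookalike digits (fullwidth,
    circled, ...) and fullwidth dots to their ASCII equivalents via NFKC."""
    s = "".join(ch for ch in s if ch not in INVISIBLE)
    return unicodedata.normalize("NFKC", s)


def _component(tok: str) -> int:
    """One IPv4 component: 0x... is hex, a leading zero means octal, else decimal."""
    t = tok.lower()
    if t.startswith("0x"):
        return int(t[2:] or "0", 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)
    return int(t, 10)


def decode_ipv4(host: str):
    """Return the dotted-decimal form of a host written as a dotted or undotted decimal,
    octal, hexadecimal or dword literal (formats may be mixed), or None when the host is
    a name rather than a numeric literal. Out-of-range values wrap, following the
    bulletin's description of browsers accepting +256 per part and +4294967296 overall."""
    if not re.fullmatch(r"[0-9a-fA-FxX.]+", host) or host.startswith(".") or host.endswith("."):
        return None
    parts = host.split(".")
    if len(parts) > 4 or not all(parts):
        return None
    try:
        vals = [_component(p) for p in parts]
    except ValueError:          # letters that are not a hex literal: it is a domain name
        return None
    *head, last = vals
    width = 32 - 8 * len(head)  # bits covered by the final component (inet_aton rule)
    value = 0
    for v in head:
        value = (value << 8) | (v % 256)
    value = (value << width) | (last % (1 << width))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def real_host(url: str) -> str:
    """The host a browser actually connects to: after cleaning, everything before '@'
    (userinfo) is discarded, the port is dropped, and numeric literals are decoded."""
    host = urlsplit(clean_text(url)).hostname or ""
    return decode_ipv4(host) or host


def has_fake_tld_label(host: str) -> bool:
    """Flag hosts like learnmore.com-eurekastep.eu, where a label before the real TLD
    starts with 'com-' so it reads like the end of a well-known domain."""
    labels = host.split(".")
    return any(FAKE_TLD_LABEL.match(lbl) for lbl in labels[:-1])


if __name__ == "__main__":
    # Constructed sample links in the forms described above (not real spam samples).
    samples = [
        "http://google.com@spamdomain.com/anything",
        "http://0xC0A80001/offer",
        "http://0300.0250.0.1/offer",
        "http://3232235521/offer",
        "http://7527202817/offer",            # 3232235521 + 4294967296
        "http://www.goo\u200d.g\u200dl/0Gsylm",
        "http://sp\u00adam\u00addomain.com/",
        "http://\uff11\uff19\uff12.\uff11\uff16\uff18.\uff10.\uff11/",  # fullwidth digits
        "http://learnmore.com-eurekastep.eu/find",
    ]
    for url in samples:
        host = real_host(url)
        flag = " (fake-TLD label)" if has_fake_tld_label(host) else ""
        print(f"{url!r:50} -> {host}{flag}")
```

Every numeric sample above resolves to 192.168.0.1, which is the point: a filter that keys on the canonical host sees one value where the raw links look like nine unrelated strings.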
These included emails with an attached PDF file informing recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to reply to the email and provide specific personal information. In addition to the text, the attachments contained various graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of considerable length, were often sent out as attachments to bypass spam filtering.

In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and the earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them. Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.

Statistics

Proportion of spam in email traffic

In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.

Figure: The proportion of spam in email traffic, 2015

The most noticeable drop was registered in the first months of 2015 – from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were insignificant – within 1–2 percentage points.

Sources of spam by country

Figure: Sources of spam by country, 2015

In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth, although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share.
Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.

In 2015, users in the USA were targeted by 4.92% of worldwide malicious emails #KLReport

As was the case in 2014, Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).

The size of spam emails

Figure: The size of spam emails in 2015

The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2–5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.

Malicious attachments in email

Figure: The Top 10 malicious programs spread by email in 2015

The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page, sent via email, that imitates an important notification from a large commercial bank, online store, software developer, etc. The threat appears as an HTML phishing page where the user has to enter personal data, which is then forwarded to cybercriminals.

Trojan-Downloader.HTML.Agent.aax was second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments, and the only difference between them is the link that redirects users to the rigged sites.

Third was Trojan-Banker.Win32.ChePro.ink.
This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type target Brazilian and Portuguese banks.

Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment, via file-sharing services and via writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm connects directly to the SMTP server of the recipient.

Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer calls in turn. If a call is successful, a malicious EXE file is downloaded to the temp folder and run.

Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs, and then send the data to a remote server run by cybercriminals.

Malware families

Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.

MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, MSWord.Agent programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs when the document is opened. It downloads and runs other malware, such as Andromeda. VBS.Agent, as the name suggests, uses an embedded VBS script. To download and run other malware on the user’s computer, the malicious programs of this family utilize the ADODB.Stream technology.

The Andromeda family came fourth. These programs allow attackers to secretly control infected computers, which often become part of a botnet. Notably, in 2014 Andromeda topped the rating of the most widespread malware families.
In 2015, #Japan (21.68%) took the lead in the ranking of unique users attacked by phishers #KLReport

The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also to capture data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.

Countries targeted by malicious mailshots

Figure: Distribution of email antivirus verdicts by country, 2015

For the previous three years, the Top 3 countries most often targeted by mailshots had remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.), followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014. The biggest surprise in Q3, and in the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth, with no more than 3.24% of all malicious spam being sent to the country. We would like to believe that, despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease.

As for the total number of malicious attachments sent via email, it is likely to grow in 2016, and the theft of personal information and Trojan ransomware will occupy the top places.

Special features of malicious spam

In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 carried attachments with a .doc or .xls extension and belonged to the Trojan downloader category, designed to download other malicious programs. As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees of real companies and organizations.
In 2015, 34.33% of phishing attacks targeted clients of financial organizations #KLReport #banking

The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents, and consequently all of the user’s documents that use global macros. Moreover, the VBA language is functional enough to be used for writing malicious code of all kinds.

In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but, unlike ZIP and RAR, they are largely unknown to ordinary users. Another difference is their high degree of compression, which is used to reduce email sizes to a minimum and bypass spam filtering. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot.iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.

In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.
In particular, cybercriminals masked the mobile encryption Trojan SLocker as a file containing updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt the files. Another .jar archive contained Backdoor.Adwind, written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.

The attackers who send out malware in files for mobile devices are most probably hoping that recipients reading email on a mobile device will install the malicious attachment. With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of various services (e.g., financial transactions) to mobile platforms – and, of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim not only to traditional advertising spam but also to virus writers. Mobile users should be especially careful, because cybercriminal activity in this sphere is only likely to increase.

Phishing

Main trends

In 2015, the Anti-Phishing system was triggered 148,395,446 times on the computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.

Methods of distributing phishing content

The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads.
In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones that use pop-up advertising. Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.

Figure: The fraudulent page to which the victim is redirected by a pop-up advert

Other popular themes of the year

As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers. This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.

Figure: Phishing email sent on behalf of FedEx

The attackers are especially active in this category in the run-up to holidays, when people tend to buy presents using popular delivery services.

Email tricks

Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information, which is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which both the text of the message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering. These tricks are used against organizations in all categories; in 2015, many attacks of this type targeted banking and mail organizations.

Figure: Example of a phishing email. The body of the message contains only text imitating the subject line of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.

We came across numerous PDF files that redirected victims to phishing websites.
The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.

Figure: A phishing email with an attached PDF file containing a redirect to a phishing website

The geography of attacks

Top 10 countries by percentage of attacked users

Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.

Figure: The percentage of users on whose computers the anti-phishing system was triggered, out of the total number of users of Kaspersky Lab products in the country, 2015

Top 10 countries by percentage of attacked users:

  Japan        21.68%
  Brazil       21.63%
  India        21.02%
  Ecuador      20.03%
  Mozambique   18.30%
  Russia       17.88%
  Australia    17.68%
  Vietnam      17.37%
  Canada       17.34%
  France       17.11%

Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).

The distribution of attacks by country

Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.

Figure: Distribution of phishing attacks by country in 2015

Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.) and the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).

Organizations under attack

The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.
Figure: Distribution of organizations subject to phishing attacks by category, 2015

In 2015, we saw significant growth in the proportion of phishing attacks on organizations in the ‘Online finances’ category (34.33%, +5.59 p.p.), which comprises the ‘Banks’, ‘Payment systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.

Top 3 organizations attacked:

  #  Organization   % of detected phishing links
  1  Yahoo!         14.17
  2  Facebook        9.51
  3  Google          6.8

In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating fake domains: Yahoo!, like many other organizations, registers lots of domains derived from its original domain name that could theoretically be used by attackers.

Conclusion and forecasts

In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points to 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and stayed within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legitimate platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant. The number of malicious and fraudulent messages, however, will increase.
It is possible that the attackers will once again make use of their customary tricks, as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal for spreading malware and fraudulent spam. The number of new domains created by spammers specifically for distributing mass mailings will continue to grow. We also expect to see an expansion in the new domain zones used as spammer resources.

Newly Fired CEO Of Norse Fires Back At Critics

Critics maintain that Norse Corp. is peddling threat data as threat intelligence.

A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing. KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier.

The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO. The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported. Shortly thereafter, Norse’s website went dark and remained unavailable through the week -- prompting some speculation on whether the company had been shuttered.

A spokesperson for a PR agency representing Norse today said the company is still operational, but she did not elaborate. The KrebsonSecurity article, which was contested by Glines and former Norse chief architect Jason Belich, blamed Norse’s problems on a fast and loose business culture focused on taking quick advantage of the booming interest in threat intelligence rather than on delivering real value for customers. One former employee quoted by Krebs described Norse as a "scam" operation designed to suck in investors. Norse, once a rising star in the threat intelligence industry and which as recently as September 2015 received an investment of over $11 million from KPMG, has been in the news for the wrong reasons before. As KrebsonSecurity noted in its blog, a Norse report last year on growing attacks against critical industrial control systems in the US was soundly trashed for being grossly exaggerated and unsubstantiated by facts.

A subsequent review of the report showed that what Norse had described as dangerous attacks was really network scans conducted from locations in Iran against honeypot systems.

Another Norse report, which claimed Sony’s massive data breach was the result of an insider attack, was similarly slammed for being unsubstantiated. In comments to Dark Reading today, Glines accused his critics of harboring an agenda against Norse. He described Krebs’ article as causing “incredible damage in very short order” and confirmed that Bain had been named interim CEO.

“The quality of Norse's threat intelligence data is extremely good,” says Glines. “The company has one of the largest malware pipelines in the industry and just one of the sinkholes in use has over 1 billion callbacks, after being in operation for less than 3 months,” he says. He described the sinkhole as just one example of the many techniques used by the company to collect threat intelligence.

Glines downplayed the criticisms about Norse’s threat intelligence reports being over the top, but conceded that Norse had been beaten up in the media over the past year. He says that was mainly the result of a handful of individuals complaining about the company’s practices; others jumped on the bandwagon because Norse chose not to respond, he says. Critics have accused Norse of going to market too soon with the data it had, and of drawing conclusions not actually supported by the data. “I’d respond that the entire cyber threat intelligence industry is still young, growing, but relatively immature,” Glines says. “But I’d also add that our customers and partners were getting tremendous value from the data.

Every product, every application, every service, is a work in process.”

Robert M. Lee, founder and CEO of critical infrastructure security firm Dragos Security and one of Norse’s strongest critics, says Norse’s problem is that it tries to make too much of the data it has. A lot of the raw data that Norse collects from its sensors around the world is threat information, not threat intelligence, he told Dark Reading. “Data is just data without context,” Lee says. Some of it can help organizations answer fundamental questions like whether their systems are infected or not.

But that is not the same thing as threat intelligence, which involves the ability to take data from multiple sources, analyze it and predict with a high degree of confidence, he says. “Real threat intelligence is not something you can plug into a firewall," he says.
It requires a much higher degree of expertise both technical and domain, than simply gathering and looking at threat data. “If Norse had used their data for what it was, it would have helped companies simplify what they were looking at,” he says. “Instead they were taking threat data and billing it as actionable intelligence.” The questions being raised over Norse’s practices pointing to a maturing overall of the threat intelligence industry, Lee says. “I don’t see this as impacting the larger threat intelligence industry.
I see this as an indicator that the market won’t accept bad threat data anymore.” Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
View Full BioMore Insights

WordPress Hacks Silently Deliver Ransomware To Visitors

If you're a gamer (or anyone else), this is not a screen you want to see. (Image: Bromium Labs)

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites it observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted it looks much the same across the compromised sites (Sucuri's post shows a decoded sample). To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly adding fresh domains as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users. During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, and detection of the payload it delivered was also limited (the blog post didn't provide specifics).

Drive-by attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote:

The malware tries to infect all accessible .js files. This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.

Cybersecurity Smackdown: What Side Are You On?

Analytics vs. Encryption. Prevention vs. Detection. Machine Learning: Promise or Hype? The Firewall: Dead or Still Breathing? The sharpest minds in the security industry debate some of the industry's most contentious issues.

It’s debate season – at least in the political realm. So to get into the spirit of the US primary election, Dark Reading has put together in one place excerpts from our ongoing series of great cybersecurity debates about four hot new information security technologies versus their legacy counterparts. Industry leaders make impassioned arguments for the new versus the tried and true, or a combination of the two.

ANALYTICS VS. ENCRYPTION

Encryption Has Its Place But It Isn’t Foolproof
By Doug Clare, Vice President of Product Management, FICO

Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it.

As Good As They're Getting, Analytics Don't Inherently Protect Data
By Scott Petry, Co-Founder & CEO of Authentic8

The suggestion to “use analytics to secure your system” is flawed, and the argument to shift away from data security systems like encryption and move to analytics is fallacious. In fact, analytics is not an either-or choice with encryption. Suggesting that firms choose between the two is like a doctor telling a patient to choose either vitamins or exercise. Both have their place in a healthy lifestyle.

MACHINE LEARNING: HYPE VS. PROMISE

Machine Learning Is Cybersecurity's Latest Pipe Dream
By Simon Crosby, co-founder and CTO at Bromium

There is a huge difference between being pleased when Netflix recommends a movie you like, and expecting Netflix to never recommend a movie that you don’t like. So while applying machine learning to your security feeds might deliver some helpful insights, you cannot rely on such a system to reliably deliver only valid results.

Machine Learning: Perception Problem? Maybe. Pipe Dream? No Way!
By Mike Paquette, VP Products, Prelert

In the most common misperception, machine learning is thought to be a magic box of algorithms that you let loose on your data and they start producing nuggets of brilliant insight for you. If you apply this misperception to the use of machine learning for cybersecurity, you might think that after deploying it, your security experts will be out of a job since algorithms will be doing all their important threat detection and prevention work. The reality is that ML is a practical way to use newer technology to automate the analysis of log data to better detect cyberthreat activity, under the direction and guidance of an organization's security experts.

PREVENTION VS. DETECTION

Time’s Running Out for the $76 Billion Detection Industry
By Simon Crosby, co-founder and CTO at Bromium

Enterprises spend a mind-boggling $76 billion each year to “protect” themselves from cyber-attacks, but the bad guys keep winning because most protection solutions are based on detection instead of prevention. What’s wrong? The answer is the same today as it was in ancient Troy when the Greek army suddenly disappeared, leaving behind an innocent-looking horse that the Trojans willingly brought inside the gates.

Detection: A Balanced Approach For Mitigating Risk
By Josh Goldfarb, VP and CTO - Emerging Technologies, FireEye

Prevention is necessary, but not sufficient, for a robust and mature security program. Only detection and response can complete the security picture that begins with prevention.

THE FIREWALL IS DEAD. LONG LIVE THE FIREWALL.

Why the Firewall is Increasingly Irrelevant
By Asaf Cidon, Co-Founder & CEO, Sookasa

Firewalls only protect what work used to be, not what it is today: a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications.

Firewalls Sustain Foundation of Sound Security
By Jody Brazil, Co-Founder & CEO, FireMon

Effective security management will always retain a multi-layered approach necessitating mechanisms that control and limit access. While this may not someday require dependence on network security devices, in today’s environment the firewall remains one of the critical building blocks of network security.

New Kid On The Block: Cyber Threat Analyst

Drawing from the financial service industry, this new role uses the "art of the intelligence cycle" to drive efficiency in the security operations center.

With the rapid rise, frequency, severity and cost of cyber attacks, many companies today are looking to the government military intelligence industry for the skills, talent and experience to run their security operations center. Leaders in the financial markets were the first to realize that an SOC driven by intelligence could be a force multiplier in achieving operational efficiency and effectiveness. Early adopters such as JPMorgan Chase & Co. used this expertise to restructure personnel into new tiers with new priorities and job functions. One of the newest roles to emerge from this shift is that of the cyber threat analyst.

What is the exact role of the cyber threat analyst, and how does the analyst’s work help prevent attackers from stealing critical data or causing other harm to a business? What the cyber threat analyst brings to the table is the “art of the intelligence cycle.” This is where information is directed, collected, processed, analyzed, produced, and disseminated.

For example, in an organization where I once worked as a cyber analyst, my team was tasked with finding a better way to identify insider threats within the company. First, I identified the relevant sources of data from which insider threats could be identified, in this case badge logs, web proxy traffic, and print logs. Then I began determining the patterns likely to be associated with malicious activity. These patterns allowed me to narrow down potential suspects to only .0001% of the employee pool. After we disseminated our report, others on the security operations team became much more effective in monitoring insider threats. Intelligence truly began to drive operations – which was the optimal outcome.

Worth the effort

Building the capability of cyber threat analysis is a challenging endeavor that will yield tangible results – but it takes time and discipline. Here are three key principles for developing a successful cadre of analysts:

The rule of three. Cyber threat analysis is composed of three distinct skillsets, and very rarely will one individual maintain all three. To properly learn cyber threat analysis, an analyst must learn information security (e.g. network defense, information assurance), intelligence analysis (e.g. the mastery of the intelligence cycle), and forensic science (e.g. investigations, evidence handling, discovery). It is essential to recruit individuals strong in one or two of these areas and also facilitate a training program to complement skillsets.

Intelligence is a journey, not a destination. Building an intelligence program is an iterative process. The maturation of the program should be laid out in a phased approach, where simple “quick wins” can be achieved early on in the process. For example, a four-phased approach would include: ad hoc analysis, integration of non-traditional data into security analysis, increasing speed of searches in addition to higher tier threats, and finally, continuous feeds of real-time data and automated detection analytics.

Knowledge is cumulative and must be nurtured over time. Cyber threat analysis is like many other professions where practice is necessary to continue learning the craft. Consider a surgeon: after eight full years of classroom education, can a newly minted physician walk into an operating room and conduct surgery? No, they must enter a five to eight year residency where they learn the craft under a seasoned attending surgeon. Similarly, cyber threat analysts learn best under a “master operator”; a recent college graduate simply cannot operate close to the same level as a seasoned pro. During my experience in the intelligence community, it took over a decade to develop a cadre of cyber threat analysts with the requisite skillsets.

Companies implementing any of the three principles outlined above will see a reduction in the severity of cyber attacks impacting their organizations. But those implementing all three will see the best results.

Bob Stasio is currently a Senior Product Manager at IBM i2 Safer Planet. Prior to this role, Bob worked in the private sector standing up threat intelligence programs at Bloomberg and global financial firms. He accomplished these efforts as the owner of his own consulting ...

Google Lumps MalwareBytes With A Bad Security Report

Google's security street gang Project Zero has been kicking sand in the face of Malwarebytes and picking the firm's protection precautions apart. Malwarebytes usually wears the boot in this kind of thing, but Project Zero has taken a punt in the security firm's direction and accused it of all sorts of bad things. This is not the first time that Project Zero has pointed fingers, as the gang only recently made Microsoft, FireEye and Trend Micro look bad.

Malwarebytes has "multiple security issues" that can open users to man-in-the-middle attacks and other things that you might choose to avoid, according to a Project Zero report from researcher Tavis Ormandy. The post said that the problem has been fixed, but a lot of the details have been redacted which, of course, makes things more interesting. Ormandy claimed that Google told the firm about the problem last year, and gave it 90 days before getting the sandwich board out and marching round the community.

"Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack. The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it's served over HTTP and not signed an attacker can simply replace it," he wrote. "It's possible the developer believed that an attacker cannot tamper with the data as it's encrypted with the hardcoded RC4 key [redacted] for configuration data, and [redacted] for definitions. However, this is not the case. Openssl commands can be used to decrypt, edit and then re-encrypt the definitions and configuration data."

We asked Malwarebytes to talk about this by email, and are waiting for a response. It was only last week that the firm proudly announced a bug bounty reward programme which, presumably, will pay for itself. Malwarebytes did contact us over Twitter, however, to publicly acknowledge its shame and share its thanks to Google and apologies to users.

The tweet led us to a blog post where the reward programme is revealed to be a reaction to such alerts. "Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone our researchers have found and reported several vulnerabilities with other software," wrote Marcin Kleczynski, CEO at Malwarebytes. "A vulnerability disclosure programme is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them. "We are taking steps like the bug bounty programme as well as building automatic vulnerability-finding software to mitigate any potential for a future vulnerability. "In addition, our engineers have used this discovery to create new processes and methodologies that will help us continue to scrutinise our own code, identify any weak lines or processes and build additional tests and checkpoints into our ongoing development cycle."
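To make Ormandy's point concrete, here is an added example (not code from Malwarebytes or Project Zero) contrasting a manifest check that trusts an MD5 line fetched over HTTP with one that verifies an authentication tag before trusting that line. The manifest layout, payload bytes and key are constructed for the example. HMAC-SHA256 with a shared key stands in for the vendor's public-key signature so that it runs on the Python standard library alone; the verification flow is the same shape, with the client holding only a public key in the real case. The RC4 layer the post mentions is left out because encryption under a key baked into the client provides confidentiality, not authenticity.

```python
import hashlib
import hmac

# Constructed stand-ins for the definitions blob and the key material.
GENUINE_DEFS = b"constructed-definitions-payload-v1"
VENDOR_KEY = b"constructed-demo-signing-key"   # stands in for the vendor's private key


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def parse_manifest(text):
    """Minimal 'key: value' reader for the small manifest used here (no YAML dependency)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def build_manifest(payload, filename="defs.bin"):
    # What an update server publishes next to the payload: a name and an MD5 checksum.
    return f"file: {filename}\nmd5: {md5_hex(payload)}\n"


def verify_md5_only(manifest_text, payload):
    """The weak check: payload must match the checksum in the manifest.
    When manifest and payload both travel over plain HTTP, whoever rewrites the
    payload can rewrite this line too, so it only catches accidental corruption."""
    return hmac.compare_digest(parse_manifest(manifest_text).get("md5", ""), md5_hex(payload))


def sign_manifest(manifest_text, key):
    # Vendor side: authenticate the whole manifest, which in turn binds the payload hash.
    tag = hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()
    return manifest_text + f"sig: {tag}\n"


def verify_signed(signed_text, payload, key):
    """The stronger check: the manifest's tag must verify before its checksum is
    trusted. Without the key, a forged 'sig' line cannot be produced."""
    body, _, sig_line = signed_text.rstrip("\n").rpartition("\n")
    if not sig_line.startswith("sig: "):
        return False
    body += "\n"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_line[len("sig: "):]):
        return False
    return verify_md5_only(body, payload)


def mitm_rewrite(signed_text, substitute_payload):
    """Model of the on-path tampering the post describes: the payload is swapped and
    the MD5 line updated to match, while the old tag is left in place because it
    cannot be recomputed without the key."""
    fields = parse_manifest(signed_text)
    forged = f"file: {fields['file']}\nmd5: {md5_hex(substitute_payload)}\nsig: {fields['sig']}\n"
    return forged, substitute_payload


def demo():
    genuine = sign_manifest(build_manifest(GENUINE_DEFS), VENDOR_KEY)
    forged, substitute = mitm_rewrite(genuine, b"constructed-substituted-payload")
    return {
        "genuine_md5_only": verify_md5_only(genuine, GENUINE_DEFS),
        "genuine_signed": verify_signed(genuine, GENUINE_DEFS, VENDOR_KEY),
        "forged_md5_only": verify_md5_only(forged, substitute),   # checksum alone is fooled
        "forged_signed": verify_signed(forged, substitute, VENDOR_KEY),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'accepted' if passed else 'rejected'}")
```

Run as a script it reports which checks accept the genuine and the tampered pair: the tampered manifest passes the checksum-only check because the MD5 line was rewritten along with the payload, and fails the signed check. Moving the download to HTTPS helps, but a signature on the manifest is what makes the client independent of the transport.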

eBay Refuses To Fix Flaw Exposing Users To Malware And Phishing...

A major flaw on eBay's online sales platform is being used to target customers with malware across Android, iOS and Windows devices, but eBay has said that it has no intention of fixing the vulnerability. Security company Check Point uncovered evidence of the flaw last year. It involves exploiting the ‘active content’ capability of eBay that is mostly used for nothing more than adding basic HTML on seller pages to emphasise text. eBay has a filter in place to ensure that sellers do not use anything more complex than this, such as JavaScript or iFrames, so that pop-ups and app download prompts cannot run, whether on Android, iOS or Windows machines. However, Check Point discovered that using a version of JavaScript termed JSF**K, cyber crooks are able to bypass these filters and trick users into downloading malicious apps, or present pop-up boxes asking for information. A video in the original article shows the attack in action on an iPhone, tricking the user into downloading a malicious app.

The fact that iOS users are at risk is particularly notable, as Apple's stringent app vetting process usually stops this kind of threat. However, Check Point explained that the crooks appear to have fraudulent mobile device management credentials, allowing them to push apps to devices when a request is received.

Oded Vanunu, security research group manager at Check Point, who has previously uncovered flaws affecting Apple, WhatsApp and Google, told V3 that the flaw is surprisingly basic. "Anyone can open an online store but usually once you open it you are very restricted with the functions you can use," he said. "However, with JSF**K we found that the eBay infrastructure is blind to this so cyber criminals can bypass the filter and redirect users to their malicious servers." This is a veritable gold mine for crooks as it allows them to infect user devices and gather information that could be used for phishing scams.

Worryingly, considering the scale of the risk, Check Point informed eBay of the problem in December and was told in January that eBay will not fix the problem as it wishes to keep the active content capability. "I must say I was disappointed by their handling of this. We provided them with the entire back story and proof-of-concept, but based on their feedback they’ve just said: ‘Thanks, but we allow active content,’" Vanunu said. “We said: 'That’s OK but your filters are being bypassed by this JSF**K language that they are blind to.' But it still hasn’t been fixed.”

V3 contacted eBay for a statement on the situation and received a fairly stock response that made no direct reference to the vulnerability or whether it would be fixed. “As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world," the firm said in a statement. "We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Hidden tear and its spin offs

Background

A while ago Turkish security group Otku Sen created the hidden tear ransomware and published the source code online. The idea behind it was to “teach” security researchers how ransomware works. Right from the beginning the reaction of various security professionals was negative. And we were right: it didn’t take long before the first ransomware variants based on the hidden tear source code arrived ([1], [2]) and, of course, things escalated a bit. Wondering what else there was, I decided to analyze the samples in the Trojan-Ransom.MSIL.Tear class and was amazed to find 24 additional samples.

The spin offs

Hidden tear only encrypts files located in the “test” directory on the user’s desktop. If such a directory doesn’t exist, then no files are encrypted and no harm is done. In one of the first samples we classified as hidden tear, Trojan-Ransom.MSIL.Tear.c, the “test” directory was removed, so in this case all the files (with a certain extension) located on the Desktop are encrypted. Another sample, Trojan-Ransom.MSIL.Tear.f, calls itself KryptoLocker. According to the message, public key cryptography was used, but when we look at the code we see something different. The author also didn’t use a CnC this time, but asked the victims to e-mail him so he could ask for the ransom. The next variants, Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h, are the first versions that use a proper CnC (previous samples used a server with an internal IP address as the CnC server). Other samples, such as Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k, share the same CnC, while Trojan-Ransom.MSIL.Tear.j uses another one. Also interesting is Trojan-Ransom.MSIL.Tear.m: this variant specifically looks for files located in the “MicrosoftAtom” directory. Variants Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p and Trojan-Ransom.MSIL.Tear.q, on the other hand, just encrypt your files and don’t store the key anywhere. Variants Trojan-Ransom.MSIL.Tear.r to Trojan-Ransom.MSIL.Tear.v are all more or less the same; the location of the CnC is often example.com, which of course does not work. The last samples, Trojan-Ransom.MSIL.Tear.w, Trojan-Ransom.MSIL.Tear.x and Trojan-Ransom.MSIL.Tear.y, all store the password on the hard drive and were also described earlier here.

Conclusion

As always, when malware gets open sourced, we see an increase in variants of that specific malware. We can therefore conclude that hidden tear completely missed its purpose. Researchers don’t need hidden tear to understand how ransomware works. Luckily enough, in this case, the copycats didn’t fix the bugs in hidden tear. Therefore it is actually possible (with some computation) to recover your key and decrypt your files for free. More worrisome is when copycats pick up well developed and sophisticated malware and start using that. The samples discussed in this post were all samples that were not often spotted in the wild. This means the number of victims remains relatively low. Nevertheless, bugs can be fixed and the malware can be enhanced without much effort. After this point, it is just a matter of waiting for future victims who might lose their files forever.

From Linux to Windows – New Family of Cross-Platform Desktop Backdoors...

Background

Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let's have a look at both of them.

DropboxCache aka Backdoor.Linux.Mokes.a

This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots. After its first execution, the binary checks its own file path and, if necessary, copies itself to one of the following locations:

$HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
$HOME/$QT-GenericDataLocation/.dropbox/DropboxCache

One example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses a not very stealthy method: it just creates a .desktop file, $HOME/.config/autostart/$filename.desktop, from a fixed template. Next, it connects to its hardcoded C&C server. From this point, it performs an HTTP request every minute; this “heartbeat” request is answered with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption. The binary comes with hardcoded public keys.

The malware then collects the information gathered by the keylogger, audio captures and screenshots in /tmp/, and later uploads the collected data to the C&C:

/tmp/ss0-DDMMyy-HHmmss-nnn.sst (screenshots, JPEG, every 30 sec.)
/tmp/aa0-DDMMyy-HHmmss-nnn.aat (audio captures, WAV)
/tmp/kk0-DDMMyy-HHmmss-nnn.kkt (keylogs)
/tmp/dd0-DDMMyy-HHmmss-nnn.ddt (arbitrary data)

DDMMyy = date: 280116 = 2016-01-28
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds

Part of the code is able to capture audio from the victim’s box. However, audio capturing is not activated in the event timer of this binary, just like the keylogging feature. Since the authors have statically linked libqt, xkbcommon (the library to handle keyboard descriptions) and OpenSSL (1.0.2c) into the binary, the size of the binary is over 13MB. The criminals also didn’t make any effort to obfuscate the binary in any way. In fact, the binary contains almost all symbols, which is very useful during analysis. There are also references to the author’s source files. Apparently, it’s written in C++ and Qt, a cross-platform application framework. According to the binary’s metadata it was compiled using “GCC 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)” on Ubuntu 14.04 LTS “Trusty Tahr”. According to the qt_instdate timestamp, the last time the Qt sources were configured was on 2015-09-26 (qt/qtbase.git: deprecated), which implies that the malware was compiled no earlier than the end of September 2015. We detect this type of malware as Backdoor.Linux.Mokes.a.

OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv

Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a. After execution, the malware randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version” file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself. Then the corresponding registry keys are created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence in the system. After the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue.

The next stage in its operation is to contact the hardcoded C&C server. Besides the different IP addresses and encryption key, we see almost identical behavior. However, this particular variant uses a slightly different implementation and tries to obtain the default Windows user-agent string; if this is not successful, the sample uses a hardcoded version. Like the Linux variant, it connects to its C&C server in the same way: once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP port 433. It uses almost the same filename templates to save the obtained screenshots, audio captures, keylogs and other arbitrary data. Unlike the Linux variant, in this sample the keylogger is active; the keystroke logfile it creates is located in %TEMP%.

And again, we spotted some unexpected code: the binary contains references to code which is able to capture images from a connected camera, such as a built-in webcam. Similar to the Linux version, the author left quite a number of suspicious strings in the binary, one of which is surprisingly honest. From the criminal’s point of view, it’s important that the software looks legitimate and that Windows doesn’t ask the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using trusted code signing certificates. In this particular case, the criminal managed to sign the binary with a trusted certificate from “COMODO RSA Code Signing CA”. We detect this type of malware as Backdoor.Win32.Mokes.imv.

What’s next

Since this software was intentionally designed to be platform independent, we might also see corresponding Mac OS X samples in the future.

Update (2016-02-01 10:45 UTC): We just got Backdoor.Win32.Mokes.imw. This is the first time we have seen a variant of Mokes which comes with the audio capture module activated. The malware creates a new audio file every 5 minutes.

IOCs

Backdoor.Linux.Mokes.a
c9e0e5e2aeaecb232120e8573e97a6b8
$HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
$HOME/$QT-GenericDataLocation/.dropbox/DropboxCache
$HOME/.config/autostart/profiled.desktop
$HOME/.config/autostart/DropboxCache.desktop
/tmp/ss0-$date-$time-$ms.sst

Backdoor.Win32.Mokes.imv & .imw
f2407fd12ec0d4f3e82484c027c7d149 (imw)
91099aa413722d22aa50f85794ee386e (imv)
%AppData%\Skype\SkypeHelper.exe
%AppData%\Skype\version
%AppData%\Dropbox\bin\DropboxHelper.exe
%AppData%\Dropbox\bin\version
%AppData%\Google\Chrome\nacl32.exe
%AppData%\Google\Chrome\version
%AppData%\Google\Chrome\nacl64.exe
%AppData%\Google\Chrome\version
%AppData%\Mozilla\Firefox\mozillacache.exe
%AppData%\Mozilla\Firefox\version
%AppData%\Hewlett-Packard\hpqcore.exe
%AppData%\Hewlett-Packard\version
%AppData%\Hewlett-Packard\hpprint.exe
%AppData%\Hewlett-Packard\version
%AppData%\Hewlett-Packard\hpscan.exe
%AppData%\Hewlett-Packard\version
%AppData%\Adobe\Acrobat\AcroBroker.exe
%AppData%\Adobe\Acrobat\version
%TEMP%\aa$n-$date-$time-$ms.aat (imw), where $n is a decimal hash-value calculated from the soundcard’s name
%TEMP%\ss0-$date-$time-$ms.sst
%TEMP%\dd0-$date-$time-$ms.ddt
%TEMP%\kk$date.kkt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “%PERSISTENT-FILENAME%”, “%PERSISTENT-FILEPATH%”, where %PERSISTENT-FILENAME% is one of the filenames above and %PERSISTENT-FILEPATH% is the corresponding path
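As an added example that is not part of the Securelist post, the following Python matcher turns the artifact filename templates listed above (the /tmp files of the Linux variant and the %TEMP% files of the Windows variants) into a hunting check: it recognises the ss/aa/kk/dd prefixes, insists that prefix and extension agree, and decodes the DDMMyy-HHmmss-nnn fields into a readable timestamp so a responder can timeline what the implant collected. The template layout and the 280116 / 154411 decoding come from the post; the paths it is run against are constructed.

```python
import re
from datetime import datetime

# Filename templates from the write-up:
#   Linux    /tmp/ss0-DDMMyy-HHmmss-nnn.sst  screenshots, aa0-....aat audio,
#            kk0-....kkt keylogs, dd0-....ddt arbitrary data
#   Windows  %TEMP%\ss0-..., %TEMP%\dd0-..., %TEMP%\aa$n-... ($n = decimal hash of
#            the sound card name) and %TEMP%\kk$date.kkt (date only)
KINDS = {
    "ss": ("screenshot", "sst"),
    "aa": ("audio", "aat"),
    "kk": ("keylog", "kkt"),
    "dd": ("data", "ddt"),
}

FULL_RE = re.compile(
    r"^(?P<kind>ss|aa|kk|dd)(?P<n>\d+)-(?P<date>\d{6})-(?P<time>\d{6})-(?P<ms>\d{3})\.(?P<ext>[a-z]{3})$"
)
# Windows keylog variant: kk + DDMMyy + .kkt, no time component.
KK_DATE_RE = re.compile(r"^kk(?P<date>\d{6})\.kkt$")


def _basename(path):
    # Accept both / and \ so one matcher serves Linux and Windows paths.
    return re.split(r"[\\/]", path)[-1]


def classify_artifact(path):
    """Return a dict describing the artifact if `path` matches a Mokes filename
    template, otherwise None. DDMMyy/HHmmss are decoded into an ISO-style stamp."""
    name = _basename(path)
    m = FULL_RE.match(name)
    if m:
        label, expected_ext = KINDS[m.group("kind")]
        if m.group("ext") != expected_ext:
            return None  # prefix and extension must agree, e.g. ss0-...sst
        stamp = datetime.strptime(m.group("date") + m.group("time"), "%d%m%y%H%M%S")
        return {
            "path": path,
            "kind": label,
            "instance": int(m.group("n")),
            "timestamp": stamp.strftime("%Y-%m-%d %H:%M:%S") + "." + m.group("ms"),
        }
    m = KK_DATE_RE.match(name)
    if m:
        day = datetime.strptime(m.group("date"), "%d%m%y")
        return {"path": path, "kind": "keylog", "instance": None,
                "timestamp": day.strftime("%Y-%m-%d")}
    return None


def scan_paths(paths):
    """Run classify_artifact over a list of paths and keep only the hits."""
    return [hit for hit in map(classify_artifact, paths) if hit]


if __name__ == "__main__":
    # Constructed listing of a /tmp and a %TEMP% directory for demonstration.
    sample_listing = [
        "/tmp/ss0-280116-154411-123.sst",
        "/tmp/kk0-280116-154411-001.kkt",
        "/tmp/qtsingleapp-lock",
        r"C:\Users\u\AppData\Local\Temp\aa17-280116-154411-000.aat",
        r"C:\Users\u\AppData\Local\Temp\kk280116.kkt",
    ]
    for hit in scan_paths(sample_listing):
        print(hit)
```

The extension check matters because the prefix alone (ss0-, kk0-) is short enough to collide with unrelated temp files; requiring the matching three-letter extension keeps the rule specific to this family.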

Angler Exploit Kit Now Hooking Execs With Xmas Flash Hole

The Angler exploit kit is again sailing the cyber seas and pillaging with impunity, adding one of the more recent machine-hijacking Flash holes to its arsenal. The integration of the Adobe Flash vulnerability (CVE-2015-8651) patched last month solidifies Angler's position as the most popular and effective exploit kit on underground criminal markets. The Chinese security researcher known as ThreatBook reports that the exploit kit is being used in phishing attacks under the so-called DarkHotel campaign. Those attacks also involve compromising hotel networks in order to compromise executives who connect to Wi-Fi. Successful exploits drop a trojan named update.exe disguised as an SSH key generation tool. It also searches for the presence of anti-virus platforms and researcher sandbox analysis tools. The exploit kit is also being used to drop the dangerous Cryptowall ransomware.

The respected independent researcher known as "Kafeine" revealed the Flash exploit update. "[The update] is not yet pushed to all Angler exploit kit threads, but is widely spread," Kafeine says. The exploit works against Flash version 20.0.0.235 and Firefox. Kafeine says authors of rival exploit kits Nuclear, Magnitude, and Neutrino are likely unable to mimic Angler's exploit integration thanks to its use of encryption. Those three are stuck using an October Flash vulnerability (CVE-2015-7645), while RIG and Sundown flounder with Adobe holes (CVE-2015-5122) from July.

Kaspersky DDoS Intelligence Report for Q4 2015

Q4 events

Of all the Q4 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats:

the emergence of new vectors for conducting reflection DDoS attacks;
an increase in the number of botnets composed of vulnerable IoT devices;
application-level attacks as the workhorse behind DDoS attack scenarios.

Attacks using compromised web applications powered by WordPress

Web resources powered by the WordPress content management system (CMS) are popular with cybercriminals who carry out DDoS attacks. This is because WordPress supports the pingback function, which notifies the author of a post published on a WordPress site when someone else links to that post from another site running the same CMS. When a post containing a link to another web resource is published on a site with pingback enabled, a special XML-RPC request is sent to the site the link points to, and that site receives and processes it. During processing, the recipient site may contact the source of the request to check that the linking content actually exists.

This mechanism allows a web resource (the victim) to be attacked: a bot sends a specially formed pingback request to a WordPress site with pingback enabled, specifying the victim's address as the sender. The WordPress site processes the bot's request and sends its reply, the verification request, to the victim's address. By sending pingback requests carrying the victim's address to a large number of WordPress resources with pingback enabled, the attackers create a substantial load on the victim resource. This is why web resources running WordPress with the pingback function enabled are of interest to cybercriminals.
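From the victim's side, the reflection traffic described above is recognisable in ordinary web server logs, because WordPress core labels its pingback verification fetches with a User-Agent of the form "WordPress/<version>; <reflector URL>; verifying pingback from <IP of the pingback sender>". The following detection logic is an added example, not code from the report; the log lines are constructed in Apache "combined" format and the threshold of three distinct reflector sites is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample Apache "combined" log lines, as seen by the victim site
# (not data from the report). WordPress sends this User-Agent when it fetches
# the page named in a pingback's sourceURI to verify the link, so a burst of
# such requests from many different blogs, all naming the same originating
# IP, is the victim-side signature of the pingback reflection attack.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2015:10:00:01 +0000] "GET /post/ HTTP/1.1" 200 5120 "-" "WordPress/4.3.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [12/Nov/2015:10:00:01 +0000] "GET /post/ HTTP/1.1" 200 5120 "-" "WordPress/4.4; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [12/Nov/2015:10:00:02 +0000] "GET /post/ HTTP/1.1" 200 5120 "-" "WordPress/4.2.5; http://blog-c.example; verifying pingback from 198.51.100.7"
198.51.100.20 - - [12/Nov/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (\S+); verifying pingback from (\S+)$')


def pingback_hits(log_text):
    """Return (reflector_ip, reflector_site, origin_ip, path) for every
    request whose User-Agent is a WordPress pingback verification."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client_ip, path, ua = m.groups()
        pm = PINGBACK_UA_RE.match(ua)
        if pm:
            hits.append((client_ip, pm.group(1), pm.group(2), path))
    return hits


def summarize(hits, min_reflectors=3):
    """Group hits by requested path and flag paths that received verification
    requests from at least min_reflectors distinct WordPress sites."""
    by_path = defaultdict(lambda: {"reflectors": set(), "origins": set(), "requests": 0})
    for _ip, site, origin, path in hits:
        entry = by_path[path]
        entry["reflectors"].add(site)
        entry["origins"].add(origin)
        entry["requests"] += 1
    for entry in by_path.values():
        entry["suspicious"] = len(entry["reflectors"]) >= min_reflectors
    return dict(by_path)
```

The "origins" set is worth reporting alongside the reflector count: a single originating IP behind many reflectors points at one bot driving the amplification, while the reflector sites themselves are merely misconfigured third parties.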
In the fourth quarter of 2015, cybercriminals did not limit their activities to sites supporting pingback; they carried out a mass compromise of resources running WordPress. This was probably caused by the emergence of "zero-day" vulnerabilities either in the CMS or in one of its popular plugins. Whatever the cause, we registered several cases of JavaScript code being injected into the body of web resources. The injected code made the visitor's browser send requests to the victim resource, and the attackers used an encrypted HTTPS connection to impede traffic filtering. One such DDoS attack registered by Kaspersky Lab experts reached 400 Mbit/sec and lasted 10 hours; the attackers used a compromised web application running WordPress together with an encrypted connection to complicate traffic filtering.

IoT-based botnets

In October 2015, experts registered a huge number of HTTP requests (up to 20,000 requests per second) coming from CCTV cameras. The researchers identified about 900 cameras around the world that formed a botnet used for DDoS attacks. The experts warn that in the near future new botnets utilizing vulnerable IoT devices will appear.

Three new vectors for carrying out reflection DDoS attacks

Reflection DDoS attacks exploit weaknesses in a third party's configuration to amplify an attack. In Q4, three new amplification channels were discovered: the attackers send traffic to the targeted sites via NetBIOS name servers, via the RPC portmapper service of domain controllers reached through a dynamic port, and via WD Sentinel licensing servers.

Attacks on mail services

In Q4 2015, mail services were especially popular with DDoS attackers. In particular, activity was detected from the Armada Collective cybercriminal group, which uses DDoS attacks to extort money from its victims.
The group is suspected of being involved in an attack on the ProtonMail secure e-mail service, in which the cybercriminals demanded $6000 to end the DDoS attack. As well as the ProtonMail encrypted email service, the FastMail and Russian Post e-mail services were also targeted.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company's experts monitor botnet activity with the help of the DDoS Intelligence system. The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the fourth quarter of 2015.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab.
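The attack-counting rule just defined is easy to get subtly wrong when reproducing such statistics, so here it is as an added example (not the report's own code, and not its data): observations of attack commands are grouped per (target IP, botnet), a break of more than 24 hours between consecutive observations starts a new attack, and the same function feeds the per-day timeline counting that the report uses later, where a multi-day attack is counted once for each day it spans. The observations are constructed, and treating a break of exactly 24 hours as continuing is an assumption the report's wording leaves open.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed observations in the shape the methodology implies (not report
# data): one entry per attack command seen for a (target IP, botnet) pair.
OBSERVATIONS = [
    ("203.0.113.5", "botnet-A", "2015-10-01 00:00"),
    ("203.0.113.5", "botnet-A", "2015-10-01 20:00"),  # break of 20h: same attack
    ("203.0.113.5", "botnet-A", "2015-10-02 10:00"),  # break of 14h: still the same attack
    ("203.0.113.5", "botnet-A", "2015-10-04 00:00"),  # break of 38h: a new attack
    ("203.0.113.5", "botnet-B", "2015-10-01 01:00"),  # another botnet: a separate attack
    ("198.51.100.9", "botnet-A", "2015-10-02 12:00"),
]
MAX_BREAK = timedelta(hours=24)

def count_attacks(observations, max_break=MAX_BREAK):
    """Group observations into attacks per (target, botnet). A break longer
    than max_break between consecutive observations starts a new attack;
    a break of exactly max_break is treated as continuing (assumption).
    Returns a list of (target, botnet, start, end) tuples."""
    by_key = defaultdict(list)
    for target, botnet, ts in observations:
        by_key[(target, botnet)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    attacks = []
    for (target, botnet), times in sorted(by_key.items()):
        times.sort()
        start = end = times[0]
        for t in times[1:]:
            if t - end > max_break:
                attacks.append((target, botnet, start, end))
                start = t
            end = t
        attacks.append((target, botnet, start, end))
    return attacks

def longest_hours(attacks):
    """Duration in hours of the longest attack (the report's 371-hour figure)."""
    return max((end - start).total_seconds() / 3600 for _t, _b, start, end in attacks)

def daily_counts(attacks):
    """Timeline view as in the report: an attack is counted once for every
    calendar day it spans, so multi-day attacks appear on several days."""
    counts = Counter()
    for _t, _b, start, end in attacks:
        day = start.date()
        while day <= end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(counts)
```

Note that the number of unique targets is the number of distinct target IPs across the attack list, not the number of attacks, which is why the report's target counts and attack counts differ.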
It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that occurred within the specified time period.

Q4 Summary

In Q4, resources in 69 countries were targeted by DDoS attacks.
94.9% of the targeted resources were located in 10 countries.
The largest numbers of DDoS attacks targeted victims in China, the US and South Korea.
The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.
The popularity of Linux-based bots continued to grow: the proportion of DDoS attacks from Linux-based botnets in the fourth quarter was 54.8%.

Geography of attacks

By the end of 2015, the geography of DDoS attacks had narrowed to 69 countries. 94.9% of targeted resources were located in 10 countries. Q4 saw a considerable increase in the proportion of DDoS attacks targeting resources located in China (from 34.5% to 50.3%) and South Korea (from 17.7% to 23.2%).

Distribution of unique DDoS attack targets by country, Q3 vs Q4 2015

The share of DDoS targets located in the US dropped by 8 percentage points, which saw it move down to third place and South Korea climb to second. Croatia, with 0.3% (-2.5 percentage points), and France, whose share fell from 1.1% to 0.7%, left the Top 10. They were replaced by Hong Kong, with the same proportion as in the previous quarter, and Taiwan, whose share increased by 0.5 percentage points.

The statistics show that 94% of all attacks had targets within the Top 10 countries:

Distribution of DDoS attacks by country, Q3 vs Q4 2015

In the fourth quarter, the Top 3 ranking remained the same, although the US and South Korea swapped places: South Korea's contribution grew by 4.3 percentage points, while the US share dropped by 11.5 percentage points.
The biggest increase in the proportion of DDoS attacks in Q4 was observed in China: its share grew by 18.2 percentage points.

Changes in DDoS attack numbers

In Q4 2015, DDoS activity was distributed more or less evenly, with the exception of one peak in late October and an increase in activity in early November. The peak number of attacks in one day was 1,442, recorded on 2 November. The quietest day was 1 October, with 163 attacks.

Number of DDoS attacks over time* in Q4 2015

* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. once for each day of its duration.

Monday and Tuesday were the most active days of the week in terms of DDoS attacks. In Q4, the share of attacks carried out on a Monday was 5.7 percentage points higher than in the previous quarter. The figure for Tuesdays changed slightly (-0.3 percentage points).

Distribution of DDoS attack numbers by day of the week, Q4 2015

Types and duration of DDoS attacks

97.5% of DDoS targets in Q4 2015 (vs. 99.3% in Q3) were attacked by bots belonging to one family. In just 2.4% of all cases cybercriminals launched attacks using bots from two different families (used by one or more botnet masters). In 0.1% of cases three or more bot families were used, mainly Sotdas, Xor and BillGates.

The ranking of the most popular attack methods remained unchanged, although SYN DDoS (57%) and TCP DDoS (21.8%) added 5.4 and 1.9 percentage points respectively.

The distribution of DDoS attacks by type

Once again, most attacks lasted no longer than 24 hours in Q4 2015.

The distribution of DDoS attacks by duration (hours)

The maximum duration of attacks increased again in the fourth quarter. The longest DDoS attack in the previous quarter lasted for 320 hours (13.3 days); in Q4, this record was beaten by an attack that lasted 371 hours (15.5 days).
C&C servers and botnet types

In Q4 2015, South Korea maintained its leadership in terms of the number of C&C servers located on its territory, with its share growing by 2.4 percentage points. The US share decreased slightly, from 12.4% to 11.5%, while China's contribution grew by 1.4 percentage points. The Top 3 ranking remained the same. The countries in fourth and fifth place switched: Russia's share increased from 4.6% to 5.5%, while the share of the UK declined from 4.8% to 2.6%.

Distribution of botnet C&C servers by country in Q4 2015

In Q4, the balance between active Windows- and Linux-based bots shifted: the proportion of attacks launched by Linux bots grew from 45.6% to 54.8%.

Correlation between attacks launched from Windows and Linux botnets

Conclusion

Events in Q4 2015 demonstrated that the cybercriminals behind DDoS attacks utilize not only what are considered classic botnets made up of workstations and PCs, but also any other vulnerable resources that are available. These include vulnerable web applications, servers and IoT devices. In combination with new channels for carrying out reflection DDoS attacks, this suggests that in the near future we can expect a further increase in DDoS capacity and the emergence of botnets consisting of new types of vulnerable devices.