The phishing assault on Ireland shows no signs of letting up

ESET Ireland is warning about another pair of phishing emails doing the rounds, one trying to grab Eircom passwords, the other pushing a trojan infection

I really wish we could once send out an email saying “nothing to worry about” and one day (perhaps when temperatures in Hell drop substantially) we might be able to, but that day is not today. Today we have to report two new phishing attacks on Irish email addresses.

The first is titled “Dear eircom Subscriber” and pretends to come from Eircom Web Team warning users of being infected with a virus, prompting them to give up their login details to their account to “stop the spread of the virus”:

eircom1

It is, of course, all rubbish, and the scammers just want to get hold of users’ usernames and passwords to abuse their Eircom accounts, steal identity and commit various forms of fraud.

The second one is even a bit more malicious. This one claims to be from the Royal Bank of Canada, and tries to lure potential victims to click on links, with the promise of updates to their user accounts. But the links are actually infected with a drive-by download of Win32/TrojanDownloader.Waski.A trojan, a nasty piece of malware that makes computers vulnerable to cybercriminals, who can infect them with password-grabbing or bank-account-stealing spyware or use them to dispatch more malware or various illegal content:

rbc1

ESET Ireland recommends Irish computer users to be vigilant when receiving emails, tagging them as spam and deleting them immediately, without replying or clicking any links they contain. Also make sure your operating system and antivirus software are updated to the latest, to prevent possible infections.

by Urban Schrott, ESET Ireland

What to do about Shellshock Bash bug on Mac OS X?

A serious software vulnerability called the “Bash Bug” or “Shellshock” has just come to light and it affects a wide range of computers and digital devices, many of which will need to be fixed to prevent them leaking information or being taken over by malicious persons. The systems affected include Mac OS X computers, many web servers, and some home networking devices like routers. This blog post offers some preliminary advice about what to do in response to Shellshock, as well as links to more in-depth resources that should be helpful to more technically-minded readers.

The official name of this vulnerability is the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) and it is a serious one, on a par with Heartbleed, and it could enable an attacker to gain control over a targeted computer. Of course, all of that might sound irrelevant to the average Internet user who has never heard of bash. So I will let my colleague Cameron Camp, an experienced Linux user, set the scene with five main points. After that we will offer some advice for different groups of people affected by this bug. Here’s Cameron:

  1. Bash is short for Bourne-again shell and it is the command line interface that most folks use on a Linux and sometimes BSD Mac servers and computers. So basically Bash is the primary way you give your Linux server commands, turn stuff on and off, start web servers and so on: it’s how you manually manage your server 90% of the time. Think of it as what your desktop is to a Windows or Mac machine, but for servers. But Bash is more than that, it’s also the nuts and bolts of how a large chunk of the Linux server itself launches and controls operations that it executes all the time like scheduling tasks, doing updates, and the like.
  2. Bash doesn’t just run on normal Linux serverish things, it’s loaded on a significant percentage of home routers, smart meters, smart appliances, smart cars, and other stuff that you don’t really think of as running Linux. Basically a huge chunk of things that route Internet traffic run bash. This extends to the core routing of data centers and facilities like that around the world.
  3. Right now we are at the very beginning of the “what could this break” cycle. Already we know that it could break CGI scripts running on Apache boxes. Okay, but there’s a ton of other exploits possible once someone weaponizes this, and before folks have a chance to patch their devices. Some vulnerability scanning is now going around, undoubtedly lots more will follow. Keep in mind that some BSD/Linux boxes haven’t been rebooted in five years or more! They often lag behind on updates to fix security issues.
  4. I’m watching the traffic stream on some trust groups right now and the messages are flying around, with folks sharing data back and forth about active exploit attempts, so that’s good, but these groups are very technical, so that information has to be translated for public consumption accompanied by practical advice.
  5. Lastly, in simple terms, breaking Bash means you can tell a server to execute something without really authenticating, so it’s sort of like telling bash to go do stuff without being logged in, which definitely fits the definition of “a very bad thing”.

For more technical details we think these resources are very helpful:

Here is what we think this bug means for different people:

  • Windows users: your machines are fine, but you could be at risk of malicious code infection when visiting web servers compromised by exploitation of Shellshock. Now is a good time to make sure your anti-malware is up-to-date.
  • Mac users: sadly the bash that comes with Mac OS X is vulnerable until patched. We are awaiting a patch from Apple. Look for this and install it right away. Now is a good time to make sure your anti-malware is up-to-date.
  • Home Internet users, domestic network operators: We do not yet have a definitive list of which devices are affected. For now, assume that yours is and stand by for updates from your ISP or the router manufacturer while monitoring sites like We Live Security for more information about active threats exploiting this vulnerability. If you want to be pro-active, check out the support forum for your ISP or router vendor. Email or phone them to find out if your device is affected. Also, check that your anti-malware is up-to-date.
  • SOHO and SMB: Same as above if you are doing your own IT. If you use a Managed Service Provider, check with them.
  • IT departments: Review all systems that use bash and follow appropriate remediation steps as reported by Linux distributors, such as RedHat and Debian and Ubuntu. There is a lot of information on this NGINX page and this Cisco page.
  • Anyone with a website hosted by web hosting company: Check their support page for news and updates.
  • Anyone with a virtual private server: Check with your provider’s support page. You may need to tackle this issue yourself, in which case engage an appropriate expert.

We are monitoring developments related to the Shellshock bash bug vulnerability and will post updates to the We Live Security blog.

by Stephen Cobb, ESET

Back in BlackEnergy*: 2014 Targeted Attacks in Ukraine and Poland

A large number of state organisations and private businesses from various industry sectors in Ukraine and Poland have been targeted in recent attacks using malware designed for network discovery and remote code execution, and for collecting data from targets’ hard drives. What makes these attacks interesting – aside from the tense current geopolitical situation in the region – is that they were carried out using new versions of BlackEnergy, a malware family with a rich history, and also the various distribution mechanisms used to get the malware onto the victims’ computers.

BlackEnergy is a trojan that has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. Originally conceived as a relatively simple DDoS trojan it has evolved into a sophisticated piece of malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by Dell SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014.

The latest variants of BlackEnergy are dated September 2014.

BlackEnergy Lite: Less is more?

While the ‘regular’ BlackEnergy trojan is still actively circulating in the wild, we have discovered variants of the malware family, which are easily distinguishable from their older brothers.

We nicknamed the BlackEnergy modifications – first spotted in the beginning of 2014 – as BlackEnergy Lite, due to the absence of a kernel-mode driver component, less support for plug-ins, and an overall ‘lighter’ footprint.

Interestingly, the malware was named similarly by the malware writers themselves, as illustrated by the export directory of an early version of the main DLL:

Blackenergy Lite

Note that even the ‘regular’ BlackEnergy samples detected this year have evolved in such a way that the kernel mode driver is only used for injecting the payload into user mode processes and no longer contains rootkit functionality for hiding objects in the system. The light versions go a step further by not using a driver at all. Instead, the main DLL is loaded using a more ‘polite’ and ‘official’ technique – by simply loading it via rundll32.exe. This evolution was previously mentioned in blog posts by F-Secure.

The omission of the kernel mode driver may appear as a step back in terms of malware complexity: however it is a growing trend in the malware landscape nowadays. The threats that were among the highest-ranked malware in terms of technical sophistication (e.g., rootkits and bootkits, such as Rustock, Olmarik/TDL4, Rovnix, and others) a few years back are no longer as common.

There could be several reasons behind this trend, ranging from the technical obstacles that rootkit developers now face, like Windows system driver signing requirements, UEFI Secure Boot – which will be covered by Eugene Rodionov, Aleks Matrosov and David Harley in their VB2014 presentation Bootkits: past, present & future – to the simple fact that it is difficult and expensive to develop such malware. Also, any bugs in the code have a bad habit of blue-screening the system. All the while, possibly even raising suspicion of the presence of malicious code rather than hiding it in the system.

There are several other differences that separate BlackEnergy Lite from the ‘big’ BlackEnergy, in the plugin framework, plugin storage, configuration format, and so forth.

BlackEnergy campaigns in 2014

The BlackEnergy malware family has served many purposes throughout its history, including DDoS attacks, spam distribution, and bank fraud. The malware variants that we have tracked in 2014 – both of BlackEnergy and of BlackEnergy Lite – have been used in targeted attacks. This fact is demonstrated both by the plugins used and the nature and targets of the spreading campaigns.

The purpose of these plugins was mainly for network discovery and remote code execution and for collecting data off the targets’ hard drives.

We have observed over a hundred individual victims of these campaigns during our monitoring of the botnets. Approximately half of these victims are situated in Ukraine and half in Poland, and include a number of state organizations, various businesses, as well as targets which we were unable to identify.

The spreading campaigns that we have observed have used either technical infection methods through exploitation of software vulnerabilities, social engineering through spear-phishing emails and decoy documents, or a combination of both.

In April we discovered a document exploiting the CVE-2014-1761 vulnerability in Microsoft Word. This exploit has also been used in other attacks, including MiniDuke.

In this case the successful execution of the exploit shellcode resulted in dropping two files to the temporary directory: the malicious payload named “ WinWord.exe” and a decoy document named “Russian ambassadors to conquer world.doc”. These files were then opened using the kernel32.WinExec function. The WinWord.exe payload served to extract and execute the BlackEnergy Lite dropper. The decoy document contained controversial but obviously bogus text as shown below:

Blackenergy-lite-document1

At the same time, another document appeared also exploiting CVE-2014-1761. The text was less controversial than the previous example, but still related to foreign relations. The subject was the GlobSEC forum held in Bratislava this year.

Blackenergy-lite-document

One month later, in May, we spotted another file crafted to install BlackEnergy Lite. This time, however, no exploit was used – the file, named “список паролiв ,”  which means “password list” in Ukrainian, was simply an executable file with a Microsoft Word icon.

blackenergy-lite-icon

Despite being an executable, this file also contained an embedded decoy document with – you guessed it – a list of passwords. This case was also described by F-Secure in their blog post.

http://en.wikipedia.org/wiki/Back_in_Black

1 123456
2 admin
3 password
4 test
5 123
6 123456789
7 12345678
8 1234
9 qwerty
10 asdf
11 111111
12 1234567
13 123123
14 windows
15 123qwe
16 1234567890
17 password123
18 123321
19 asdf123
20 zxcv
21 zxcv123
22 666666
23 654321
24 pass
25 1q2w3e4r
26 112233
27 1q2w3e
28 zxcvbnm
29 abcd1234
30 asdasd
31 555555
32 999999
33 qazwsx
34 123654
35 q1w2e3
36 123123123
37 guest
38 guest123
39 user
40 user123
41 121212
42 qwert
43 1qaz2wsx
44 qwerty123
45 987654321
46 pass123
47 trewq
49 trewq321
49 trewq1234
50 2014

More recent campaigns for spreading BlackEnergy Lite were active in August and even currently in September, according to ESET LiveGrid® threat telemetry system. In one case, specially crafted PowerPoint documents were used, while other attempts to disseminate the malware appear to have been using unidentified Java vulnerabilities, or the remote control software Team Viewer.

More details about these cases will be given on Thursday at the Virus Bulletin conference and published afterwards.

by Robert Lipovsky, ESET

Italian job? Tax refund scam as Gaeilge in Irish mailboxes

Are we all getting €138.50 back from the taxman? No. But scammers with an Italian link are trying to convince Irish recipients they’re legit by sending a mail as Gaeilge.

ESET Ireland has detected many samples of an email, targeting Irish mailboxes, which has a subject “Tax Refund Application” and reads:

From: Revenue – Irish Tax <xxxxx@revenue.ie>

Revenue – Cin agus Custaim na hireann

Tar is na romhanna bliantil deireanach de do ghnomhaocht fioscach, n mr dinn a chinneadh go bhfuil t i dteideal a fhil ar aisoc cnach de € 138.50 EUR. Cuir do Iarratas Aisoc Cnach ag lonadh an eForm135. Beidh do aisoc a chur chuig do chuntas bainc sa 2-4 seachtaine seo chugainn.

Nta: Is fidir aisocaocht a moill ar chiseanna agsla, mar shampla, a chur isteach taifid neamhbhail n a bhfuil feidhm i ndiaidh an spriocdhta.

_______________________________________________

Revenue – Irish Tax and Customs

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of € 138.50 EUR. Complete your Tax Refund Application by filling the eForm135. Your refund will be sent to your bank account in the next 2-4 weeks.

Note: A refund can be delayed for various reasons, for example submitting invalid records or applying after the deadline.

The email prompts potential victims to fill a form, which, unsurprisingly, leads to a website at http://www.comunespoleto.gov.it, which is an Italian address, then redirects to an Australian-hosted fake website, registered in USA, equipped with all the official markings of Irish Tax and Customs, which asks for personal, bank and card details, which the scammers can then rob.

revenue

(click for full size image)

Any Irish speaker would quickly recognise the translation as a poor Google Translate job, and the scammer’s sloppy copy-paste even removed all the accented characters from the text, which makes it rather useless, but an average unfamiliar user could still be fooled by the fact the mail and forged website are rather official-looking. Phishing mails like this one, using a relatively rare language to address potential victims, show how the cybercriminals are targetting even small countries, just for a chance of profit. The long global path of the scam (Irish targets via Italian link via Australian site with an American site registration) on the other hand shows the complexity of the global business that is cybercrime.

ESET Ireland recommends Irish computer users be on the lookout for scams like this one. Do not reply to the email, do not follow its bad links and never ever give your personal and banking details to such online forms.

by Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland

Five million Gmail credentials posted online

According to reports that started to appear on Reddit and other forums on September 9, some five million account credentials were published that have a Gmail address as the user name. For example, if you subscribed to a newsletter on the finegardenz.com site using gthumb99@gmail.com as your user name and the password thumbsup then it is is possible this may have been made public. How? Possibly finegardenz.com was hacked at some point in the past.

The site where the data was published referred to itself as Bitcoin Security and the language of the site that published the email addresses with matching passwords is Russian.

Some people who reviewed the data said that in most cases, the passwords were five years old and did not allow access to their accounts. However, apparently some were still current and reports of attempts to use the credentials have been seen. The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.

A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site — Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.

The Russian site CNews was the first to publish a story about the credentials and connected them to other recent leaks such as the one affecting Yandex, a popular search engine in Russia. Later TheDailyDot published a screenshot of leaked credentials belonging to Spanish, English and Russian speakers.

Representatives from Google and Yandex issued assurances that their systems had not been compromised, but as mentioned above, the keys had been stolen by phishing campaigns and unauthorized access to user accounts (in other words, not leaked by the system for which the credentials were created, but by users of those systems).

Obviously, Gmail account credentials themselves are of great value, given that they provide access to so many Google services, such as Google+ and Google Maps. Access to those two services alone could potentially reveal your home address and allow a stranger to see who your friends are. The lesson here is that if you use a Gmail address as a user name at some site or online service, you should NOT use your Gmail password with that. Remember: different passwords for different sites/services.

For safety’s sake, I just went and changed my Gmail password and I suggest you consider doing the same, even though it is a real pain. I already have two-factor authentication enabled on my Google account and recommend you do this for Google and other accounts that support it. Here is a handy list for some popular services that offer 2FA:

I hope this helps. I also hope we see some arrests of the criminals who keep exposing other people’s private information: doing so is illegal in most countries and a total jerk move wherever you live.

by Stephen Cobb, ESET & Sabrina Pagnotta, ESET LATAM

About life, universe, radio, trojans, cybercrime and everything…

cry

…ok, maybe a bit less about the universe and everything, but definitely about radio, trojans and cybercrime. :)

Yesterday I was again given the opportunity to talk to their listeners about cybersecurity by Community Radio Youghal 104FM. As I have already pointed out in a previous blog ’Listen to the radio’, along with my gratitude for giving me a chance to help their listeners stay safe online, it is very important for people to stay informed about latest threats, so that they may better know how to avoid them.

It is the cybercriminals’ job to keep coming up with new tricks (and new variations of old ones) all the time, in order to keep making money off their victims. According to one of our surveys, one in four Irish has lost money because of cybercrime, with total damages going into hundreds of millions. On the other side, in the IT security business, it is our job to prevent that from happening. A cat and mouse, cops and robbers game, but one in which computer users can actually make a huge difference if they take proper defensive measures.

In yesterday’s radio chat, the most attention was paid to a Trojan, that’s been hitting Irish mailboxes lately, disguised as a purchase order email. As was pointed out, the cybercriminals are using people’s curiosity to get them to install the malware on their own computers, but the scary thing about the Trojan itself is that people won’t even know it’s there. It doesn’t crash or slow down their computer; it just sits there quietly, making their computer completely vulnerable to cybercriminals to remotely control it for whatever nefarious purposes they chose. They could make it into a ‘zombie’, a part of a botnet, used to send spam mail, participate in hacking attacks or for distributing illegal content. All without the owner knowing anything about it, until, possibly, the law enforcement shows up at their door…

So, this is just one of the many types of threats preying on the unwary, there are many new ones being devised by the bad guys as we speak. But the internet is not that unlike the real world. Sure there are dangers and bad people around, but if you act responsibly and are aware of your surroundings, it is a fun and pleasant thing to explore. So rather than imagine the cyber-world as a dangerous place, know its bad sides and avoid them. Want to know ‘how to’? ESET Ireland’s blog’s ‘how to’ selection is a good place to start. Or listen to the radio. ;)

by Urban Schrott, ESET Ireland

Monthly Threat Report: August 2014

Top_10_ELG_ago_14_1200x627eng-01

The Top Ten Threats

 

1. Win32/Bundpil

Previous Ranking: 1

Percentage Detected: 2.18%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address, and it tries to download several files from the address. The files are then executed and the HTTP protocol is used.  The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

 

2. JS/Kryptik.I

Previous Ranking: 2

Percentage Detected: 1.83%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

 

3. Win32/Adware.MultiPlug

Previous Ranking: 7

Percentage Detected: 1.53%

Win32/Adware.Multiplug is a Possible Unwanted Application that once it’s present into the users system might cause applications to displays advertising popup windows during internet browsing.

4. Win32/RiskWare.NetFilter

Previous Ranking: 3

Percentage Detected: 1.46%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infeted computers to engage in unwanted behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install other malware.

 

5. LNK/Agent.AK

Previous Ranking: 4

Percentage Detected: 1.4%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and, additionaly runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability was known as Stuxnet was discovered, as it was one of four that threat vulnerabilities executed.

 

6. Win32/Sality

Previous Ranking: 5

Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run starts a service and create/delete registry keys related with security activities in the system and to ensure the start of malicious process each reboot of operating system.
It modifies EXE and SCR files and disables services and process related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

7. INF/Autorun

Previous Ranking: 8

Percentage Detected: 1.2%

INF/Autorun is generic detection of the AUTORUN.INF configuration file created by malware. The AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer

 

8. HTML/ScrInject

Previous Ranking: 6

Percentage Detected: 1.13%

Generic detection of HTML web pages containing script obfuscated or iframe tags that that automatically redirect to the malware download.

 

9. Win32/Ramnit

Previous Ranking: n/a

Percentage Detected: 1.1%

It is a File infector that executes on every system start. It infects dll and exe files and also searches htm and html files to write malicious instruction in them. It exploits vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotley to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

 

10. Win32/Conficker

Previous Ranking: 9

Percentage Detected: 1.08%

Win32/Conficker is a worm that spreads by exploiting a vulnerability in Server Service. The file is run-time compressed using UPX. When executed, the worm copies itself into the %system% folder using the name %variable%.dll.

The worm starts a HTTP server on a random port and it connects to remote machines to port TCP 445 in attempt to exploit the Server Service vulnerability. If successful, the remote computer attempts to connect to the infected computer and download a copy of the worm.

The worm will attempt to download several files from the Internet, and then they are executed. The worm contains a list of (1) URLs. Windows Firewall is disabled. This vulnerability is described in Microsoft Security Bulletin MS08-067.

Follow

Get every new post delivered to your Inbox.

Join 73 other followers