Targeted information stealing attacks in South Asia use email, signed binaries

In the past few months, we have analyzed a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan. During the course of our investigations we uncovered several leads that indicate this threat has its origin in India and has been going on for at least two years. The journey began with a code-signing certificate and an exploit and the scope of the investigation has widened ever since. In this blog post, we will highlight several interesting artifacts of the campaign, but more will be revealed in my upcoming presentation at the 7th International CARO Workshop in mid-May.

Code signing certificate

For part of this campaign a code signing certificate was used to sign malicious binaries and improve their potential to spread. This certificate was issued in late 2011 to an Indian company called Technical and Commercial Consulting Pvt. Ltd., based in New Delhi.
Code signing cert used to improve the spread of malware
When we started our investigation, the certificate had been revoked for files signed after March 31st 2012. We contacted VeriSign with evidence that this certificate had been used maliciously since it was issued and they promptly revoked the certificate unconditionally. Overall, we found more than 70 signed malicious binaries using this certificate. Since each signed sample comes with an authoritative timestamp, it is possible to draw a timeline depicting when these binaries were produced:

Figure 1 Timeline of signing times. Black lines represent one sample signing time

From the information we gathered, the attackers were actively signing malicious binaries from March until June 2012. Then, there is a gap in the timeline, from the beginning of July until the beginning of August 2012. We then see another spike in certificate usage (even though it had already been revoked) in August and September 2012. There are several possible explanations as to why there is a gap during the summer of 2012, but it is likely that this was the off-season for both the attackers and their targets.

Although the investigation started with this code signing certificate, we then discovered several similar unsigned samples that were used in this campaign. Some of them were collected as far back as early 2011.

Droppers and decoy documents

The first infection vector we saw used the well-known CVE-2012-0158 vulnerability. It is exploited through a specially crafted Microsoft Office document and allows arbitrary code execution. In the case we analyzed, a two-stage shellcode runs when the user opens an RTF document: first it sends information about the system to the domain feds.comule.com, then it downloads a malicious binary from digitalapp.org.

The other infection vector we found used PE files disguised as Microsoft Word or PDF documents, most likely distributed through email. When the user executes the file, the malicious program downloads and executes additional malicious binaries (more on these executables below). To evade suspicion by the victim, a decoy Word document is shown to the user. We have identified several different documents that followed different themes.

One of these themes is the Indian armed forces. We do not have inside information as to which individuals or organizations were really targeted by these files. However, based on our detection metrics, it is our assumption that people and institutions in Pakistan were targeted.

The text in this first document seems to be a collage of various sources. The fake PDF document was delivered through a self-extracting archive called “pakistandefencetoindiantopmiltrysecreat.exe”:


This other PDF document was delivered through an executable called “pakterrisiomforindian.exe”:

In this case, the text comes from the Asian Defence blog, a blog aggregating Asian military news. Our telemetry data shows that this file was first seen in August 2011 on a system in Pakistan.

Payloads

We found many different types of payloads installed by the droppers; all of them are geared towards exfiltrating data from an infected computer to the attackers’ servers. The following table groups the binaries into families and details their general characteristics.

Category: Description
Downloader: Downloads executables from the C&C and executes them.
Document uploader: Searches for and uploads documents (csv, pdf, doc, docx, xlsx, etc.) found in the Recycle Bin and in the “My Documents” folder.
System information gathering: Sends information about the infected system to the C&C using GET requests. It uses WMI to gather details such as the antivirus installed on the machine, the OS version and the presence of files to upload.
Keylogger: Records keystrokes and sends the log to the attacker’s server using POST requests.
Screenshot: Takes a screenshot of the desktop and sends it to the C&C.
Connect-back shell: Continually tries to connect back to a hardcoded IP address and allows the attacker to open a remote command shell.
Public tools: We found two public NirSoft tools (WebPassView and Mail PassView) signed with the malicious certificate. These legitimate tools can be used to recover passwords used in email clients or stored in browsers.
Self-replication through removable drives: Monitors removable drive insertion events and copies different malware files to the inserted drive. It tries to lure the user into executing one of the copied files by renaming it after an existing folder and hiding that folder.

The information stolen from an infected computer is uploaded to the attacker’s server unencrypted. The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation. The screenshot below shows a typical keylogger log:

The logs are very verbose and display the active window, the characters typed and the special keys in brackets. Since these logs are sent unencrypted, it is easy to detect the presence of an infected machine on your network by examining your HTTP network traffic.

In terms of persistence, many binaries we analyzed add an entry with a deceptive name to the Startup folder of the Windows Start menu. The screenshot below shows an example of such a Startup folder:

While this technique allows the different components of the attack to be launched after each system reboot, it cannot be labelled as stealthy. Since targeted attacks usually try to stay under the radar as long as possible, we were surprised to see this technique used in this case.

C&C infrastructure

Most of the analyzed binaries contain a URL from which additional components are downloaded or to which an infected system’s content is uploaded. Sometimes the C&C URL appears in clear text in the binary. Other times it is trivially obfuscated by adding one to every byte (a one-character rotation, ROT-1), as in the example below:

“gjmftbttpdjbuf/ofu” decodes to “filesassociate.net”
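
As an added example (not code from the original post, and not the malware’s own code), here is a small scanner that looks for C&C strings hidden by this kind of shift. It walks every run of printable bytes in a file, subtracts each shift value in turn (0 catches plaintext URLs, 1 undoes the ROT-1 encoding shown above) and keeps anything that then looks like a hostname or URL. The sample buffer, the domain regular expression and the minimum run length are this example’s own choices; only the ROT-1 string and the feds.comule.com domain come from the post.

```python
import re
import sys

# Hostname with at least one dot and a 2-6 letter TLD, optional scheme and path.
# The pattern is an assumption of this example; tighten it for your own triage.
DOMAIN_RE = re.compile(
    rb"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,6}(?:/[\x21-\x7e]*)?", re.IGNORECASE
)
PRINTABLE = frozenset(range(0x20, 0x7F))


def shift_bytes(data: bytes, shift: int) -> bytes:
    """Subtract `shift` from every byte, undoing a "+shift" obfuscation.

    shift_bytes(b"gjmftbttpdjbuf/ofu", 1) == b"filesassociate.net"
    """
    return bytes((b - shift) & 0xFF for b in data)


def printable_runs(data: bytes, min_len: int = 6):
    """Yield (offset, run) for each run of at least min_len printable bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i]
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:]


def find_shifted_domains(data: bytes, shifts=(0, 1)):
    """Return a list of (offset, shift, decoded_string) for every printable run
    that, after subtracting `shift` from each byte, contains a domain or URL."""
    hits = []
    for offset, run in printable_runs(data):
        for shift in shifts:
            m = DOMAIN_RE.search(shift_bytes(run, shift))
            if m:
                hits.append((offset + m.start(), shift, m.group(0).decode("ascii")))
    return hits


# Constructed sample: a few junk bytes, the ROT-1 string quoted in the post,
# and a plaintext URL on a domain the post names. Not a real malware sample.
SAMPLE = (b"\x00MZ\x90\x00" + b"gjmftbttpdjbuf/ofu" + b"\x00\x00"
          + b"http://feds.comule.com/x.php" + b"\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, shift, text in find_shifted_domains(blob):
        print(f"0x{offset:08x}  shift={shift}  {text}")
```

Run it against a dropper (`python rot_scan.py sample.exe`) to list candidate C&C strings with their file offsets. Expect some false positives at shift 1, since any printable run whose bytes happen to decode to something dot-separated will match; the offset lets you confirm each hit in a hex editor.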

We uncovered more than 20 domains linked to this campaign. While some still had an active DNS record, most of them did not resolve to an IP address. Using historical data around these domains, we were able to discover where these sites were hosted. It turns out that almost a third of all domains were hosted by OVH. This web hosting service has a reputation for hosting malware and spam content. In a recent HOSTExploit report it was ranked number 5 in the top 50 hosts for concentration of malicious activity served from an Autonomous System.

Most of the domain names are very close to real site or company names. This is a common tactic to try to conceal the true purpose of the C&C server. Two examples are “wearwellgarments.eu” and “secuina.com”. The former is very close to a real website called “wearwellgarments.com” while the latter looks like a misspelling of information security firm Secunia.

Origins of the malicious files

Analyzing this campaign allowed us to identify a few key indicators pointing to the geographic origin of these malicious files. We believe they all come from India. First, the code signing certificate was issued to an Indian company. In addition, all the signing timestamps are between 5:06 and 13:45 UTC, which is consistent with 8-hour work shifts falling between 10:36 and 19:15 in Indian Standard Time. This might seem a bit late, but considering that signing the binary is the last step in the development effort, it is likely that the malware authors were living in this time zone.

We also found several strings in the binaries that are related to Indian culture. In several scripts, a variable called ramukaka is used:

Ramu Kaka is a typical Bollywood-style servant in a house. Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit.

The most compelling argument is found in our telemetry data. We found that many malware variants tied to this campaign appeared in the same location over a very small period of time. Each variant had only minor differences from each other, strongly suggesting an attempt by a malware creator to evade detection by our product. These files all appeared in the same region of India.

Infection statistics

Our telemetry data shows that Pakistan is heavily affected by this campaign. The following graph shows the detection distribution we have observed for all the malicious files we linked to this campaign in the last two years.

Thanks to our sinkholing of three domain names used by this campaign, we were also able to gather statistics on the geographical location of infected hosts.

As one can see, the regional distributions in the last two graphs are very different: Ukraine and Kazakhstan account for three quarters of all IP addresses seen during the sinkholing operation. One explanation is that each domain serves only a specific sub-operation of the campaign. If that is the case, the sinkhole data gives only a very partial view of the whole campaign.

Conclusion

This post examined evidence of a far-reaching targeted campaign aimed at different targets throughout the world. Our analysis indicates that the entire campaign originates from India. Although we have seen a number of infections throughout the world, it seems that the most prominent target is Pakistan. Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns. String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work.

SHA1 Hashes

CVE-2012-0158 RTF Document:                  3b1d9d65159bea24ab1060e5603f9e3c2d38d08d
pakterrisiomforindian.exe:                   d859f1cf99049f89258c1faa59dcd97f587e45ac
pakistandefencetoindiantopmiltrysecreat.exe: 1db89237ef786c7f22a8d4cd7eccda8f6286a6de
Downloader:                                  08ce405f0a0277de355454862b164ffd94a7ea36
Document uploader:                           DB22E7DEA0C1CAF203072693485DE4E4FD2CB56A
System information gathering:                0D610F3F51750EADCF426E10E6DE5313605400FA
Keylogger:                                   AE7B9CFB10CD65B98C59DC012D6726B66BE92897
Screenshot:                                  A0DD0B8FD0C98E917BFDC96182088CAB5505CCD2
Connect-back shell:                          09D4ECA67B1D071E57C5951D97FE9DD9C62F1580
Self-replication through removable drives:   20A29D1F89C07BAFBB4C61CE208531D68125C8E

Detection Names

Below are ESET threat names related to this case:

Win32/Agent.NLD worm
Win32/Spy.Agent.NZD trojan
Win32/Spy.Agent.OBF trojan
Win32/Spy.Agent.OBV trojan
Win32/Spy.KeyLogger.NZL trojan
Win32/Spy.KeyLogger.NZN trojan
Win32/Spy.VB.NOF trojan
Win32/Spy.VB.NRP trojan
Win32/TrojanDownloader.Agent.RNT trojan
Win32/TrojanDownloader.Agent.RNV trojan
Win32/TrojanDownloader.Agent.RNW trojan
Win32/VB.NTC trojan
Win32/VB.NVM trojan
Win32/VB.NWB trojan
Win32/VB.QPK trojan
Win32/VB.QTV trojan
Win32/VB.QTY trojan
Win32/Spy.Agent.NVL trojan
Win32/Spy.Agent.OAZ trojan

Cybersecurity is “as important” as nuclear deterrent, says top U.S. admiral

Cybersecurity is among the top defense priorities of the United States, the U.S. Navy’s top admiral said this week – on the same level as strategic nuclear defense.

Admiral Jonathan Greenert, the Chief of Naval Operations, said that spending on cyber defense had continued even against a broader background of spending cuts.

Speaking to Reuters in Singapore before the Reuters Cybersecurity Summit in Washington this week, Greenert said, “The level of investment that we put into cyber in the department is as protected or as focused as it would be in strategic nuclear. It’s right up there, in the one-two area, above all other programs.”

Last week the Pentagon said for the first time that cyber attacks on the United States were directly attributable to China. “In 2012, numerous computer systems around the world, including those owned by the US government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” a Pentagon report said. China vigorously denied the reports, saying that the U.S. was “the real hacking empire.”

Greenert said that the Navy put particular importance on cybersecurity because its ships and planes depend heavily on computer networks.

“We’ve got to understand how to defend them, how to exploit them ourselves and how to, as necessary, be able to do offensive effects,” said Greenert. “Many people who look at the future of warfare say it’s bound to start in cyber. The first thing you’d want to do is shut down their sensors, interrupt their power grid, confuse them – and presumably guard against that kind of thing and recognize if it’s starting.”

Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole

Last week, our friends at Sucuri sent us a modified Apache web server binary that redirects some of its requests to the infamous Blackhole exploit kit. Sucuri has published a blog post on this attack.

Our analysis of this malware, dubbed Linux/Cdorked.A, reveals that it is a sophisticated and stealthy backdoor meant to drive traffic to malicious websites. We urge system administrators to check their servers and verify that they are not affected by this threat. Detailed instructions to perform this check are provided below. (You can find more about Blackhole here.)

In fact, Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. Although we are still processing the data, our Livegrid system reports hundreds of compromised servers. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.

Technical analysis of Linux/Cdorked

Here we provide the first technical analysis of Linux/Cdorked, which seems to be affecting hundreds of webservers right now. In the Linux/Cdorked binary all the important or suspicious strings are encrypted. As shown in the following image, a function is responsible for decrypting the strings on demand with a static XOR key.

The version of Linux/Cdorked that we have analyzed contains a total of 70 strings that are encoded this way. As shown in the following screenshot, the key used for encoding the data is 27A4E2DADAF183B51E3DA7F6C9E6239CDFC8A2E50A60E05F.

As mentioned before, Linux/Cdorked does not write any files to disk. Instead, it allocates around six megabytes of shared memory to keep its state and configuration information. This memory block, a POSIX shared memory region (shm), is used by all Apache child processes, but it can also be accessed by any other process on the host, since the malware authors did not restrict its permissions. The following screenshot shows the permission bits (read and write for everyone) assigned to the shared memory region.

There are two ways the attacker can control the behavior of the backdoored server: through a reverse connect shell or through special commands. Both are triggered via HTTP requests.

The Linux/Cdorked.A backdoor

The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path carries a query string in a particular format containing the hostname and port to connect back to. The query string is XOR-encrypted with a 4-byte key derived from the client IP address of the HTTP connection, and hex-encoded before it is sent. However, an IP address supplied in an X-Real-IP or X-Forwarded-For header overrides the real client IP as the key source. This means an attacker can send an X-Real-IP header of 0.0.0.0, which yields a key of “\x00\x00\x00\x00” and leaves the query string effectively unencrypted.

While the attacker uses the shell, the HTTP connection that created it stays open (the backdoor code does not fork). This means malicious shells can be found by someone with access to the server who checks for long-running HTTP connections. On the other hand, the triggering request does not appear in Apache’s log file, because of the way the malicious code is hooked into Apache.
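
The keying scheme described above, worked through as an added example (not code from the original post, and not the malware’s own code). The post states the rules used here: the query string is XORed with a 4-byte key taken from the client IP, an X-Real-IP or X-Forwarded-For header overrides that IP, and the result is hex-encoded. This example additionally assumes a “host:port” plaintext layout, that X-Real-IP is consulted before X-Forwarded-For, and that the first address in a comma-separated X-Forwarded-For is used; the post does not give those details. The IP addresses are constructed documentation addresses.

```python
import ipaddress


def xor_key_for_request(headers: dict, client_ip: str) -> bytes:
    """Derive the 4-byte XOR key the backdoor would use for this request.

    Header precedence is an assumption of this example (see lead-in).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ip = client_ip
    if "x-real-ip" in lowered:
        ip = lowered["x-real-ip"].strip()
    elif "x-forwarded-for" in lowered:
        ip = lowered["x-forwarded-for"].split(",")[0].strip()
    # 203.0.113.5 -> b"\xcb\x00\x71\x05"; 0.0.0.0 -> b"\x00\x00\x00\x00"
    return ipaddress.IPv4Address(ip).packed


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_trigger(host: str, port: int, key: bytes) -> str:
    """Produce the hex-encoded query value for a connect-back to host:port
    ("host:port" layout is an assumption of this example)."""
    return xor_with_key(f"{host}:{port}".encode("ascii"), key).hex()


def decode_trigger(hex_value: str, key: bytes) -> str:
    """Recover host:port from a captured query value, given the key."""
    return xor_with_key(bytes.fromhex(hex_value), key).decode("latin-1")


def overrides_key_with_zero(headers: dict) -> bool:
    """True when a forwarded-IP header would force an all-zero key.

    Legitimate proxies do not set X-Real-IP to 0.0.0.0, so this is a cheap
    thing to alert on in front-end proxy or WAF logs.
    """
    for name in ("x-real-ip", "x-forwarded-for"):
        value = next((v for k, v in headers.items() if k.lower() == name), None)
        if value is not None and value.split(",")[0].strip() == "0.0.0.0":
            return True
    return False


if __name__ == "__main__":
    key = xor_key_for_request({}, "203.0.113.5")           # constructed client IP
    enc = encode_trigger("198.51.100.7", 4444, key)         # constructed listener
    print(enc, "->", decode_trigger(enc, key))
    zero = xor_key_for_request({"X-Real-IP": "0.0.0.0"}, "203.0.113.5")
    print(encode_trigger("198.51.100.7", 4444, zero))       # plain hex of host:port
```

With the real client address as key, the captured query value is unreadable without knowing that address; with X-Real-IP: 0.0.0.0 the same value is just the hex encoding of the plaintext, which is why that header is worth flagging even though the request itself never reaches the Apache access log.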

Redirection in Linux/Cdorked.A

When redirecting a client, the malware appends a base64-encoded string to the query string of the redirect URL. It carries information such as the originally visited URL and whether the original request was for a JavaScript file, so that the exploit kit server can serve the right payload.

An example redirection looks like:

Location: hxxp://dcb84fc82e1f7b01.xxxxxxgsm.be/index.php?j=anM9MSZudmNiaW11Zj1jY3Zja3FqdSZ0aW1lPTEzMDQxNjE4MjctMzYwNDUzNjUwJnNyYz0yMzImc3VybD13d3cuaW5mZWN0ZWRzZXJ2ZXIuY29tJnNwb3J0PTgwJmtleT0xM0Q5MDk1MCZzdXJpPS9mb3J1bS93Y2YvanMvM3JkUGFydHkvcHJvdG9hY3Vsb3VzLjEuOC4yLm1pbi5qcw==

After decoding, the following parameters appear:

js=1&nvcbimuf=ccvckqju&time=1304161827-360453650&src=232&surl=www.infectedserver.com&sport=80&key=13D90950&suri=/forum/wcf/js/3rdParty/protoaculous.1.8.2.min.js

The “surl” parameter shows the infected host and the “suri” indicates what the original requested resource was.
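
The decoding above, as an added example (not code from the original post). It takes the Location header quoted in the post (host defanged as in the post), base64-decodes the j= parameter and splits it into fields, then produces a one-line triage summary. Reading js=1 as “the original request was for a script” is this example’s interpretation of the post’s description; the function and parameter names are its own.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The Location header quoted in the post (host defanged as in the post).
LOCATION = (
    "hxxp://dcb84fc82e1f7b01.xxxxxxgsm.be/index.php?j="
    "anM9MSZudmNiaW11Zj1jY3"
    "Zja3FqdSZ0aW1lPTEzMDQxNjE4MjctMzYwNDUzNjUwJnNyYz0yMzImc3VybD13d3cuaW5mZWN0ZWRzZXJ2"
    "ZXIuY29tJnNwb3J0PTgwJmtleT0xM0Q5MDk1MCZzdXJpPS9mb3J1bS93Y2YvanMvM3JkUGFydHkvcHJvdG"
    "9hY3Vsb3VzLjEuOC4yLm1pbi5qcw=="
)


def decode_cdorked_location(location: str, param: str = "j") -> dict:
    """Extract and decode the base64 blob a Cdorked redirect carries.

    Returns the inner key/value pairs as a dict (first value per key).
    """
    url = urlsplit(location.replace("hxxp://", "http://", 1))
    blob = parse_qs(url.query).get(param, [None])[0]
    if blob is None:
        raise ValueError(f"no {param}= parameter in Location")
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    inner = base64.b64decode(blob).decode("ascii")
    return {k: v[0] for k, v in parse_qs(inner, keep_blank_values=True).items()}


def summarize(fields: dict) -> str:
    """One-line triage summary: which host was infected and what was requested."""
    origin = (f"{fields.get('surl', '?')}:{fields.get('sport', '?')}"
              f"{fields.get('suri', '')}")
    kind = "script" if fields.get("js") == "1" else "page"
    return f"{kind} request to {origin} redirected"


if __name__ == "__main__":
    fields = decode_cdorked_location(LOCATION)
    for k, v in fields.items():
        print(f"{k:>9} = {v}")
    print(summarize(fields))
```

Fed with Location headers harvested from proxy logs or a web crawl, the surl and suri fields identify the compromised server and the resource whose response was hijacked, without having to visit the exploit kit landing page.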

After the redirection, a web cookie is set on the client so it is not redirected again. This cookie is also set if a request is made to a page that looks like an administration page: the backdoor checks whether the URL, the server name or the Referer matches any of the following patterns: ‘*adm*’, ‘*webmaster*’, ‘*submit*’, ‘*stat*’, ‘*mrtg*’, ‘*webmin*’, ‘*cpanel*’, ‘*memb*’, ‘*bucks*’, ‘*bill*’, ‘*host*’, ‘*secur*’, ‘*support*’. This is probably done to avoid sending malicious content to administrators of the website, making the infection harder to spot. The following screenshot shows part of the code responsible for handling the web cookie.

A few other conditions must be met before redirection happens; for example, the presence of the Accept-Language, Accept-Encoding and Referer headers is checked.
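
A model of the gating described in the last two paragraphs, as an added example (not the malware’s code and not from the original post beyond the rules it lists). Requests whose URL, server name or Referer match one of the admin-looking patterns get the cookie and no redirect; a client that already carries the cookie is left alone; Accept-Language, Accept-Encoding and Referer must be present. The cookie name, case-insensitive matching and the order of the checks are assumptions of this example, and the post mentions further conditions (user-agent and IP lists, see below) that it does not model.

```python
from fnmatch import fnmatchcase

# Patterns quoted in the post. Matching is done case-insensitively here;
# whether the real code folds case is not stated in the post.
ADMIN_PATTERNS = ("*adm*", "*webmaster*", "*submit*", "*stat*", "*mrtg*",
                  "*webmin*", "*cpanel*", "*memb*", "*bucks*", "*bill*",
                  "*host*", "*secur*", "*support*")
REQUIRED_HEADERS = ("accept-language", "accept-encoding", "referer")
COOKIE_NAME = "seen"   # assumption: the post does not name the cookie


def looks_administrative(url: str, server_name: str, referer: str) -> bool:
    """True if any of the three values matches one of the admin-like globs."""
    return any(fnmatchcase(value.lower(), pat)
               for value in (url, server_name, referer)
               for pat in ADMIN_PATTERNS)


def has_cookie(headers: dict, name: str = COOKIE_NAME) -> bool:
    """True if the (lower-cased) header dict carries a cookie called `name`."""
    cookie = headers.get("cookie", "")
    return any(part.strip().split("=", 1)[0] == name for part in cookie.split(";"))


def decide(url: str, server_name: str, headers: dict) -> str:
    """Return what the modelled backdoor does with a request:
    'pass'      no action (already marked, or required headers missing)
    'mark'      set the cookie but serve the page untouched (admin-looking)
    'redirect'  send the visitor to the exploit kit and set the cookie
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if has_cookie(headers):
        return "pass"
    if any(h not in headers for h in REQUIRED_HEADERS):
        return "pass"
    if looks_administrative(url, server_name, headers["referer"]):
        return "mark"
    return "redirect"


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    visitor = {"Accept-Language": "en", "Accept-Encoding": "gzip",
               "Referer": "http://www.example.org/"}
    print(decide("/index.php", "www.example.org", visitor))        # redirect
    print(decide("/admin/login.php", "www.example.org", visitor))  # mark
    print(decide("/index.php", "www.example.org",
                 dict(visitor, Cookie="seen=1")))                   # pass
```

Two practical consequences of the listed patterns follow directly from the glob semantics: ‘*stat*’ also matches any path containing “static”, and ‘*host*’ matches hostnames containing “host”, so a test request meant to provoke the redirect should avoid both, carry all three required headers, and be sent from a fresh client with no cookies. The post also says the shared-memory configuration can carry a user-agent whitelist and an IP blacklist, which this model leaves out.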

Other Linux/Cdorked.A commands

We found 23 commands in Linux/Cdorked.A that can be sent to the server via a POST to a specially crafted URL. The request must also contain a cookie header starting with “SECID=”. The query string value must hold 2 hex encoded bytes that are encrypted with the client IP, using the same technique as the shell. The SECID cookie data will be used as arguments to some of the commands. We believe that the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region. We also believe that the conditions for redirection are set this way, for example, a white list of user agents to redirect can be preconfigured and a black list of IPs to avoid redirection.

This is the complete list of commands found in the binary we have analysed: ‘DU’, ‘ST’, ‘T1’, ‘L1’, ‘D1’, ‘L2’, ‘D2’, ‘L3’, ‘D3’, ‘L4’, ‘D4’, ‘L5’, ‘D5’, ‘L6’, ‘D6’, ‘L7’, ‘D7’, ‘L8’, ‘D8’, ‘L9’, ‘D9’, ‘LA’, ‘DA’.

Finally, some information about the status of the backdoor is returned in the ETag HTTP header, as shown in the screenshot below. We are still investigating the purpose of each of the commands and will publish our results as soon as the analysis is completed. In short, they all either add content to, or remove it from, the configuration in the shared memory region.

Linux/Cdorked.A Remediation

As previously mentioned, the permissions on the shared memory allocation are loose, which lets any other process read it. We have made a free tool (dump_cdorked_config.py) that lets system administrators verify the presence of the shared memory region and dump its content to a file. We also recommend using debsums on Debian or Ubuntu systems and `rpm --verify` on RPM-based systems to verify the integrity of your Apache web server package installation. (Remember, however, that the package manifest itself could have been altered by an attacker, so a clean verification result is not proof of a clean system.) Checking for the presence of the shared memory region is the recommended way to make sure you are not infected. We would be interested in receiving any memory dumps for further analysis.
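
An added example of the presence check, not ESET’s dump_cdorked_config.py and not code from the original post. The post gives two indicators: a region of roughly six megabytes and read/write permission for everyone. It does not say whether that region is a System V segment (listed in /proc/sysvipc/shm) or a POSIX object (a file under /dev/shm), so this check inspects both. The size window, the column handling and the sample /proc text are this example’s own; confirm the exact size on a known-infected host before relying on the window.

```python
import os
import stat
import sys

MIN_SIZE = 5 * 1024 * 1024   # assumption: "around six megabytes" per the post
MAX_SIZE = 7 * 1024 * 1024
WORLD_RW = stat.S_IROTH | stat.S_IWOTH     # 0o006

# Constructed sample of /proc/sysvipc/shm (column layout as in the kernel's
# sysvipc proc interface). Row 2 is the kind of segment we are looking for.
SAMPLE_SYSV = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768   600                 16384  1203  1203      1  1000  1000  1000  1000 1367000000          0 1367000000                 16384                     0
 338390012      65537   666               6291456  2211  2240      5    33    33     0     0 1367000100          0 1367000050               6291456                     0
"""


def parse_sysvipc_shm(text: str):
    """Parse /proc/sysvipc/shm text into dicts with shmid, perms, size, cpid, nattch."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        rows.append({
            "shmid": int(row["shmid"]),
            "perms": int(row["perms"], 8),   # perms column is octal
            "size": int(row["size"]),
            "cpid": int(row["cpid"]),
            "nattch": int(row["nattch"]),
        })
    return rows


def suspicious_sysv(rows, lo=MIN_SIZE, hi=MAX_SIZE):
    """Segments in the size window whose mode grants read+write to everyone."""
    return [r for r in rows
            if lo <= r["size"] <= hi and (r["perms"] & WORLD_RW) == WORLD_RW]


def suspicious_posix(entries, lo=MIN_SIZE, hi=MAX_SIZE):
    """entries: iterable of (name, st_mode, st_size) for files under /dev/shm."""
    return [name for name, mode, size in entries
            if stat.S_ISREG(mode) and lo <= size <= hi
            and (mode & WORLD_RW) == WORLD_RW]


def scan_host():
    """Read the live host. Returns (sysv_hits, posix_hits)."""
    sysv, posix = [], []
    try:
        with open("/proc/sysvipc/shm") as f:
            sysv = suspicious_sysv(parse_sysvipc_shm(f.read()))
    except OSError:
        pass
    try:
        entries = []
        for name in os.listdir("/dev/shm"):
            st = os.stat(os.path.join("/dev/shm", name))
            entries.append((name, st.st_mode, st.st_size))
        posix = suspicious_posix(entries)
    except OSError:
        pass
    return sysv, posix


if __name__ == "__main__":
    sysv, posix = scan_host()
    for seg in sysv:
        print(f"SysV shmid {seg['shmid']}: {seg['size']} bytes, mode {seg['perms']:o}, "
              f"created by pid {seg['cpid']}, {seg['nattch']} attached")
    for name in posix:
        print(f"/dev/shm/{name}: large world-writable object")
    sys.exit(1 if (sysv or posix) else 0)
```

A hit is a lead, not a verdict: confirm it by checking that the creating pid (cpid) belongs to httpd and that the attached count matches the number of Apache worker processes, then dump the segment for analysis. A clean result from this check says nothing about a backdoor that keeps its state elsewhere, so it complements rather than replaces package verification.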

At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content. We will publish more information on the scale and complexity of this operation in the days to come.

SHA1 of the analyzed binary: 24e3ebc0c5a28ba433dfa69c169a8dd90e05c429

By Pierre-Marc Bureau

Boston Bombings Scams

ESET Ireland have to issue practically the same warning whenever a tragedy occurs, but unfortunately it has to be done, as after every tragedy the same scams appear and people still fall for them and suffer financial damages and computer infections.

Shortly after the Boston Marathon tragedy news hit, an unverified Twitter account was already spotted asking for re-tweets, claiming that they will donate $1 for each. Though it was soon taken down, it was not the only one and in the coming days we expect many more scams to appear, all using the same tragedy as bait on their hook.

twitscam

Search engine poisoning is another favourite tactic by scammers, to direct people looking for information to their websites, where, again, several sorts of attacks are waiting for curious viewers.

Fake charity websites have appeared after every major disaster. While many get taken down quickly, some stay on just long enough to scam some compassionate people, trying to help the unfortunate victims.

Facebook posts, similar to the usual “I can’t believe what she did” fake videos, in this case offering “shocking unseen footage of blasts” or something similar, are the usual companions of pretty much every tragedy that has occurred in the recent years. These usually lead to survey scams or infected websites.

What to do?

If you want news on the matter, rely on known news sites and avoid unknown or shortened URLs as these may lead you to infected websites.

For charity aid, use known, trusted charities and preferably deal with them in person or on the phone.

Do not give your credit card number or any personal details to unknown websites asking you for them for any reason, whether it is charity donations, unlocking content, etc.

Be very careful about clicking “shocking footage” links on social media, as most footage is relayed by mainstream media anyway.

Do not repost or re-tweet chain letters or posts from unknown senders, as these often include malicious links and you can end up infecting your friends.

As always and with any online content, think before you click.

High cybercrime levels and worrying youth cyber-bullying, latest Irish survey shows

A new survey by ESET Ireland reveals what terrible things befall the Irish with regard to their computers and smartphones. One in five Irish people have had a laptop, smartphone or tablet stolen, and over 50 per cent have had a computer virus infection.

ESET Ireland, the distributor of ESET NOD32 Antivirus, has commissioned a survey to find out what endangers Irish computer and smartphone users the most. The research was carried out by Amárach research on 1018 Irish adults.

We asked Irish computer, smartphone and tablet users if they’ve experienced any of the following, and these are the results we got:

irishcybercrime

54% of Irish computer and mobile device users have admitted to having had their computers infected with various viruses. Although we have no way to prove the correlation with results of a survey we did a few months ago, where 45% of Irish computer users admitted to using free antivirus and 8% using pirated or no antivirus at all, these two numbers do add up to 53%, which being nearly exactly the percentage of the infected too, is an interesting coincidence.

We also didn’t quite expect the relatively high numbers of other distressing things that happened to Irish users. One in five had their laptop or device stolen, about one in seven had their credit card abused, their emails or social media account hacked, fell victim to a scam and 4% even had their identity stolen online. With over three million estimated Internet users in Ireland, we can guesstimate that up to a half a million people were victimized in this way.

A smaller, but not negligible 9% of people have also been victims of unauthorised use of their emails and social media by friends or family, colloquially known as “fraping” (a combination of Facebook and rape), something that usually occurs when people forget to log out. While usually only used to embarrass the victim and not for serious cybercrime, if it occurs with malicious intent among children, it can also be classified as or lead to cyber bullying.

Here it stops being funny, as 5% of all those surveyed admitted to being victims of some form of cyber bullying. Since the survey includes all age groups, the group most affected needed to be looked at more closely, and in the demographic breakdown a shocking 13% of the 15-24 age group said they had been cyber bullied. Since the phenomenon is predominant in even younger age groups, we can imagine that a survey focusing only on teenagers would give even scarier results. This should be very worrying for parents and teachers across Ireland. Over a year ago we did a survey in which we asked Irish parents whether they leave their children unsupervised online, and with up to 73% of children being left unsupervised, we find this very concerning, since Ireland has had some very publicised experience with cyber bullying.
Anti-theft and anti-scam technology can counter these threats, but can’t take over common sense and parenting responsibility

The high level of laptop and device theft is one of the reasons ESET introduced anti-theft GPS tracking technology in the latest version of its security products. To combat scams, ESET introduced anti-scam monitoring as well. But just as with all the safety features in a car and on roads, most still depends on the driver, and with computers it is no different. ESET cannot make users more responsible with their credit card information online, nor force them to use safer passwords to prevent email or social media abuse. Nor can we make people log out of their accounts, or stop them falling for scams if they ignore the warnings. And most importantly, no software can replace actual parenting or prevent children bullying each other if those responsible do not go about it in a cyber-aware manner themselves.

Online security is more than just installing an antivirus and a firewall. It is also knowing about threats and staying informed, as well as acting responsibly when using computers, smartphones and other devices, since, as can be seen from the statistics above, threats come in many shapes and forms and some can also have terrible consequences.

Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Job Scams: Nice Work If You Can Get It

The ESET blog format must be striking a real chord with people. At any rate, job offers are just pouring in. Except that they don’t seem to be jobs for security bloggers, or for web developers like the team that maintains this site.

What qualifies us for an unspecified role in a hotel in Canada, I wonder? Perhaps they need someone to polish their emails. Some of the wording has a strong whiff of the West African 419, and after all, we’re not short of editing talent round here. But as our colleagues at ESET Ireland pointed out recently, at a time when the global economy is in crisis, there are all too many people solving their own employment and financial problems by scamming the unemployed, and job scams are an obvious way of grabbing their attention.

Let’s take a look at the danger signs we can see in some recent examples. Some text has been redacted and reformatted, but I haven’t corrected spelling or grammar – I’m not here to make scammers look better.

Dear Sir/Madam,

Lack of personalization usually suggests spam, if not an outright scam. In this case the message was sent to a contact address, not a real person, which in itself indicates that the message was sent to a list of randomly harvested email addresses in the hope of finding a few victims. I can’t say I’m not pestered from time to time by agencies wanting me to apply for positions that have very little to do with my skillset and employment history, but at least they usually know my name. Sometimes, however, the scammer does know something about you because he found your details on Craigslist or CareerBuilder, so the use of your real name is by no means a guarantee that the offer is genuine.

I am Miss Eliza Johnson from Canada,am The Manager Of Travelers Inn Hotel,The Hotel Need Man And Woman Who Can Work And Live In Traveler Inn Hotels here in Canada.

The lack of information on what these jobs actually are is highly suspicious. There are jobs that don’t require any specific experience or vocational qualifications, of course, but if they can’t even be bothered to invent a job title, that suggests that all they’re interested in is in making money out of applications for a job that doesn’t exist.

On the other hand, it’s not unusual to see other versions of this scam where there’s a long list of available jobs from pool attendant to restaurant manager. (The list below is extracted from one such message: hence the different text colour.) But is unemployment really so low in Canada that hotels are prepared to offer packages like the one below for jobs that (in some cases at least) require no particular skills?

**Free Air Ticket To Canada
**Paid Vacation benefit
**Regular training and promotion
**Study scholarship to one child of each Employee
**Medical care and accommodation for full time employees pension and Gratuity

The hospitality industry must be a heck of a lot more generous than it was when I worked in pubs and hotels in the 70s… In fact, I’ve held senior management positions – rather more recently – that didn’t include a relocation package as generous as that.

Contact Email : [hotel_related_name]@worker.com

This is a major red flag. While worker.com sounds like an appropriate domain for the content, it’s actually one of around 200 domains offered by mail.com, a provider of free email accounts associated with a popular website provider. While this is an entirely legitimate service, the availability of addresses on domains like lawyer.com and accountant.com has obvious attractions for scammers looking for credible email addresses. (Though it’s hard to imagine an address at politician.com inspiring much trust, but maybe that’s just me.) Next time you’re halfway tempted by an email with a confidence-inspiring reply address, that list of free address domains is worth checking.

The yahoo.ca mail from which the mail appears to have been sent is not the address to reply to. This is a common feature of 419s. It’s sometimes suggested that this is because they want a fallback address in case the other is closed down. (Yes, sometimes they are closed down, though not often enough.) In fact, the sender address is often forged. In such a case, the initial mail doesn’t really come through a major mail service like Gmail because of the risk that it will be picked up by outgoing spam filters. (It may be that the scammer doesn’t just send the first mail from his mail.com address because that service also has spam/AV filtering.)
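One way to automate the header tells just described (a Reply-To that is not the sending domain, a reply address on a free-mail vanity domain, a different contact address planted in the body) together with the visa-processing and advance-fee hooks this post discusses. This is an added example, not part of the original post; the sample message and every address in it are constructed, and the free-mail domain list is illustrative only.

```python
"""Header-and-body checks for the 419 job-offer pattern discussed above.
Added example, not ESET code; the sample message and the domain list are
constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Free-mail domains: the mail.com vanity domains named in the post plus a few
# common webmail providers.  Illustrative, not an authoritative list.
FREE_MAIL_DOMAINS = {
    "mail.com", "worker.com", "lawyer.com", "accountant.com", "politician.com",
    "chemist.com", "atheist.com", "gmail.com", "yahoo.com", "yahoo.ca", "aim.com",
}

# Phrases this post identifies as hooks of the scam.
HOOK_PATTERNS = {
    "visa_processing_offered": re.compile(r"\bvisa\b.*\bprocess", re.I | re.S),
    "advance_fee_mentioned": re.compile(r"\b(fee|western union|money\s*gram)\b", re.I),
}

# Constructed sample modelled on the hotel offer; every address is a placeholder.
SAMPLE_MESSAGE = """\
From: Eliza Johnson <eliza.johnson@yahoo.ca>
Reply-To: <travelers.inn.hr@worker.com>
To: undisclosed-recipients:;
Subject: Job Offer From Travelers Inn Hotel

The Hotel management will take care of your accommodation & flight ticket.
Also exercise on your visa processing.
Contact Email : travelers.inn.hr@worker.com
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain(address):
    """Lower-cased domain part of an address, '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess_job_offer(raw_message):
    """Return the scam indicators found in a raw RFC 822 message.

    The indicators are the ones the post walks through: a Reply-To that is
    not the sending domain, a reply domain on a free-mail provider, a
    different contact address planted in the body, and the visa/fee hooks.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_payload() if not msg.is_multipart() else ""

    body_domains = {_domain(a) for a in EMAIL_RE.findall(body)}
    indicators = {
        "reply_to_differs_from_sender": bool(reply_domain) and reply_domain != from_domain,
        "reply_to_on_free_mail": reply_domain in FREE_MAIL_DOMAINS,
        "body_contact_on_other_domain": any(d != from_domain for d in body_domains),
    }
    for name, pattern in HOOK_PATTERNS.items():
        indicators[name] = bool(pattern.search(body))
    return indicators


def scam_score(raw_message):
    """Number of indicators present; two or more deserve a hard look."""
    return sum(assess_job_offer(raw_message).values())


if __name__ == "__main__":
    for name, hit in assess_job_offer(SAMPLE_MESSAGE).items():
        print(f"{name:32s} {'YES' if hit else 'no'}")
    print("score:", scam_score(SAMPLE_MESSAGE))
```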

The Hotel management will take care of your accommodation & flight ticket . Also exercise on your visa processing.

Scams like this almost invariably offer help with visa processing. In fact, if you follow one of these through (though that’s not generally a good idea), you’ll usually find that they insist on processing your visa. Not to ensure legality, but because this is advance fee fraud, and this is one of the fees they’ll want to charge you for. However, there will probably be all sorts of other administrative fees and charges for purely imaginary services. I particularly like an example here where a job offer is dependent on the payment of £990 for an Active Secret UK Security Clearance Certificate and Affidavit of Oath of Terrorism. No doubt via Western Union, another legitimate service that scammers love.

If you have interest to work in the Hotel with us , please write to us back as soon as possible by copy and paste the email contact below :In order for us to move ahead in our selection process, could you please send your resume directly to the H.O.D Human Resources Department via their official email address been;

[name]@worker.com

Who would have thought that an organization large enough to have a Human Resources Department would be so tightfisted as to restrict it to a free email account on mail.com? The poor English is also an indication of malfeasance. However, there are variations on this theme that look far more convincing than this, better written and with graphical content that resembles real hotel site content.

they shall send to you the Hotel Official Application Form along with the job description details for you to choose the best position you can fit in for processing of your invitation and employment letterafter your resume/CV screening

Applicants Personal Information
Full Names……………..
Date of Birth…………..
Sex …………………..
Country of Origin……….
Occupation……………..
Marital Status………….
Job applied for…………
International passport no……
One passport photograph….. (scan & attach)
Phone number………………….
Residence Address………….
Resumes/Qualifications … (if you have any)

I’m not sure why you would want to fill this in as well as the Hotel Official Application Form. I’d certainly worry about giving away any information that might be useful for identity theft. (A criminal could carry out a successful impersonation with a lot less than this.) Especially at the very beginning of the job interview process. Though in fact, there’s no indication of an actual interview here, which is a big red flag in itself. However, sometimes there is a fake interview, usually over the telephone, so the offer of an interview is no guarantee that the job is genuine.

We wish you every success.

Best regards
Eliza Johnson
Good luck,And Welcome to Canada

Heartwarming. Unless you realize that this is a scam aimed at a particularly vulnerable social group, i.e. those who are desperate to find work. There’s something particularly chilling about the fact that this kind of exploitation is so often carried out by people who use their own poverty and lack of employment to justify their criminal activities.

There’s some good advice on the UK’s Crimestoppers site for dealing with this kind of employment scam, which I’ve paraphrased here with some added thoughts.

  • Check that the company exists
  • If it does, check with the company directly that the jobs exist
  • Be suspicious of poor English and presentation
  • Get information about the visa process and costs from the embassy of the country where the job is offered. (Unfortunately, some countries do have a convoluted and outsourced visa application process: in such a case, though, I’d expect the embassy to be able to confirm the bona fides of an officially approved agency.)
  • If they won’t let you make independent travel and visa arrangements, be deeply suspicious. Actually, run like the wind in the opposite direction.
  • Look out for email addresses from providers who offer free addresses with minimal or no identity checking.

Let’s be careful out there…

* By the way, I’d love to know why chemist.com and atheist.com are considered suitable domains for musicians. Feel free to contact askeset@eset.com with your suggestions, but there’s no prize. Not even iTunes credits. Scammers wishing to avail themselves of our editing services are also encouraged to write in: a good chuckle helps brighten a security blogger’s day.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Social media makes scams and hoaxes harder to spot

Can we trust our friends not to make questionable decisions on social media? Apparently not, because our friends might actually be scammers in disguise, or just not well-informed. In this article we freshen up three top tips for staying safe on social networks. But just in case you’re in any doubt about how important it is to proceed with caution on social media, consider these three factors:

  • The web is a dangerous place: The security company Sucuri scanned about 10 million websites and found 26% of them were compromised (hosting malicious injections or otherwise blacklisted).
  • People are sharing more personal data than ever: That’s not just a hunch, that was the finding of a seven-year study by researchers at Carnegie Mellon University: Silent Listeners: The Evolution of Privacy and Disclosure on Facebook.
  • Consumers are not the only victims: Criminals conducting cyber attacks against companies are finding social media a great resource (there are several social media attack scenarios in the recently published Trustwave 2013 Global Security Report).

So what are some strategies for staying safe and minimizing risk while using social media (assuming you’ve decided you can’t live without social networks, which is understandable for many people and companies)?

The sanity check

What do you do when you see a link in a friend’s tweet, Facebook or LinkedIn update, Instagram or Snapchat posting? Do you click on it right away or do you think before you click? Hopefully your brain is wired to follow a pre-click thought process that includes these questions:

  • How sensible/relevant is this link? If your friends know you’re not interested in Justin Bieber or Selena Gomez, you should be suspicious of postings about them that seem to come from friends.
  • Do I trust the person who posted it? Some people expand their social networking connections by accepting every friend request they get. That is not a good idea. You should not accept requests to connect from people with whom you have no connection. Here’s one way to explain this, particularly if you have kids: Would you invite every one of your social media friends over for dinner? If not, who would you not invite? Should those uninvited guests be friends?
  • How likely is this post to be from that person? Hopefully you do know your friends on social media well enough to tell if an update is out of character for them. If you see such a post, question them. Their account might have been hacked, or it could be a fake. (Bear in mind there are more than 70 million fake Facebook accounts out there right now and several million of those are thought to be malicious.)
  • Can I get to the linked content through a more trusted channel? If you see a news report on social media that a famous person has died please check the facts before spreading the story. Phoney news stories are often laced with links that lead you to places you don’t want to go.

The out-of-band strategy

No, I’m not talking about quitting your garage band. The term “out-of-band communication” refers to using one channel of communication to verify what is said in a different channel. Social media is not the only way to communicate. If you have any doubts about anything you see on social media why not verify it via a different communication channel, like the telephone, or SMS, or email, or even face-to-face. Think of the number of ways you can ask your friend Joe this question: “Hey Joe, did you really post that link to a Justin Bieber video?” If Joe really posted it, you have something to talk about. If he didn’t, then he is probably going to thank you for pointing out someone else is posting on his behalf (hint: he should change his password on that account right away).

If you are suspicious about a news story you see breaking on social media, go to a legitimate news website and see if you can confirm it. Most people I know think it’s a lot smarter to be the person who does not spread stories that are wrong or totally made up. In the long run you’re not going to keep a lot of friends if you get a reputation for always repeating everything without doing some kind of fact checking.

The stay informed strategy

If you use social media a lot it makes sense to stay informed about new developments, particularly in the area of scams. Even if you are not keen on social media yourself but work in IT security–or maybe you are your family’s IT security person, riding herd on kids or elderly parents–it is a good idea to keep your finger on the pulse of social media developments.

One website I find useful for this is Facecrooks. In fact, I subscribe to their updates via email to make sure I don’t miss any (just go to the bottom of the main page to sign up). You can also get updates from the Google Alerts service. Try setting one up for social media scams. That’s how I learned about this article describing kids using Instagram and Snapchat to avoid parental oversight.

Bonus tip: The social media scanner strategy

If all of the above sounds like a lot of mental effort, you’re right. The benefits of social media are many, but exemption from critical thinking is not one of them. However, there is some technology that can help you with this task of weeding out the flaky from the factual: social media scanning. As my colleague Righard Zwienenberg described in some detail last month, a social media scanner can protect you against common scams. He recounts the way the ESET Social Media Scanner flagged a “scandalous” Justin Bieber posting on Facebook that was part of a click-jacking scam (a time-wasting and potentially infectious type of scam we have described before).

The ESET Social Media Scanner is free. I recommend using it if you use Facebook. Even well-informed friends have been known to spread links that really should be banned, not for salacious content but for their infectious and deceptive nature.

By Stephen Cobb
ESET Security Expert

Scam conference invites: a tale of several cities

It’s not been a good week for spam, in my mailbox at any rate. Mostly, just half-hearted lottery scams like this:

Congratulations! Your Email was confirmed as winner of the Raffle draw Held in February, 2013 in Europe.
FOR CLAIMS
Send Name....
Phone..
( euroraffle1@bresnan.net )
Await response for claims.
Regards

Does anyone ever fall for scams this feeble? Well, just in case, I’ve warned all my email accounts that while I’m not an expert on legal matters, I’m pretty sure that email can’t win lotteries and they certainly shouldn’t be sending my money to pay registration fees, taxes, bribes, or whatever other excuse the scammer makes for taking money in advance. (It’s not called Advance Fee Fraud for nothing.)

I’m far more impressed by the little beauty below. Who wouldn’t be impressed by a conference that managed to get the famous Angelina Ballerina to organize it? Fortunately, Wikipedia told me that Angelina is a fictional dancing mouse, so I escaped being scammed by a whisker. But I avoided making a faux pas in the pas seul, so to squeak. Okay, I’ll stop now and let you read this gem:

Dear Sir/Madam,
It is a great privilege for us to invite you for the upcoming International combined conference meeting on Human Right and Global Financial Crisis, taking place from May 6th to 10th May 2013, here in United States of America, California.
The aims of the conference is to bring together researchers and practitioners in an effort to lay a ground work for future collaborative research, advocacy, and program development as well as to educate social service, health care and global financial sectors.
An expert faculty of speaker from Australia, Europe, Asia, Africa and USA will present a comprehensive review of leaders to discuss relevant, timely topics related to Global Financial Crisis with dynamic educational sessions, invaluable networking functions, career advancement opportunities and cutting-edge resources.
The 3rd Annual ECD Conference & Exhibition offers the most comprehensive learning experience in the field.
Registration is freely open to all interested participants; interested participants should contact the conference secretariat via Email below for more information for registration and accommodation.
Secretariat Email: wfpbca@aim.com
If you are a holder of passport that may require visa to enter the United States, you are to inform the conference secretariat at the time of sending your detail for registration, as the organizers of the event is responsible for all visa arrangements and travel assistance.
Once again we thank you for taking out your time in your busy scheduled to attend this conference meeting and we hope to see you at the event venue.
Yours Sincerely,
Ms. Angelina Ballerina
Program Coordinator

There were one or two other scam indicators of course:

  • The fact that a little googling found a very similar spam claiming that the very same conference was taking place in New York in March. (Don’t be too upset if it turns out that you live in one of the few American cities where it isn’t taking place. Though in this instance, it appears they forgot to mention which city in California was the chosen site.)
  • Then there’s the fact that Angelina also goes by the name Osmar Buzinhani, the proud (apparent) possessor of a gov.br email address. Is there no end to this mouse’s versatility?
  • No web site, no contact details apart from a free AIM address.
  • And the suggestion that the conference is responsible for organizing visa and travel assistance: this is a standard ploy for fake conferences, as a precursor to demands for an application processing fee (or something similar).

If you get something like this, don’t let your natural concerns over human rights issues and the fragile economy cloud your judgment. Not that these are the only topics used as a hook to draw you into the scam: variations on the conference theme include human trafficking, child abuse, racism, war-affected children and so on. They also misuse the names of entirely legitimate organizations such as the International Economic Development Council, UNESCO, and the UN, in order to target other NGOs and ‘people of conscience’.

Still, I must admit, Ms Ballerina’s English isn’t bad at all, for a Brazilian mouse. I bet she leads the authorities a merry dance. (Sorry, couldn’t resist.)

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Code certificate laissez-faire leads to banking Trojans

Code signing certificates are used to authoritatively identify a software publisher and to guarantee that the content the certificate signs has not been tampered with between the time it was signed and the time the user executes it. Unfortunately, we see more and more malware signed using fraudulently obtained or stolen code signing certificates. We recently witnessed such a case with a series of malicious binaries, all signed with the same digital certificate. This blog post will present some background on the signing certificate involved as well as a technical analysis of two distinct malware threats written by the author of this operation.

Digital certificate

The digital certificate used in this campaign was issued on November 19, 2012 by DigiCert to a company named “NS Autos”. According to www.societe.com, a company operating under that name briefly existed in France, but was dissolved in 2011, well before the digital certificate was issued.


We searched our entire sample database looking for all the binaries signed by this particular digital certificate. We found a total of 70 different files. Time to do some serious work.

Most of the files were written in .NET and perform several different types of malicious activities. There were droppers, downloaders, a screen locker and a banking Trojan. We have also found samples of Win32/Remtasu and Win32/Zbot. Win32/Remtasu is a Trojan that steals sensitive information, notably using a keylogger.

Analyzing the .NET samples made it obvious that they were all written by the same person, as the coding style is the same and variable names and classes are re-used across different assemblies. Looking at the code, it is quite obvious who wrote it and we were able to track his actions in many places across the web. After researching the virtual identity of this malware author, it appears that he originates from the Maghreb. One can see a progression in his creations and some refinement of his methods.

Sample analysis

We present analysis of two examples of this malware author’s work.

MSIL/Spy.Labapost.A

The first sample we will look at is a Trojan with Man in the Browser and webinject functionality. This sample is targeting a French bank and tries to fraudulently transfer money by automatically adding a money transfer recipient and stealing the account credentials.

Although the methods used to steal money from compromised accounts are not new, we don’t see them often in malware coming out of the Maghreb. Attacks on francophone bank users hailing from this region have historically been more focused on phishing attempts than banking Trojans [1]. Of course, they benefit from an additional advantage as they speak French fluently. Let’s take a brief look at the functionality of this Trojan.

The dropper for this Trojan tries to install itself on the system by mimicking an Adobe Flash Player update:

This technique is widely used and was seen in the infamous OSX/Flashback. Once the malware is installed on the system, it will periodically monitor browser processes. Once it detects that the user is browsing the targeted bank webpage, it will kill the browser window and open a .NET browser inside a new window.

Implementation-wise, it uses the .NET WebBrowser class to let the user browse the web inside a form. This new form tries to spoof the browser’s skin with an image, to make the user believe he is still in his own browser. All menu items and even the navigation bars are there just for looks; no menus or buttons actually work. Once this is in place, the user is effectively browsing his bank account in a browser totally controlled by the attacker. Opera, Internet Explorer, Chrome and Firefox each have their own skin implemented.

As one can see from the stacked screenshots, the malware author didn’t make much effort with the Internet Explorer skin, just reusing the Chrome one. Once the fake browser is started, a video capture process using Hycam2 is started. This is done to capture the user PIN as it must be entered through an onscreen numeric keypad.

As soon as the user accesses his account, a second browser will be started and will automatically try to add a new money transfer beneficiary. The new recipient’s information, such as account number, country and name, is downloaded from an external server using a GET request. As an extra security measure, the targeted bank can ask for an SMS-sent passcode before adding a new recipient. To bypass this security measure, the malware presents an input form to the user, trying to obtain the code the user has just received on his mobile.

Once this is completed, the credentials harvested in the first step, as well as the compressed captured video, are sent to the malware author through FTP or mailed to a Gmail address. The overall coding techniques of this malware are not on par with what we usually see in the banking Trojan scene, but some features that are proven to work, such as Man-in-the-Browser and webinjects, are nevertheless present. Maybe the author was inspired by major banking Trojans that implement these functions, such as Win32/Zbot.

Once the new recipient is added, the criminal can later log back in with the leaked credentials and attempt to perform the fraudulent transfer. As noted earlier, this is far from new, but it is interesting to see that this particular malware author, coming from the Maghreb, wrote some of these features from scratch.

MSIL/PSW.Stealock.A

The second particularly interesting sample is a screen locker. The following screenshot is what is displayed to the user once the binary is executed. It is then impossible to dismiss this screen or to access any other program on the computer.

Was the author inspired by some of the more prevalent ransomware families like Reveton? The price is certainly not steep at $4. Of course, if a user enters credentials, their credit card information is sent to the malware author.

If the user proceeds and enters his information, he will be sent to another website, regcon.com, which tries to automatically buy a piece of downloadable software for $49.99. This software is of course another piece of malware signed by the same certificate. Regular readers of We Live Security will know that such a ransom should never be paid. Like many ransomware variants, this one can be cleaned easily by rebooting Windows in safe mode and removing the registry key values that the malware sets for persistence (that is, to regain control of the machine after each reboot).

Conclusion

Malware signed with a fraudulently obtained certificate, like the one described here, is increasingly common these days. In order to obtain a code signing certificate, the applicant must go through a validation process.

The Certificate Authority (CA) issuing the code signing certificate is responsible for running these checks in order to verify the applicant’s identity. The details vary from CA to CA, but usually entail verifying the information provided by the applicant against publicly available information. In this particular case, it appears that a company that no longer existed was used to obtain the certificate.

Although a code signing certificate is only meant to ensure that a particular piece of software comes from the stated source and has not been tampered with in transit, it can give the user a false sense of security. Also, running a digitally signed binary displays fewer warnings to the user before it actually runs. Consider these two screenshots of the User Account Control dialog Windows shows when the user executes the installer for the MSIL/Labapost.A threat. The first screenshot is what the user sees when the executable is signed with a trusted certificate, while the second shows what appears after the certificate was revoked.

ESET notified DigiCert that it issued a fraudulent certificate and they were very responsive: the certificate was revoked in a matter of hours.

SHA1 Hashes

MSIL/Spy.Labapost.A: 341af6a41078035845cd22ee35057c8a03c86bb4

MSIL/PSW.Stealock.A: f26e2b09e3c135dd87602013b13867b7616a0c8f

[1] Goutal, Sébastien, “Francophile Phishers”, Virus Bulletin Magazine, April 2012

By Jean-Ian Boutin

NBC.com infected with malware for more than 24 hours?

Another high profile website has been hacked to redirect visitors to malicious URLs, websites that seek to infect visitors for further scamming and cyber fraud. Last week it was Facebook, this time it is the website of the National Broadcasting Company (NBC). The major American television network’s site at NBC.com was blocked for a time today by some web browsers, but untold thousands of visitors were exposed to infection.

Early indications are that the NBC.com site was in this infectious state for at least 24 hours.

Through ESET’s LiveGrid we can see the first reports of this infection were received February 20, at roughly 17:00 CET. Then there was a long gap until noon on February 21 (CET) when the reports started flooding in. It’s not clear whether the site was or was not infected during all of this time, but it could have been infected for a while with the iframe pointing to a non-existent location (in which case our backend processes would not have encountered any malicious content).

These attacks are employing iframes like the one seen here on NBC.com, to redirect legitimate visitors from NBC.com to an infected site that serves up an exploit kit.

A series of different websites have been compromised during this attack and are pointed to by the iframe. The above is just one of them. ESET has been updating its blocking of these sites throughout the duration of the campaign. These include but are not limited to:

During the attack, ESET products blocked the main NBC website to prevent users being compromised. Now that the site has been completely cleaned, ESET has removed the block. Several other related sites are still infected, exposing the users to risk. These will stay blocked until the site is cleaned. Here is what happens when an ESET Smart Security user tries to go to one of those blocked sites, or is directed there by an iframe:

In this particular case, the dangerous content referred to in the ESET warning is the RedKit exploit kit, one of a rapidly growing number of software packages used by criminal hackers to exploit common software vulnerabilities such as the Java vulnerability (CVE-2012-0507) that led to last year’s Flashback Trojan outbreak on Macs.

The exploit is trying to download multiple files to victim machines. Not surprisingly these files are dubious in character. One of the files being served up is a downloader called Win32/TrojanDownloader.Vespula.AY which, again not so surprising, attempts to download some more artifacts that are currently being analyzed. Other downloads are detected as Trojan.JS/Exploit.Agent.NCX.

Most of the URLs on the compromised NBC site pointed to Redkit-affected sites, but at least one of them was pointing to a Styx Exploit Pack-affected site.
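The injected-iframe pattern described above, as a detection check run over a constructed page. This is an added example and not ESET’s detection logic; the page HTML and host names are placeholders. An iframe is reported only when it points off-site and is also concealed from the visitor (1x1 size or hiding CSS on it or an ancestor), since ordinary off-site embeds are routine.

```python
"""Flag hidden, off-site iframes of the kind injected into NBC.com to send
visitors to an exploit-kit landing page.  Added example, not ESET's
detection; the page HTML and host names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate embed on the site's own CDN and one injected
# iframe, hidden by size and CSS, pointing at a stand-in for a compromised host.
SAMPLE_HTML = """<html><body>
<h1>Tonight's schedule</h1>
<img src="/logo.png">
<iframe src="https://video.example-network.test/player?id=42"
        width="640" height="360"></iframe>
<div style="position:absolute; left:-9999px; top:0">
  <iframe src="http://compromised-host.example/index.php"
          width="1" height="1" style="visibility:hidden"></iframe>
</div>
</body></html>"""

# CSS that keeps an element from being seen: display/visibility or a large
# negative offset (the injected iframes were invisible to the visitor).
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                        r"(?:left|top)\s*:\s*-\d{3,}", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class IframeCollector(HTMLParser):
    """Collect every <iframe> together with the inline styles of its ancestors."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._style_stack = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            a["_ancestor_css"] = " ".join(self._style_stack)
            self.iframes.append(a)
        if tag not in VOID_TAGS:          # void tags never get an end tag
            self._style_stack.append(a.get("style", ""))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._style_stack:
            self._style_stack.pop()


def _tiny(dimension):
    """True for a width/height of 0 or 1 (pixels); missing values do not count."""
    m = re.match(r"\s*(\d+)", dimension or "")
    return bool(m) and int(m.group(1)) <= 1


def find_injected_iframes(html, page_host):
    """Return iframes that point off-site AND are concealed from the visitor."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for fr in collector.iframes:
        host = (urlparse(fr.get("src", "")).hostname or page_host).lower()
        off_site = host != page_host and not host.endswith("." + page_host)
        concealment = []
        if _tiny(fr.get("width")) and _tiny(fr.get("height")):
            concealment.append("1x1 or 0x0 frame")
        if HIDDEN_CSS.search(fr.get("style", "") + " " + fr["_ancestor_css"]):
            concealment.append("hidden by CSS")
        if off_site and concealment:      # off-site embeds alone are routine
            findings.append({"src": fr.get("src", ""), "host": host,
                             "why": concealment})
    return findings


if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_HTML, "example-network.test"):
        print(f"suspicious iframe -> {f['src']}: {', '.join(f['why'])}")
```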

We suggest all users make sure their antimalware program is up to date and web filtering is turned on. If you see a browser warning that says don’t go to a site, heed that warning, don’t go there, even if the site is a well-known one like NBC.

We will be updating this story as it develops, here and via Twitter @ESETNA.

Sébastien Duquette (ESET Malware Researcher, Canada) and Righard Zwienenberg (ESET Senior Research Fellow, Netherlands) provided screenshots and key data points for this article. Thanks!
