Slave Malware Analysis
During the last couple of weeks, Nathan Jester, Elman Reyes, Julia Karpin and Pavel Asinovsky got together to investigate the new “Slave” banking Trojan. According to their research, the early version of the Slave performed IBAN swapping in two steps with great resemblance to the Zeus “man-in-the-browser” mechanism. First, the host header is compared to a hard-coded bank name. If the match is successful, the hard-coded HTML tag is searched throughout the request body and the content is swapped if it matches the IBAN pattern. Then, After the browser infection which takes place in the exact manner as the later version, the malware places hooks on the outbound traffic functions. The latest version of the Slave is, of course, much more sophisticated than the first one and include creation of registry keys with random names, IE, Firefox and Chrome infections, kernel32.dll hooks and more. However, one of the most interesting capabilities of the Slave is the timestamp check. As can be seen in the screenshot below, the malware is conditioned to run before April 2015 and not after that so the sample is basically "valid" for two weeks only, probably to avoid research and detection. Click here to download the full technical Malware Analysis Report. Or here for the Executive Summay Report. To learn more about F5 Security Operation Centers, visit our webpage. -- Editors Note: F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.
UAE Cybersecurity Threat Landscape Growing in Intensity and Complexity
Leading UAE IT decision-makers agree that cybersecurity threats are growing in intensity and scale across the region. According to a new survey commissioned by F5 Networks,81% of surveyed IT decision-makers believed their organisation was more vulnerable than ever to cybersecurity threats. 82% ranked their organisation’s vulnerability to cybercrime, hacking and “hacktivism” as “very” or “extremely” vulnerable, and 79% agreed that it is more difficult than ever to protect their organisations from associated security threats. Worryingly, only 8% are completely confident their organisation has consistent IT security measures across its entire IT network. 34% said their marketing and sales efforts were most vulnerable to attacks, 28% cited email, 27% employee data and 24% customer information.Common cybersecurity threats include distributed denial of service (DDoS) attacks, phishing/spear-phishing emails, data theft, “zero-day” software assaults, web application exploits, and website defacement. The top cybersecurity challenges listed in F5 Networks’s survey include changing motivations for hacking (33% of respondents), the virtualization of server desktops and networks (31%), difficulty in managing a variety of security tools (29%), the increasing complexity of threats (29%), the shift from datacentre-focused infrastructure to the cloud (25%) and the move from traditional client-server applications to web-based applications (24%). In order to adapt and cope, 57% of decision-makers wanted a better understanding of the different types of security threats, 24% called for consolidated management of their different security tools, and 20% wanted a stronger focus on security issues from management.Dyre Malware Analysis
Dyre, also known as Dyreza, is a banking Trojan that was first seen around June 2014. With the combination of its ability to steal login credentials by browser hooking and bypassing SSL, its man-in-the-middle (MITM) proxy server, and its Remote Access Trojan (RAT) capabilities, Dyre has become one of the most dangerous banking Trojans. The Dyre Trojan is designed to steal login credentials by grabbing the whole HTTPS POST packet, which contains the login credentials sent to a server during the authentication process, and forwarding it to its own server. The malware downloads a configuration file containing a list of targeted bank URLs. Each URL is configured to be redirected to Dyre’s MITM proxy server, on a different port for each bank. This allows the attacker to make a MITM attack by forwarding any user request to the bank and returning bogus data, including fake login pages, popup windows, and JavaScript/HTML injections. After all the information has been acquired by the attacker, he can remotely access the victim’s computer using a built-in VNC (Virtual Network Computing) module and perform transactions, data exfiltration, and more. How it works malware downloads a configuration file containing a list of targeted bank URLs. Each URL is configured to be redirected to Dyre’s MITM proxy server, on a different port for each bank. This allows the attacker to make a MITM attack by forwarding any user request to the bank and returning bogus data, including fake login pages, popup Malware behavior on a Win7-32bit system Surprisingly, the malware behaves differently on Win7-32bit, most likely due to security implementation differences. The method of registering itself as a system service is implemented on WinXP and 64bit systems (tested on Win7-64bit). On Win7-32bit, Dyre operates more similarly to the known Zeus malware by injecting code in the Explorer.exe process and operating from there. Man-In-The-Middle (MITM) Attack When a user enters his bank’s URL in the browser line, the Trojan is triggered and forwards the URL to the corresponding proxy server as stated in its configuration file. · The MITM proxy server forwards requests to the banks and disguises itself as the real user. · The returning response from the bank is intercepted by the proxy server. · Instead of the real response, the user receives a fake login page which is stored on the proxy server, and contains scripts and resources from the real bank’s page. The scripts and resources are stored in folders named after the unique port configured for each bank. · The information entered by the user is sent to the proxy server and then forwarded to the real bank server, allowing the attacker to log in instead of the user and perform operations on his behalf. The fake login page The fake page contains a script called main_new - , which is responsible for handling the objects presented to the user on the fake page and performing the MITM attack. The fake page contains an array of configuration parameters in the header. Some of the more interesting ones are: · ID. The unique identification of the bank, which is the same as the port number in the configuration file. · Incorrect login error. On each login attempt to the bank, the proxy server will forward the request to the real bank’s server and perform the authentication. If the authentication fails, it will also present an error to the user on the fake page. · Block message. If the MITM attack succeeds, the attacker is able to perform a transaction and block the user from accessing his account. This parameter stores the presented message. The F5 Solution Real-time identification of affected users - F5 WebSafe and MobileSafe are able to detect the user is affected by a Trojan and that the information provided by it to the customer is also sent to an unauthorized drop zone. Identification of malicious script injection – once downloaded to the client’s browser, WebSafe and MobileSafe make sure there has been no change to the site’s HTML. If such a change is detected, the customer is notified immediately. Protection against Trojan-generated money transfers - the combination of recognizing affected users, encrypting information, and recognizing malicious scripts is key to disabling Trojans from performing unauthorized actions within the account. WebSafe and MobileSafe detect the automatic attempts and intercept them. Malware research - F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat. To get the full technical detailed Malware analysis report click here. To download the executive summary, click here.iBanking Malware Analysis
Co-Authored with Itzik Chimino. --- iBanking is malware that runs on Android mobile devices. It is delivered via a new variant of the computer banking Trojan Qadars, which deceives users into downloading iBanking malware on to their android device. It can be used with any malware used to inject code into a web app. The malware enables cybercriminals to intercept SMS and bypass the two-factor authentication methods used by several banks throughout the world to authorize mobile banking operations. iBanking malware acts as a spy that can also of grab contact lists, steal bank account details, forward incoming voice calls, and record the victim’s voice, which enables it to overcome voice recognition security features that financial institutions are beginning to implement. Cyber criminals ultimately utilize iBanking malware to transparently complete money transfers on behalf of the infected targeted users. How the attack works Focusing specifically on the new variant of iBanking malware that targets Facebook users, the attack begins by infecting users’ devices with the Qadars banking Trojan via a drive-by download from an unsuspecting website. Qadars then intercepts the webpage and uses JavaScript to inject code into the webpage—in this case, a Facebook page—that presents users with a fake verification pop-up page upon initial login. This page requests the victim’s phone number and Android device confirmation. The victim then receives an SMS message on the verified device, which directs him to a page with instructions to download added security. Once the victim installs the iBanking malware, it cannot be removed if it was given admin rights during the install process. Remote control of the infected device Once the malware is activated by the user on his smartphone, the attacker gains administrator permissions on his device. The attacker can now control a vast amount of functions such as: 1. Allows applications to change network connectivity state. 2. Allows an application to send/read SMS messages. 3. Allows an application to automatically start when the system boots. 4. Allows an application read-only access to phone state. 5. Allows an application to access approximate location derived from network location sources such as WiFi and cell antennas. 6. Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed. 7. Allows an application to open network sockets. 8. Allows an application to write to external storage such as modify/delete SD card contents. 9. Allows an application to read the user's contacts data. 10. Allows an application to record audio such as phone calls and voice messages. Click here to read the full technical iBanking Malware Analysis Report by F5 SOC. To read more about F5 Global Security Operation Centers click here.Tinba Malware – New, Improved, Persistent
As investigated by Pavel Asinovsky, F5 SOC Malware Researcher, Tinba, also known as “Tinybanker”, “Zusy” and “HµNT€R$”, is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2014. Cybercriminals customized the leaked code and created an even more sophisticated piece of malware that is being used to attack a large number of popular banking websites around the world. The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine, so it can intercept HTTP requests and perform web injections. The new and improved version contains a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down. Tinba configuration file reveals browser injections of several targeted banks, mainly from Australia, but also from Germany, Spain, Finland, and Switzerland. There are multiple injection types, most likely bought in the underground from different Webinject writers. There is a generic VBV grabber, ATSEngine CC+VBV grabber, some specially crafted injections that are adjusted to each bank, and some other miscellaneous injections such as a Bitcoin stealer. Some of the man-in-the-browser (MITB) panels and files are hosted on different servers. The ATSEngine CC+VBV grabber is also widely used by the known Zeus Trojan, and is sold as a toolkit in the underground. This is a dynamic injection that can be updated easily on the server side without sending a new configuration to each bot, and it can be configured to steal credit card and other sensitive information from Google, Yahoo!, Windows Live, and Twitter websites. When an infected user logs in to his banking account, a specially crafted injection may produce a popup requesting additional details, credit card information, PIN/OTP authentication, or other info that may be used for fraudulent activities such as performing transactions, stealing sensitive data, and more. It all depends on the configuration of the malware and the script it injects. Some scripts may present false information in regards to the banking account, such as balance information, history of transactions, out-of-service messages, and more. Download Tinba full technical analysis report from here. Get your Tinba executive summary here.Nearly 5 million Gmail credentials leaked, really?
This month, almost 5 million Gmail credentials published in a Bitcoin security forum by a Russian hacker. According to RIA Novosty (one of the largest news agencies in Russia), this leak comes just a couple of days after the hackers published at the same forum 1.25 million Yandex accounts credentials and over 4.6 million Mail.ru credentials. But does it all true? In an interview published on the International Business Times right after the leak, a Google spokesperson has confirmed what many security experts had already suggested, that many of the passwords in question were likely taken from a website other than Google. “The security of our users’ information is a top priority for us. We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.” Also Yandex and Mail.ru published a very similar response to these publications which said that the databases containing the compromised email accounts comprised mostly inactive and hacked accounts which had been collected over a long period of time via phishing and Trojan viruses. The internal security systems of the companies were not compromised, they said. Using various techniques, the F5 SOC team analyzed the leaked database and the most common passwords are still the same as they were in the past. Here is a list of the top 25 passwords and how many times they appeared in the original leaked file: # Times Appeared Password 1 47,779 123456 2 11,524 password 3 11,145 123456789 4 8,083 12345 5 5,908 qwerty 6 5,241 12345678 7 3,515 111111 8 3,008 abc123 9 2,968 123123 10 2,904 1234567 11 2,706 1234567890 12 1,983 1234 13 1,973 iloveyou 14 1,852 password1 15 1,742 000000 16 1,722 27653 17 1,538 zaq12wsx 18 1,534 tinkle 19 1,514 qwerty123 20 1,450 monkey 21 1419 target123 22 1,395 dragon 23 1,384 1q2w3e4r 24 1,340 654321 25 1,326 123qwe If you want to make sure your account hasn’t been compromised, just click here and enter your e-mail address. Later that day, September 10 th , Google published on its security blog that out of the 5 million (so called) compromised accounts no more than 10,000 combinations of usernames and passwords are real. “We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.” F5 customers who use the WebSafe application level encryption have already taken an additional step forward to protect their end users. WebSafe encryption component encrypts the sensitive data sent by the end-user to the organization’s servers from the application level – meaning 100% of the way and not just on the network level (SSL level). When implemented on the organization’s website, WebSafe prevents theft of credentials and foils a Trojan’s abilities. F5 SOC recommends taking the following steps in order to keep all you private online accounts safe, from e-mail accounts to your online banking accounts: 1) Create a very strong password that contains at least two capital letters, 6 numbers & letters and two symbols. 2) Don’t wait to be asked by your provider to change your password! Change it on a regular basis every couple of weeks. 3) Don’t use the same passwords for all your accounts. 4) If offered, use second factor authentication for each account. 5) If you don’t remember all your passwords, do not keep them in one file on your laptop and make sure to add a password to each file. 6) Do not keep your passwords as a ‘Notes’ on you iPhone or iPad!! 7) Last but not least - be aware to which public Wi-Fi networks you are connecting to when traveling. You don’t want to be a victim to the next Man In The Middle attack…Neverquest Malware Analysis
Since the beginning of 2014 F5 SOC Malware investigations resulted in some new methods of Malware attacks operations, mainly in Eastern Europe where the Neverquest Malware was detected. Neverquest, also known as Vawtrak, is a banking Trojan that has been active since around July 2013, and is being used to attack a number of popular banking websites. Similar to the known Zeus banking Trojan, after infecting a system, the malware steals login credentials and sensitive information from the infected machine, gaining the ability to inject scripts to the victim’s browser and perform transactions. It also gives the attacker VNC access and SOCKS proxy server on the victim’s computer in order to gain full control of the infected machine. Neverquest uses social engineering to urge the victim to install a malicious application on his mobile device, which will forward sensitive SMS messages used for second factor authentication. Once the infected user enter the bank login page the MITB attack is getting activated and the victim is asked to enter his/her mobile phone number to download a “security certificate.”After the user enters his phone number, an SMS containing a link for downloading the malicious APK is sent to his phone. Each targeted entity has its own specially crafted APK. Here is a sample of the Android APK with the easy step by step installation guide. To download the full F5 SOC Neverquest Malware Analysis Report click here. An Executive Summary of the report can be downloaded here.Is your organisation a tempting target for DDOS?
PSN and similar services have huge customer bases and, due to their global nature, have a need to be available 24/7. This makes them very tempting targets for entities looking to create highly visible disruption or to steal large numbers of customer details. The challenge for these organisations and for any other large enterprise is twofold: - How to defend against ever evolving threats - How to do so effectively Typically, enterprise organisations use a multi-layered approach to defence comprising of cloud based mitigation to help with volumetric attacks and on-premise mitigation to protect their network perimeter using technologies such as firewalls and intrusion prevention systems. This would be considered best practice. The second challenge is how to defend effectively. The issue is companies typically have multiple autonomous systems in place, with limited integration and some key functional limitations at each layer. Cloud based solutions, for example, cannot process encrypted traffic unless the enterprise is willing to give the cloud provider access to their private certificate keys (which most are not), hence this traffic gets passed through. Therefore if an attack is encrypted it is already past the first layer of defence. Most on-premise firewalls have the same limitation: encrypted traffic is allowed through because the firewall typically does not have the capability to inspect the traffic at an application level and so the attack traffic breaches the on-premise protections too. Finally when we add volume to these attacks and blended attacks - multiple different attacks types at once - to the picture it’s easy to see how enterprises struggle to cope. So what’s the answer? Contextually-aware defence. In other words, defences that are aware of your applications, how they function and have visibility into the traffic going to and from them including that which is encrypted. Ideally this awareness will span both the cloud and on-premise components, giving better integration and the best possible chance of mitigating attacks before they start impacting service.“Anonymous” may attack World Cup 2014 sponsors
As it’s not enough for Brazil 2014 world cup organizers. In addition to the civilians protests against the local government for spending around $11.5 billion on an eight weeks football (soccer) tournament, now the worldwide hacktivists group ‘Anonymous’ has announced that they are planning to initiate dedicated DDOS attacks against World Cup 2014 corporate partners websites. “We have already conducted late-night tests to see which of the sites are more vulnerable," said the hacker who operates under the alias of Che Commodore, an Anonymous leading hacktivist. "We have a plan of attack, this time we are targeting the sponsors of the World Cup," he said in a Skype conversation with Reuters from an undisclosed location in Brazil. These sponsors have been written up on a hit list and include major corporations such as Coca Cola, Budweiser, Emirates Airlines and Adidas. This is not the first action to be taken by Anonymous as part of their protests against the Brazilian government extravagant policy. Early last week, in what could be the biggest cyber-security breach since the US National Security Agency allegedly spied on President Dilma Rousseff's personal communications, Anonymous posted over 300 documents extracted from the Foreign Ministry's computing network. They include a briefing of talks between Brazilian officials and US Vice President Joe Biden during a visit to Brazil in May 2013 and a list of sport ministers that plan to attend the World Cup. A hacker known as “AnonManifest” used a phishing attack to break into the Foreign Ministry's databases and eventually access its documentation system, Che Commodore told Reuters - "Until yesterday afternoon the hacker still had access to the system," he said. As a result, the Foreign Ministry closed down its email system after the attack and instructed its 3,000 email account holders to change their passwords. Federal police is still investigating the breach. A Foreign Ministry official told Reuters last week that only 55 email accounts were hacked and the only documents that were obtained where attached to emails and from the ministry's internal document archive. "The problem has been resolved. Nothing important was leaked," said the official, who asked not to be identified because he was not authorized to discuss the matter. However, Brazilian diplomats abroad were left without email communications with their headquarters for several days. Anonymous international hacktivists group does not stop in Brazil. Few days ago, another leader of the group, “AN0N AL AQSA”, has announced that yet another Cyber-Attack would be initiated against vast amount of Israeli financial institutions and other organizations as part of the few years old “#Op Israel” group. According to ‘AN0N’, the attack would be initiated on two different dates: June 7 th & June 20 th . The attacks methods that will be in use are DDOS, defacements, leak databases, hacking to Israeli websites and more. In order to gather all hacktivists worldwide, Anonymous created Facebook events calling all members to get together and unite for one purpose – take action against social justice and free Palestine. This new planned attack named ‘OpIsrael Reloaded V2’ and have over 500 attendees approved their participant in the attack. “We will strike any and all websites that we deem to be in Israeli Cyberspace in retaliation for the mistreating of people in Gaza and other areas. Anonymous has been watching you, and you have received fair warning of our intent to seize control of your cyberspace in accordance with basic humanitarian rights of free speech and the right to live”, written in one of the events. Read more at: http://www.huffingtonpost.co.uk/2014/05/31/anonymous-cyber-attack-world-cup-brazil_n_5423337.html http://www.independent.co.uk/news/world/americas/world-cup-2014-hacktivist-group-anonymous-plan-cyberattack-on-world-cup-sponsors-9467786.html
DNS Protection and Performance, Have Both!
There has never been a better time to cripple the Internet by exploiting the vulnerabilities of DNS systems. The proliferation of mobile devices coupled with vulnerabilities of open source DNS systems is keeping a lot of organizations awake at night, amongst them, the large enterprises, financial services institutions and carrier service providers. Existing firewalls were insufficient to protect DNS infrastructure from the fast-evolving attacks. To counter the attacks and to enhance security protections, proven solution architecture and comprehensive design considerations ought to be put in place for DNS infrastructure. Let’s discuss further on the solution design considerations for a more secured DNS infrastructure. Performance vs. Traffic Analysis There are generally two schools of thoughts on how we should counter the overwhelming DNS attacks – by increasing protection through traffic analysis and packet inspection or by increasing the DNS performance. Both approaches are resource intensive and require heavy investment. Prior to the massive growth of mobile devices, open source DNS systems such as BIND were able to cope with the DNS traffic and pockets of attacks. The recent upswing of mobility trend has multiplied the DNS traffic by tens-of-fold, leaving DNS systems extremely vulnerable to even small-scale attacks. For the camp who advocated for stronger security through packet inspection and analysis on DNS traffic, the process is resource intensive and ineffective as IP addresses for UDP traffic can be easily spoofed. The inspection process will also create higher latency for DNS responses. Despite implementation of resource intensive packet inspection mechanism, the low query response rate (~30K QPS per instance) of BIND - the open source DNS systems is deemed to be the Achilles heel of a well-protected DNS system. Based on various sharing from enterprises and carrier service providers, overwhelming DNS traffic with mixed and spoofed IP addresses can easily kill their DNS infrastructure. Personally, I am more inclined to the latter approach. The latter approach of increasing DNS performance for better security argues that non-malicious DNS request should be responded regardless of their genuinity. Instead of utilizing computing resources for packet analysis, the resource can be put into better use by improving the DNS query response rate. With F5’s DNS Express patented technology, DNS records will be stored in memory (RAM) and queries are responded at higher speeds. This increases the DNS performance dramatically and allows F5 VIPRION to support up to 10 million queries per second on a single hardware platform. The high performance DNS platform hence serves as a deterrent and effective protection against DNS DoS and spam attacks. So, let’s rethink about the DNS operation team’s mission for a second, isn’t that to keep DNS alive at all times? Diagram 1: F5 DNS Express offloads the DNS servers from answering query responses, hiding Controller DNS Servers from DoS and other attacks Security attacks and its counter measures are ever-lasting battles which require innovation and proper solution design to stay ahead of the game. In my subsequent posts, I will share more about countering Cache Poisoning attacks and DNS Amplification/Reflection attacks. Stay tuned.
