Dridex BOTnet 220 Campaign
Like many other financial Trojans, the notorious Dridex malware keeps evolving and strengthening its presence in the financial threat landscape. The Dridex campaign attributed to BOTnet #220 is very UK financials focused and tries to accomplish its scam by utilizing different mechanics. Web Injects For certain targeted banks pages it uses the classic web-injects, where it injects a malicious script from attacker’s domain directly into the original bank page. The injected code has thousands of lines of code and is mostly focused around stealing login credentials, including one-time password, grabbing personal details and account balances. It also contains automatic transaction infrastructure which was not invoked in the malicious scripts that we have analyzed, but could be easily leveraged once the fraudsters decide. A certain bank was targeted by a dedicated malicious script containing slightly different automatic transactions functionality. The injected script ships with two “fake pages” which will be shown to the victim instead of the original page. The first one will ask for the answer to the security question and will ask to generate a security code using a Secure Key device with an excuse that the victim has entered incorrect information in one or more fields. The second page will be presented under the pretense that the user has exceeded the maximum number of login attempts. It will show the last 4 digits of the target mule account number as a “temporary password” and will ask the victim to type it in his Secure Key device (seems like the bank’s process to “confirm” a transaction). Once the user submits the Secure Key device generated secure code the transaction will be automatically submitted. For certain bank pages the Trojan will inject an interesting script called “news-podmena” (“podmena” is “substitution” in Russian), and it will actually replace the bank’s original security best practices guidelines for its customers with its own fake ones. For a certain bank it was intended to trick clients with smart card authentication. However, for most of the banks it will show a generic security warning recommending not to ignore any pop-up windows, and to follow the process step by step, to increase the fraudster’s chances for running their code and installing more components while bypassing all the security warnings. Another injection type is interesting as well, while it is intended to be injected in any page delivered over HTTPs to grab credit card information. This script is not intended to be injected in the targeted banks pages and once injected in an arbitrary page, the first code snippet of the malicious script will try to match the URL against a list of websites (mostly search engines, banks and webmails) andif a match is foundthe script will delete itself. We assume this is done in order to avoid overloading the C&C with unwanted traffic. Fake Pages An attack vector which strongly identified the Dyre malware is massively used now by Dridex authors. To accomplish that, the latest uses its same old “redirection” technique. The malware part which resides inside the browser implementation (“Man-In-The-Browser”) is able to intercept browser’s requests sent to any domain and redirect them to attacker’s controlled server. The redirection details of which requests to redirect and their exact destination are controlled using the “redirect” directive in the malware configuration. By using this redirection technique, attackers could fetch an external malicious script in their code by using the bank’s domain name in the script’s source URL. For example, the malware can inject a script with a source of “www.mybank.com/evil_script.js”. This request will be intercepted by the Trojan in the browser and the bank’s domain name will be replaced with the fraudster’s domain, like “www.evil.com/evil_script.js”. This way the fraudsters could avoid exposing their domain name in the code injected to the bank’s page and make the request to the external malicious script look legitimate. By observing the attributes of the “redirect” directive in the configuration, it seems also to be related to the VNC and Socks functionality of the malware. This redirection functionality was leveraged to redirect also requests for login pages. In the above example we can see that by using the “redirect” directive in the malware configuration, requests that are made to a certain bank login page will be redirected to attacker’s server and will retrieve a fake page of that bank which was manually crafted by the attackers. The F5 Threat Monitor system detected the experimental phase of this fake page techniqueon several UK banks starting from last April (2015). Who is Next? While analyzing the Trojan, one can notice that it is configured to take screenshots of many French banks. We can just assume that those are preparations for their next campaign. A single Spanish and single Australian bank are targeted as well. Mitigation F5 mitigates online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms. F5 products and services complement your existing anti-fraud technologies, improving your protection against malicious activity and providing an encompassing defense mechanism. F5 security products are customizable, so you can address your exact needs. F5 WebSafe provides a solution that identifies injected malicious code in the original web pages, the presence of financial malware on the clients’ machines, detects the Dridex “fake pages” fraud technique in a similar way as the Dyre “fake pages”, and identifies fraudulent automatic transactions. Rounding out its offering, F5 provides professional services, advanced research and intelligence capabilities in the field of cybercrime.Fear and Loathing ID Theft
Do you avoid stores that have had a credit card breach? You are not alone. About 52% of people avoid merchants who have had a data breach according to a recent Lowcards survey. They surveyed over 400 random consumers to better understand the impact of identity theft on consumer behavior. 17% said they or a family member was a victim of identity theft over the last year with half the cases being credit card theft. 94% said they are more concerned or equally concerned about ID theft. They estimate that there were 13.5 million cases of credit card identity theft in the United States over the last 12 months. These concerns are also changing the way some people shop. Over half (56%) are taking extra measures to protect themselves from identity theft. Some of these behaviors include using a debit card less (28%), using cash more (25%), ordering online less (26%) and checking their credit report more (38%). These are all reasonable responses to the ever challenging game of protecting your identity and is important since 89% of security breaches and data loss incidents could have been prevented last year, according to the Online Trust Alliance's 2014 Data and Breach Protection Readiness Guide. The game is changing however, and mobile is the new stadium. Let's check that scoreboard. Most of the security reports released thus far in 2014, like the Cisco 2014 Annual Security Report and the Kaspersky Security Bulletin 2013 show that threats to mobile devices are increasing. We are using them more and using them for sensitive activities like shopping, banking and storing personally identifiable information. It is no wonder that the thieves are targeting mobile and getting very good at it. Kaspersky's report talks about the rise of mobile botnets and the effectiveness since we never shut off our phones. They are always ready to accept new tasks either from us or, a foreign remotely controlled server with SMS trojans leading the pack. Mobile trojans can even check on the victim's bank balance to ensure the heist is profitable and some will even infect your PC when you USB the phone to it. Distribution of exploits in cyber-attacks by type of attacked application I guess the good news is that people are becoming much more aware of the overall risks surrounding identity theft and breaches but will the convenience and availability of mobile put us right back in that dark alley? Mobile threats are starting to reach PC proportions with online banking being a major target and many of the potential infections are delivered via SMS messages. Sound familiar? Maybe we can simply cut and replace 'PC' with 'Mobile' on all those decade old warnings of: Watch what you click! ps Related Some consumers changing habits because of data breach, ID theft worries, report finds LowCards Exclusive Study: Identity Theft Concerns Shifting Shopping Habits of Americans Kaspersky Security Bulletin 2013. Overall Statistics for 2013 Mobile Payments and Devices Under Attack An SMS Trojan with Global Ambitions Mobile Malware Milestone Mobile Threats Rise 261% in Perspective Nine Security Best Practices You Should Enforce Technorati Tags: mobile,shopping,breach,malware,idtheft,behavior,silva,trojan Connect with Peter: Connect with F5:
Are You Closing the Door on Financial Trojans?
Come on, really, are folks still amazed by the notion that attackers are using DDoS attacks as a mere distraction from more lucrative malicious activities executed on banks? Well, according to various reports the answer is yes, especially if you consider banks have been slow to adopt strong security and are implementing ineffective custom security measures that leave gaps for sophisticated malware to effectively exploit. In the most recent study titled, “ State of the Financial Trojan 2013 1 ” it was revealed that the number of financial Trojans grew 3 times in just the first 3 quarters of last year. The top 8 attacks included those that use a combination of techniques such as MITB, web injects, proxy, certificates, localization, automatic transaction services, and more. Although Trojans have been around for 10 years, the study claims that many security implementations adopted by financial institutions are inadequate at defending against the modern financial Trojan. Why is this? I am curious to know, given the history, costs of attacks to businesses and technologies available. It seems as though many institutions are lagging in implementing solutions or continuously evolving their security strategy. Continuously updating and improving upon your security strategy is even more important given, rise in attacks targeting mobile device users. Online banking , smart phones and the drive towards mobility has paved the way to Trojans attacks that target mobile device users. Using social media, attackers can trick users into unsuspectingly installing mobile Trojan plugins on their devices. The malware can then hijack sessions, forward any transaction codes received by the device to the attacker, and even suppress text messages from the user. According to the report, some attackers have posted fraudulent one-time password generator applications for mobile devices on third-party app markets. All of this helps to give the attackers the information they need to defraud the victim. Cyber criminals will forever give security experts challenge to step up their tactics and sophistication in protecting against fraud, but I must agree with the report in that as long as institutions persist with weak security measures fraud will continue to be a lucrative enterprise. It is important that organizations susceptible to financial Trojans work with 3rd parties having expertise in addressing security concerns common to online banking, web applications and mobility, and also be open about the risks and continue to educate their customers about the security issues that they encounter. Most importantly Banks must continue to build upon their security strategy with multi-layered protections that includes web-fraud protection, scalable WAF technologies, datacenter security and solutions that fill the gaps in the security infrastructure. 1 "State of the Financial Trojan 2013," Symantec December 2013Custom Code for Targeted Attacks
Botnets? Old school. Spam? So yesterday. Phishing? Don’t even bother…well, on second thought. Spaghetti hacking like spaghetti marketing, toss it and see what sticks, is giving way to specific development of code (or stealing other code) to breach a particular entity. In the past few weeks, giants like Sony, Google, Citibank, Lockheed and others have fallen victim to serious intrusions. The latest to be added to that list: The IMF – International Monetary Fund. IMF is an international, intergovernmental organization which oversees the global financial system. First created to help stabilize the global economic system, they oversee exchange rates and functions to improve the economies of the member countries, which are primarily the 187 members of the UN. In this latest intrusion, it has been reported that this might have been the result of ‘spear phishing,’ getting someone to click a malicious but valid looking link to install malware. The malware however was apparently developed specifically for this attack. There was also a good amount of exploration prior to the attempt – call it spying. So once again, while similar to other breaches where unsuspecting human involvement helped trigger the break, this one seems to be using purpose built malware. As with any of these high-profile attacks, the techniques used to gain unauthorized access are slow to be divulged but insiders have said it was a significant breach with emails and other documents taken in this heist. While a good portion of the recent attacks are digging for personal information, this certainly looks more like government espionage looking for sensitive information pertaining to nations. Without directly pointing, many are fingering groups backed by foreign governments in this latest encroachment. A year (and longer) ago, most of these types of breaches would be kept under wraps for a while until someone leaked it. There was a hesitation to report it due to the media coverage and public scrutiny. Now that many of these attacks are targeting large international organizations with very sophisticated methods there seems to be a little more openness in exposing the invasion. Hopefully this can lead to more cooperation amongst many different groups/organizations/governments to help defend against these. Exposing the exposure also informs the general public of the potential dangers even though it might not be happening to them directly. If an article, blog or other story helps folks be a little more cautious with whatever they are doing online, even preventing someone from simply clicking an email/social media/IM/txt link, then hopefully less people will fall victim. Since we have Web 2.0 and Infrastructure 2.0, it might be time to adopt Hacking 2.0, except for the fact that Noah Schiffman talks about misuse and all the two-dot-oh-ness, particularly Hacking 2.0 in an article 3 years ago. He mentions, ‘Security is a process’ and I certainly agree. Plus I love, ‘If the term Hacking 2.0 is adopted, or even suggested, by anyone, their rights to free speech should be revoked.’ So how about Intrusion 2.0? ps Resources: Inside The Terrifying IMF Hack: Who The Hackers Were And What They Took IMF Hacked; No End in Sight to Security Horror Shows Join the Club: International Monetary Fund Gets Hacked IMF State-Backed Cyber-Attack Follows Hacks of Atomic Lab, G-20 IMF cyber attack boosts calls for global action I.M.F. Reports Cyberattack Led to ‘Very Major Breach’ IMF Network Hit By Sophisticated Cyberattack Where Do You Wear Your Malware? The Big Attacks are Back…Not That They Ever Stopped Technology Can Only Do So Much 3 Billion Malware Attacks and Counting Unplug Everything! And The Hits Keep Coming Security Phreak: Web 2.0, Security 2.0 and Hacking 2.0 F5 Security Solutions2010 Year End Security Wrap
Figured I’d write this now since many of you will be celebrating the holidays over the next couple weeks and who really wants to read a blog when you’re reveling with family and friends. It’s been an interesting year for information security, and for me too. I started the year with New Decade, Same Threats? and wondered if the 2010 predictions of: social media threats, smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and Mobile malware, more breaches and a whole host of others would come through. And boy did they. Social media was a prime target for crooks with the top sites as top targets. Users were tricked to accepting and sharing friends that really weren’t friendly and social networks became a new hotbed for malware distribution. As for malware, while many botnets and spam outfits got taken down this year, Stuxnet was certainly the most sophisticated piece of malware researches have seen in a while. Targeting industrial & utility systems along with the ability to reprogram itself, no longer was it my single laptop or a company’s system that had a bull's-eye, although the initial infection is with those systems, it was nuclear facilities, oil refineries and chemical plants that were the ultimate objective. For Cloud Computing, was it Cloud 9 or Cloud Crime when it came to using the cloud for nefarious activities? Many people thought that with the cloud offering a slew of computing power, that it would be a prime way to initiate an attack. We really didn’t see much pertaining to ‘cloud breaches’ even though almost every survey throughout the year indicated that security in the cloud was everyone’s ichiban concern. I covered many of these surveys in my CloudFucius Series, now playing in a browser near you. This article talks about that, the reason we might not have seen much in the way of cloud specific breaches is that many of the data loss repositories do not differentiate between a cloud based and non-cloud attack. In addition, cloud providers are not that willing to spill vulnerabilities that have led to crimes. Share please. Banks and financial institutions were certainly targets this year, why wouldn’t they be, that’s where all the money is. In one incident, about $3 million was stolen from various banks around the world using viruses and more than 100 crooks suspected of running the global cybercrime ring were arrested in the US and UK this September. A 16 year old Dutch kid was arrested last week for a Distributed Denial of Service attack on the MasterCard and Visa websites. And, merging malware, mobile and money stores, the ZeuS Trojan could infect a desktop, capture the user’s bank credentials next time they logged in to their financial institution, popped a dialogue box for the user to ‘include’ their mobile phone for SMS payments, send the phone a fake message & certificate for acceptance and then installed another Trojan on the phone to monitor messages via SMS. Lots of trickery and luck to be successful but still a very scary exploit. And if you think those mobile banking apps are secure, think again. Just last month, a number of those apps were found to have serious vulnerabilities, flaws and holes. Many of those apps have been patched in light of the research but as with any ‘new-ish’ type technology, mobile banking must be locked down before the masses adopt. Too late now. I wrote about corporate espionage both in Today’s Target: Corporate Secrets (2010) and The Threat Behind the Firewall (2009) and this year did not disappoint. Social engineering or convincing someone to give up their info is alive and well but throughout 2010, employees stole secrets from the companies they worked for: Former Goldman Programmer Found Guilty of Code Theft, Greenback engineers guilty of corporate espionage, Ford secrets thief caught red handed with stolen blueprints, and SEC Bares Text of Inept Suspects As They Sold Disney Earnings Info To FBI Agents. These insider events can often be more costly than an external breach. This is by no means an exhaustive list of the breaches, attacks, vulnerabilities, hijacks, frauds, or other cybercriminal activities from 2010. I’d probably be writing through the holidays to get them all. These were just some of the things I found interesting when looking back at my initial blog entry for the year. With 2011 being the Year of the Rabbit, just how much will cybercrimes multiply? ps Resources: Social Life’s a ‘breach’ Security: Malware, Hacks and Leaks: The Top 10 Security Stories of 2010 2010: Looking back at a year in information security Surprising little information about Cloud Computing and Terrorism or Crime Accounts Raided in Global Bank Hack ZeuS attacks mobiles in bank SMS bypass scam Firm finds security holes in mobile bank apps The truth about Mac malware. It's a joke Study: No Hacking Needed when Modern Spies Steal Corporate Data Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011 Ponemon Encryption Trends, 2010 Personal Data For Sale – In time for the Holidays! Synthetic Identity Theft: The Silent Swindler Cybercrime, the Easy Way Dumpster Diving vs. The Bit Bucket
Most Human Viruses are obvious.
We spent the US Holiday Thanksgiving at my Mothers’ house some 500 miles away. We love when we get the chance to see her, and there’s always someone else there. This year one of my wonderful nieces was there with husband and baby in tow. And the baby was sick. Now this is my grand-niece, so of course I wanted to spoil her a bit, but she was out of sorts with a cold and ear infection, so it was tough. The Toddler is at the age where he wants to play with little girls, but beyond tag isn’t certain how to play with them. Sharing toys is one way, but then they don’t want to do it his way. So lots of “irritate the little girl, apologize, then go for a hug and a kiss.” With a sick child. It didn’t take long before nearly everyone in the house was sick, compliments of one of the two kids. The thing is, we all saw it coming. One sick child amongst two playing, in a house with ten people in it… You knew how this was going to end up, and no amount of handwashing was going to prevent it. If only computer viruses were so obvious. Oh, most of them eventually use too many resources, or cause the machine to GPF, giving astute IT pros a chance to start remedial action, but by that point it’s too late, the virus has spread all over the place. To be sure there are human viruses that stay hidden until they’re well entrenched in a community, but the common ones don’t. I guess that could be said about most enterprise level viruses too though – the common ones are stopped early because they have obvious symptoms or a detectable fingerprint (either in-flight or on-disk), while the really nasty ones stay hidden away until they’re well propagated. And it is unfortunate that at first our treatment for viruses is often the same as that for human viruses – treat the symptoms, not the problem. My advice of the day, when there is something odd on one of your systems, track it down remorselessly. Don’t excuse it or make excuses for it, or throw more disk/memory/CPU at it, track it down. I can think of several instances where I brought up anomalies with systems I didn’t own, the owner dismissed them and assured me there was no problem, only to find catastrophically at a later date that there was indeed a problem of the viral kind. I’ve even done it myself, thankfully only at home, but I’m guilty of “this machine is getting old” or “needs a reinstall”… Which of course is not finding the root cause and resolving it, but just a less painful (because it was a home machine) version of the same issue in the enterprise. And infections come from the oddest places, your network is actually in contact with a lot more machines than you think – I’m writing this from a work provided machine over a VPN to corporate HQ. But this machine is also on our local network, and every other Saturday people bring their laptops and put them on our network to game… I have no idea how many other machines they’re exposed to, but I do know that two of them go on Sundays to log in at another person’s house to game, and there are a ton of people there… I think I’ll blog about that later – look for a blog on Thursday titled ‘Vector is no longer adequate”. The point for this blog is that you are open to infection, and a really good infection will go a good long while without detection. Putting in active firewalls is a good idea – both traditional and app firewalls, a VPN with authentication and solid logging, so at least you can track down the source of the infection, and regular reviews of policy, procedure, and active processes on boxes is a good idea. Image Compliments of Centers for Disease Control Like some of the more virulent human viruses, you can of course quarantine infected machines, but like with humans this only works if you have a way to identify all infected machines on your network, which can be difficult, but is a big help to containing an outbreak. The other issue with quarantine is what, ultimately, to do with machines in quarantine. If you can’t clean them safely (and most of the time you can’t), the ultimate solution is generally to wipe them clean and reinstall. But depending upon the machine in question, the quality and age of your backups, and idiosyncrasies in software installed, this can create very real issues both political and in terms of lost productivity. Do I have the golden answer? No, I’d be both wealthy and famous if I did. At least for the fifteen minutes until the next wave of intelligent viruses came along and avoided my golden answer. Put quality tools in place, as automated as possible that you build a plan to keep up-to-date, and then keep diligent in watching your systems. Respond to every anomaly that is not readily explained as if it was an infection – or at least as if it was a threat – and keep your security staff focused on just that – securing the organization. Finally, I can’t stress enough the value of an external penetration test by a really great company. You miss things you see every day because they’re part of the scenery. They’re looking for problems and will likely find some. Better a pentest company than a virus or a hacker. In short, don’t forget the basics. Life is easier with tear-down and restart VMs, but you still need to be diligent.
Turning the Pushdo Bot Into the Push-oh-no-you-don’t Bot
Options to put a stop to the latest mutation of the Pushdo trojan The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them. I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn't read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth. -- ShadowServer 01/29/2010 Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. (SecureWorks, Analysis of a Modern Malware Distribution System) That’s something you definitely don’t want to let loose inside your network, right? So the trick is to recognize its new behavior, somehow, and kick it in the derriere before it can do any real damage or consume resources or leave little bot droppings that might clog up the network pipes. Luckily, Pushdo has a recognizable pattern: it sends malformed SSL HELLO requests after the TCP connection is established. This means we have several options for dealing with this new variant.
