In order to emphasize on the growing trend of cybercriminals abusing legitimate infrastructure for their malicious purposes, last week, I profiled a DIY SMS flooder using Skype’s SMS-sending capability to launch a DoS (denial of service attack) against a user’s mobile device.
This week, I’ll continue providing factual evidence for the emergence of this trend, by profiling yet another recently released DIY SMS flooder, this time abusing ICQ’s sms-sending feature.
More details:
Over the past 24 hours, cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email.
More details:
No matter what people think about it, the increasing exposure of Linux and OS X to malicious code is strictly related to the worldwide exposure of those operating systems on desktops and laptops. In the last couple of years, more and more home users decided to switch to Linux (e.g. Ubuntu Linux, just to name one of the best known Linux distributions) or OS X. Most of these users, when questioned about why they switched from Windows to another operating system, usually answer by blaming Windows’ critical exposure to malware.
However, this increasing trend has been followed by many virus writers as well, who started writing malicious code able to target these alternative operating systems. This shouldn’t be a surprise though, as it’s the expected response of cybercrime: the more users there are using Linux and OS X, the more virus writers are interested in infecting them as well.
This is the main reason why the security industry in the last year saw a rising trend of malware attacks involving OSX. Apple also chose to include a basic malware scanner in their operating system, turned on by default and regularly updated by Apple through the system update mechanism. To be fair, we are not yet seeing the same complexity level already reached by Windows-based malware – which clearly is a good thing. On the other hand it means that malware writers have plenty of room to improve their malware capabilities on such operating systems. Things are actually quickly changing, as trojan Wirenet may show us.
First isolated by Russian security company Dr.Web, Wirenet is a trojan with backdoor features able to hit Linux and Mac users in a way that looks way similar to what trojans are currently doing on Windows. Wirenet is among the first cross-platform password stealing trojans, able to steal sensitive data from Linux and Mac environments as well as from Windows and Solaris.
How the infection reaches the operating system is still unknown, though it’s easy to assume that social engineering and unpatched flaws in Java and/or Flash plugins could have played a key role in its spreading.
When executed, the infection runs as a standard executable (ELF on Linux and Solaris, Mach-O on OSX, PE on Windows) located in the current user session. It’s easy to spot the infection (if you know what to look for) though. It’s behavior allows the infection to get access to all the user’s sensitive data it wants. Don’t forget that even ZeuS and SpyEye infections on Windows-based environments are pure user-mode infections, though they have been able to steal a critical amount of sensitive data worldwide and they are still among the most common banking infections.
The architecture of the infection is similar to most trojans on Windows: the trojan’s configuration is embedded inside its body and it’s RC4 encrypted, so that the average user can’t read any plain text data from the file. The configuration contains, among all the settings, the address to the command and control (C&C) server, where the trojan uploads all the stolen data from the infected PC. The connection to the server is AES encrypted, though the password for the encryption can be easily recovered from the local configuration data, after it has been decrypted. The current C&C server address is 212.7.208.65 (remote port 4141) and the AES password used is “sm0k4s523syst3m523” (without quotes), though this can easily change as we’ve found earlier samples of this infection using the remote address “xyl2k.no-ip.biz” and AES password “Password” (without quotes). Before stealing data, the trojan sends an authentication packet to the C&C server which contains the string: “RGI28DQ30QB8Q1F7”. It creates a mutex to make sure that just one instance of the trojan is running: on Linux the mutex is named vJEewiWD, on OSX it’s named lbOOjfsO.
Wirenet searching for sqlite database
The Linux (and Solaris) variants of Wirenet look for user profiles created by Google Chrome, Mozilla Firefox, Mozilla Thunderbird, Mozilla SeaMonkey, Opera, Pidgin and, if any of them is found, it tries to steal them and the passwords stored in them.
With Mozilla products, it decrypts the passwords stored in the encrypted signons.sqlite database by “exploiting” the same routine used by Mozilla to decrypt them (PK11_GetInternalKeySlot, PK11_Authenticate, NSSBase64_DecodeBuffer, PK11SDR_Decrypt). When looking for Opera’s wand.dat, it extracts the whole file and uploads it to its command and control server. With Google Chrome (and Chromium), it locates the Login Data folder (.config/google-chrome/Default/Login Data, .config/chromium/Default/Login Data) and decrypts the SQlLite database. When looking for Pidgin, it steals whole .purple/accounts.xml configuration file.
On OS X, on the other hand, the trojan looks for just Mozilla and Opera products, and if they are found, Wirenet uses the same techniques to steal the passwords saved in their password managers. On Windows, like on Linux, it targets Chrome, Chromium, Mozilla products, Opera, Pidgin, Internet Explorer and Microsoft Live accounts.
On all the operating systems the trojan can receive commands from the C&C server, which could be either upload data, download and execute other malicious code, steal system information, kill processes, hide windows, change window titles, enumerate all windows on the desktop (CGSGetOnScreenWindowList on OSX, XQueryTree on Linux, EnumWindows on Windows) and much more.
Wirenet taking screenshots on OS X
On both operating systems, Wirenet can take screenshots of the desktop and upload them to the C&C server. On Linux, it exploits the X11 APIs XGetGeometry, XGetImage andSaveXImageToBitmap. On OSX, the trojan exploits the Quartz Display Services APIsCGMainDisplayID, CGDisplayCreateImage, CGImageDestinationCreateWithData,CGImageDestinationAddImage, CGImageDestinationFinalize. Wirenet contains a routine able to convert BMP images to JPEG format.
To improve the stealing routine, Wirenet includes a keylogger feature on its Linux (and Solaris) and Windows versions. This isn’t really a surprise as keylogger proof of concepts on Linux are widely available online. Point here is that a keylogger can run on Linux in the same easy way as it’s run on Windows, even without root privileges. The same applies to Windows, where a simple keylogger can be written by using just a single API and it could easily intercept everything even without administrator privileges – this was the situation in Windows XP, before Windows Vista and Windows 7 where Microsoft introduced UAC, MIC and UIPI technologies, which allow the operating system to better isolate processes from each other even if they are sharing the same user session.
On Linux, Wirenet opens a handle to the Display by calling XOpenDisplay(), and callsXQueryExtension(), looking for the XInputExtension extension. It then enumerates all the devices by calling XListInputDevices(), looking for the device named “AT” or “System keyboard“. When found, it opens a handle to that device by invoking XOpenDevice() and selects the keyboard events it wants to log by calling XSelectExtensionEvent(). In the end, in a infinite loop, it logs all the keyboard events with the XNextEvent() API. Few easy steps and the keylogger is working perfectly, able to steal passwords written on a bank’s login webpage or anything else. On its Windows release, the keylogger routine exploits the RegisterRawInputDevices()/GetRawInputData() APIs – I won’t spend too much time on this as it’s a very basic keylogging routine, already widely known.
Keylogging on Linux
On OS X, it steals the system information from the following unexported system variables:_kCFSystemVersionBuildVersionKey, _kCFSystemVersionProductNameKey,_kCFSystemVersionProductVersionKey
The path where the trojan installs itself on Linux is: %home%/WIFIADAPT, while on OSX is%home%/WIFIADAPT.app
Finally, on all operating systems it is able to bind a shell to allow remote access (the backdoor feature) and it’s able to simulate keyboard and mouse activity from remote (keystrokes and mouse movements). On Linux and Windows it acts as a SOCKS4/5 proxy server as well.
Shell binding
As you may spot from the analysis of this trojan, the similarities between a classic Windows trojan and Wirenet are quickly increasing. The idea is that Wirenet looks like a real attempt to port Windows infections to Linux and OS X. In some ways it reminds me of the first password stealing trojans on Windows NT, when it was enough for Windows-based malware to implement a classic keylogger using GetAsyncKeyState() to steals keystrokes, far before they started using hook-based techniques.
It was a long time ago on Windows. Perhaps it is the beginning of a new era on Linux and Mac?
PHP is an incredibly popular language for creating dynamic web applications — websites such as Facebook are built on it. This can be attributed to many reasons; it is easy to learn, easy to install and does not require the user to compile code. An unfortunate side effect of the ease of development with PHP is a tendency to ignore security during the development process.
In this post, I will discuss some of the ways to make your PHP apps more secure. I will go through creating a PHP web app that connects to a MySQL back end database. The application will be a simple address book. The approach I will take to secure the PHP code is one of layered security. There is no sure fire quick method of blocking all attacks, but using the layered security approach we severely limit our exposure.
What happens when a cybercriminal cannot efficiently gain access to thousands of working accounts at popular Web services, either through data mining a botnet’s population, or through phishing campaigns?
He’ll just start systematically abusing the legitimate services by automatically and efficiently registering thousands of bogus accounts, thanks to the easy to use India based CAPTCHA-solving operations.
In this post I’ll profile a recently launched Russian based service, offering access to thousands of automatically registered accounts at popular Russian social networking sites, and free email services.
More details:
Cybercriminals are masters of abusing legitimate infrastructure for their malicious purposes. From phishing sites and Black Hole exploit kit landing URLs hosted on compromised servers, abuse of legitimate web email service providers’ trusted DKIM verified ecosystem, to the systematic release of DIY spamming tools utilizing a publicly obtainable database of user names as potential “touch points”, cybercriminals are on the top of their game.
In this post, I’ll profile a recently advertised DIY SMS flooder using Skype’s infrastructure for disseminating the messages, and assess the potential impact it could have on end and corporate users.
More details:
Remember the recently profiled 123greetings.com themed malicious campaign?
It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URls in a clear attempt to improve their click-through rates.
More details:
It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails.
The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.
More details:
Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploits serving a landing URL, courtesy of the Black Hole web malware exploitation kit.
More details:
Cybercriminals are currently mass mailing millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick users into downloading and executing the malicious file hosted on a compromised web site.
More details:
Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails.
Using ‘Notification of payment received‘ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC.
More details:
Over the past 24 hours, cybercriminals have spamvertised millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.
Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit.
More details: