The FBI is willing to pay top dollar to download some malware


The Federal Bureau of Investigation is willing to pay top dollar for the malicious, infectious software the rest of us pay to keep out of our computers, according to the Federal Business Opportunities website.

A Monday price quote request by the Investigative Analysis Unit of the agency’s Operational Technology Division is asking computer security developers and retailers to help the agency build a library of malware for an undisclosed reason, letting the companies name their price.

“The IAU has a team of highly trained technical analysts, specialists and engineers providing on-scene technical support, employing innovative, custom developed analytical methods and tools to analyze collected data,” the request reads. “Critical to the success of the IAU is the collection of malware from multiple industry, law enforcement and research sources.”

The agency’s minimum specifications for malware to purchase include 35 gigabytes of shareable malware per day, updated every 24 hours, across a wide range of file types.

“The collection of this malware allows the IAU to provide actionable intelligence to the investigator in both criminal and intelligence matters,” the request states, describing the acquisition of malware as “critical to the success of the IAU’s mission to obtain global awareness of malware threat.”

The request also indicates the FBI will test any such malware before purchase, and that it will notify vendors when and where to send the software, after which the test products will be deleted due to “the nature of the solicitation.”

Initial descriptions and quotes for malware packages are due on Feb. 14.

Boston Marathon Bombing Links May Hide Java-Based Exploits

PCMag: My social media accounts and email inbox are full of links to stories about the horrific incident in Boston earlier this week. I am reading about the victims, the bystanders and first responders that rushed to help, and looking for updates on the investigation.

It turns out I should be careful about what links I click on, as cyber-criminals have already started exploiting the tragedy for their own nefarious purposes, security experts told SecurityWatch.

“Nothing is faux pas for cyber-criminals when it comes to spreading their malware,” said Troy Gill, senior security analyst at AppRiver.

Spammers Are Brazen
Less than 24 hours after the attack, spammers were in action, according to researchers from antivirus outfit Avira and email security provider AppRiver. The subject lines for these messages included “Explosion at Boston Marathon,” and “Boston Explosion Caught on Video,” according to Avira. AppRiver flagged other subject lines such as “Runner Captures,” and variations such as “Marathon Explosions” and “2 Explosions at the Boston Marathon.” AppRiver believes a botnet is behind the spam campaign as the messages originated from various machines around the world.

“This social engineering technique is not new. We see this every time there is something happening in the world (war, natural catastrophe, social events) that is potentially interesting for a lot of people,” said Sorin Mustaca, IT security expert at Avira.

The emails contain only the link, an IP address followed by index.html. Clicking on the link redirects the victim through three other sites while trying to download a malicious Java file from a randomly generated site onto the computer. If the user is not running a fully patched version of Java and has Java enabled in the browser, the file is downloaded and executed. While the malware is being downloaded, the user is able to view a video clip on the page, the researchers said.

Some of the Web pages containing the actual malicious payload appear to have already been taken down, said Gill. The malware itself appears to be a Trojan horse capable of installing a backdoor to the infected machine, giving attackers remote access for future attacks.

Email isn’t the only attack vector, as Avira also found posts on Facebook with links to various websites that appear to be malicious.

Beware What You Click
To be honest, I shouldn’t have been surprised. The criminals and scammers love tragedies because people are searching for updates and information and are likely to click on links. On a normal day, a news report from the city of Troy’s Patch.com site probably would not have crossed my radar, but today it did. While my instinct is to click to get more insights, punditry, and stories, now is also a time I have to be cautious lest I wind up on a malicious site. Stick with a list of sources you generally use, and above all, don’t click on shortened links on social media. Better safe than sorry.

“Anytime there is widespread attention to a single event in the media and public interest, you will see parasitic cybercriminals coming out of the woodwork and attempting to capitalize on the event,” Gill said.

While this round of spam is easy to identify since the URL is not using a domain name but an IP address, similar campaigns are likely, so users should remain vigilant.
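The two indicators the article describes, a lure subject line plus a link whose host is a bare IP address ending in index.html, and the advice against shortened links, can be turned into a simple mail-triage check. The following is an added example written for this page, not code from PCMag, Avira or AppRiver; the sample messages, the 203.0.113.45 address and the shortener list are constructed for illustration and are not indicators from the campaign.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample messages modelled on the campaign described above.
# Bodies and addresses are made up for illustration; they are not real IoCs.
SAMPLE_MESSAGES = [
    {"subject": "Explosion at Boston Marathon",
     "body": "http://203.0.113.45/index.html"},
    {"subject": "Runner Captures",
     "body": "watch here http://bit.ly/abc123"},
    {"subject": "Weekly team meeting",
     "body": "Agenda: https://intranet.example.com/meetings/2013-04-17"},
]

# Lure phrases taken from the subject lines reported by Avira and AppRiver.
LURE_SUBJECTS = ("explosion", "boston marathon", "runner captures")

# Common URL shorteners (assumed list). A shortener hides the real destination,
# which is why the article advises against clicking shortened links.
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def url_indicators(url):
    """Return the list of reasons a single URL looks suspicious."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host_is_ip(host):
        reasons.append("bare-ip-host")
        # The campaign's links were an IP address followed by index.html.
        if parsed.path.lower().endswith("index.html"):
            reasons.append("ip-index-html")
    if host in SHORTENERS:
        reasons.append("url-shortener")
    return reasons


def score_message(msg):
    """Combine the subject lure and per-URL indicators into one finding."""
    reasons = []
    subject = msg["subject"].lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("event-lure-subject")
    for url in URL_RE.findall(msg["body"]):
        reasons.extend(url_indicators(url))
    # A bare-IP link is suspicious on its own; a shortener is flagged only
    # when it arrives under an event-themed subject line.
    suspicious = ("bare-ip-host" in reasons
                  or ("event-lure-subject" in reasons and "url-shortener" in reasons))
    return {"subject": msg["subject"], "reasons": reasons, "suspicious": suspicious}


def triage(messages):
    """Score every message; callers can quarantine or alert on the result."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

The heuristic is deliberately narrow: it catches the pattern the researchers described, but a campaign that registers throwaway domains instead of using raw IP addresses, which the article notes is likely, would need reputation or sandbox checks on top of it.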

“While most people know by now not to click on links in unsolicited emails, human emotions still get the better of us at times and these types of attacks prey on that human element,” Gill warned.

And if you still haven’t updated Java, now really is a good time to do so, especially since Oracle released a new update yesterday. If you aren’t using Java regularly, please, just disable the plugin inside your browser.

Russian malware spies on US ATMs

Security firm Group-IB has identified a malware program called Dump Memory Grabber that can take debit and credit card data from point-of-sale (POS) terminals and ATMs. The researchers say that the program has already been used to steal data from clients of US banks including Chase, Capital One, Citibank, and Union Bank N.A. as well as from clients with Nordstrom-branded cards.

SecurityWeek reports the author of Dump Memory Grabber has put a video online to teach other hackers how it works. The Windows program written in C++ reads the target system’s memory using an external tool called mmon.exe.

Dump Memory Grabber uses FTP to pass card and account numbers, user names, and card expiry dates on to a control server that is most likely run by Russian attackers. Group-IB says that several hundred POS terminals and ATMs in the US have been infected with the program.

Hints in the video lead to a Russian hacker who goes by “Wagner Richard” online and also offers denial-of-service attacks on a number of forums. According to the web site Security Affairs, Wagner Richard is a member of a seven-person cybercriminal group.

The Group-IB researchers believe that most of the POS terminals and ATMs were infected on site with help from insiders. Only a few of the systems – ones running Windows XP or Windows Embedded – were compromised from a distance. In some cases, the attackers made use of security vulnerabilities in the banks’ networks.

Just a few days ago, McAfee reported on a similar trojan, called VSkimmer, that is being sold on cracking forums. The developer of VSkimmer has already announced a successor to their creation that can apparently read chips on cards.

In Germany, for example, the Central Credit Committee does not allow any POS terminals or ATMs that use Windows. With a middleman or manipulated terminals, however, it certainly wouldn’t be impossible to get access to card data and even PINs there, either.

Cross-posted from Heise Security.

Backdoor Uses Evernote as Command-and-Control Server

With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks.

We recently uncovered malware that appears to be using Evernote as a command-and-control (C&C) server. The malware attempts to connect to Evernote via https://evernote.com/intl/zh-cn, which is a legitimate URL.


The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process. The said .DLL file performs the actual backdoor routines.

Read the rest of the story on the Trend Micro blog: http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/

Turkish FlashPlayer? no! It’s malware

I recently came across the file “FlashPlayer.exe” during the course of regular research.

The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:


Obviously, it’s disguised as an Adobe Flash Player 11 installer.

Here is more info about the file:

File Name: FlashPlayer.exe
MD5: e2856b1ad6c74c51767cab05bdedc5d1
SHA1: 1ac150ddb964722b6b7c96808763b3e4d0472daf
CRC32: a8464606
SHA-256: b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88
SHA-512: e2d1388bd5feec51227cfa10a5606f7d3bc58f12ea95d688acb5178ff31a156a1092f739e7dd276f4c5368d89c33ed6a15b08ff5df294b9c3647905c1083921d
SHA-384: 5d622afcf87e33334a446df5dfd2be7769cab596cc9a121bfd6269bc85ee980f75e1a2d1472f0eb379788845230d883b
File Size: 561,152
Version: 2.01
Source: hxxps://flash-player-download.com/FlashPlayer.exe
VirusTotal: Latest Report
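The hash list above is the kind of record an analyst checks suspect files against. The following is an added example, not code from the Microsoft Malware Protection Center post; it embeds the MD5, SHA1, SHA-256, CRC32 and size exactly as listed above and reports which fields of a file's fingerprint match. The streaming helper and the chunk size are my own design choices.

```python
import hashlib
import sys
import zlib

# Fingerprints of the FlashPlayer.exe sample as listed in the article above.
FLASHPLAYER_IOCS = {
    "md5": "e2856b1ad6c74c51767cab05bdedc5d1",
    "sha1": "1ac150ddb964722b6b7c96808763b3e4d0472daf",
    "sha256": "b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88",
    "crc32": "a8464606",
    "size": 561152,
}


def fingerprint(data):
    """Compute the same set of fingerprints the article lists, for an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # zlib.crc32 is masked to 32 bits and printed as 8 lowercase hex digits,
        # matching the "CRC32: a8464606" style used in the listing.
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "size": len(data),
    }


def fingerprint_file(path, chunk_size=1 << 20):
    """Stream a file through the hashers so large samples need not fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc, size = 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
            crc = zlib.crc32(chunk, crc)   # running CRC across chunks
            size += len(chunk)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "crc32": format(crc & 0xFFFFFFFF, "08x"),
        "size": size,
    }


def match_iocs(fp, iocs):
    """Return the sorted names of every fingerprint field that equals the IoC record."""
    return sorted(k for k, v in iocs.items() if k in fp and fp[k] == v)


if __name__ == "__main__":
    # Usage: python triage.py <file>  -- prints the fingerprint and matching IoC fields.
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        print(path, fp, "matches:", match_iocs(fp, FLASHPLAYER_IOCS))
```

A hash match is exact-match only: the same binary repacked or recompiled, as the version number in the listing suggests happens, produces entirely different hashes, so a miss here says nothing about whether a file is clean. Treat a match as confirmation and a miss as a reason to look further.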

Read the rest of the analysis on Microsoft TechNet: http://blogs.technet.com/b/mmpc/archive/2013/03/26/there-was-a-flash-and-then-my-startpage-was-gone.aspx

Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon

Cross-posted from WIRED.


As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.

The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S.-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant.

The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005.

Like three later versions of Stuxnet that were released in the wild in 2009 and 2010, this one was designed to attack Siemens PLCs used in Iran’s uranium enrichment program in Natanz.

But instead of changing the speed of spinning centrifuges controlled by the PLCs, as those later versions did, this one focused on sabotaging the operation of valves controlling the flow of uranium hexafluoride gas into the centrifuges and cascades — the structure that connects multiple centrifuges together so that the gas can pass between them during the enrichment process. The malware’s goal was to manipulate the movement of gas in such a way that pressure inside the centrifuges and cascade increased five times the normal operating pressure.

“That would have very dire consequences in a facility,” says Liam O’Murchu, manager of security response operations for Symantec. “Because if pressure goes up, there’s a good chance the gas will turn into a solid state, and that will cause all sorts of damage and imbalances to the centrifuges.”

The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.

The 2009 and 2010 versions of Stuxnet contained two attack sequences that each targeted different models of PLCs made by Siemens being used in Iran’s uranium enrichment plant — the Siemens S7-315 and S7-417 models of PLC.

In these later variants of Stuxnet, however, only the 315 attack code worked. The 417 attack code had been deliberately disabled by the attackers and was also missing important blocks of code that prevented researchers from determining definitively what it was designed to do. As a result, researchers have long guessed that it was used to sabotage valves, but couldn’t say for certain how it affected them. There were also mysteries around why the attack code was disabled — was it disabled because the attackers had failed to finish the code or had they disabled it for some other reason?

The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon. And because the 2007 variant only contained the 417 attack code — with no code attacking the Siemens 315 PLC — it appears that the attackers disabled the 417 code in later versions because they wanted to change their tactics, dropping their focus on sabotaging the valves in order to focus instead on sabotaging the spinning centrifuges.

Symantec discovered the 2007 variant a few months ago during a routine search of its malware database while looking for files that matched patterns of known malware.

Though the variant was only recently found, it had been in the wild at least as early as Nov. 15, 2007, when someone uploaded it to VirusTotal for analysis. VirusTotal is a free online virus scanner that aggregates more than three-dozen brands of antivirus scanners and is used by researchers and others to determine if a file discovered on a system contains signatures of known malware. It’s not known who submitted the sample to VirusTotal or in what country they were based, but Symantec believes the 2007 version was very limited in its reach and likely only affected machines in Iran.

Until now, the first known variant of Stuxnet uncovered was released in June 2009, followed by a second variant in March 2010 and a third in April 2010. Researchers always suspected that other variants of Stuxnet existed, based on the version numbers the attackers gave their code, as well as other clues.

The June 2009 variant, for example, was labeled version 1.001. The March 2010 variant was 1.100, and the April 2010 variant was 1.101. The gaps in version numbers suggested that other versions of Stuxnet were developed, even if they were not released into the wild. That theory bore out when the researchers discovered the 2007 variant, which turned out to be version 0.5.

Though Stuxnet 0.5 was in the wild as early as 2007, it was still active when the June 2009 version was released. Stuxnet 0.5 had a stop date of July 4, 2009 coded into it, which meant that after this date it would no longer infect new computers, though it would still continue to sabotage machines it had already infected, unless it got replaced with a new version of Stuxnet. The 2007 version was also programmed to stop communicating with command-and-control servers on Jan. 11, 2009, five months before the next version of Stuxnet was released. It’s possible that when the June 2009 version was released, which had the ability to update older versions of Stuxnet via peer-to-peer communication, it replaced the older 2007 version on infected machines.

Stuxnet 0.5 was much less aggressive than later versions in that it used fewer spreading mechanisms. The researchers found no zero-day exploits in the malware to help it spread, which is probably one reason it never got caught.

By contrast, the 2010 variants of Stuxnet used four zero-day exploits as well as other methods that caused it to spread wildly out of control to more than 100,000 machines in and outside of Iran.

Stuxnet 0.5 was very surgical and spread only by infecting Siemens Step 7 project files — the files that are used to program Siemens’ S7 line of PLCs. The files are often shared among programmers, so this would have allowed Stuxnet to infect core machines used to program the 417 PLCs at Natanz.

If it found itself on a system that was connected to the internet, the malware communicated with four command-and-control servers hosted in the U.S., Canada, France and Thailand.

The domains for the servers were: smartclick.org, best-advertising.net, internetadvertising4u.com, and ad-marketing.net. All of the domains are now down or registered to new parties, but during the time the attackers used them, they had the same home page design, which made them appear to belong to an internet advertising firm called Media Suffix. A tag line on the homepage read, “Deliver What the Mind Can Dream.”

Like later versions of Stuxnet, this one had the ability to deliver updates of itself to machines that were not connected to the internet, using peer-to-peer communication. Though later versions used RPC for the peer-to-peer communication, this one used Windows mailslots. All the attackers had to do was use the command-and-control server to update the code on one infected machine that was connected to the internet, and others on the local internal network would receive the update from that machine.


Once Stuxnet 0.5 found itself on a 417 PLC, and determined that it had found the right system, the attack proceeded in eight stages, sabotaging 6 out of 18 centrifuge cascades.

In the first part, Stuxnet simply sat on the PLC watching normal operations in the cascades for about 30 days and waiting for the systems to reach a certain state of operation before the attack progressed.

In the next part, Stuxnet recorded various data points while the cascades and centrifuges operated normally, in order to replay this data to operators once the sabotage began and prevent them from detecting changes in the valves or gas pressure.

Each cascade in Natanz is organized in 15 stages or rows, with a different number of centrifuges installed in each stage. Uranium hexafluoride is pumped into cascades at stage 10, where it spins at high speed for months. The centrifugal force causes slightly lighter U-235 isotopes in the gas (the desired isotope for enrichment) to separate from heavier U-238 isotopes.

The gas containing the concentration of U-235 is then siphoned out of the centrifuges and passed to stage 9 of the cascade to be further enriched, while the depleted gas containing the concentration of U-238 isotopes is diverted to cascades in stage 11. The process repeats for a number of stages, with the enriched uranium becoming more concentrated with U-235 isotopes at each stage until the desired level of enrichment is achieved.

There are three valves on a cascade that work in unison to control the flow of gas into and out of centrifuges, as well as auxiliary valves that control the flow of gas into and out of each stage in a cascade and into and out of the cascade itself.

When the sabotage kicked in, Stuxnet closed and opened various centrifuge and auxiliary valves to increase the gas pressure, thereby sabotaging the enrichment process. Stuxnet closed valves on six out of 18 cascades and modified other valves on randomly chosen individual centrifuges to prevent operators from detecting a pattern of problems. In the final step of the attack, the sequence was reset to begin the attack over again at the first stage.

It’s long been suspected by some experts that Stuxnet was already sabotaging cascades at Natanz sometime between late 2008 and mid-2009. The new finding from Symantec supports that theory.

Stuxnet 0.5 was looking for a system in which cascade modules were labeled A21 through A28. Natanz has two cascade halls — Hall A and Hall B. Only Hall A was operating in 2008 and 2009 when Stuxnet would have been active on infected machines.

Hall A is divided into cascade rooms that are labeled Unit A21, Unit A22, etc. up to Unit A28. Iran began its installation of centrifuges in two rooms in Hall A in 2006 and 2007 — Unit A24 and Unit A26 — and later expanded to other rooms. In February 2007, Iran announced that it had begun to enrich uranium at Natanz.

According to reports released by the UN’s International Atomic Energy Agency, which monitors Iran’s nuclear program, by May 2007, Iran had installed 10 cascades, consisting of a total of 1,064 centrifuges, in Hall A. By May of 2008, Iran had 2,952 centrifuges installed, and Iranian President Mahmoud Ahmadinejad announced plans to increase the number of centrifuges to 6,000. The numbers did increase throughout 2008 and early 2009, with gas being fed into them shortly after they were installed. But the number of cascades that were being fed gas and the amount of gas being fed began to drop sometime between January and August 2009 when Iran appeared to be having problems with some of its cascades. In late 2009, IAEA inspectors noticed that technicians at Natanz were actually removing centrifuges from cascades and replacing them with new ones. All of this would seem to coincide with the timing of Stuxnet.

One final interesting detail of note about the new variant — during the installation process of Stuxnet 0.5, the malware created a driver file that caused a forced reboot of a machine 20 days after the malware infected it. It did this by generating a BSoD (Blue Screen of Death) — the infamous blue screen that appears on Windows machines when they crash.

Stuxnet was first discovered in June 2010 because some machines in Iran on which it was installed kept crashing and rebooting. Researchers were never able to determine why those machines crashed and rebooted, because other machines infected by Stuxnet did not respond in this way.

Though the version of Stuxnet found on those machines was not Stuxnet 0.5, it raises the possibility that multiple versions of Stuxnet might have infected those machines even though only one was recovered when they were examined. O’Murchu thinks it’s unlikely, however, that VirusBlokAda — the antivirus firm that first discovered Stuxnet — would have missed another variant on the machines.

Dorkbot worm lurks on Skype and MSN Messenger again

The Dorkbot/Rodpicom worm, which spreads via messaging applications and leads to additional malware infections, is currently doing rounds on Skype and MSN Messenger, warns Fortinet.

The vicious circle starts with potential victims receiving a direct message from a contact, asking “LOL is this your new profile pic? http://goo.gl/[removed]”. Those who follow the link land on a malicious site and are infected with the worm.

Apart from being able to send out the aforementioned message to further potential victims, the malware is also capable of opening a backdoor into the infected system, downloading more malicious software, spamming, reaching out to its C&C server, downloading a new version of itself, and other malicious activities. The computer is essentially enslaved into a botnet and is ready to do the botnet master’s bidding.

It’s interesting to note that the worm waits until the victims log into the chat app they use and then sends out the messages. It is also able to change the language of the message to be consistent with the language of the installed Windows operating system, making it more believable that the message has been sent by the user.

According to FortiGuard Labs researcher Raul Alvarez, the malware is also equipped with a number of evasion and obfuscation techniques aimed at hiding its existence both from AV software and researchers.

Credit: Net-Security.org

Narilam Worm manipulates databases in Iran

h-online: Security firm Symantec has discovered a specialised worm called W32.Narilam that can compromise SQL databases. Symantec reports that the malware “speaks” Persian and Arabic and appears to target mainly companies in Iran. Narilam is, therefore, reminiscent of Stuxnet and its variants.

Narilam spreads via USB flash drives and network shares. Once inside the system, the worm searches for SQL databases that are accessible via the Object Linking and Embedding Database (OLEDB) API. Rather than steal the target data it finds for intelligence purposes, the worm proceeds to modify or delete the data and can, says Symantec, cause considerable damage. Stuxnet similarly served no intelligence purpose and was designed to sabotage its target – a uranium enrichment facility in Natanz, Iran.

The purpose of Narilam, or that of the worm’s authors, remains unknown. However, Symantec says that its analysis suggests that the saboteurs appear to have targeted corporate data records. Apparently, the worm’s translated instructions include object names such as “sale”, “financial bond” and “current account”. Due to the malware’s level of specialization, Symantec rates the infection risk as low. The security firm notes that current analysis results indicate “that the vast majority of users impacted by this threat are corporate users.”

Part of the worm was written in the Delphi programming language. Symantec says that the worm takes its name from its own attributes, because it searches for SQL databases with three specific names: alim, shahd and maliran.


Crisis malware infects VMware virtual machines

v3.co.uk: The Windows version of the Crisis Trojan is far more dangerous than first thought, being capable of infecting VMware virtual machine images, Windows Mobile devices and removable USB drives, research has revealed.

Crisis was originally uncovered in July targeting businesses with social engineering attacks that trick users into running a malicious Java applet.

Symantec has since revealed that the malware has more advanced capabilities, letting it search for and copy itself onto VMware virtual machine images on compromised computers.

Once on the images the malware can reportedly steal and intercept data from virtual machines including financial information.

“We’ve discovered it getting onto VM systems not via exploits but by copying itself into the VM code,” Symantec senior security response manager Peter Coogan told V3.

“We haven’t seen this before […] they’re increasing the amount of information the spyware can gather.”

As well as its VMware capabilities, Symantec also reported discovering the malware installing rogue modules on Windows Mobile devices connected to compromised systems, though the purpose of the modules remains unknown.

Coogan went on to clarify that Crisis “is incredibly complex and likely created by an advanced group”, warning that its full capabilities remain unknown.

Despite its sophisticated nature, Crisis is believed to have infected a select number of systems. Kaspersky Lab has reported discovering the malware on 21 systems located in Italy, Mexico, Iran, Turkey, Iraq, Oman, Brazil, Kazakhstan, Kyrgyzstan and Tajikistan, said Sergey Golovanov, Kaspersky Lab malware expert.

Bogus anti-hacking tool targets Syrian activists

At one point, the AntiHacker malware even had its own Facebook group - now offline

h-online: Syrian activists, journalists and opposition group members are reportedly under attack by malware claiming to be a security tool that will help protect them against hackers. The fake “AntiHacker” tool is being spread through targeted phishing emails and via sites such as Facebook, and claims to provide “Auto-Protect & Auto-Detect & Security & Quick scan and analyzing” functionality.

However, according to the Electronic Frontier Foundation (EFF), the fraudulent tool actually installs a program called DarkComet RAT (remote access tool). The US digital rights advocacy organization says that the new malware is being spread and controlled by pro-government hackers. With DarkComet, these hackers can remotely access users’ systems to steal private data, record keystrokes, disable certain antivirus programs’ notification systems and even obtain images from a computer’s built-in webcam.

Users who believe their systems are infected with the remote access program can download the DarkComet RAT removal tool by developer Jean-Pierre Lesueur, who originally wrote DarkComet. Lesueur stopped development and sales of DarkComet after he learned that it was being used by Syrian government forces against political opponents.

http://h-online.com/-1669262