Every year around the holidays we begin seeing fake e-cards laden with malware hitting our filters, and this year is no exception. The bad guys know that this little disguise may get their intended victims to drop their guard just long enough for the attack to succeed. Many people prefer the ease of creating and sending electronic holiday cards in lieu of licking all of those envelopes, so recipients are used to getting them, sometimes en masse, at this time of year. That is exactly the cover the malware authors thrive on.
One of the more common themes cybercriminals like to spoof is Hallmark, a company well known for its greeting cards. A big wave of them came in not too long ago that were missing some of their graphics, but usually they are dressed to the nines and can be quite convincing. A couple of the dead giveaways here are the aforementioned lack of graphics and, more importantly, the use of an attachment. I personally have never seen a legitimate ecard sent via attachment, always a link to "open" the card. Now, with that being said, I must clarify that just because you receive an ecard with a link doesn't make it legitimate, quite the contrary. Many of these are dressed up much better than this most recent example and use links to lead you to remotely hosted malware.
This particular malware behaves a little like Zeus in that it injects itself into running processes to hide and waits for account credentials. In addition, it creates a file named AdobeARME.exe, adds a Windows Firewall exception for it, and registers it in all of the usual startup locations so that the malware reloads after the victim reboots. It then disables Windows security notifications and begins searching for and disabling any active anti-virus on its new host.
As always, be on the lookout for these malicious e-cards. Only click on links that you know are safe and come from known sources, and you will help make sure your holidays remain cheerful ones.
It has recently come to light, according to Trustwave researchers, that millions of passwords for major accounts such as Facebook, Google, LinkedIn, ADP, and Twitter have been stolen over the past month. This was the work of keylogging malware that found its way onto hundreds of thousands of victim computers and siphoned off private data. No one is completely sure how this malware made its way onto all of these computers, but what matters at this point is knowing what to do to protect yourself in case you were one of those affected.
First things first, change your passwords! Make sure you cut off any access the thieves may have had to these accounts as soon as possible. A lot of these companies have warned their users that their accounts may have been compromised, but some have not, so err on the side of caution. If you have an account with Facebook, Gmail, Google+, YouTube, Yahoo, Twitter, Odnoklassniki, ADP or LinkedIn, it's possible that the bad guys have access to it; change all of these passwords.
A couple of very important password rules come to mind here as well:
Use Different Passwords- A great deal of damage can occur after an intrusion if you are using the same password for all of your online accounts, because it places every account behind a single point of failure. If an attacker gets hold of your email password (for example), they will commonly try the same credentials against other services. So, though it can be cumbersome at first, make the extra effort to use a different password for each account.
Stronger Passphrase- In the wake of recent data breaches where attackers have posted stolen passwords online, it is evident that while most people know the importance of a strong password, not all are practicing it. A strong passphrase should mix upper and lower case letters, numbers and symbols, and it is critical that it be no less than 8 characters in length (the longer the better). An easy way to come up with one is to start with a phrase you can easily remember. Take “chicken and waffles” for example: you could use something like “ch1ck3n@ndWaffl3S!”. Keep in mind that the common substitutions (1 for i, 3 for e, @ for a) are built into password-cracking tools, so the length and the obscurity of the underlying phrase do far more for you than the symbols do.
Do your best to keep this malware off your machines in the first place by layering defenses such as a strong (properly configured) firewall, anti-virus, and email filtering, but also know what to do in case all of those layers fail.
It comes as no surprise that as holiday shoppers begin to flood the internet looking for deals, the bad guys are right behind them hoping to swoop in on an unsuspecting victim. Fake invoice scams run year round, but they are far more effective at the time of year when almost everyone is actually expecting packages from their online purchases.
Amazon.com has recently been pushing a 30 day free trial of Amazon Prime, which among other perks gives shoppers free two-day shipping on all purchases. Free shipping during the shopping season must seem like a dream come true to people who prefer the peaceful, trample-free option of shopping from the comfort of their own homes over the chaos at the local shopping center.
The cybercriminals clearly saw this as a great opportunity too, as floods of fake Amazon.com "Order Details" notifications are hitting our filters.
Possibly in haste, a lot of these are broken. Some are not formed properly, so the intended payload attachment isn't visible to the average recipient; some of the attachments that did make it through are corrupted. However, a great many of them are fully functional and aim to lighten that holiday wallet.
Among other things this piece of malware takes an inventory of all running processes on the infected machine, steals saved auto-complete passwords from Mozilla Firefox and attempts to download additional malware from its C&C server.
Be on the lookout for these and many other attempts to take advantage of the season. They are out in full force.
There have been widespread reports that the latest Android update (version 4.4, also known as KitKat) is causing Exchange ActiveSync connectivity issues. The problems range from being unable to authenticate to the server when setting up an Exchange account to synchronization stopping for ActiveSync accounts already on the device. A thread on the Android issue tracker about this problem has been closed with a statement that the issue will be addressed in a future Android release. No further details have been given as to when this fix will be available.
At this time, the best option seems to be to hold off on upgrading to KitKat until the patch is rolled out. However, if you are one of the unfortunate people who have already applied the update, reverting to the previous version is not an easy task and is not recommended for most users. As an alternative, there are numerous third-party apps that can be used to access your Exchange account. One of the more popular client apps is:
Touchdown for Exchange
The update has only been released to a small number of newer Android devices: the Nexus 4, 5, and 7, the Google Play editions of the HTC One and Samsung Galaxy S4, and the Motorola Moto X. However, phone manufacturers and wireless carriers are announcing that KitKat will be made available for other models soon, so the number of affected devices will continue to grow until the patch is available.
More on this issue can be found here.
When you get right down to it, a major focus of cybercriminals is social engineering. It's with these tools and techniques that they separate their targets from their money or data (which also translates to money in the end). It has become very common to attach a malicious file to an email that's been cleverly themed to trick recipients into executing the attachment. Often the author uses fear as the motivator, as when they send fake invoices for things the recipient never ordered, prompting the stressed-out feeling that perhaps someone has gotten hold of one of their credit cards and is making fraudulent charges.
Other times, however, they're more subtle and try to fly under the radar instead. Such is the case with one of several techniques hitting our filters as we speak. This particular campaign targets users of the cloud communications company RingCentral, a hosted VoIP phone system. Companies use services like this when they want to avoid purchasing extra hardware or hiring the staff required to operate a new phone network. One great feature of today's VoIP systems such as RingCentral's is the ability to collect missed messages and send them to your email address, so that if you're out of the office you can still get your voice mails or faxes in near real time and continue with business without missing a beat. This campaign mimics those RingCentral notifications. The idea is not to alarm the recipient, as a receipt for a thousand dollar purchase would, but instead to get the intended victim on auto-pilot and just click through as they normally would with one of these routine notification emails.
This particular attack comes with an attachment built to look like a PDF document named "fax.pdf". However, there is a second extension hidden at the end, making it "fax.pdf.exe", which is never a normal thing: notifications never arrive as executable files. Note that Windows hides known file extensions by default, so Explorer shows this file simply as "fax.pdf"; turning that option off makes the real extension visible.
This file has all the characteristics of a Zeus downloader: it checks for a debugger, injects itself into running processes, copies itself into startup locations, modifies the local firewall policy and connects to its command and control server for further payloads and instructions.
Concurrent with this campaign we're also seeing similar themes posing as JConnect, eFax, Xerox and DocuSign, all pretending to be voicemails and faxes but with something a little more sinister in mind. Currently we at AppRiver have all of these blocked, so our clients won't have to see them.
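The double-extension trick above is easy to check for mechanically. The following is an added example, not AppRiver's filter code: it walks the MIME parts of a raw message, looks at each attachment's filename, and blocks anything whose final extension is executable, with a stronger verdict when a document-looking extension sits in front of it. It also shows what Windows Explorer would display for the name with "Hide extensions for known file types" on. The extension sets and the sample message are assumptions constructed for the example.

```python
"""Added example (not the original post's or AppRiver's code): flag attachments
whose final extension is executable, especially when a document-looking
extension sits in front of it, as in the fax.pdf.exe lure. The extension sets
are assumptions, not a complete list of what Windows will run."""
import email
from email import policy

# Extensions Windows executes on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "ps1"}
# Extensions that look harmless to a recipient (assumed, not exhaustive).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "rtf", "jpg", "jpeg", "png", "gif", "wav", "mp3", "htm", "html"}


def displayed_name(filename: str) -> str:
    """What Windows Explorer shows with 'Hide extensions for known file types'
    enabled (the default): the final extension is dropped, so fax.pdf.exe is
    shown as fax.pdf and borrows the .pdf look."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return base
    return filename


def attachment_verdict(filename: str) -> str:
    """Return 'allow', 'block: executable' or
    'block: executable disguised as document'."""
    # Strip padding spaces attackers sometimes insert before the real extension.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return "block: executable disguised as document"
        return "block: executable"
    return "allow"


def scan_message(raw: str) -> list:
    """Walk every MIME part of a raw RFC 5322 message and return
    (filename, verdict) for each attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            results.append((name, attachment_verdict(name)))
    return results


# Constructed sample modelled on the campaign; the attachment body is a few
# bytes of an MZ header, not a real payload.
SAMPLE = """From: RingCentral <no-reply@example.invalid>
To: victim@example.invalid
Subject: New fax message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new fax. See attachment.
--b1
Content-Type: application/octet-stream; name="fax.pdf.exe"
Content-Disposition: attachment; filename="fax.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{name!r} (shown to user as {displayed_name(name)!r}): {verdict}")
```

Running it on the constructed message reports the attachment as an executable disguised as a document and shows that the user would have seen only "fax.pdf". A real gateway would also look at the file's magic bytes rather than trusting the name, but the filename check alone catches this campaign.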
The term “malware” is thrown around to cover a wide variety of software. It's a very broad term for bad things on computers, covering viruses, keyloggers, adware, worms and more. One particular type known as a Trojan downloader has become a favorite delivery method for malware operators.
A Trojan downloader infects a computer much like any other malicious program, but it is usually much smaller and does not carry the actual payload the campaign is trying to install. Instead, once it is running, it reaches out to a remote server to download and execute other malware.
A recent case of this is everything happening with CryptoLocker, the ransomware that has gained a lot of attention in the news lately. It's a pretty nasty piece of malware that encrypts many common file types on a computer and will not decrypt them until you pay about $300 for the private key. The CryptoLocker executable itself has not been sent in any emails we have seen so far. Instead, many Trojan downloader variants have been sent that, when opened, reach out to a remote server and download CryptoLocker onto the computer directly.
This means blocking the final payload alone is not enough when there are other delivery methods like this. There can be many variations of the downloaders, or even other malware that installs more malware. A Trojan downloader can be configured to fetch any number of payloads, and many of these downloaders are reused for later campaigns (same downloader, different payload). By blocking a Trojan downloader, a single rule may also catch a similar strain or a completely new campaign in the future. This is why it's important to take a complete approach and block every vector associated with a threat: the payload executable itself, the Trojan downloaders it uses, and the web servers and command and control hosts associated with it. Often we see a threat blocked months ago resurface and get caught by the same old rules. New malware will always be created, though, which is why it is important to keep anti-virus up to date and use software or a service that can react immediately to new threats.
Cyber Monday is just one week away, and with so many people shopping online, many of the tactics cybercriminals use to socially engineer users are more effective than at other times of the year. Spammers and malware distributors have often crafted messages to appear as legitimate notifications from the likes of UPS, FedEx, PayPal and many other shippers and online retailers. This is such an effective technique that they use it year round, but during the holidays these messages can be far more effective still. It stands to reason that anyone expecting shipping or payment confirmations will be much more susceptible to these threats, and the holiday season is when that is the reality for most people. These messages pose as the real thing but often carry malicious payloads designed to infect your machine.
Here is a look at one of those messages:
Despite the fact that these messages look very believable, there are some common elements that should not appear in a legitimate shipping or payment confirmation email. Frequently these messages include attachments, which should be a red flag. Additionally, if the message directs you to click on a link, at the very least ‘mouse over’ the link to reveal the true destination, and be suspicious whenever the address shown in the text differs from the one the link actually goes to. Or better yet, just ignore it and navigate to the company's website directly in the browser. Of course this is just one of the multitude of attack techniques cybercriminals will be using this holiday season, so be safe out there.
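The mouse-over check can be done programmatically for every link in a message. The following is an added example, not code from the original post: for each anchor in an HTML body it compares the host the visible text appears to name with the host the href really points to, and checks the real host against the domains the message claims to come from. The two-label "registrable domain" shortcut, the brand domain list and the sample HTML are assumptions; a production filter would use the public suffix list.

```python
"""Added example (not the original post's code): the 'mouse-over the link'
check done in code. Flags anchors whose visible text names one host while the
href goes to another, and hrefs whose host does not belong to the brand the
message claims to be from. Registrable-domain logic is a deliberate
simplification (assumption)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or bare hostname.
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (assumption; wrong for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_deceptive_links(html: str, brand_domains) -> list:
    """Return (href, text, reasons) for every link a recipient should distrust."""
    parser = _Anchors()
    parser.feed(html)
    brands = {registrable(d) for d in brand_domains}
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        reasons = []
        if _URLISH.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(real_host):
                reasons.append(f"text shows {shown_host} but href goes to {real_host}")
        if real_host and registrable(real_host) not in brands:
            reasons.append(f"{real_host} is not a {'/'.join(sorted(brands))} domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample modelled on a fake shipping confirmation.
SAMPLE_HTML = """<p>Your UPS package could not be delivered.</p>
<p>Print the label here:
<a href="http://ups.example-tracking.invalid/label?id=1Z999">http://www.ups.com/tracking</a></p>
<p><a href="https://www.ups.com/help">Help</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in find_deceptive_links(SAMPLE_HTML, ["ups.com"]):
        print(href, "->", "; ".join(reasons))
```

On the sample, the "Print the label" link is reported twice over (its text claims www.ups.com while the href goes to a .invalid host, and that host is not a ups.com domain), while the plain "Help" link to ups.com passes.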
For a slight change of pace, the botnet that has been delivering the "What's My App" multi-platform malware we wrote about here has been delivering a smaller, differently themed campaign alongside the much larger run mentioned above.
This campaign comes in the form of a wedding evite, specifically from the White Wedding Agency. This tactic has been used a couple of times this year already, but it hasn't been quite as sophisticated as this latest run. If the link is clicked, the viewer is taken to one of a number of infected websites that, as mentioned in the previous article, check what the user is connecting with before deciding how to act. This version seems to prefer PCs over mobile devices, however, as all of the infected sites I have tested have reacted the same way. If the website detects that the victim is using Firefox or IE to connect, it first uses the connecting IP to determine where the victim is located via IP geolocation and then pushes down a file customized with the victim's city in its name. The ones we pulled here in sunny Florida were named "Wedding_Invitation_Gulf_Breeze(.exe)". If the infected website detected that the victim was using Android, iOS, or Safari to connect, the same site would serve up a 404 Not Found page. I would have to believe that the mobile malware exists in this campaign as it does in the What's My App campaign, but I have yet to see one that accepts a mobile connection.
The file the PC victim receives is compressed in a zip file of the same name, with a different extension of course. The executable uses the AsPack packer to obscure its code and make it a little more difficult to reverse engineer. Once executed, the malware injects itself into a generic svchost.exe process, makes a sleep call and then checks whether it is running under a debugger. Once that is complete and it feels safe to move on, it creates the file okqfduln.exe in the user's local AppData directory (C:\Users\<username>\AppData\Local) and the original executable deletes itself. Finally, the malware goes to town on the browser, scraping browsing history and cookies and modifying the browser proxy settings to redirect the victim's future HTTP requests. It then sends the information back to its command and control server and waits for further commands.
Stay alert and avoid scams like these. AppRiver and SecureTide have you covered on this one.
Over the past several years we have seen the proliferation of malware targeting mobile devices such as Android and iOS. The vast majority of it has been designed for the former, as Android's "open" policy provides a broader attack surface and its app market has been policed much more loosely than Apple's. This matters because most mobile malware is disguised as an app: cyber-criminals design mobile apps to appear to have one purpose when in fact there is a great deal of hidden functionality that takes advantage of the user. Lately, though, Google has been putting increased effort into policing the Android app market. And though malware is still lurking on these download sites, malware distributors are looking to other methods to ramp up distribution. One method they have turned to is the tried and true technique of spamming.
Over the past several months we have been seeing a unique malware campaign that poses a threat to PC users, Android users and some iOS users alike. The messages pose as notifications from WhatsApp (a smartphone messenger available for Android and other platforms).
The messages attempt to lure the victim with a link to a “voice message”. Interestingly, they target not only PC users but also Android and iOS users (if the phone has been jailbroken). Clicking the links from an Android device leads to the installation of a malicious app that secretly sends text messages to premium-rate numbers, leaving the victim holding the tab. This infection also affects iOS users, but only if their phone has been jailbroken, since Apple only allows apps to be installed from its own App Store. By distributing malware this way, cyber-criminals can reach the masses without having to get past app store safeguards.
There is another wrinkle. Many of these links also initiate a malware install for Windows PC users. Some of the links we visited from Windows resulted in a file being offered for download. The file was personalized (presumably using IP geolocation) and aptly named Voicemail_NAMEOFCITY_randomnumbers.zip, so depending on where the machine accessing the page is located, you are served a file named accordingly. This is an effective technique since the added customization makes the whole process seem more legitimate. Inside the zipped file is a Trojan downloader that can infect the system with many forms of malware in the future.
We have quarantined millions of these messages over the past several months but they are still coming in, which indicates that they must be “working” to an extent that is acceptable to the sender. Of course, we are blocking all variants of this threat.
What we saw in October
Certainly some of the biggest news from the past month has been the growing buzz around one of this year's most concerning pieces of malware, CryptoLocker. If you haven't heard yet, CryptoLocker belongs to the class of malware known as ransomware. Once it infects a victim, the malware contacts its command and control server, which generates a 2048-bit RSA key pair for that victim and sends back only the public key. CryptoLocker then looks for files with certain extensions and encrypts each one with a 256-bit AES key (a symmetric cipher, which is what makes bulk encryption fast), and that AES key is in turn encrypted with the RSA public key and stored with the file; the RSA private key needed to unwrap the AES keys never leaves the attackers' server. After the encryption is done, the malware presents the newly infected user with a pop-up demanding a ransom of roughly US$300 for the now unreadable files. The victim is also given a time limit to pay, which seems to vary slightly depending on certain factors but is right around 100 hours. If the victim submits incorrect payment information within that time, the time to pay is cut in half; if they don't pay at all, the malware uninstalls itself and removes the registry entry holding the public RSA key, leaving all files encrypted and unusable. There are many reports of people paying up, receiving the private key and successfully decrypting their files, but because the malware uses a domain generation algorithm (DGA) to locate and communicate with its C&C server, receiving that key can take a very long time, days in fact.
Most recently CryptoLocker has been paired with the Zeus Trojan, a family of malware that excels at stealing banking credentials. First a downloader gains a foothold on the victim's machine and pulls down Zeus; Zeus then downloads CryptoLocker, creating a neat but dangerous one-two punch. CryptoLocker goes to work and does its thing, and if the victim tries to pay, Zeus is there to steal their credentials.
While paying the ransom has worked for some, it is a really ill-advised route to take, especially now that Zeus has gotten involved. The only way to make sure you or your organization is not hurt by CryptoLocker is to keep proper backups, and to keep them somewhere the malware cannot reach: it encrypts files on mapped network drives as well as local disks, so a backup copy sitting on a permanently mapped share can be encrypted along with everything else. Removing CryptoLocker is trivial, but removing the encryption is not. Being able to simply revert to a healthy backup is the key to winning this particular battle.
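To make the key-custody point concrete, here is an added example that models the hybrid scheme described above; it is not CryptoLocker's code and is not from the original post. Each file gets a fresh 256-bit symmetric key, that key is wrapped with an RSA public key, and the wrapped key is stored in front of the ciphertext. Two stand-ins are used and are assumptions of the example: textbook RSA with a small pure-Python key generator in place of padded 2048-bit RSA, and an HMAC-SHA256 counter keystream in place of AES-256. What the code shows is that nothing on the victim side, not the malware, not the registry entry, not the public key, can reverse the encryption; only the private key held by the server can.

```python
"""Added example (a model of the scheme, not CryptoLocker's code): hybrid file
encryption as ransomware uses it. Stand-ins, labelled as assumptions: textbook
RSA with a pure-Python 512-bit keygen instead of padded 2048-bit RSA, and an
HMAC-SHA256 counter keystream instead of AES-256. The security-relevant point
is key custody: the victim machine only ever holds the public key."""
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). In the real attack this runs on the C&C
    server and only (n, e) is sent to the victim."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for AES-256. Symmetric: the
    same call encrypts and decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key) -> bytes:
    """Victim side: fresh symmetric key per file, wrapped with the public key
    and stored in front of the ciphertext. No secret survives here."""
    n, e = public_key
    file_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # textbook RSA
    header = wrapped.to_bytes((n.bit_length() + 7) // 8, "big")
    return header + _keystream_xor(file_key, plaintext)


def decrypt_file(blob: bytes, private_key) -> bytes:
    """Attacker side: unwrap the file key with d, which never left the server."""
    n, d = private_key
    klen = (n.bit_length() + 7) // 8
    file_key = pow(int.from_bytes(blob[:klen], "big"), d, n).to_bytes(32, "big")
    return _keystream_xor(file_key, blob[klen:])


def roundtrip(doc: bytes) -> bool:
    """Encrypt a constructed document, confirm it is unreadable, and show that
    only the private key restores it."""
    pub, priv = rsa_keypair()
    blob = encrypt_file(doc, pub)
    return doc not in blob and decrypt_file(blob, priv) == doc
```

Because every file carries its own wrapped key, the attackers can sell a victim back their files by handing over one private key, and nothing short of that key, or a backup taken before the infection, brings the data back.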
Here are some of the other highlights from the month of October:
Ross Ulbricht, the owner and creator of The Silk Road, an online illegal drug and contraband marketplace accessible only via the Tor network, was arrested early in October along with several of the site's biggest vendors. Officials located and seized the domain and the servers that hosted The Silk Road, which gave them access to private messages between the site, its vendors and its customers without needing to break the anonymity of the Tor network itself.
At the beginning of October Adobe announced that it had suffered a major breach in which criminals accessed customer data including logins, encrypted passwords and credit card information, along with around 40GB of Adobe source code. Access to the source could make it easier for the thieves to find zero-day exploits in Adobe products, although this has yet to be proven or disproven.
The creator of the Blackhole exploit kit was arrested this month. Blackhole has been the most prevalent of all the exploit kits used by internet crime rings since early 2012; the majority of the large malware bursts during this time linked back to it. Almost immediately following the arrest of its author and his partners, the criminal landscape discontinued its use and migrated quickly to a newer kit known as Magnitude.
A look at metrics:
In the past 30 days we have quarantined 56.6 million emails carrying a virus as an attachment. This rate rose for the fourth consecutive month and was the highest monthly total we have seen since March of this year.