Viruses and Worms

40,000 Tinder pics scraped into big data service

The Register - Anti-Virus - 2 hours 29 min ago
Trove then disappears, as folks point out the privacy problem

Amid a storm of criticism, a set of facial images built by scraping the Tinder dating service has been pulled from Kaggle.…

Category: Viruses and Worms

CIA tracked leakers with hilariously bad Web beacon trick

The Register - Anti-Virus - 5 hours 23 min ago
WikiLeaks finds the spooks' work experience kids' Scribbles

Web beacons are objects such as transparent, single-pixel GIFs planted in emails and web pages to phone-home when users access the content. They're trivially easy to expose – simply forcing an e-mail client to show URLs instead of links can do the trick.…

Category: Viruses and Worms

WikiLeaks Reveals CIA Tool ‘Scribbles’ For Document Tracking

VirusList.com - 29 April 2017 - 00:52
The CIA is planting web beacons inside Microsoft Word documents to track whistleblowers, journalists and informants, according to WikiLeaks.
Category: Viruses and Worms

NSA pulls plug on some email spying before Congress slaps it down

The Register - Anti-Virus - 28 April 2017 - 23:54
Curious time to stop listening to Americans talking about foreigners, eh, Donald?

Updated: The NSA has, in theory, stopped snooping on American citizens' private communications that loosely involve foreigners in some way.…

Category: Viruses and Worms

Linux Mint-using terror nerd awaits sentence for training Islamic State

The Register - Anti-Virus - 28 April 2017 - 19:54
Paranoid fella hid operating system, weapons manuals in USB drive cufflinks, no less

A paranoid Welsh Muslim who wore gloves while typing on his laptop, admitted being part of Islamic State, and, gasp, harbored a copy of Linux Mint, has been described as a “new and dangerous breed of terrorist.”…

Category: Viruses and Worms

Facebook admits it is being used as propaganda tool by ‘malicious actors’

Sophos Naked Security - 28 April 2017 - 18:13
Facebook's soul-searching report sets itself the challenge of knowing itself

Threatpost News Wrap, April 28, 2017

VirusList.com - 28 April 2017 - 16:28
Mike Mimoso and Chris Brook recap this year's SOURCE Boston Conference and discuss the week in news, including the long term implications of the NSA's DoublePulsar exploit, and the HipChat breach.
Category: Viruses and Worms

VB2016 video: Last-minute paper: A malicious OS X cocktail served from a tainted bottle

Virus Bulletin News - 28 April 2017 - 15:34
In a VB2016 last-minute presentation, ESET researchers Peter Kalnai and Martin Jirkal looked at the OS X malware threats KeRanger and Keydnap, which both spread through a compromised BitTorrent client. A recording of their presentation is now available to view on our YouTube channel.

Category: Viruses and Worms

Lawmaker calls on ISPs to stop customers being hit by viruses

Sophos Naked Security - 28 April 2017 - 14:39
Australian minister says government is considering moving towards 'active defence ... blocking or diverting malicious traffic'

Sneaky 'fileless' malware flung at Israeli targets via booby-trapped Word docs

The Register - Anti-Virus - 28 April 2017 - 14:27
Spies, bank raiders gravitate to growing stealth technique

A newly uncovered cyber-espionage campaign targeting Israeli organisations relies on "fileless" malware hidden in Microsoft Word documents, a hacker tactic that's becoming a growing menace.…

Category: Viruses and Worms

Sports fans protest at plans to scan their faces as they head for the match

Sophos Naked Security - 28 April 2017 - 13:11
Police to use facial recognition to match Champions League fans to 'persons of interest' as they arrive for the UEFA Cup final

FCC: net neutrality is ‘politically motivated government overreach’

Sophos Naked Security - 28 April 2017 - 12:27
FCC chief signals assault on rules from the days of Ma Bell used by Obama to guarantee net neutrality

Use of DNS Tunneling for C&C Communications

Kaspersky Securelist - 28 April 2017 - 11:59

Say my name.

127.0.0.1!

You are goddamn right.

Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. However, they also require their victims to establish contact with the threat actor so they can send the ransom and recover their encrypted data. If we omit these two and have a look at the types of malware that have no communication with a C&C and/or threat actor, all that remains are a few outdated or extinct families of malware (such as Trojan-ArcBomb), or irrelevant, crudely made prankware that usually does nothing more than scare the user with screamers or switch mouse buttons.

Malware has come a long way since the Morris worm, and the authors never stop looking for new ways to maintain communication with their creations. Some create complex, multi-tier authentication and management protocols that can take weeks or even months for analysts to decipher. Others go back to the basics and use IRC servers as a management host – as we saw in the recent case of Mirai and its numerous clones.

Often, virus writers don’t even bother to run encryption or mask their communications: instructions and related information are sent in plain text, which comes in handy for a researcher analyzing the bot. This approach is typical of incompetent cybercriminals, or even of experienced programmers who don’t have much experience developing malware.

However, you do get the occasional off-the-wall approaches that don’t fall into either of the above categories. Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.

The malicious program in question is detected by Kaspersky Lab products as Backdoor.Win32.Denis. This Trojan enables an intruder to manipulate the file system, run arbitrary commands and run loadable modules.

Encryption

Just like lots of other Trojans before it, Backdoor.Win32.Denis extracts the addresses of the functions it needs to operate from loaded DLLs. However, instead of calculating the checksums of the names in the export table (which is what normally happens), this Trojan simply compares the names of the API calls against a list. The list of API names is encrypted by subtracting 128 from each character (byte) of the function name.

It should be noted that the bot uses two versions of encryption: for API call names and the strings required for it to operate, it does the subtraction from every byte; for DLLs, it subtracts from every other byte. To load DLLs using their names, LoadLibraryW is used, meaning wide strings are required.

‘Decrypting’ strings in the Trojan

Names of API functions and libraries in encrypted format

It should also be noted that only some of the functions are decrypted like this. In the body of the Trojan, references to extracted functions alternate with references to functions received from the loader.
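The two string protections described in this section, as an added example (not code from the Securelist write-up or from the sample): subtracting 128 modulo 256 from a byte is its own inverse, so one routine both protects and recovers a byte, and the only difference between the two variants is whether every byte (ANSI API names) or every other byte (the low byte of each UTF-16LE code unit in the DLL names passed to LoadLibraryW) is touched. Because printable ASCII lands in 0xA0–0xFE after the shift, plain `strings` finds nothing; the `find_encrypted_names` helper searches a blob for known names in their shifted form instead. All sample data is constructed.

```python
"""Undo the '128 subtracted from every byte' string protection described above.

Added example, not code from the Securelist write-up or from the sample. It
assumes the two variants are: every byte for ANSI API names, and the low byte of
every UTF-16LE code unit for the DLL names handed to LoadLibraryW. The sample
blob below is constructed.
"""


def _shift(value: int) -> int:
    # Subtracting 128 modulo 256 is its own inverse, so the same operation
    # both protects and recovers a byte.
    return (value - 128) & 0xFF


def encrypt_ansi(name: str) -> bytes:
    """Protect an ANSI string the way the API-name list is protected."""
    return bytes(_shift(b) for b in name.encode("ascii"))


def decrypt_ansi(blob: bytes) -> str:
    """Recover an ANSI string: shift every byte back."""
    return bytes(_shift(b) for b in blob).decode("ascii")


def _shift_wide(blob: bytes) -> bytes:
    # Only every other byte is shifted: the low byte of each UTF-16LE code unit.
    out = bytearray(blob)
    for i in range(0, len(out), 2):
        out[i] = _shift(out[i])
    return bytes(out)


def encrypt_wide(name: str) -> bytes:
    """Protect a wide (UTF-16LE) string the way the DLL names are protected."""
    return _shift_wide(name.encode("utf-16-le"))


def decrypt_wide(blob: bytes) -> str:
    """Recover a wide string; the high bytes were never touched."""
    return _shift_wide(blob).decode("utf-16-le")


def find_encrypted_names(blob: bytes, ansi_names, wide_names) -> dict:
    """Locate known API and DLL names inside a binary blob in their shifted form.

    Returns {name: offset} for every name that was found. Useful for triage,
    since the shifted bytes are outside the printable range.
    """
    hits = {}
    for name in ansi_names:
        offset = blob.find(encrypt_ansi(name))
        if offset != -1:
            hits[name] = offset
    for name in wide_names:
        offset = blob.find(encrypt_wide(name))
        if offset != -1:
            hits[name] = offset
    return hits


# Constructed sample: two padding bytes, a shifted ANSI API name, a separator,
# then a shifted wide DLL name.
SAMPLE_BLOB = (b"\x00\x00" + encrypt_ansi("GetTickCount")
               + b"\x00" + encrypt_wide("kernel32.dll"))

if __name__ == "__main__":
    print(find_encrypted_names(SAMPLE_BLOB,
                               ["GetTickCount", "LoadLibraryW"],
                               ["kernel32.dll"]))
```

Feeding a list of commonly imported API and DLL names through `find_encrypted_names` gives a quick inventory of what a sample resolves dynamically before any dynamic analysis is run.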

C&C Communication

The principle behind a DNS tunnel’s operation can be summed up as: “If you don’t know, ask somebody else”. When a DNS server receives a DNS request with a name to be resolved, the server starts looking for it in its database. If the record isn’t found, the server forwards the request to the name server responsible for the domain recorded in its database.

Let’s see how this works when a request arrives with the name Y3VyaW9zaXR5.example.com to be resolved. The DNS server receives this request and first attempts to find the domain extension ‘.com’, then ‘example.com’, but then it fails to find ‘Y3VyaW9zaXR5.example.com’ in its database. It then forwards the request to the name server for example.com and asks it if such a name is known to it. In response, example.com is expected to return the appropriate IP; however, it can return an arbitrary string, including C&C instructions.

Dump of Backdoor.Win32.Denis traffic

This is what Backdoor.Win32.Denis does. The DNS request is sent first to 8.8.8.8, then forwarded to z.teriava[.]com. Everything that comes before this address is the text of the request sent to the C&C.
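The observation that everything in front of the C&C domain is the encoded request text, turned into a detection check over resolver log lines, as an added example (not code from the Securelist write-up). One edge case from the write-up is handled deliberately: the registration request is mostly zeros, which Base64-encodes to a run of ‘A’s with near-zero entropy, so an entropy-only detector would miss exactly the first packet of this family. The check therefore gates on label length, Base64 alphabet and decodability, reports entropy only for triage, and aggregates per zone so that a single hash-like CDN label does not raise an alert on its own. The log format, client addresses and all domain names are constructed; the registered zone is assumed to be the last two labels of each name.

```python
"""Spot DNS queries that carry Base64 text in the labels in front of a zone.

Added example, not code from the Securelist write-up. The log format, the
client addresses and every domain below are constructed; the registered zone
is assumed to be the last two labels of each name.
"""
import base64
import binascii
import math
import re
import string
import struct
from collections import defaultdict

B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/")
# Constructed log format: "<timestamp> <client> <qtype> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; reported for triage, deliberately not used as a gate."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def split_zone(qname: str, zone_labels: int = 2):
    """Return (joined leading labels, zone). The zone is case-folded; the data
    labels are not, because Base64 is case-sensitive."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels).lower()
    return "".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:]).lower()


def decodes_as_base64(text: str) -> bool:
    """True if the text, re-padded, is structurally valid Base64 (names drop the '=')."""
    try:
        base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def score_query(qname: str, min_prefix: int = 24):
    """Classify one query name. Returns (suspicious, details)."""
    prefix, zone = split_zone(qname)
    suspicious = (len(prefix) >= min_prefix
                  and set(prefix) <= B64_ALPHABET
                  and decodes_as_base64(prefix))
    details = {"zone": zone, "prefix_len": len(prefix),
               "entropy": round(shannon_entropy(prefix), 2)}
    return suspicious, details


def analyze_log(lines, min_hits: int = 2) -> dict:
    """Aggregate per zone and report zones with at least min_hits suspicious names.
    The volume threshold keeps one hash-like CDN label from raising an alert."""
    per_zone = defaultdict(lambda: {"queries": 0, "suspicious": 0, "names": set()})
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        qname = match.group("qname")
        suspicious, details = score_query(qname)
        bucket = per_zone[details["zone"]]
        bucket["queries"] += 1
        bucket["names"].add(qname)
        bucket["suspicious"] += int(suspicious)
    return {zone: {"queries": b["queries"], "suspicious": b["suspicious"],
                   "distinct_names": len(b["names"])}
            for zone, b in per_zone.items() if b["suspicious"] >= min_hits}


def _tunnel_name(payload: bytes, zone: str = "c2-example.test") -> str:
    # Builds the constructed sample names: padding-free Base64 in front of the zone.
    return base64.b64encode(payload).decode("ascii").rstrip("=") + "." + zone


# Constructed sample traffic. The first tunnel name mirrors the registration
# request described above (zeros followed by a tick count); it encodes to a run
# of 'A's with near-zero entropy, which is why entropy is not a gate here.
SAMPLE_LOG = [
    "2017-04-28T11:59:01 10.0.0.5 A www.example.com",
    "2017-04-28T11:59:02 10.0.0.5 A images-static-content-delivery.cdn-example.net",
    "2017-04-28T11:59:03 10.0.0.5 A d41d8cd98f00b204e9800998ecf8427e.cdn-example.net",
    "2017-04-28T11:59:04 10.0.0.7 TXT " + _tunnel_name(b"\x00" * 28 + struct.pack(">I", 12345678)),
    "2017-04-28T11:59:05 10.0.0.7 TXT " + _tunnel_name(b"\x00\x00\x00\x2a" + b"constructed-bot-reply-1"),
    "2017-04-28T11:59:06 10.0.0.7 TXT " + _tunnel_name(b"\x00\x00\x00\x2a" + b"constructed-bot-reply-2"),
]

if __name__ == "__main__":
    for zone, stats in analyze_log(SAMPLE_LOG).items():
        print(zone, stats)
```

In production the zone split should use a public-suffix list rather than "last two labels", and the per-zone counts should be compared against a baseline of the organisation's normal lookups; the structure of the check stays the same.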

Here is the response:

DNS packet received in response to the first request

Obviously, the request sent to the C&C is encoded with Base64. The original request is a sequence of zeros with the result of GetTickCount at the end. The bot subsequently receives its unique ID and uses it for identification at the start of each packet.

The instruction number is sent in the fifth DWORD, if we count from the start of the section highlighted green in the diagram above. Next comes the size of the data received from C&C. The data, packed using zlib, begins immediately after that.

The unpacked C&C response

The first four bytes are the data size. All that comes next is the data, which may vary depending on the type of instruction. In this case, it’s the unique ID of the bot, as mentioned earlier. We should point out that the data in the packet is in big-endian format.

The bot ID (highlighted) is stated at the beginning of each request sent to the C&C

C&C Instructions

Altogether, there are 16 instructions the Trojan can handle, although the number of the last instruction is 20. Most of the instructions concern interaction with the file system of the attacked computer. Also, there are capabilities to gain info about open windows, call an arbitrary API or obtain brief info about the system. Let us look into the last of these in more detail, as this instruction is executed first.

Complete list of C&C instructions

Information about the infected computer, sent to the C&C

As can be seen in the screenshot above, the bot sends the computer name and the user name to the C&C, as well as the info stored in the registry branch Software\INSUFFICIENT\INSUFFICIENT.INI:

  • Time when that specific instruction was last executed (on first execution, the result of GetSystemTimeAsFileTime is returned instead and written to the BounceTime variable);
  • UsageCount from the same registry branch.

Information about the operating system and the environment is also sent. This info is obtained with the help of NetWkstaGetInfo.

The data is packed using zlib.

The DNS response prior to Base64 encryption

The fields in the response are as follows (only the section highlighted in red with data and size varies depending on the instruction):

  • Bot ID;
  • Size of the previous C&C response;
  • The third DWORD in the C&C response;
  • Always equals 1 for a response;
  • GetTickCount();
  • Size of data after the specified field;
  • Size of response;
  • Actual response.

After the registration stage is complete, the Trojan begins to query the C&C in an infinite loop. When no instructions are sent, the communication looks like a series of empty queries and responses.
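The field list above and the framing described earlier (Base64 text in the labels in front of the C&C domain, zlib-packed data, big-endian sizes, a 4-byte size in front of the unpacked data), put together as a decoder for a captured query, as an added example (not code from the Securelist write-up or from the sample). Several details the write-up does not spell out are assumptions here and marked as such in the code: each of the seven header fields is a 4-byte big-endian DWORD; "size of data after the specified field" counts the size-of-response DWORD plus the body; the reply body is zlib-packed and starts with its own 4-byte size; the Base64 text is chopped into 63-character labels. The C&C zone `c2-example.test` and every value are constructed.

```python
"""Decode a DNS-tunnelled bot reply laid out as in the field list above.

Added example, not code from the Securelist write-up or the sample. Assumed,
because the write-up does not spell them out: each of the seven header fields
is a 4-byte big-endian DWORD; "size of data after the specified field" counts
the size-of-response DWORD plus the body; the body is zlib-packed and starts
with its own 4-byte big-endian size; the Base64 text is split over 63-byte
labels in front of the C&C zone. The zone and every value are constructed.
"""
import base64
import struct
import zlib

C2_ZONE = "c2-example.test"                 # constructed placeholder
HEADER = struct.Struct(">7I")               # assumption: seven big-endian DWORDs
FIELD_NAMES = ("bot_id", "prev_c2_size", "c2_third_dword", "is_response",
               "tick_count", "size_after", "response_size")
MAX_LABEL = 63                              # RFC 1035 label limit


def build_bot_reply(bot_id, prev_c2_size, c2_third_dword, tick_count, data: bytes) -> bytes:
    """Assemble a reply in the assumed layout; used here only to construct the sample."""
    body = zlib.compress(struct.pack(">I", len(data)) + data)
    header = HEADER.pack(bot_id, prev_c2_size, c2_third_dword, 1, tick_count,
                         4 + len(body), len(body))
    return header + body


def to_query_name(payload: bytes, zone: str = C2_ZONE) -> str:
    """Base64 without padding, chopped into DNS labels, zone appended."""
    text = base64.b64encode(payload).decode("ascii").rstrip("=")
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return ".".join(labels + [zone])


def payload_from_query_name(qname: str, zone: str = C2_ZONE) -> bytes:
    """Inverse of to_query_name: strip the zone, rejoin labels, restore padding."""
    qname = qname.rstrip(".")
    suffix = "." + zone
    if not qname.lower().endswith(suffix.lower()):
        raise ValueError("query is not under the C&C zone")
    text = qname[:-len(suffix)].replace(".", "")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_bot_reply(raw: bytes) -> dict:
    """Split the header fields, cross-check the sizes, inflate the body."""
    if len(raw) < HEADER.size:
        raise ValueError("packet shorter than the header")
    fields = dict(zip(FIELD_NAMES, HEADER.unpack_from(raw, 0)))
    body = raw[HEADER.size:]
    if fields["is_response"] != 1:
        raise ValueError("flag DWORD is not 1; not a bot reply")
    if fields["response_size"] != len(body) or fields["size_after"] != 4 + len(body):
        raise ValueError("size fields disagree with the packet length")
    inflated = zlib.decompress(body)
    (inner_size,) = struct.unpack_from(">I", inflated, 0)   # 4-byte size in front of the data
    if inner_size != len(inflated) - 4:
        raise ValueError("inner size does not match the inflated data")
    fields["data"] = inflated[4:]
    return fields


def decode_query(qname: str, zone: str = C2_ZONE) -> dict:
    """Full path from a captured query name to the parsed fields."""
    return parse_bot_reply(payload_from_query_name(qname, zone))


# Constructed sample: a reply to the system-info instruction carrying a made-up
# computer name and user name.
SAMPLE_DATA = b"WORKSTATION-01\x00analyst\x00"
SAMPLE_QNAME = to_query_name(
    build_bot_reply(bot_id=0x1337BEEF, prev_c2_size=48, c2_third_dword=7,
                    tick_count=123456, data=SAMPLE_DATA))

if __name__ == "__main__":
    decoded = decode_query(SAMPLE_QNAME)
    print(SAMPLE_QNAME)
    print({k: (v.decode("latin-1") if k == "data" else v) for k, v in decoded.items()})
```

Running `decode_query` over every name a resolver saw under the zone, in time order, reproduces the registration followed by the empty query loop described above; the size cross-checks in `parse_bot_reply` are what separates real traffic of this layout from unrelated long names that merely decode as Base64.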

Sequence of empty queries sent to the C&C

Conclusion

The use of DNS tunneling for communication, as seen in Backdoor.Win32.Denis, is a very rare occurrence, albeit not unique. A similar technique was previously used in some POS Trojans and in some APTs (e.g. Backdoor.Win32.Gulpix in the PlugX family). However, this use of the DNS protocol is new on PCs. We presume this method is likely to become increasingly popular with malware writers. We’ll keep an eye on how this method is implemented in malicious programs in future.

MD5

facec411b6d6aa23ff80d1366633ea7a
018433e8e815d9d2065e57b759202edc
1a4d58e281103fea2a4ccbfab93f74d2
5394b09cf2a0b3d1caaecc46c0e502e3
5421781c2c05e64ef20be54e2ee32e37

Last year's ICO fines would be 79 times higher under GDPR

The Register - Anti-Virus - 28 April 2017 - 10:03
TalkTalk's £400,000 penalty was big – how about £59 MILLION?

Fines from the Information Commissioner's Office (ICO) against Brit companies last year would have been £69m rather than £880,500 if the pending General Data Protection Regulation (GDPR) had been applied, according to analysis by NCC Group.…

Category: Viruses and Worms

Kali Linux can now use cloud GPUs for password-cracking

The Register - Anti-Virus - 28 April 2017 - 09:02
Kali's a favourite for white hats, but that doesn't stop black-hat guys from using it too

Think passwords, people. Think long, complex passwords. Not because a breach dump's landed, but because the security-probing-oriented Kali Linux just got better at cracking passwords.…

Category: Viruses and Worms

Ransomware, Cyberespionage Dominate Verizon DBIR

VirusList.com - 28 April 2017 - 00:19
Verizon's Data Breach Investigations Report for 2017 shows big growth in the reported number of ransomware attacks and incidents involving cyberespionage.
Category: Viruses and Worms

Lack of Communication Achilles’ Heel for Ransomware Fighters

VirusList.com - 27 April 2017 - 23:12
A member of law enforcement acknowledged at SOURCE Boston that the lack of communication around ransomware remains a serious problem.
Category: Viruses and Worms

Republicans want IT bloke to take fall for Clinton email brouhaha

The Register - Anti-Virus - 27 April 2017 - 22:39
Not quite 'lock her up,' but they'll take what they can get – like formal criminal charges

US House Republicans are demanding prosecutors bring charges against the IT chap who hosted Hillary Clinton's private email service.…

Category: Viruses and Worms

Facebook decides fake news isn't crazy after all. It's now a real problem

The Register - Anti-Virus - 27 April 2017 - 22:12
Once dismissed by Zuck, misinformation now merits revised security strategy

Analysis: Last November at the Techonomy Conference in Half Moon Bay, California, Facebook CEO Mark Zuckerberg dismissed the notion that disinformation had affected the US presidential election as lunacy.…

Category: Viruses and Worms