Google’s Safe Browsing Now Includes Protection Against Deceptive Download Buttons
Google’s Safe Browsing API is designed to protect web users by displaying a warning page before they enter a site it considers unsafe. The service defends against phishing and other threats by checking URLs against a database, maintained by Google, of known malicious sites and of sites suspected of serving malware. That includes sites that use untrusted certificates, host malware, push deceptive software, or are suspected of social engineering, such as phishing pages.
Now Google has announced the latest enhancements to the service: new protections against deceptive embedded content, including ads. Safe Browsing will treat deceptive embedded content on a webpage as social engineering. Examples include fake media player update prompts embedded in ads, and deceptive download or play buttons that claim to offer streaming content and mimic the look and feel of the surrounding page.
T9000 Malware Records Skype Calls and Steals Data
Palo Alto Networks researchers have discovered a new strain of sophisticated malware capable of recording victims’ Skype calls and stealing data from removable drives. Dubbed T9000, it is a variant of the Plat1/T5000 malware family, and much of its complexity is devoted to avoiding detection: T9000 checks for 24 known security products and alters its installation procedure to evade whichever ones are present.
A system becomes infected with T9000 when a victim opens an .RTF file attached to a spear-phishing email. The document exploits two Microsoft Office vulnerabilities, CVE-2012-1856 and CVE-2015-1641, to run shellcode that extracts the embedded malware payload and writes it to a temporary file. Once installed, the malware’s main goal is to collect information about the target by hooking the Skype video calling client. After it has hooked Skype, it records video calls, audio calls, and chat messages and stores them in a directory the Trojan creates named “Intel”, which the attackers can mine for data.
Scareware Campaign Targets Mac OS X with Fake Flash Updates
A unique scareware campaign targeting Mac OS X machines has been discovered; it relies on malicious ads that serve fake Adobe Flash updates. The installer that drops the scareware is digitally signed with a valid Apple developer certificate, which Apple apparently has yet to revoke. To keep malicious code off computers running OS X, the operating system by default only allows users to run programs that were downloaded from the official App Store or that come from “identified developers.”
Because it carries a valid Apple developer certificate, the scareware passes Apple’s Gatekeeper check: OS X treats it as trusted and allows the code to execute. If the user clicks the download button in the popup warning of an out-of-date Flash Player, the scareware is installed alongside a legitimate, current version of Flash Player. At the end of the installation, the scareware or other potentially unwanted applications now on the user’s computer pop up fake security warnings, redirect victims to attacker-controlled websites, or install malicious browser extensions.
New Version of CryptoWall 4.0 Possibly on the Horizon
Heimdal Security believes that CryptoWall 5.0 could emerge within the next several months, judging by recent aggressive spam campaigns that use fake invoices or orders from Salesforce to trick users into downloading a CryptoWall 4.0 payload. CryptoWall has been one of the most successful ransomware families on the criminal market, with four iterations to date. By rough estimates, CryptoWall has earned its creators more than $300 million since it went live, and it generates most of its revenue by attacking vulnerable small and medium-sized businesses.
Lastline published an in-depth analysis of the latest version, CryptoWall 4.0. When CryptoWall is first run, the unpacking code peels back several layers to reveal the malware payload, which overwrites the PE image in memory. The unpacked payload, recovered from Lastline’s memory snapshots, carries a list of hashes that it uses to resolve the address of every API it needs to call. Using hashes instead of storing API names as strings or relying on an import table improves CryptoWall 4.0’s ability to conceal itself from antivirus software.
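The hash-based import resolution described above, as an added example that is neither Lastline’s analysis code nor CryptoWall’s own: the page does not say which hash function CryptoWall 4.0 uses, so the classic ROR-13 export hash is assumed as a stand-in, and the kernel32 export list is a constructed abbreviation. The code shows the analyst’s side of the technique: hash every export of the candidate DLLs, then match the malware’s list against that table to recover the API names.

```go
package main

import "fmt"

// ror13Hash is the classic "ROR 13" export-name hash used by many
// position-independent loaders. Assumption: the page does not say which
// hash CryptoWall 4.0 uses, so this stands in for the real algorithm.
func ror13Hash(name string) uint32 {
	var h uint32
	for _, c := range []byte(name) {
		h = (h >> 13) | (h << 19) // rotate right by 13 bits
		h += uint32(c)
	}
	return h
}

// buildHashTable precomputes hash -> export name. The malware only stores
// hashes, so the names are recovered by hashing every export of the
// candidate DLLs and looking the malware's values up in this table.
func buildHashTable(exports []string) map[uint32]string {
	table := make(map[uint32]string, len(exports))
	for _, name := range exports {
		table[ror13Hash(name)] = name
	}
	return table
}

// resolveHashes maps each hash from the unpacked payload to an API name,
// or "<unresolved>" when nothing matches (wrong DLL, wrong algorithm, or
// a salted/modified variant of the hash).
func resolveHashes(hashes []uint32, table map[uint32]string) []string {
	out := make([]string, len(hashes))
	for i, h := range hashes {
		if name, ok := table[h]; ok {
			out[i] = name
		} else {
			out[i] = "<unresolved>"
		}
	}
	return out
}

// kernel32Exports is a constructed, abbreviated export list; a real
// resolver reads the export directory of each DLL with a PE parser.
var kernel32Exports = []string{
	"CreateFileW", "WriteFile", "ReadFile", "VirtualAlloc", "VirtualProtect",
	"CreateProcessW", "GetComputerNameW", "LoadLibraryA", "GetProcAddress",
}

func main() {
	table := buildHashTable(kernel32Exports)
	// Constructed sample of a hash list as it might be read from a memory
	// snapshot; the last value is deliberately one that nothing matches.
	sample := []uint32{ror13Hash("VirtualAlloc"), ror13Hash("CreateFileW"), 0xDEADBEEF}
	for i, name := range resolveHashes(sample, table) {
		fmt.Printf("%#08x -> %s\n", sample[i], name)
	}
}
```

In practice the table is built from every DLL the sample might load (kernel32, ntdll, advapi32, ws2_32 and so on), and an unresolved hash is the cue to try another hash routine or to look for a per-sample salt in the unpacked code.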
Next, the malware produces a machine identifier, system_info_hash, by computing the MD5 hash of pieces of system information such as “ComputerName,” “Username,” “Number of CPUs,” and “Keyboard Layout.” It then combines that identifier with data about the command and control (C&C) network configuration and a hardcoded string to produce a second MD5 hash, system_info_network_hash.
Once setup is complete, CryptoWall 4.0 injects itself into two processes, explorer.exe and svchost.exe. During injection, CryptoWall 4.0 also generates two RC4 keys and uses them to encrypt a message identifying the client, the OS version, whether the processor is running in 32-bit or 64-bit mode, and whether the malware is running with administrative privileges. CryptoWall 4.0 then sends this encrypted information to a C&C server. If the server is up, it responds with a message carrying a public key, which is used to protect the key that scrambles the victim’s data. The message also includes a payment address that the malware later incorporates into its ransom notes.
Now it is time to encrypt the victim’s files. CryptoWall 4.0 generates a random AES key using the local Win32 crypto APIs and uses it to encrypt both file contents and filenames. To each encrypted file, CryptoWall 4.0 adds metadata, including a hash of the public key and the AES key encrypted with that public key. It then purges the AES key, leaving the original files unrecoverable without the attacker’s cooperation. Once the victim has paid the ransom, they are given the private key that corresponds to the public key. With that private key they can decrypt the AES key and, as a result, decrypt their files.
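The key handling described in the last two paragraphs, as an added Go example that is neither Lastline’s analysis code nor CryptoWall’s implementation: an operator RSA key pair, a fresh AES key per file, that AES key wrapped with the public key and stored in the file’s metadata alongside an identifier of the public key, and recovery only with the matching private key. The page does not say whether one AES key covers every file, how the AES key is wrapped, or how the public key is hashed; per-file keys, RSA-OAEP, AES-GCM and a SHA-256 of the RSA modulus are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// encryptedFile is one victim file in this model: ciphertext plus the
// metadata the text describes (public-key identifier and wrapped AES key).
type encryptedFile struct {
	pubKeyID   [32]byte // SHA-256 of the RSA modulus, standing in for "hash of the public key"
	wrappedKey []byte   // AES key encrypted to the operator's RSA public key with OAEP
	nonce      []byte
	ciphertext []byte
}

func pubKeyID(pub *rsa.PublicKey) [32]byte {
	return sha256.Sum256(pub.N.Bytes())
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the victim-side step: fresh AES-256 key and nonce, AES-GCM
// over the contents, key wrapped with RSA-OAEP, then the key zeroed.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*encryptedFile, error) {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key {
		key[i] = 0 // the "purge": only the wrapped copy of the key survives
	}
	return &encryptedFile{pubKeyID: pubKeyID(pub), wrappedKey: wrapped, nonce: nonce, ciphertext: ct}, nil
}

// decryptFile is only possible once the operator hands over the private key.
func decryptFile(priv *rsa.PrivateKey, f *encryptedFile) ([]byte, error) {
	if pubKeyID(&priv.PublicKey) != f.pubKeyID {
		return nil, errors.New("private key does not match the key that wrapped this file")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.nonce, f.ciphertext, nil)
}

// roundTrip encrypts a constructed document and reports whether the matching
// private key recovers it and whether an unrelated private key is rejected.
func roundTrip() (recovered, wrongKeyFails bool, err error) {
	operator, err1 := rsa.GenerateKey(rand.Reader, 2048)
	other, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, false, errors.New("RSA key generation failed")
	}
	doc := []byte("constructed sample document: Q3 invoices")
	f, err := encryptFile(&operator.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	pt, err := decryptFile(operator, f)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := decryptFile(other, f)
	return bytes.Equal(pt, doc), wrongErr != nil, nil
}

func main() {
	fmt.Println(roundTrip())
}
```

The point of the public-key identifier in the metadata is visible in decryptFile: a private key from a different campaign is rejected before any RSA operation, and once the AES key buffer is zeroed the only copy left on the host is the wrapped one, so no amount of memory or disk forensics on the victim machine yields the file key.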
Apache mod_status Error Can Reveal Hidden Dark Web Sites
Dark web sites (or .onion sites) use the multi-layered encryption of the Tor network to hide their location and the source of their traffic. However, they run on the same web server software as ordinary websites. The most widely used web server software, Apache, comes with a module called mod_status, which serves a page displaying statistics such as uptime, resource usage, total traffic, enabled virtual hosts, and active HTTP requests.
Facebook’s Alec Muffett observed that while mod_status is, by default, only accessible from localhost for security reasons, the Tor daemon also runs on localhost and forwards hidden-service requests to the web server from there. Consequently, any hidden service that uses Apache’s default configuration has its /server-status data completely exposed to anyone who reaches the .onion address. The HTTP requests displayed on the status page include details of each page (URL path and query string) the server has been asked for, and Muffett found a popular .onion search engine that exposed session IDs and individual dark web searches this way.
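A way to audit for the exposure described above, as an added example that is neither Muffett’s nor Apache’s code: the torrc and httpd.conf fragments are constructed, and the check models only the two directives that matter, the HiddenServicePort target and the access control around the server-status handler, assuming mod_status is loaded. The logic encodes the actual point of the finding: “Require local” is not a restriction when Tor delivers every request from loopback.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample configs. torrc forwards the .onion service to the web
// server on loopback, the usual setup; httpd.conf enables mod_status behind
// "Require local", which is Apache's stock server-status configuration.
const torrc = `
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
`

const httpdConf = `
LoadModule status_module modules/mod_status.so
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
`

// httpdConfFixed closes the hole: the handler stays configured but is denied
// to everyone, loopback included. Dropping the LoadModule line for
// mod_status altogether is the simpler fix.
const httpdConfFixed = `
<Location "/server-status">
    SetHandler server-status
    Require all denied
</Location>
`

// hiddenServiceTargetsLoopback reports whether any HiddenServicePort line
// forwards to a loopback address, which means every request arriving through
// Tor carries a loopback source address when it reaches the web server.
func hiddenServiceTargetsLoopback(conf string) bool {
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "HiddenServicePort" {
			continue
		}
		if len(f) == 2 {
			return true // target omitted: Tor forwards to 127.0.0.1 on the same port
		}
		host := f[2]
		if i := strings.LastIndex(host, ":"); i >= 0 {
			host = host[:i]
		} else if strings.Trim(host, "0123456789") == "" {
			return true // port only: Tor forwards to 127.0.0.1 on that port
		}
		if host == "localhost" || host == "[::1]" || strings.HasPrefix(host, "127.") {
			return true
		}
	}
	return false
}

// statusReachableFromLoopback reports whether a server-status handler is
// configured and whether a loopback client can reach it. Only an explicit
// "Require all denied" in that block counts as blocking; "Require local",
// "Require ip 127.0.0.1" and no Require at all are reachable from loopback.
func statusReachableFromLoopback(conf string) (enabled, reachable bool) {
	sc := bufio.NewScanner(strings.NewReader(conf))
	inBlock, isStatus, denied := false, false, false
	for sc.Scan() {
		line := strings.ToLower(strings.TrimSpace(sc.Text()))
		switch {
		case strings.HasPrefix(line, "<location"):
			inBlock, isStatus, denied = true, false, false
		case inBlock && strings.HasPrefix(line, "sethandler") && strings.Contains(line, "server-status"):
			isStatus = true
		case inBlock && line == "require all denied":
			denied = true
		case strings.HasPrefix(line, "</location>"):
			if isStatus {
				return true, !denied
			}
			inBlock = false
		}
	}
	return false, false
}

// exposedViaTor combines the two checks: a status page that trusts loopback
// clients, sitting behind a Tor forward from loopback, is readable by anyone
// who knows the .onion address.
func exposedViaTor(torConf, apacheConf string) bool {
	enabled, reachable := statusReachableFromLoopback(apacheConf)
	return enabled && reachable && hiddenServiceTargetsLoopback(torConf)
}

func main() {
	fmt.Println("stock config exposed via Tor:", exposedViaTor(torrc, httpdConf))
	fmt.Println("fixed config exposed via Tor:", exposedViaTor(torrc, httpdConfFixed))
}
```

The same reasoning applies to anything else Apache gates on the client address for a hidden service, such as /server-info or IP-restricted admin paths; the reliable fix is to serve the .onion site from a dedicated VirtualHost with those handlers not configured at all.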
Malware-as-a-service platform AlienSpy RAT Attacks Over 400,000 Users Worldwide
AlienSpy is a Java-based Remote Access Tool (RAT) distributed as a malware-as-a-service platform, meaning anyone can pay for the service and use the malware for their own ends. Kaspersky researchers reported that AlienSpy attacked at least 443,000 users and businesses worldwide between 2013 and 2016, bringing its operators around $200,000 a year. The RAT is delivered to victim machines as the payload of phishing campaigns.
If a victim opens an email attachment carrying a malicious AlienSpy JAR file, the malware installs itself on the PC and contacts the operator’s C&C server for further instructions. From there, the malware can log keystrokes, steal cached passwords and data submitted through web forms, take screenshots and photos, and record video and sound. AlienSpy can also transfer files without the victim’s consent, collect general system information and VPN certificates, manage SMS on Android devices, and steal the keys required to access cryptocurrency wallets holding funds such as Bitcoin.