Feb 28 2013

Exploit lets websites bombard visitors’ PCs with gigabytes of data

A Web developer has demonstrated a simple-to-execute exploit that allows websites to surreptitiously bombard visitors' storage devices with gigabytes of junk data.

As its name suggests, FillDisk.com loads an almost unlimited amount of data onto hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer, and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site.

FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives. The functionality can be useful when end users are filling out long forms; if the browser crashes before the form has been completed, the data that's already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can't abuse the feature by writing unlimited amounts of data.

Feb 28 2013

Oakland mayor apologizes for promoting local lockpicking class

The City of Oakland is both wonderful and problematic, as Ars editor Joe Mullin and I can attest, given that we're both denizens of this fine city. It has incredible natural beauty and vibrant culture, but also a notoriously mismanaged police department and a climbing crime rate.

It’s understandable, then, that some Oakland residents would be slightly annoyed at an upcoming workshop entitled “Introduction to Lockpicking,” which was mentioned in Mayor Jean Quan’s weekly newsletter (PDF) this week. The class is one of a larger "Workshop Weekend," to be held at Tech Liminal, an Oakland co-working space, and Sudoroom, a relatively new hackerspace in downtown Oakland. (Disclosure: I am a paying member at Sudoroom.)

According to the Oakland Tribune, some Oaklanders are miffed that the city would seem to endorse such a practice—the mayor has subsequently apologized.

Feb 27 2013

Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading as an Adobe Flash Player update page:

http://16.a[REMOVED]rks.com/adobe/

Figure 1. Fake Adobe Flash update page

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve to the attacker's domain, and all of the links within the page, apart from the link to the malware itself, resolve to the root directory of the site, which returns a 404 error.

The attacker's main goal is to make sure that a successful installation occurs, and so the page presents two options to the user for maximum return.

Option 1 is a pop-up message that requests the user to download a file named flash_player_updater.exe.

Option 2 is the “Download Now” button that requests the user to download a file named update_flash_player.exe.

Symantec currently detects both of these files as Downloader.Ponik.

During our analysis we found that, in addition to stealing passwords, these files appear to be looking for FTP/telnet/SSH credentials for all of the popular clients currently in use. They also monitor for SMTP, IMAP, and POP3 credentials.

Although these files are the same, they exhibit different behaviors. Option 1 installs ransomware, while Option 2 installs an ad-clicking component; both are used for illegal revenue generation.

Option 1

Figure 2. Command-and-control (C&C) server

The flash_player_updater.exe file sends an HTTP POST request over port 8080 to the following URL:

http://lum[REMOVED]th.com/forum/viewtopic.php

The Trojan then receives commands to download files from the following locations:

  • http://ocean[REMOVED]ba.co.za/
  • http://sys[REMOVED]55.info/
  • http://topaz[REMOVED]al.net/

All three files are identical; hosting them in several locations makes the threat more resilient by giving it fallback sources to contact should any one site become inaccessible for any reason. Symantec detects these files as Trojan.Ransomlock.Q.

Once these files are executed, a new variant of Trojan.Ransomlock.Q appears on the compromised computer.

Next, the Trojan connects to the following command-and-control (C&C) server in order to download an encrypted file onto the compromised computer before the computer is locked:

http://c[REMOVED]l.ru

Figure 3. Downloading an encrypted file

Figure 4. Ransomlock screen displayed after several minutes

Figure 5. Note the misspelling of “cibercrime” at the bottom of the page

Another interesting observation is that the malware detects which brand of antivirus is running on the compromised computer and overlays the default Windows logo with the logo of the relevant antivirus company. As we already have protection in place for this threat, we had to temporarily disable Norton 360 during analysis to test this feature properly.

Figure 6. Ransomware with the Norton logo overlaying the Windows logo

Out of curiosity, we wanted to see what would happen if we were to enter some random 14-digit code, as MoneyPak uses 14 digits. A random 14-digit code was entered and the following screen was displayed:

Figure 7. A promise to unlock the computer that will be unfulfilled

The entered code is then sent back, encrypted, to the C&C server at the following location and stored for retrieval:

http://c[REMOVED]l.ru

Good luck getting your computer unlocked.

Option 2

The update_flash_player.exe file sends an HTTP POST request over port 8080 to the following URL:

http://lum[REMOVED]th.com/forum/viewtopic.php

The Trojan then receives commands to download files from the following locations:

  • twinp[REMOVED] ng.com/
  • labos[REMOVED]ra.eu/
  • ftp.calm[REMOVED]ge.com/

These files are then installed on the compromised computer and run silently in the background to perform click fraud.

Figure 8. Click-fraud traffic

Symantec has protection in place and detects these files as Trojan Horse.

To ensure that you do not become a victim in the first place, keep your antivirus definitions constantly updated and update your software packages regularly. Do not download updates from third-party sites, and always double-check the URL of the download that is being offered.
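Both droppers described above share the same check-in pattern: an HTTP POST over port 8080 to a forum-style `/forum/viewtopic.php` path, followed within moments by downloads of the secondary payloads from other hosts. The following script is an added example (not Symantec's code or telemetry) showing how a defender could turn that description into detection logic over endpoint web-request logs. The log format, the browser allowlist, the correlation window and the timestamps are assumptions; the process names and the redacted hostnames are taken from the write-up.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of endpoint web-request logs (not real data). The
# hostnames are the redacted values from the write-up; timestamps, paths
# and process locations are made up. Fields, pipe-separated:
#   timestamp | process image path | HTTP method | host:port | URL path
SAMPLE_LOG = """\
2013-02-27T10:01:03Z | C:\\Program Files\\Google\\Chrome\\chrome.exe | GET | www.example.org:80 | /index.html
2013-02-27T10:02:11Z | C:\\Users\\alice\\Downloads\\flash_player_updater.exe | POST | lum[REMOVED]th.com:8080 | /forum/viewtopic.php
2013-02-27T10:02:15Z | C:\\Users\\alice\\Downloads\\flash_player_updater.exe | GET | ocean[REMOVED]ba.co.za:80 | /
2013-02-27T10:02:16Z | C:\\Users\\alice\\Downloads\\flash_player_updater.exe | GET | sys[REMOVED]55.info:80 | /
2013-02-27T10:03:40Z | C:\\Program Files\\Mozilla Firefox\\firefox.exe | POST | forum.example.net:80 | /forum/viewtopic.php
2013-02-27T10:04:02Z | C:\\Users\\bob\\Downloads\\update_flash_player.exe | POST | lum[REMOVED]th.com:8080 | /forum/viewtopic.php
2013-02-27T10:09:30Z | C:\\Users\\bob\\Downloads\\update_flash_player.exe | GET | labos[REMOVED]ra.eu:80 | /
"""

# Assumed allowlist: a real browser posting to a forum is normal; a stray
# executable doing it on a non-standard port is not.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "safari.exe"}
CHECKIN_PORT = 8080
CHECKIN_PATH = "/forum/viewtopic.php"
FETCH_WINDOW = timedelta(seconds=300)  # assumed correlation window


@dataclass
class Request:
    ts: datetime
    image: str
    method: str
    host: str
    port: int
    path: str

    @property
    def exe(self) -> str:
        """Bare executable name, lower-cased, from a Windows or POSIX path."""
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list[Request]:
    """Parse the pipe-separated constructed log format into Request objects."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, method, hostport, path = [f.strip() for f in line.split("|")]
        host, _, port = hostport.rpartition(":")
        requests.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                image, method.upper(), host, int(port), path))
    return requests


def is_checkin(r: Request) -> bool:
    """The check-in described in the write-up: POST to viewtopic.php on 8080
    from a process that is not a known browser."""
    return (r.method == "POST" and r.port == CHECKIN_PORT
            and r.path == CHECKIN_PATH and r.exe not in BROWSERS)


def detect(requests: list[Request]) -> list[dict]:
    """Flag check-ins, then correlate any GET by the same process to a
    different host inside FETCH_WINDOW as a likely secondary-payload fetch."""
    findings: list[dict] = []
    last_checkin: dict[str, Request] = {}  # keyed by process image path
    for r in sorted(requests, key=lambda x: x.ts):
        if is_checkin(r):
            last_checkin[r.image] = r
            findings.append({"kind": "c2_checkin", "ts": r.ts.isoformat(),
                             "image": r.image, "host": r.host})
            continue
        prior = last_checkin.get(r.image)
        if (prior and r.method == "GET" and r.host != prior.host
                and r.ts - prior.ts <= FETCH_WINDOW):
            findings.append({"kind": "payload_fetch", "ts": r.ts.isoformat(),
                             "image": r.image, "host": r.host,
                             "after_checkin": prior.ts.isoformat()})
    return findings


def run_sample() -> list[dict]:
    """Run the detection over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The Firefox POST to a forum on port 80 is deliberately included so the rule does not fire on ordinary browsing, and bob's download arrives outside the window so only the check-in itself is reported for that host; in production the window, the allowlist and the path pattern would be tuned to the environment's own telemetry.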

Feb 27 2013

Bizarre old-school spyware attacks governments, sports Mark of the Beast

One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.
