Mar 31 2014

Agnitio v2.1 Released – Manual Security Code Review Tool

A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting. It hasn’t been updated for a fair while sadly, and v2.1 was released in 2011 – but...

Read the full post at darknet.org.uk
Mar 31 2014

Report: RSA endowed crypto product with second NSA-influenced code

Security provider RSA endowed its BSAFE cryptography toolkit with a second NSA-influenced random number generator (RNG) that's so weak it makes it easier for eavesdroppers to decrypt protected communications, Reuters reported Monday.

Citing soon-to-be-published research from several universities, Reuters said the Extended Random extension for secure websites allows attackers to work tens of thousands of times faster when breaking cryptography that uses the Dual EC_DRBG algorithm to generate the random numbers that populate a specific cryptographic key. Dual EC_DRBG is a pseudo-random number generator that was developed by cryptographers from the National Security Agency and was the default RNG in BSAFE even after researchers demonstrated weaknesses so severe that many suspected they were introduced intentionally so the US spy agency could exploit them to crack encrypted communications of people it wanted to monitor. In December, Reuters reported that the NSA paid RSA $10 million to give Dual EC_DRBG its favored position in BSAFE.

Extended Random was a second RNG that would presumably make cryptographic keys more robust by adding a second source of randomness. In theory, the additional RNG should increase the entropy used when constructing a new key. In reality, the algorithm made protected communications even easier for attackers to decrypt by reducing the time it takes to predict the random numbers generated by Dual EC_DRBG, which is short for Dual Elliptic Curve, Reuters reported Monday.

Read 2 remaining paragraphs | Comments

Mar 31 2014

CryptoDefense, the CryptoLocker Imitator, Makes Over $34,000 in One Month

On the back of Cryptolocker’s (Trojan.Cryptolocker) perceived success, malware authors have been turning their attention to writing new ransomcrypt malware. The sophisticated CryptoDefense (Trojan.Cryptodefense) is one such malware. CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone (according to Bitcoin value at time of writing).

Imitation
Imitation is not just the sincerest form of flattery - it's the sincerest form of learning” – George Bernard Shaw.

CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims. These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.

Infection
Symantec has observed CrytoDefense being spammed out using emails such as the one shown in Figure 1.

Figure1_9.png

Figure 1. Malicious spam email example

Network communications
When first executed, CryptoDefense attempts to communicate with one of the following remote locations:

  • machetesraka.com
  • markizasamvel.com
  • armianazerbaijan.com
  • allseasonsnursery.com

The initial communication contains a profile of the infected computer. Once a reply is received from the remote location, the threat then initiates encryption and transmits the private key back to the server. Once the remote server confirms the receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location.

Ransom demand
Once the files are encrypted, CryptoDefense creates the following ransom demand files in every folder that contains encrypted files:

  • HOW_DECRYPT.TXT
  • HOW_DECRYPT.HTML
  • HOW_DECRYPT.URL

Figure2_5.png

Figure 2. Example of HOW_DECRYPT.HTML file

As can be seen in Figure 2, the malware authors are using the Tor network for payment of the ransom demand. If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past.

Payment
Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page.

Figure3_3.png

Figure 3. Example of CAPTCHA shown to victim

Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page.

Figure4_4.png

Figure 4. CryptoDefense ransom payment page

Of note here is the ransom demand of 500 USD/EUR to be paid within four days or the ransom doubles in price. The use of time pressure tactics by the cybercriminals makes victims less likely to question the costs involved when evaluating potential losses. The cybercriminals offer proof through a “My screen” button, included on the payment page, that they have compromised the user’s system by showing the uploaded screenshot of the compromised desktop. They also offer further proof that decryption is feasible by allowing the victim to decrypt one file through the “Test decrypt” button. They then proceed to educate their victim on how to get hold of Bitcoins to pay the ransom.

Encryption
CryptoDefense employs public-key cryptography using strong RSA 2048 encryption. This means that once the files have been encrypted, without access to the private key, victims will not be able to decrypt the files. With Cryptolocker, the private key was only ever found on servers controlled by the attacker, meaning the attackers always maintained control over the encryption/decryption keys. On investigating how CryptoDefense implemented its encryption, we observed that the attackers had overlooked one important detail: where the private key was stored.

As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server.

Earnings
Symantec is aware of the following Bitcoin addresses being used in CryptoDefense ransom demands:

The first known Bitcoin transaction for these addresses was on February 28, 2014. This corresponds with the first detection of a CryptoDefense sample by Symantec. At this time, based on the number of received transactions for both Bitcoin addresses, Symantec can estimate that the cybercriminals behind CryptoDefense have earned over $34,000 in just one month.

Prevalence
Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections in over 100 countries. The United States makes up the majority of these detections followed by the United Kingdom, Canada, Australia, Japan, India, Italy, and the Netherlands.

Figure5_1.png

Figure 5. Heatmap for CryptoDefense detections

Protection
Although not related, such were the similarities seen between CrytoDefense and Cryptolocker that Symantec initially detected this threat as Trojan.Cryptolocker along with numerous other detections. Symantec detects CryptoDefense under the following detection names:

Antivirus detections

Heuristic detections

Reputation detections

Intrusion prevention signatures

Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.

For the best possible protection, Symantec customers should ensure that they are using the latest Symantec technologies incorporated into our consumer and enterprise solutions. To further protect against threats of this nature, it is recommended that you follow security best practices and always backup your files using a product such as Symantec’s Backup Exec Family. Finally, always keep your systems up to date with the latest virus definitions and patches.

Mar 31 2014

Who’s Behind the ‘BLS Weblearn’ Credit Card Scam?

A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574).

I began hearing from readers about this early this month, in part because of my previous sleuthing on an eerily similar scheme that also leveraged payment systems in Malta to put through unauthorized junk charges ($9.84) for “online learning” software systems. Unfortunately, while the names of the companies and payment systems have changed, this latest scam appears to be remarkably similar in every way.

Reading up on this latest scam, it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network used by the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta.

And, just like with the $9.84 scam, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue.com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine).

The very first time I encountered Plimus was in Sept. 2011, when I profiled an individual responsible for selling access to tens of thousands of desktop computers that were hacked and seeded with the TDSS botnet. That miscreant — a fellow who used the nickname “Fizot” — had been using Plimus to accept credit card payments for awmproxy.net, an anonymization service that was sold primarily to individuals engaged in computer fraud.

Apparently, the Internet has been unkind to Plimus’s online reputation, because not long ago the company changed its name to BlueSnap. This blog has a few ideas about what motivated the name change, noting that it might have been prompted in part by a class action lawsuit (PDF) against Plimus which alleges that the company’s marketing campaigns include the “mass production of fabricated consumer reviews, testimonials and fake blogs that are all intended to deceive consumers seeking a legitimate product and induce them to pay. Yet, after consumers pay for access to any of these digital goods websites, they quickly realize that the promotional materials and representations were blatantly false.”

Damon McCoy, an associate professor of computer science at George Mason University, allowed that the bogus charges coming from BlueSnap’s payment network could be little more than abuse generated by a handful of bad guys who just happen to be using the company’s network. Then again, McCoy said, Plimus has long been associated with these schemes.

“Plimus has been doing processing for criminals for a while,” McCoy said. ”Most of it seems to have been on the criminal-to-criminal side of payments.”

BlueSnap did not immediately respond to requests for comment. I will update this story in the event that they do.

As with the $9.84 scheme, this latest round of phony charges appears tied to an affiliate marketing scheme for “online learning” (hence, the “Weblearn” notation on victims’ credit card statements). One site that’s connected to the Weblearn scheme is onlinelearningaccess.com, which actually includes commented-out code hidden in its HTML content stating that “the charge will appear on your credit card as WebLearn8884612032.”

That same site is closely tied to a network of other flimsy affiliate learning systems, including greatweblearning.com, jnselearning.com, and learnonlinemembers.com. As we can see from the checkout page at onlinelearningaccess.com, the base price of the “system” is $8.83, but different checkout totals can be achieved ($11.08 and $10.78, e.g.) simply by selecting different items to add to your shopping cart.

Unfortunately, these types of schemes are as old as the Internet, and will be with us as long as there are companies willing to engage in so-called “high-risk” credit card processing — handling transactions for things like online gaming, rogue Internet pharmacies, fake antivirus software, and counterfeit/knockoff handbags and jewelry.

There is an entire series on the sidebar of this blog called “Pharma Wars,” which chronicles the exploits of perhaps the most infamous high-risk processor of all time — a Russian company called ChronoPay and its now-imprisoned CEO. While ChronoPay was most known for processing payments for spam-advertised pill shops and fake antivirus affiliate programs, it also was caught up in a micropayment scheme that for years put through bogus, sub-$10 transactions on consumers credit cards (usually for some kind of software or ebooks program).

If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again.

For more  on this scam, check out these posts from DailyKos and Consumerist.