Apr 29 2016

FBI Releases Article on Ransomware

Original release date: April 29, 2016

The Federal Bureau of Investigation (FBI) has released an article addressing the proliferation of ransomware campaigns. Ransomware is a type of malicious software that infects a computer and restricts users' access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.

Users and administrators are encouraged to review the FBI article Ransomware on the Rise for details and refer to US-CERT Alert TA16-091A for more information on ransomware.




Apr 29 2016

The Fact That Wordfence Couldn’t Clean Up a Hacked Website Doesn’t Stop People From Suggesting That It Will Clean It

When it comes to improving the security of websites, one of the biggest problems we see is the sheer amount of bad information, including lots of bad advice, that is being put out there. We frequently see people suggesting the use of the Wordfence plugin for WordPress, which we have a hard time believing somebody knowledgeable about security would recommend, due to a number of issues. Those issues include the fact that broad-based security plugins like that are not all that useful against real threats, that more than a few security vulnerabilities have been found in the Wordfence plugin itself, that the developers don’t seem to have a good grasp of security, and that the plugin produces some really bad false positives. Usually you have no way of knowing whether somebody giving out that advice has a different opinion on those types of things or is giving advice without really being informed about the situation. In some cases, though, you can see that the advice is being handed out uninformed.

As part of keeping track of security issues in WordPress plugins for our Plugin Vulnerabilities service, we monitor the wordpress.org forum for threads related to plugin vulnerabilities. In addition to helping us find more vulnerabilities to include in our data, we run across threads about other security issues related to WordPress and WordPress plugins. In one of those we saw the use of Wordfence being suggested as a solution when that clearly wasn’t helpful advice.

The original poster in the thread described the problem they were having cleaning up a hacked website. After trying numerous things, including reverting to a backup copy, malicious files were continuing to be added to the website. At the end of the post they mentioned that they had three WordPress security plugins installed, but that they hadn’t been any help:

Protections plugins I’m currently using (and which can’t find anything wrong with the website)

Despite the fact that one of those plugins was Wordfence, the second and third responses suggested that Wordfence could deal with the issue:

Yes, those are not default files. WordFence is the best for scanning once you are already infected.

and

I had the same issue, so far WordFence has done a great job. Two days and no wp-checking.php has shown up. Yet!

In this type of situation what we would recommend, and did later in the thread, is to determine whether the hacker still has some sort of access to the website that is allowing them to keep modifying it, and if that is the case, to close off that access.

Incidentally, one of the other plugins they were using, AntiVirus, was one that we found was flagging a fresh install of WordPress as having a virus back in 2012.

Apr 29 2016

Security Best Practices for Azure App Service Web Apps, Part 1

This post was written by Piyush Mittal.

Microsoft’s Azure App Service is a fully managed Platform as a Service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. In spite of its ease of use, developers still need to keep security in mind because Azure will not take care of every aspect of security. This post is the first in a short series of articles from Intel Security’s Foundstone Professional Services that offers advice for securing Azure App Service Web app development.

Developers can create four application types using the Azure App Service:

Azure App Service Web Apps take care of the infrastructure and its security. The developer needs to focus only on the application code. Azure App Service is different from typical cloud scenarios in which developers set up their own servers in the cloud, install their own web applications, and take full responsibility for performance and security. With Azure App Service Web Apps, Microsoft owns and manages the infrastructure. The developers need only ensure the security of their application code. Both approaches have their merits.

In this post we will focus on various security guidelines for web apps built using the Azure App Service, which supports major languages such as ASP.NET, PHP, Node.js, Java, and Python.


Get a custom domain name with HTTPS

When a web application is created using Azure App Service, it is assigned to a subdomain of azurewebsites.net. For example, if the app name is Demo, the URL is demo.azurewebsites.net. By default, Azure enables HTTPS with a wildcard certificate assigned to the *.azurewebsites.net domain. This creates multiple security issues:

  • A phishing attack can be easily carried out by creating a similar-looking web application and domain name. For example, an attacker could create the malicious web app demo1.azurewebsites.net, which is similar to the legitimate name demo.azurewebsites.net. Because the web application is assigned to a subdomain of azurewebsites.net, the name of the malicious application looks convincing and is hard to differentiate from the original name unless one looks very closely.
  • If a DNS record for *.azurewebsites.net is entered incorrectly, or is altered through DNS cache poisoning, the application will be adversely affected.
  • The wildcard certificate creates more headaches for the developer because they need to ensure the path and domain of cookies are properly constrained.
  • The certificate is controlled by Microsoft. Thus for any certificate-related concern, such as expiration, the strength of the signing algorithm, whether the signing authority is trusted, or whether the certificate is self-signed, the developer is dependent on Microsoft. Because the certificate is a wildcard, extended validation can’t be applied to it, and extended validation is preferred for financial applications.

Apart from security issues, most organizations want their customers to see a custom domain name instead of a subdomain of azurewebsites.net. Thus it is necessary to create a custom domain name and get a certificate for that domain. Do not use self-signed certificates; rather, buy one from a trusted certificate authority. Consider the following when buying a certificate for a web app:

  • The name of the certificate should match the domain name. The certificate can be a single-domain or multidomain certificate, but not a wildcard certificate.
  • The certificate should be signed using a strong signing algorithm such as SHA-256.
  • The certificate should be valid and not expired.
  • For financial and other sensitive applications, it is best to have an extended validation for the certificate.
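The guidelines above can be checked mechanically against whatever certificate a web app is actually serving. The following is an added example, not code from the original post or from Microsoft: it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so a live certificate can be passed in, and the two certificates below are constructed samples (a wildcard one standing in for the default *.azurewebsites.net certificate, and a single-domain one for a custom domain).

```python
"""Added example (not from the post): check a server certificate against the
post's custom-domain guidelines. Works on the dictionary shape returned by
ssl.SSLSocket.getpeercert(); the two certificates below are constructed."""
import ssl
import time

# Constructed sample resembling the default wildcard certificate that every
# new web app gets for *.azurewebsites.net.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.azurewebsites.net"),),),
    "subjectAltName": (("DNS", "*.azurewebsites.net"),
                       ("DNS", "*.scm.azurewebsites.net")),
    "notBefore": "Jan 01 00:00:00 2016 GMT",
    "notAfter": "Jan 01 00:00:00 2018 GMT",
}

# Constructed sample of what the post recommends: a certificate naming the
# custom domain explicitly, with no wildcard entry.
CUSTOM_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 01 00:00:00 2016 GMT",
    "notAfter": "Jan 01 00:00:00 2018 GMT",
}


def dns_names(cert):
    """DNS names the certificate is valid for (SAN entries, else the CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for kind, value in rdn if kind == "commonName")
    return names


def name_matches(pattern, hostname):
    """True if a certificate name covers hostname; '*.x.y' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[1:] == pattern[2:].split(".")
    return pattern == hostname


def check_certificate(cert, hostname, now=None):
    """Return the list of guideline violations; an empty list means it passes.

    now may be None (current time), a Unix timestamp, or a date string in the
    certificate's own notAfter format, which makes the check reproducible."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    problems = []
    names = dns_names(cert)
    if any(name.startswith("*") for name in names):
        problems.append("wildcard certificate")
    if not any(name_matches(name, hostname) for name in names):
        problems.append("does not name " + hostname)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now >= ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    when = "Jun 15 00:00:00 2016 GMT"
    for label, cert, host in (("default", WILDCARD_CERT, "demo.azurewebsites.net"),
                              ("custom", CUSTOM_CERT, "www.example.com")):
        print(label, host, check_certificate(cert, host, when) or "ok")
```

`getpeercert()` only fills in this dictionary for a certificate that the socket has already validated, and it does not expose the signature algorithm, so the SHA-256 guideline still has to be checked separately, for example with `openssl x509 -in cert.pem -noout -text`, which prints the Signature Algorithm field.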

A custom domain name is not available with Microsoft’s free pricing plan, one of five plans. It is available with the other four. A custom domain name with HTTPS is available with the standard and premium pricing plans. To ensure the use of HTTPS, we recommend choosing either the standard or premium pricing plan when creating a web application with Azure App Service. (Microsoft has a tie-in with GoDaddy to offer a custom domain name and a certificate from the Azure portal. Or you can buy a custom domain name and certificate from another domain registrar and use them with an Azure web app.)

For custom domain names purchased outside of Microsoft, follow these steps to configure them in the Azure portal:

  • Log in to the Azure portal.
  • Navigate to “App Services” in left navigation pane.
  • Select your web application.
  • Click on “Settings” and select “Custom domains and SSL.”
  • A new frame will open on the right side. Click on “Bring external domains.”
  • Note the IP address located at the bottom. Go to your domain registrar website and create DNS entries using this IP address. It can take some time for the changes to propagate, depending on your DNS provider.
  • In the “Domain Names” text box, enter the custom domain name you bought from the domain registrar.
  • Save the changes.
  • Click on “Upload certificate.”
  • Locate and upload your .pfx certificate file.
  • Under “SSL bindings,” select the domain name to secure with SSL, and the certificate to use.
  • Save the changes.
  • You should be able to access the web app using your custom domain name over HTTPS.

For more details on how to set up a custom domain name and its certificate, follow these links from Microsoft:

https://azure.microsoft.com/en-in/documentation/articles/web-sites-custom-domain-name/

https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/

The post Security Best Practices for Azure App Service Web Apps, Part 1 appeared first on McAfee.

Apr 29 2016

Fake Android Update Delivers SMS, Click Fraud in Europe

Intel Security Mobile Research has been monitoring a mobile malware campaign targeting users in Germany, France, and Russia since the beginning of the year. Several users have complained in forums and social networks about a suspicious file with the name Android_Update_6.apk being automatically downloaded when a website is loaded.
Recently a user tweeted that one of the advertisers in a widely read German-language news website “pushed” this file when the user navigated the website:

Screenshot: User reporting the download of the file Android_Update_6.apk.
Source: https://twitter.com/arminhausf/status/719894019422162944

A month ago, another user reported the same behavior, but on a French daily newspaper website and with the filename in French:

Screenshot: User reporting the download of the file mise_à_jour_Android_6.apk on a French newspaper’s website.
Source: https://twitter.com/Baptouuuu/status/708391947937914880

On January 29, another user reported the same incident but this time the report went to what appears to be the source of the download:

Screenshot: User reporting the download of the file Android_Update_6.apk.
Source: https://twitter.com/Baptouuuu/status/708391947937914880

Finally, in one of the earliest reports of this campaign, on January 7 another user reported on the website AndroidPolice the download of the suspicious file when visiting the mobile version from Russia:

Screenshot: User reporting the download of the file Android_Update_6.apk on the website AndroidPolice.
Source: https://github.com/archon810/androidpolice/issues/69

According to that report, the malicious ad loaded a URL pointing to an APK like the following, triggering the automatic download of the file by the default web browser:

Screenshot: Android_Update_6.apk available on a remote server since April 20.

The question that most users asked in forums when they received this suspicious file was: Is this APK file a legitimate Android update? The answer is absolutely not. Each manufacturer and carrier has its own method of delivering and installing Android updates, but so far none of them distributes updates by automatically downloading an APK file when the user visits a random website. This behavior is most likely related to a malicious application, so we took a deeper look at the app to find out its purpose and understand its impact.

Once the app is installed, the following icon appears on the home screen:

Screenshot: The malware’s icon.

However, as soon as the user executes the app, the icon disappears, tricking the user into believing that the app is no longer on the system. Meanwhile, in the background, the malware sends encrypted data to a remote server in Estonia:

Screenshot: Encrypted traffic sent to a remote server in Estonia.

Some variants of the malware were packed and, even after we unpacked the payload, the code was heavily obfuscated. After some static and dynamic analysis we were able to learn that all the communication between the infected device and the control server is encrypted using an RSA asymmetric encryption algorithm:

Screenshot: Malware generating a private key using an RSA specification.

Here is the device information that was constantly sent by the malware to the remote control server:

  • Device information: Android version, model, manufacturer, browser user-agent, device identifiers (IMEI, IMSI, android_id), locale (language/country configuration), screen specifications, mobile network operator.
  • Device status: Wi-Fi connectivity, root status, battery status.
  • Malware settings: Version, apiKey, appId (package name), forGooglePlay.

The most recent variant, from April 20, omits sending root status and instead comes with the setting “advertId,” suggesting that in future versions malware authors will include the advertisement identifier that distributed the specific variant to the infected device:

Screenshot: The “advertId” in the malware’s settings.

In addition to that device information leak, which is normally used by malware authors to register infected devices, the malicious app silently intercepts all incoming SMS messages and forwards them encrypted to the same remote server in the following format:

  • “type”: receive.sms
  • “WiFi”: true/false
  • “text”: body of the message
  • “phone”: origin of the message

The volume of stolen SMS messages could generate a lot of noise in the backend, so the malware can also filter the intercepted messages using regular expressions obtained from the control server. Here’s an extract of the regular expressions filtering the origin of the intercepted SMS:

Screenshot: A list of intercepted SMS filters.

Most of the names in the list belong to mobile phone companies in Russia, Germany, and France. Malware authors are interested in these messages because they are very useful for performing SMS fraud by intercepting confirmation codes received by victims when cybercriminals subscribe users to premium services using SMS spoofing (by sending an SMS while pretending to be the victim). The filtered intercepted incoming SMS messages are sent back to the remote server using the following format:

  • “type”: sms.filter
  • “phone”: origin of the message
  • “text”: body of the message
  • “phoneExp”: regular expression that matches the origin (for example, “*Orange.*”)
  • “phonetext”: regular expression that matches the content (for example, “.*”)

The malware is also able to report to the control server when the screen is on or off or if the user is present using the following types in the response:

  • screen.on
  • scree.off
  • user.present

If the cybercriminal knows that the user is not present (for example, screen off), the remote server can send the command “webClick”:

Screenshot: The webClick command.

Judging by the name of the command, it is very likely this function is performing click fraud when the victim is absent. There is another command to execute JavaScript code:

Screenshot: A command executing arbitrary JavaScript code.

One of the interesting flags sent to the remote server is “forGooglePlay,” which led us to investigate additional campaigns conducted in the past. We found that at the end of October 2015 the malware authors were able to publish an early version of this malware under the developer name “Smart Development LLC,” but apparently these apps were quickly removed. Currently they are available only in third-party markets such as apkpure:

Screenshot: Trojanized apps published on Google Play in October 2015.
Source: https://apkpure.com/developer/Smart%20Development%20LLC

The first versions of this malware implemented only heavy obfuscation and encryption of the source code, but recent ones are packed to make static analysis difficult: the main payload is stored encrypted and is decrypted and dynamically loaded at runtime when the user executes the app. These efforts show that the malware is still in development. We have seen recent detections from users in France and Germany confirming that this malware campaign is currently active. Intel Security has notified the host of the control server and the Estonian CERT; we hope the control server will be taken down soon.

To protect yourself from this threat, employ security software on your mobile device, and remember that Android updates are not delivered via APK files automatically downloaded when you visit a website. Further, users should not trust applications downloaded from unknown sources.

McAfee Mobile Security detects this Android threat as Android/Dmisk and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

SHA-256 hashes of the analyzed samples:

  • c60916b79e51182837f4833ae650b2abe2f7fce6eeb2f41f4ff248c6e1ec43a2
  • 40c30ab35455b8920d08989d2695f04178c8145e9929ed7dbcd95acc2507faa7
  • 5bfc6a02d594a8cc22bc4ed7b64e9986105a2a4992bd44cee18738182bafed60
  • e9dfb3a432d9e54d344515ff000d94be48322f2d2c4f102a6a319768b7248c0b
  • 9c177189b981752c9cf89d5435c9d37c3b6441c02efb7d012426885747b7ac99
  • 705aeb71b7134d747853a3e65f0bf492d0af0dc2aab73f1a7ccc66e2a773fa84
  • b44f7ae39cc6320a804174a5825d0f8fd74a6e519985f83397fe25bb12af99b1
  • 0d4ea10179d293666b637bbda385b7d9dd248dc998e5875ed2dddd0280fdff55
  • 95a3db31fc19a90f76a4a27ae87321b4d6b9b0122509258b5b87c1c5ee6f0e09
  • d0f5ab874383a24fac7fcabb9fba2ffcbbafffb7dfe6dbb7b5224ecf7d443aa3
  • 3c9d303e375ee3125593035d4e861ee94b2340b9778c10a9b33871aaa4d727e5
  • 69d93b6e50d7d684af932691c65ab396f8ae6da4a4081a171eb233e3d8dabffd
  • 2a5fba694f60a249bf78d88c73223c60b6528c231b7579f59b8d57c67605cc8f
  • 1593900445f84ffc225fc1399a563644a31e0963aa70bd1317195970706a7942
  • ab8abfe7420777eeb02b8d40c2f012dcea36737ffd616deb20d926cff727fdc0
  • 2b32a6c4aa09209ebe203cc305ca3c6970bd6025d4604a1b7458b1a0bc7f9bf7
  • 1980d5b3d8f1e30fdf0831fa2db059f1f1dd2dc749541ba3792e7093541e7958
  • 771946d95b38b8204562befd427fa45fd29fdfccb987bc0b33e796f4a1cbb5b0
  • f2f2ebe7a709f0456a40dfba8eaf66af09fb2a9ed50845e1a5c24e8b78ddbb0c
  • a9aef90cac11bc1f1635abde02be018a76ef4a876369d46349c5301c742597b3
  • c0a6ec3f8850676c875eb9a151f33c319950f6a8260c469874e5a30fea0b6643
  • d19ff00c8933e8fd23cfa1fb62615d18330fe43bc369492034f5755c69bf4f1c
  • 4ece7dc532ad074837d141c245177ad4ba38215a9dee8093970cd671f998d130
  • 29582ec3eb0fd77ed5a88d4dee68d5ad06299b014fa9d9f5acb35dd2282ae21e

URLs distributing malware APKs:

  • slidetracking[.]ru
  • postway12[.]ru
  • traffic2015[.]ru
  • francia-apk[.]ru
  • traff16[.]ru
  • update-free-andr-6[.]ru
  • 6-androdid[.]ru
  • freeupgrade6[.]ru

Control servers:

  • innotion[.]pw
  • bugtracking[.]biz
  • bugstracking[.]xyz
  • alfabrong[.]eu
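The distribution domains and control servers listed above are most useful when they are turned into a watchlist and run over name-resolution logs, so that an infected handset beaconing to the control server from a corporate Wi-Fi network shows up. The following is an added example, not code from the original post or from Intel Security: the domains are the ones published above, while the DNS log format (timestamp, client, query type, name) and the log lines are constructed for the example. Matching is done on label boundaries, so a subdomain of a listed domain is a hit but a longer name that merely ends in the same characters is not.

```python
"""Added example (not from the post): build a watchlist from the published
indicators and scan constructed DNS query log lines against it."""
import re

# Defanged exactly as published in the post.
DISTRIBUTION_DOMAINS = [
    "slidetracking[.]ru", "postway12[.]ru", "traffic2015[.]ru", "francia-apk[.]ru",
    "traff16[.]ru", "update-free-andr-6[.]ru", "6-androdid[.]ru", "freeupgrade6[.]ru",
]
CONTROL_SERVERS = ["innotion[.]pw", "bugtracking[.]biz", "bugstracking[.]xyz", "alfabrong[.]eu"]

# Constructed log lines in a made-up "timestamp client query TYPE name" format.
SAMPLE_DNS_LOG = [
    "2016-04-29T10:15:03Z 10.0.0.12 query A www.example.org",
    "2016-04-29T10:15:07Z 10.0.0.12 query A api.innotion.pw",
    "2016-04-29T10:16:40Z 10.0.0.25 query A update-free-andr-6.ru",
    "2016-04-29T10:17:02Z 10.0.0.31 query A notbugtracking.biz",
    "2016-04-29T10:18:11Z 10.0.0.31 query AAAA bugtracking.biz.",
    "malformed line that the parser should skip",
]

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<name>\S+)$")


def refang(indicator):
    """Convert a defanged indicator ('a[.]b') back into a matchable domain."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def build_watchlist():
    """Map each refanged domain to the category the post gives it."""
    watchlist = {refang(d): "apk-distribution" for d in DISTRIBUTION_DOMAINS}
    watchlist.update({refang(d): "control-server" for d in CONTROL_SERVERS})
    return watchlist


def lookup(hostname, watchlist):
    """Match the hostname or any parent domain on label boundaries only, so
    api.innotion.pw hits innotion.pw while notbugtracking.biz does not hit
    bugtracking.biz. Returns (indicator, category) or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate, watchlist[candidate]
    return None


def scan_dns_log(lines, watchlist=None):
    """Return one hit record per parseable log line that resolves a listed domain."""
    watchlist = watchlist if watchlist is not None else build_watchlist()
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unknown format: skip rather than guess
        found = lookup(match["name"], watchlist)
        if found:
            hits.append({"timestamp": match["ts"], "client": match["client"],
                         "query": match["name"], "indicator": found[0],
                         "category": found[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

A hit on a control-server domain is the stronger signal, since it means a device is already infected and beaconing, whereas a hit on a distribution domain may only mean a browser followed a malicious ad and the APK was never installed.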

The post Fake Android Update Delivers SMS, Click Fraud in Europe appeared first on McAfee.