SSCC 72 – DigiNotar, DNS hijacking and Firesheep v2

This week my guest for the podcast was Mike Wood, a Senior Threat Researcher at SophosLabs in Vancouver, Canada.

Mike is our expert on digital certificates and how malware authors try to use and abuse digital certificates for their own purposes.

I talked briefly about this month’s Patch Tuesday, which fortunately is a small one compared to others this year.

I also briefly mentioned the compromise at DNS registrar NetNames. The attacker pointed the DNS for The Register, UPS and others to a Turkish hacker web site.

We discussed the latest version of Firesheep and how it is now able to steal your Google search history due to a flaw in how some Google sites handle cookies.

The meat of this Chet Chat was spent discussing the recent breach of certificate authority DigiNotar and the impact of the hacker(s) who compromised it.

Mike went into some detail about how certificates have been abused and what these attackers might accomplish if they were to use the bogus certificates they purloined from DigiNotar.

(8 September 2011, duration 27:22 minutes, size 12.5 MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 72 or subscribe to our RSS.

Spitmo vs Zitmo: Banking Trojans Target Android

SpyEye and Zeus are probably the most prevalent and active Trojan “banker” families seen in the wild. (Bankers steal bank passwords and other financial data.) At the beginning of the year there was a rumor about the “merger” of both toolkits into a new generation of banking Trojan. It is not clear yet whether leaked Zeus source code has been included in the new version of SpyEye, but it is clear that both families are quite active, especially targeting Android, one of the most popular operating systems for mobiles.

Despite serving the same purpose as the Zeus version for Android (known as Zitmo, for Zeus in the mobile), SpyEye (dubbed Spitmo, for SpyEye in the mobile) has some interesting differences. Both work to defeat a second factor of authentication in an electronic transaction–in this case an mTAN (mobile transaction authentication number)–by forwarding all incoming SMS to a remote server after the username and password have been captured from the infected computer. But SpyEye offers three new interesting characteristics:

1. SpyEye and Zeus use the same distribution method (a computer infected with SpyEye will suggest the user enter a URL in a mobile device to download the malicious Android app), but the user interaction is different. SpyEye does not look like a security tool, as ZeuS for Android does. SpyEye also does not run in the background as a service; it is not active until a predetermined number (325000) is dialed or an SMS is received:

SpyEye might take this step to reduce the presence of the malware in the device. It will not have a user interface and will not appear in the Running tab of the Manage Applications window. Another difference is that instead of seeing the IMEI on the screen, the user (of the infected computer) is instructed to call a specific number to get a fake “authentication code” that will always be the same (because it is hardcoded in the application):

2. With SpyEye the intercepted messages can be transferred via SMS or HTTP. This configuration is stored in a file in the original app called Settings.xml:

The malware will check if the value in “Send” is 1 (HTTP) or 2 (SMS). If it is 2, then it will forward the SMS to the number specified in the telephone tag:

Sending an SMS to the attacker can directly affect victims, because each forwarded SMS can generate additional charges on their bill. Also, because the configuration lies outside the malicious code, the delivery method can differ among variants of the malware. Unlike Zeus, SpyEye keeps the URLs for receiving the stolen information in a single settings file, which makes it more flexible because the URLs can be changed from variant to variant without touching the code.

3. The stolen SMS are sent without encryption to the attacker’s URL. Unlike Zeus for Android (which uses a JSON object in a POST request to send the stolen information), SpyEye uses URLEncoder to “encode” the data, converting every character except letters, digits, and a few special characters into its hexadecimal value preceded by “%”. Thus the data is essentially transmitted in clear text, so it can easily be intercepted by a sniffer on the Internet:

Zeus and SpyEye share the same objective–to obtain the mTANs sent in an SMS to perform electronic transactions that require this second factor of authentication. But the new version of SpyEye for Android adds interesting functions to slow down the analysis process, provide flexibility, and affect the user in different ways. These additions show that this kind of banking malware is in constant evolution. With the increasing popularity of Android and mobile banking, we expect to find more of this kind of malware in the wild. This malicious application is detected in VSE/VSO as Android/Spitmo and in VSM as Android/Spitmo.B.
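As an added illustration of points 2 and 3 above (this is example code, not part of the original post or the SpyEye sample): a small analyst-side triage helper that reads the delivery switch from a Settings.xml and decodes a captured URL-encoded exfiltration body, showing that URLEncoder output is trivially reversible. The tag layout of the XML, the C2 URL and the captured HTTP body are constructed assumptions for the example, not values from the real sample.

```python
# Added example (not the original post's code): triage helpers for the two
# Spitmo behaviours described above. The XML nesting, the URL and the captured
# body below are CONSTRUCTED assumptions, not the real sample's layout/values.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed config. The post states that "Send" is 1 (HTTP) or 2 (SMS) and
# that the SMS destination is in a "telephone" tag; the rest is assumed.
SAMPLE_SETTINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<settings>
  <Send>2</Send>
  <telephone>+00000000000</telephone>
  <url>http://c2.example.invalid/gate.php</url>
</settings>"""


def parse_delivery_config(xml_text):
    """Return (method, destination) for forwarded SMS.

    method is 'HTTP', 'SMS' or 'UNKNOWN'; destination is the URL, the
    phone number, or the raw unrecognised value.
    """
    root = ET.fromstring(xml_text)
    send = (root.findtext("Send") or "").strip()
    if send == "1":
        return "HTTP", (root.findtext("url") or "").strip()
    if send == "2":
        return "SMS", (root.findtext("telephone") or "").strip()
    return "UNKNOWN", send


# Constructed capture of the HTTP variant: java.net.URLEncoder style output,
# i.e. %XX escapes and '+' for spaces. Nothing is encrypted, so anyone on the
# path recovers the mTAN with a one-line decode.
SAMPLE_HTTP_BODY = "from=%2B00000000001&body=Your+mTAN+is+123456+for+EUR+500"


def decode_exfil_body(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def extract_mtan(decoded_sms):
    """Heuristic: return the first standalone 6-digit token, or None."""
    for tok in decoded_sms.split():
        if tok.isdigit() and len(tok) == 6:
            return tok
    return None
```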

Nude Scarlett Johansson pictures – hacker blamed, but when will celebrities learn?

The FBI are once again investigating reports that nude photos of a famous celebrity have been leaked onto the web.

Twitter was ablaze earlier today with messages claiming to link to naked pictures of film actress Scarlett Johansson, which were allegedly stolen from her iPhone by a hacker earlier this year.

The photographs may or may not be of Scarlett Johansson, but I would suggest that every hot-blooded male exercises some restraint as it’s extremely possible that cybercriminals might exploit the interest to post dangerous links on the web designed to infect computers or steal information.

Of course, Scarlett Johansson isn’t the first celebrity to have fallen victim to a nude photo hacker.

Nude photos and videos of Vanessa Hudgens, the star of “High School Musical”, surfaced on the net earlier this year, after it was claimed the actress’s Gmail account was hacked.

Other victims in the past have included Christina Aguilera, Lady Gaga and Miley Cyrus.

Late last year, German investigators alleged that two hackers had broken into the accounts of over 50 pop stars, including Lady Gaga, Kelly Clarkson, and Justin Timberlake.

In that instance, prosecutors claimed that hackers infected computers with malware in order to steal celebrities’ credit cards details, private pictures, emails and unreleased songs.

Celebrities may be very privileged, but they deserve privacy as much as the rest of us when it comes to their personal phone and email messages.

And like the rest of us, they are just as capable of being foolish about their computer security.

There’s a very simple lesson that celebrities should learn: if you must take nude photos of yourself, don’t leave them on your phone or store them in your email.

Trojan targets Japanese bank customers through spam

Recent malware trends clearly show that financial gain is one of the top reasons to be on the dark side of the Internet. Countless threats targeting banking information come and go each day. Stealing banking information is now easier than ever with the availability of toolkits such as Spyeye and Zbot that allow malware authors to target banks of their choice. It is believed that trillions of dollars are deposited in Japanese banks. Furthermore, the Japanese nation is well known to be a nation of savers, thus making Japanese banks and their customers a potentially lucrative target.

A recent spam attack targeting customers of a leading bank in Japan arrives with an .exe file attachment named with the abbreviation of the bank. When we first observed this attack, we thought that it was a typical spam attack customized through Spyeye. However on closer inspection, we found that this was not the case. It is, in fact, Infostealer.Jginko.

The email appears legitimate except for the sender portion of the bank’s name in the email address, which clearly demonstrates that the email did not come from the bank, as the domain in this case is not valid; it is just "". This is a second-level domain and not a fully qualified domain name. The email asks the recipients to renew a "code card". The code card is a card that is provided by the bank to its customers. It contains a matrix of numbers that is used to finalize online transactions (TAN). This is a type of two-factor protection that is used to help protect against straightforward unauthorized account access or transactions. Two-factor protection is widely used by online banking systems, and in some cases three-factor authentication is used. To renew the code card as requested by the email, the recipient is asked to open the attachment.

Running the attachment displays a form which the user is requested to fill in. When the form is filled in and the send button is clicked, the threat takes a screenshot and sends it to the IP address of using a predefined user name and password. At the time of investigation, we did not see any screenshots at the remote location. This may indicate that few users are affected by the threat or that the attacker is copying and deleting data on a regular basis.

Social engineering attacks such as this one are effective against users with little security knowledge. The affected bank has posted a message on their website warning users of these types of spam attacks.