EU Data Protection Regulation hits a political issue

Under the draft EU Data Protection Regulation, the proposal is to create a “one-stop-shop” for regulation.  This means that data controllers will be regulated on data privacy by the regulator in the EU jurisdiction in which they have their “main establishment”.  This could mean that you will be regulated by a single EU regulator rather than one for each jurisdiction in which you have operations (potentially up to 28 in total; one for each EU member state). So this has to be a good thing (for business).

However, the Council and the Parliament believe that individuals should be able to complain directly to their local regulator rather than having to make a complaint to a far off regulator in, say, Ireland, if that is where the controller’s group has its main EU establishment.  So this, say the Council’s lawyers, is a human rights issue.  The Commission believe that, in the interests of greater harmonisation, the “one-stop-shop” procedure should remain as drafted.  Expect much legal argument and debate to try and resolve this one.

Is this about politics?

Let’s set aside the legal debate and ask ourselves what would happen if we apply the “one-stop-shop” to many of the large corporates operating across Europe today.  The answer would be that many would be regulated in jurisdictions like Ireland and certainly not by, for example, Germany or France. The German and French regulators will be the losers in terms of “regulatory business” under the new rules.  This is clearly causing concern in those jurisdictions.  This is also evidenced by the attempts by the German DPA in Schleswig Holstein to regulate Facebook recently even though Facebook’s establishment is in Ireland.  So far, the German courts have agreed with Facebook.  But if that case can be decided under the current Data Protection Directive, you can see the direction of travel.

Impact on timing

Whatever the legal or political debate, there is no doubt that this additional issue will complicate the “trilogue” discussions between the Commission, the Council and Parliament whose job it now is to agree a final version of the text for the new Regulation.  Although the Commission’s aim is to have this agreed by May 2014, the indications are that this is more likely to happen by the end of 2014 or (…let’s be honest) during 2015.…

What a successful exploit of a Linux server looks like

Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.

A security researcher with George Washington University, DiMino noticed several IP addresses attempting to hijack the Linux server by exploiting a now-patched PHP flaw that gave attackers the ability to remotely execute commands on vulnerable machines. DiMino was curious to know what the people behind the attacks intended to do with his machine, so he set up a "honeypot" box that, for research purposes, ran an older version of the Web development language.

The attackers' HTTP POST request contained a variety of commands that in short order downloaded a Perl script that was disguised as a PDF document file, executed it, and then deleted it. To ensure success, the attackers repeated the steps using curl, fetch, lwp-get requests. The Perl script was programmed to sleep for periods of time, presumably to prevent administrators from noticing anything amiss. Eventually, the compromised machine connected to an Internet relay chat channel, where it downloaded another script and executed it. Then he ran forensic software and snapped lots of screen shots so everyone could follow along.

Read 5 remaining paragraphs | Comments

Please Leave Your Hat On

Webcam blackmailing 1.jpg

Recently, we wrote about creepware and how people use it to spy on unsuspecting victims through webcams. As the name implies, this is really creepy. Unfortunately, there are other similar threats on the Internet. Another scam that has become very popular this year is webcam blackmailing. In these cases, the scammers don’t hide the fact that they are using the webcam.

The scam starts with a simple contact request on a social network or dating site. In general, the profile sending the request appears to be the scammer (posing as a woman), and the request is sent to single men. After a bit of small talk, the scammer explains why she fell in love with the man’s profile picture and then changes the topic to one of a more sexual nature. The scammer asks the man to video chat with her, starts stripping, and encourages the man to do the same. If the man joins in, the compromising video is recorded by the scammer until enough incriminating material has been gathered. Once enough video has been recorded, the scammer changes the topic again and indicates that the video will be publicly uploaded and shared with his friends on social networks if he does not pay.

Multiple variations of this scam exist. For example, some scammers ask for photos instead of videos, some use a previously recorded video of a woman stripping to entice the victim, and others ask for money for a better Internet connection or webcam. The scammer promises better video quality if money is sent, they pocket the money right away, and never buy better equipment. To make it even worse, scammers will claim that the victim was chatting with a child, attaching the stigma of pedophilia to the victim. Any personal information that was shared is published along with the video. In some cases a link to a compromised website is sent in order to infect the victim’s computer with a Trojan. The principle behind the scam is always the same. In any case, users should stay vigilant when using social networks or dating sites.

  • Be wary of messages from unknown people who want to befriend you. Especially if the topic of sexual video chatting is brought up quickly.
  • Think twice before performing compromising acts in front of a camera. Limit the personal details that you share with strangers.
  • Don’t fall for prepaid scams. Don’t send money for arbitrary reasons.
  • If someone attempts to extort money from you, don’t pay, and call the police. Don’t be embarrassed. If a compromising video of you has been uploaded, contact the service provider and try to have the content removed.

Reveton Ransomware Hides Behind Encryption

Reveton belongs to a family of ransomware that locks screens and prevents users from using their machines until they pay a certain amount. Reveton may be downloaded to a victim’s machine from malicious site, by an exploit, or through other malware. Reveton variants (DLLs) usually carry extensions such as dss, pss, psv, dat, bfg, or any three random characters. These samples are executed by a batch or link file using rundll32.exe, as shown in Figure 1.


Figure 1. Batch file to launch Reveton.

Reveton comes with various flavors of encryption to evade antimalware detections. In this blog we will give a brief overview of one of the cryptors used by Reveton in recent variants.

Some previous versions of Reveton had random alphanumerical export names, similar to dsde34fefew, which looked suspicious and were easy to identify. Recent versions have new cryptors and use export names that look legitimate.

Some of the new export names can be seen in Figure 2 and in the following list:

  • AndroidDesktoCompression
  • AndroidTerminal
  • DeviceFor
  • OfficeAppKeyBoard


Figure 2. Import table.

The cryptor fakes the version information to look like a legitimate file. In this case it uses the version info of a Microsoft file, as shown in Figure 3.


Figure 3. Fake version information.

Multiple sections of the cryptor can be seen in Figure 4. A decryption key sits in the “.data” section, and the encrypted executable file can be found in one of the other data sections.


Figure 4. Data sections.

“GetProcessheap” followed by “rtlAllocateHeap” APIs reserve a chunk of heap memory to decrypt the data, as shown in Figure 5.


Figure 5. Heap memory allocation.

The first layer of encryption is quite simple. The cryptor stores a key that might be one, six, twelve, or sixteen bytes in size. The key usually lies within the first 500 bytes, followed by zeroes, as shown in Figure 6.


Figure 6. The encryption key.

The data is decrypted to the allocated heap (allocated from RtlAllocateHeap) by subtracting the key from the encrypted bytes. (In this case from the fourth section named .xdata.) If the key is of size n, the key is subtracted from first n bytes of the .xdata section and then is subtracted from the next n bytes.

The decrypted data looks like an executable file; however, it doesn’t look like a completely decrypted file. We can see in Figure 7 that section headers are not completely decompressed and that the UPX and .rsrc section names are jumbled.


Figure 7. A partially decrypted UPX file.

The cryptor calls the RtlDecompressBuffer API to deflate this partially compressed data, as shown in Figure 8.


Figure 8. A call to RtlDecompressBuffer.

This functions supports Huffan and LZ compression. The parameters supplied to this function include compressed buffer, and the size of compressed and uncompressed data.


Figure 9. A completely decompressed UPX file.


Figure 10. A completely decompressed section header.

The section names of the UPX packer are fully visible at this point, as show in Figures 9 and 10. Decompressing the UPX file gives us the decrypted Reveton code. Code around the original entry point of Reveton can be seen in Figure 11.


Figure 11. The malware’s original entry point.

McAfee detects this variant of Reveton with following names:

  • Ransom-FFK!
  • Ransom-FFM!
  • Ransom-FFN!
  • Ransom-FFO!
  • Ransom-FFQ!

Ransomware has become one of the most prevalent threats. Malware writers keep on finding new means to evade detection. As we have seen here, this particular threat employs a few levels of encryption to avoid easy analysis and detection. It’s vital to keep antimalware products updated, and it’s always a good idea to keep a backup of important data.

Thanks to my colleagues Arvind Gowda and Avelino Rico for their valuable support.