Report: Shadowy Russian hacker group hijacked 1.2 billion usernames, passwords

Dan Goodin

A Wisconsin security firm claims that a Russian criminal group has accumulated the largest known collection of stolen online usernames and passwords via SQL injections, according to a new report in The New York Times on Tuesday.

Hold Security, which did not immediately respond to Ars’ request for comment, apparently has 1.2 billion usernames and passwords across 420,000 sites. It declined to tell The Times which companies were affected or to name the group specifically.

In February 2014, Hold Security also discovered 360 million compromised login credentials for sale in underground crime forums. The haul, which included an additional 1.25 billion records containing only e-mail addresses, came from multiple breaches. In October 2013, the same firm discovered the circulation of 153 million user names and passwords stolen during a massive breach of Adobe's corporate network. A month later, the security firm uncovered 42 million plaintext passwords taken during a hack on niche dating service Cupid Media.


Trailing the Trojan njRAT

One Trojan that just won’t go away is the remote access tool njRAT. Microsoft recently took down a leading domain associated with the malware, but that action did not come off as smoothly as the company hoped. We closely track this remote access tool (RAT) and see a rise in its popularity every year.

The malware is very popular in the Middle East with the Syrian Electronic Army and other hacktivists. There are plenty of tutorials and videos online that explain its use, thus making it the de facto choice for cyber espionage.

This RAT is coded using the Microsoft .Net framework and can remotely access a victim’s machine, operate the webcam, log keystrokes, steal credentials stored in browsers, upload and download files, and update itself. The malware has a GUI-based builder and controller tool that allows its users to create malicious binaries and remotely control all infected machines.

Tracking the control servers

A major aspect of this RAT is its popularity with dynamic domain name system (DNS) services such as no-ip.com. A dynamic DNS service is a method of automatically updating a name server in the DNS, often in real time, with the active DNS configuration of its configured hostnames, addresses, or other information.

This feature allows attackers without a dedicated static IP, such as those on a DSL or broadband connection, to use a DNS-based hostname. The malicious actors can then switch to any IP or Internet connection and still keep the client connections alive, because the infected machines connect to the hostname rather than to a fixed address.

Based on the activity we observed in our monitoring systems, here is a map of the global coverage of njRAT’s control servers during the last six months:

[Figure: global distribution of njRAT control server IPs over the last six months]

All the dots signify distinct IP addresses used by njRAT as a control server. The green dots signify active campaigns, which mean the attacker was controlling machines as we took this snapshot. Here is a close-up of its popularity in the Middle East:

[Figure: close-up of njRAT control server IPs in the Middle East]

Morocco, Algeria, and Iraq have the highest usage, with Algeria hosting the largest number of control server IPs (more than 4,000). The dynamic DNS service provider no-ip is owned by Vitalwerks, which offers various domain name options to its customers. During this period, we saw more than 80,000 unique domains used for njRAT that belonged to Vitalwerks. Here is the distribution:

[Figure: domain distribution of njRAT control servers]

Clearly, most njRAT users prefer using the domain no-ip.biz, which leads the pack with more than 47,000 distinct entries in our database.
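The domain-distribution tally above can be reproduced on a defender's own resolver logs. The following is an added example, not McAfee's code: it attributes queried hostnames to dynamic DNS zones on label boundaries (so a look-alike such as `no-ip.biz.attacker.example` is not counted), then reports unique hostnames per zone, which IPs each hostname actually resolved to (a stand-in for the "active" control servers), and how many internal clients queried each one. The log format and the sample lines are constructed; only no-ip.com and no-ip.biz are named in the post, and the other No-IP zones in the list are assumptions.

```python
# Added example, not McAfee's code: tally the dynamic-DNS zones behind the
# hostnames seen in resolver logs, mirroring the post's domain-distribution chart.
import re

# Only no-ip.com and no-ip.biz are named in the post; the other No-IP zones
# listed here are assumptions added for illustration.
DYNDNS_ZONES = {"no-ip.biz", "no-ip.org", "zapto.org", "hopto.org"}

# Constructed resolver log lines in a hypothetical format
# "<time> <client> query <qname> <qtype> <answer>"; not real data.
SAMPLE_LOG = """\
2014-08-05T10:01:02Z 10.0.0.12 query cam-victim.no-ip.biz A 203.0.113.7
2014-08-05T10:01:05Z 10.0.0.12 query www.example.com A 198.51.100.1
2014-08-05T10:02:40Z 10.0.0.31 query rat.NO-IP.BIZ. A 203.0.113.9
2014-08-05T10:03:11Z 10.0.0.44 query srv.zapto.org A 203.0.113.7
2014-08-05T10:04:00Z 10.0.0.12 query cam-victim.no-ip.biz A NXDOMAIN
2014-08-05T10:05:22Z 10.0.0.50 query no-ip.biz.attacker.example A 192.0.2.5
"""
LINE_RE = re.compile(r"^\S+ (\S+) query (\S+) (\S+) (\S+)$")


def dyndns_zone(hostname):
    """Zone that hostname falls under, or None. Matches on label boundaries,
    case-insensitively, ignoring a trailing dot, so 'no-ip.biz.attacker.example'
    is not attributed to no-ip.biz."""
    host = hostname.lower().rstrip(".")
    for zone in DYNDNS_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def summarize(log_text):
    """Unique hostnames per zone, the IPs each hostname resolved to (live
    control servers; NXDOMAIN answers are skipped) and querying clients."""
    per_zone, resolved, clients = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, qname, qtype, answer = m.groups()
        zone = dyndns_zone(qname)
        if zone is None:
            continue
        name = qname.lower().rstrip(".")
        per_zone.setdefault(zone, set()).add(name)
        clients.setdefault(name, set()).add(client)
        if qtype == "A" and answer != "NXDOMAIN":
            resolved.setdefault(name, set()).add(answer)
    return {"hostnames_per_zone": {z: len(s) for z, s in per_zone.items()},
            "resolved_ips": {h: sorted(v) for h, v in resolved.items()},
            "clients_per_hostname": {h: len(c) for h, c in clients.items()}}
```

Run `summarize(SAMPLE_LOG)` to see the per-zone counts; a hostname that is queried but never resolves (only NXDOMAIN) still counts as a hostname but is absent from `resolved_ips`.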

Obfuscation and antivirus evasion

One of the reasons njRAT remains so popular is the Trojan’s ability to stay under the radar and prevent antivirus detections. There are plenty of obfuscation tools available for .Net that easily allow users to obfuscate the .Net binaries.

Similar to a packer, a .Net obfuscator tool renames the meta-information in the assembly code such that it is not possible for anyone to statically figure out the functions, yet they remain useful to execute the intended operations. The obfuscator was designed to protect against the reverse-engineering of .Net executables, but here it is put to use for nefarious purposes.

Plenty of tutorials on YouTube explain how to make an njRAT binary undetectable by antivirus solutions, and hence the success rate of infection with njRAT is pretty high. However, the network signature remains the same. This is what we use to track the threat.

In the past year, we have collected more than 88,000 unique binaries. Using our advanced automation, we monitor this threat closely.

[Figure: incoming njRAT samples per month]

For a RAT, the preceding numbers are pretty high. They demonstrate how easy it is to build and deploy this malware. But what surprises us most is the count of samples received each month that have no antivirus detection:

[Figure: njRAT samples per month with no antivirus detection at submission]

The samples in the preceding chart were not detected by any antivirus vendor at the time of submission. We refer to these as zero-day samples. From their network communication, however, we can confirm that they all belong to the njRAT family. We have used the malware’s network signature to track this threat for more than a year.

Due to the plethora of tutorials and information, there are some popular obfuscators for njRAT. However, we also saw some of the binaries using custom obfuscation algorithms. Based on our analysis, we found that “RedGate SmartAssembly” was one of the most popular obfuscators used with njRAT, followed by “Yano” and others:

[Figure: distribution of obfuscators across njRAT samples]

Desktop antivirus solutions have limitations, and .Net obfuscation takes advantage of that. Every month we get samples of this malware that continue to evade antivirus software. The njRAT tool is still under development on various forums and its author continues to create new versions.

All McAfee Network Security Product (NSP) customers are already protected from this threat.

The post Trailing the Trojan njRAT appeared first on McAfee.

Chinese Worm Infects Thousands of Android Phones

Last weekend, it was reported in China that an SMS worm was wildly spreading among Android mobile phones, with more than 500,000 devices infected. The malware spread by sending SMS texts to a phone’s contacts with a message body such as:

XXX看这个,http://cdn.<removed>.com/down/4279139/XXshenqi.com

[Figure: SMS message used to spread the worm]

This malware is much more than just a worm. It is actually a worm plus a Trojan. The Trojan component resides in another install package in the original one.

Once the malware is installed, it checks whether the Trojan is installed. If not, it asks the user to install it.

[Figure: prompt to install the Trojan component]

After installing, the malware sends a text message to a control server phone number, which we believe belongs to the author of this malware, to let him know that a new victim is infected.

[Figure: "installed" report sent to the malware author]

The installation then asks the user to input his or her ID and name, which will also be posted to the control number.

[Figure: user's identity card number and name being leaked]

The Trojan monitors incoming SMS messages, forwards all incoming SMS messages to the control number, and executes the following commands:

  • readmessage: Reads all SMS messages and sends them to the malware author’s mail address
  • sendmessage: Sends messages to the number in the message body
  • test: Sends a test message to the malware author
  • makemessage: Makes a fake message, and inserts it into the inbox
  • sendlink: Sends the user’s contact list to the malware author’s email address

With the user’s identity card number, real name, and SMS messages, the malware author is one step closer to stealing the user’s bank account information, hijacking an online trade, or even transferring money. In China, some banks allow customers to access their accounts with an identity card number and password.

[Figure: user's information sent via mail]

We have seen two versions of this sample. The payloads are almost the same, except that the first one has no spreading payload, that is, no worm function. It appears the author wanted to infect more devices by adding the worm.

McAfee Mobile Security detects both of these threats as Android/XShenqi.A.

According to reports, the author of this malware is a college student who created this malware just to prove he can do something. Seems like a curious way to impress people.


The post Chinese Worm Infects Thousands of Android Phones appeared first on McAfee.

PayPal 2FA is easily bypassed, teenage whitehat hacker says

A teenage whitehat hacker said he has found a simple way that attackers can bypass the two-factor authentication system PayPal uses to protect user accounts.

The circumvention requires little more than spoofing a browser cookie set when users link their eBay and PayPal accounts, according to Joshua Rogers, a 17-year-old living in Melbourne, Australia. Once the cookie—which is tied to a function PayPal identifies as "=_integrated-registration"—is active in a user's browsing session, the two-factor authentication is circumvented, Rogers reported. That means attackers who somehow acquire someone else's login credentials would be able to log in without having to enter the one-time passcode sent to the account holder's mobile phone.

Rogers said he reported the vulnerability privately to PayPal on June 5. He said he went public two months later after receiving no response. He went on to write:
