jQuery.com is Running Outdated and Insecure Version of WordPress

Today it was reported that the website of the JavaScript library jQuery was recently hacked. When a high-profile website like this is hacked, it is important to find out how it was hacked, since high-profile websites are sometimes hit with new exploits that are later used more widely, and warning others early can help limit further successful exploitation. Unfortunately that has not been determined so far; the article states that “The bad news is that they still don’t know how the compromise happened, so it just might happen again.”

Right now the jQuery website has a pretty obvious security problem. They are running an outdated version of WordPress:

The jQuery Website is Running WordPress 3.9.1

The next version of WordPress, 3.9.2, released on August 6, included a number of security fixes, and its announcement said that WordPress “strongly encourage[s] you to update your sites immediately”. We are not aware of mass exploitation of those vulnerabilities (or of any others in older versions of WordPress in years), but some of the vulnerabilities fixed might be exploitable in a targeted attack. WordPress 3.7 introduced a feature that automatically applies maintenance and security updates such as 3.9.2, so most websites running WordPress 3.9.1 would have been upgraded within a day of the 3.9.2 release. That means that either the jQuery web developers disabled that feature or their server has some issue preventing the automatic updates from occurring. (Those automatic updates can be extended to plugins with our Automatic Plugin Updates plugin.)
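As an added example (not part of the original post, and not a look at jquery.com's actual files), the check below reads the core version out of wp-includes/version.php and the auto-update constants out of wp-config.php to tell whether a site is behind and whether the 3.7+ background updater should have caught it. The two file contents are constructed samples; the constants AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE are the ones WordPress itself honours.

```python
import re

# Constructed stand-ins for wp-includes/version.php and wp-config.php (sample data, not jquery.com's files).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.9.1';\n"
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define( 'AUTOMATIC_UPDATER_DISABLED', true );  // switches off the background updater\n"
)

def parse_wp_version(version_php: str) -> tuple:
    """Extract $wp_version from wp-includes/version.php as a comparable int tuple."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([\d.]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(p) for p in m.group(1).split("."))

def auto_update_setting(wp_config: str) -> str:
    """Classify the core auto-update policy declared in wp-config.php:
    AUTOMATIC_UPDATER_DISABLED=true switches the whole updater off, while
    WP_AUTO_UPDATE_CORE may be false (none), 'minor' (the default) or true (all)."""
    def const(name):
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*([^)\s]+)\s*\)" % name, wp_config)
        return m.group(1).strip("'\"").lower() if m else None
    if const("AUTOMATIC_UPDATER_DISABLED") == "true":
        return "disabled"
    core = const("WP_AUTO_UPDATE_CORE")
    if core in (None, "minor"):
        return "minor"  # default since 3.7: maintenance/security releases auto-apply
    return "all" if core == "true" else "disabled"

def assess(version_php: str, wp_config: str, latest: tuple) -> dict:
    """Report whether core is behind and whether the background updater should have fixed it."""
    installed = parse_wp_version(version_php)
    policy = auto_update_setting(wp_config)
    same_branch = installed[:2] == latest[:2]
    return {
        "installed": ".".join(map(str, installed)),
        "outdated": installed < latest,
        "auto_updates": policy,
        # A minor release in the same x.y branch auto-applies unless updates are disabled.
        "should_have_auto_updated": installed < latest and same_branch and policy != "disabled",
    }

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG, (3, 9, 2)))
```

A site reporting outdated=True with auto_updates="minor" points at a server-side problem (cron, filesystem permissions, outbound HTTPS) rather than a deliberate opt-out.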

Unfortunately, the use of outdated software on the jQuery website isn’t uncommon. When we looked at data from one of our tools earlier this year, we found that 60 percent of WordPress websites were running a version below the then-current version (we also found widespread use of outdated versions of Drupal and Joomla). A good way to keep track of the update status of websites you manage is with our Up to Date? Chrome app.

Kali NetHunter turns Android device into hacker Swiss Army knife

Free to download, ready to customize, NetHunter puts the power of a pen-tester's Linux desktop on a Nexus phone or tablet.

One of the tools we've leaned on heavily in some of our lab testing of software privacy and security is Kali Linux. The Debian-based operating system comes packaged with a collection of penetration testing and network monitoring tools curated and developed by the security training company Offensive Security. Today, the Kali developer team and Offensive Security released a new Kali project that runs on a Google Nexus device. Called NetHunter, the distribution provides much of the power of Kali with the addition of a browser-driven set of tools that can be used to launch attacks on wireless networks or on unattended computers via a USB connection.

NetHunter is still in its early stages, but it already includes the ability to have the Nexus device emulate a USB human interface device (HID) and launch keyboard attacks on PCs that can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation. It also includes an implementation of the BadUSB man-in-the-middle attack, which can force a Windows PC to recognize the USB-connected phone as a network adapter and re-route all the PC’s traffic through it for monitoring purposes.

A demonstration of NetHunter's HID Keyboard attack on a Windows 8 computer.

In a phone interview with Ars, Offensive Security’s lead trainer and developer Mati Aharoni said that while NetHunter can be compiled to run on Android devices other than the Nexus family, “part of the reason we chose Nexus devices was because of the specific kernel sources we were able to get from Google.” The Nexus devices supported by NetHunter include the Nexus 5 ("hammerhead"), Nexus 7 (both 2012 and 2013 versions), and the Nexus 10 ("mantaray").


Middle-East Developer of SpyGate Struts His Stuff Online

Malware authors tend to conceal themselves so that they can continue their activities uninterrupted. However, we have observed the opposite trend with some authors who like to show their swagger when writing malware, in particular remote access tools (RATs). They proudly spread their work and post videos on YouTube to demonstrate it. In this post we focus on two samples that are very popular in the Middle East. These particular malware authors are very vocal about the malicious software they have created, posting details on social media and other hacker forums. The malware executables are extremely user friendly; anyone with basic computing experience can generate an entire set of new customized malware to steal data from targeted users.

The first campaign is SpyGate, a fully functional RAT written in Visual Basic. The malware author openly advertises the tool on social media, with a download link included.


Combining the data we have found, we have a profile of a young man living in Riyadh, Saudi Arabia, who studied in Dubai and seems to like the game “Dragon City.” Although he seems to change his desktop wallpaper often (as seen on YouTube), he’s clearly developing this RAT.

Once the RAT is downloaded and executes, we see the following window:


The malware has a proper GUI that provides the user with various options, such as monitoring the victim’s screen, obtaining all the keylogs, etc.

One interesting option is the “build/compile malware” tab, which is the source of most copies of SpyGate on the web. This option lets script kiddies or malware users compile their own “customized” malware. In the host address window they can add their own web addresses to receive the stolen data.

The malware author also has options to alter surface-level attributes of the binary, such as the filename, extension, and even the icon. These steps are useful for misleading antimalware vendors and escaping static clustering and detection. The final output of this compilation is a new, previously unseen binary with an entire set of password-stealing capabilities. The malware author’s goal is to steal as much data as possible.

On execution, SpyGate creates two temp files: melt.tmp, which stores the malware’s execution path (for tracking purposes); and oosuacodersoo.tmp, which stores all the keylogs from the victim’s system. For example, typing “Hello Spygate!! How are you” logs all keystrokes and spaces.


But SpyGate is more than just a keylogger. It attempts to steal Google Chrome login data, Internet Explorer autocomplete forms data, FTP passwords, and other data.


SpyGate also checks for antimalware programs. The list is long and contains about 50 vendors, including McAfee.

While examining the spread of this RAT, we discovered several control servers hosted in the Middle East and targeting numerous users around the globe.

SpyGate: the source of KingRAT

We saw a tremendous variety of new Zeus variants when its source code was leaked, and now we have seen similar development based on SpyGate. The open exchange of information among forum members often leads to modified and even more ferocious RATs. One such offshoot of SpyGate is KingRAT 0.1, which has been made public by the malware author “Hacker Syria DZ.” We observed communication on social media between the two RAT authors discussed in this article.


The executable is hosted on a Middle East site as a RAR archive. Upon execution, we see a GUI that gives various options.


Under the build option, a user can compile a binary to suit custom needs. For example, the user can block sites such as Virustotal.com, disable debuggers like OllyDbg, and even decide whether to incorporate USB-infection capabilities.

After we compiled a new RAT, we found the file YmzdHViIGdlbaW9uPTEuMC4wLjAsIGN1bHR1cmU9bmVmVyYXRvciB2MS4wLCJhbCw.log in the templates folder. This file stores the keystrokes. Although the keylogging module is good at recording the process name, the keystroke module appears to be buggy: only partial keystrokes are stored.


Despite its different and stylish GUI, KingRAT does nearly the same work as SpyGate. The author has tried to hide the reference to SpyGate in the front end; however, binary analysis makes it evident that this malware uses the same SpyGate code. Below we see the “no-ip” and “Paltalk” password-stealing modules for SpyGate (on the left) and KingRAT (on the right). The code is the same; only the password-stealing module is left out by the KingRAT author.


We have more evidence of KingRAT’s origins in this reference to SpyGate:


Although authoring tools such as RATs, cryptors, and malware seems to be “l33t” and to earn status in the Middle East underground, the danger remains that many teenagers play with these tools without understanding the risks. Not only do some of these kits contain backdoors, but hacking into victims’ computers is a crime in most countries.

McAfee detects the parent compiler as SpyGateCompiler! and the resultant compiled malware as SpyGate!

A Yara rule to detect SpyGate:

rule SpyGate_v2_9
{
    meta:
        date = "2014/09"
        maltype = "Spygate v2.9 Remote Access Trojan"
        filetype = "exe"

    strings:
        $1 = "shutdowncomputer" wide
        $2 = "shutdown -r -t 00" wide
        $3 = "blockmouseandkeyboard" wide
        $4 = "ProcessHacker"
        $5 = "FileManagerSplit" wide

    condition:
        all of them
}
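As an added example (not McAfee's code), the rule's string logic re-implemented in Python to make the "wide" modifier concrete: wide strings are matched as UTF-16LE, one zero byte after each ASCII character, which is how Visual Basic/.NET string literals sit in the compiled binary. The sample buffer is constructed here, not a real SpyGate file, and the second variant writes the wide strings as plain ASCII to show that the rule must not fire on them.

```python
# Strings from the SpyGate_v2_9 rule above; True = 'wide' (UTF-16LE), False = plain ASCII.
SPYGATE_STRINGS = {
    "$1": ("shutdowncomputer", True),
    "$2": ("shutdown -r -t 00", True),
    "$3": ("blockmouseandkeyboard", True),
    "$4": ("ProcessHacker", False),
    "$5": ("FileManagerSplit", True),
}

def encode_pattern(text: str, wide: bool) -> bytes:
    """Byte pattern YARA searches for: UTF-16LE when 'wide', else ASCII."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")

def scan_spygate(buf: bytes) -> dict:
    """Return {identifier: first offset or None} for every string in the rule."""
    hits = {}
    for ident, (text, wide) in SPYGATE_STRINGS.items():
        off = buf.find(encode_pattern(text, wide))
        hits[ident] = off if off >= 0 else None
    return hits

def matches_spygate(buf: bytes) -> bool:
    """Equivalent of the rule's 'condition: all of them'."""
    return all(off is not None for off in scan_spygate(buf).values())

def build_sample(wide_ok: bool = True) -> bytes:
    """Constructed stand-in for a binary: 64 bytes of MZ-style header padding, then the strings.
    With wide_ok=False the wide strings are emitted as ASCII, which the rule must NOT match."""
    parts = [b"MZ" + b"\x00" * 62]
    for text, wide in SPYGATE_STRINGS.values():
        parts.append(encode_pattern(text, wide and wide_ok) + b"\x00\x00")
    return b"".join(parts)

if __name__ == "__main__":
    print(scan_spygate(build_sample()))
    print(matches_spygate(build_sample()), matches_spygate(build_sample(wide_ok=False)))
```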
