Attack for Flash 0day goes live in popular exploit kit

If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits.

Prolific exploit sleuth Kafeine uncovered the addition to Angler, an exploit kit available in underground forums. The zero-day vulnerability was confirmed by Malwarebytes. Malwarebytes researcher Jérôme Segura said one attack he observed used the new exploit to install a distribution botnet known as Bedep.

Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.


Did feds mount a sustained attack on Tor to decloak crime suspects?

Last week's arrest of a man alleged to help run the Silk Road 2.0 online drug bazaar has touched off speculation he was identified using a controversial attack that for six months last year systematically worked to deanonymize users of the Tor privacy service.

In a search warrant affidavit filed earlier this month, a special agent with the Department of Homeland Security said the Silk Road follow-on site was accessible only as a hidden service on Tor, a measure that typically would have made it impossible to identify the IP addresses hosting the underlying servers, as well as IPs used by end users who accessed them. Despite the use of Tor, FBI investigators were able to identify IP addresses that allegedly hosted and accessed the servers, including the Comcast-provided IP address of one Brian Farrell, who prosecutors said helped manage SR2. In the affidavit, DHS special agent Michael Larson wrote:

From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2, which included its main marketplace URL (silkroad6ownowfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). The SOI's information ultimately led to the identification of SR2 servers, which led to the identification of at least another seventeen black markets on TOR.

The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. A user cannot accidentally end up on the vendor site. The site is for vendors only, and access is only given to the site by the SR2 administrators/moderators after confirmation of a significant amount of successful transactions. If a user visits the vendor URL, he or she is asked for a user name and password. Without a user name and password, the vendor website cannot be viewed.

The timeframe of the information leak bears a striking resemblance to a deanonymization attack uncovered in July by Tor officials. For six months, the people behind the campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services. The decloaking effort began in late January 2014 and ran until early July when Tor officials shut it down. The Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who a few weeks earlier canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.


The Rise of Backdoor-FCKQ (CTB-Locker)

By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek)

In the McAfee Labs Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as “the year of shaken trust”. Indeed, almost every threat measured saw a notable increase in Q3, which pointed to a rather ominous 2015. There was, however, one notable exception: ransomware.

[Figure: ransomware]

The above figure showed a respite from the threat of ransomware, but as predicted in the McAfee Labs threat predictions, “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”

For many, this prediction appears to be ringing true with the rise of Backdoor-FCKQ (also known as CTB-Locker), which is being distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings and email spam.

Details

“Backdoor-FCKQ” is new crypto-ransomware delivered through email that encrypts data files present on the target system.

It copies itself to the following locations:

  • %temp%\<7 random characters>.exe
  • %temp%\wkqifwe.exe

It also creates a job task whose name consists of 7 random characters:

  • %windir%\Tasks\cderkbm.job

The following path is also added to the system:

  • %ALLUSERSPROFILE%\Application Data\Microsoft\<7 random characters>

It injects code into svchost.exe, and svchost.exe then launches the file at the following path:

  • %temp%\<7 random characters>.exe

The code injected into svchost.exe encrypts files with the following extensions:

  • .pdf
  • .xls
  • .ppt
  • .txt
  • .py
  • .wb2
  • .jpg
  • .odb
  • .dbf
  • .md
  • .js
  • .pl

Once infected, the malware displays the following image on the system:

[Image: CTB-Locker]

The newly created process creates a mutex named:

  • \BaseNamedObjects\lyhrsugiwwnvnn
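The host indicators above (the dropped .exe names in %temp%, the 7-character .job file, the all-users directory, svchost.exe launching a file from %temp%, and the mutex) can be turned into simple detection logic. The following Python is an added example and not code from the McAfee post: it runs rules over constructed, pipe-delimited endpoint events of the form EventType|ProcessName|Target (an invented format), models the “7 random characters” as seven lowercase letters (an assumption the write-up does not state), and only raises a verdict when several independent indicators fire, since a lone .exe in %temp% is common.

```python
"""Match the Backdoor-FCKQ host indicators against endpoint events.

Event format (constructed for this example): "EventType|ProcessName|Target".
The '7 random characters' in the file and job names are modelled as [a-z]{7};
that character class is an assumption, not something the write-up states.
"""
import re

RANDOM7 = r"[a-z]{7}"
TEMP_EXE = re.compile(r"\\Temp\\(?:" + RANDOM7 + r"|wkqifwe)\.exe$", re.IGNORECASE)
JOB_FILE = re.compile(r"\\Tasks\\" + RANDOM7 + r"\.job$", re.IGNORECASE)
ALLUSERS_DIR = re.compile(r"\\Application Data\\Microsoft\\" + RANDOM7 + r"$",
                          re.IGNORECASE)
MUTEX = re.compile(r"\\BaseNamedObjects\\lyhrsugiwwnvnn$")

# (rule name, required event type, required process or None, pattern on target)
RULES = [
    ("dropper_in_temp",           "FileCreate",    None,          TEMP_EXE),
    ("svchost_launches_temp_exe", "ProcessCreate", "svchost.exe", TEMP_EXE),
    ("job_task",                  "FileCreate",    None,          JOB_FILE),
    ("allusers_dir",              "FileCreate",    None,          ALLUSERS_DIR),
    ("mutex",                     "MutexCreate",   None,          MUTEX),
]


def scan(events):
    """Return {rule_name: [matching event lines]} for the given events."""
    hits = {}
    for line in events:
        try:
            etype, proc, target = line.rstrip("\r\n").split("|", 2)
        except ValueError:
            continue                      # malformed line: skip, do not crash
        for name, want_type, want_proc, pattern in RULES:
            if etype != want_type:
                continue
            if want_proc is not None and proc.lower() != want_proc:
                continue
            if pattern.search(target):
                hits.setdefault(name, []).append(line)
    return hits


def verdict(hits, threshold=2):
    """A single temp .exe is common; require several independent indicators."""
    return len(hits) >= threshold


# Constructed sample events: the first five reproduce the behaviour described
# in the write-up, the last two are benign noise.
SAMPLE_EVENTS = [
    r"FileCreate|invoice.scr|C:\Users\bob\AppData\Local\Temp\qzxmcvb.exe",
    r"ProcessCreate|svchost.exe|C:\Users\bob\AppData\Local\Temp\qzxmcvb.exe",
    r"FileCreate|svchost.exe|C:\Windows\Tasks\cderkbm.job",
    r"FileCreate|svchost.exe|C:\Documents and Settings\All Users\Application Data\Microsoft\hjkqwer",
    r"MutexCreate|svchost.exe|\BaseNamedObjects\lyhrsugiwwnvnn",
    r"FileCreate|chrome.exe|C:\Users\bob\Downloads\report.pdf",
    r"ProcessCreate|services.exe|C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, lines in found.items():
        print(rule, "->", len(lines), "event(s)")
    print("CTB-Locker indicators present:", verdict(found))
```

The svchost rule is the most specific of the set: a legitimate svchost.exe is started by services.exe from System32 and does not itself launch executables from a user's temp directory, so that single event is worth more than the file-name patterns, which any 7-letter name will trip.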

An interesting angle in this new round of Backdoor-FCKQ malware is the use of a well-known downloader known as Dalexis. There are several versions of this downloader around; a simple query in our internal database returned more than 900 hits for this downloader and its variants. To circumvent anti-spam tools, the downloader is hidden in a zip file that contains another zip, which eventually unpacks to a .scr (screensaver) file.

The function of the downloader is to download additional malware from certain locations, unpack the XOR-encoded malware and execute it. In this case the additional malware, the actual CTB-Locker, was packed in a file called ‘pack.tar.gz’:

[Figure 1: ‘pack.tar.gz’]

As can be seen in the above screenshot, there is no file header that identifies a known file type. For example, if this were an executable file, the first two characters (the ‘magic number’) would have been ‘MZ’. This is one of the ways in which malware authors try to circumvent gateway detection of malware. Other tricks we have seen a lot recently include hosting the malware payload on Pastebin or GitHub.

In this case, the ‘pack.tar.gz’ file used different XOR keys to encrypt different parts of the file. Once this puzzle was cracked, the ‘unpacked’ code of ‘Backdoor-FCKQ’ was revealed:

[Figure 2: Unpacked code of Backdoor-FCKQ]

With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, code sections were immediately recognised.
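The two observations above, a dropped blob with no recognisable magic number and a payload whose parts are XOR-encoded under different keys, are a routine triage task. The following Python is an added example and not the McAfee analysis tooling: it first checks a blob against a small magic-number table and, when nothing matches, recovers one single-byte XOR key per fixed-size segment by assuming that 0x00 is the most frequent plaintext byte in a PE file. The fixed segment size, the single-byte keys and the sample payload are assumptions constructed for the example; the post does not describe the real pack.tar.gz scheme.

```python
"""Triage of an opaque dropped file such as 'pack.tar.gz'.

Step 1: look for a known magic number (the write-up notes the blob had none).
Step 2: if there is none, treat the blob as XOR-encoded with a different
        single-byte key per fixed-size segment and recover each key from byte
        statistics, assuming 0x00 is the most frequent plaintext byte in a PE.
        Segment size and single-byte keys are assumptions for this example.
"""
from collections import Counter

KNOWN_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip",
    b"%PDF": "PDF",
}

DOS_STUB = b"This program cannot be run in DOS mode.\r\n$"


def identify_magic(blob: bytes):
    """Return a file-type name if blob starts with a known magic number, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def guess_key(segment: bytes) -> int:
    """If 0x00 dominates the plaintext, the most common ciphertext byte is 0x00 ^ key."""
    return Counter(segment).most_common(1)[0][0]


def recover(blob: bytes, segment_len: int):
    """Decode each segment with its own guessed key; returns (plaintext, keys)."""
    keys, out = [], bytearray()
    for off in range(0, len(blob), segment_len):
        seg = blob[off:off + segment_len]
        key = guess_key(seg)
        keys.append(key)
        out += xor_with_key(seg, key)
    return bytes(out), keys


def encode(plain: bytes, segment_len: int, keys) -> bytes:
    """Inverse of recover(); used only to build the constructed sample below."""
    out = bytearray()
    for i, off in enumerate(range(0, len(plain), segment_len)):
        out += xor_with_key(plain[off:off + segment_len], keys[i])
    return bytes(out)


def triage(blob: bytes, segment_len: int) -> dict:
    """Report what the blob looks like before and after XOR recovery."""
    report = {"magic": identify_magic(blob), "keys": None,
              "recovered": None, "dos_stub_found": False}
    if report["magic"] is None:
        plain, keys = recover(blob, segment_len)
        report["keys"] = keys
        report["recovered"] = identify_magic(plain)
        report["dos_stub_found"] = DOS_STUB in plain
    return report


# Constructed stand-in for a PE payload (not the real CTB-Locker binary): MZ
# header, DOS stub text and a PE signature, padded with zeros so that 0x00 is
# the most frequent byte in every segment.
SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 50
             + b"PE\x00\x00" + b"\x00" * 40)
SEGMENT_LEN = 64
SAMPLE_KEYS = [0x5A, 0xC3, 0x17, 0x9E]          # one arbitrary key per segment
ENCODED_SAMPLE = encode(SAMPLE_PE, SEGMENT_LEN, SAMPLE_KEYS)

if __name__ == "__main__":
    print(triage(ENCODED_SAMPLE, SEGMENT_LEN))
```

The zero-frequency heuristic fails on segments that are mostly code or compressed data, where no single byte dominates; in that situation a known-plaintext check (the MZ bytes at offset 0, the DOS stub string, or the PE\0\0 signature) against each of the 256 candidate keys is the usual fallback.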

As a quick Yara detection rule, the following could be used:

[Image: Yara detection rule]

Bitcoin trail

While tracing the bitcoin trail and possible transactions, no value was found in the account and no transactions had been made to other accounts.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

A special thanks to Sanchit Karve for his assistance in the analysis.

The post The Rise of Backdoor-FCKQ (CTB-Locker) appeared first on McAfee.