Guardian backtracks, says Whisper doesn’t spy on its users after all

The Guardian last year made headlines with a multitude of claims about the anonymous social media platform Whisper. In its reporting, it claimed that Whisper tracked even those users who had opted out of its location tracking, shared personal data with suicide prevention groups, and stored personal data on non-US servers. Further, the newspaper claimed that Whisper was updating its terms of service and privacy policy as a reaction to its reporting.

A lengthy correction published today acknowledges that much of this was untrue or misleading. The newspaper now says that Whisper was working on its new ToS and privacy policies months before any reports were published, and that it doesn't store data on non-US servers.

Critically, the Guardian also clarified that Whisper cannot ascertain either the identity or location of Whisper users unless those users explicitly choose to share that information. Whisper does know users' IP addresses, but the correction notes that this is a "very rough and unreliable indicator of location." This undermines the Guardian's most significant claim: that Whisper tracked the location even of users who have opted out of its location feature, and that the latitude and longitude of such users was both available to technical staff, and shared with Whisper executives. This isn't possible with IP addresses alone.


Targeted Attack Campaign Against Indian Organizations Continues With More Exploits Focused On National Events

In November last year, McAfee Labs researchers reported on Operation Mangal, an ongoing targeted attack campaign against several Indian domestic and overseas organizations. We have actively tracked the campaign since last year. In our previous analysis of this attack, we uncovered several exploits that were closely tied to India's development agenda. These exploits lure victims into opening malicious documents that compromise their machines and steal confidential data. We found that this targeted campaign has been going on since 2010, with periodic variations in the malware families.

The recently appointed government and heightened activity on the domestic front have led to considerable interest from organizations and consumers. Since January this year, we have seen a steady flow of similar exploits as part of this campaign. These exploits continue to closely follow national events.

Following are some recent exploit filenames or themes:

  • Indian Diplomacy At Work–UNSC Reforms.doc (MD5: faa97d7c792e3d8e7fffa9ea755c8efb; first seen: Oct 31, 2014).
  • Vibrant Gujarat Summit 2015.doc (MD5: b44a0ebddabee48c1d18f1e24780084b; first seen: Jan 6, 2015).
  • U.S.,_India_to_formulate_smart_city_action_plans_in_three_months.doc (MD5: b0ae36bcf725d53ed73126ed56e55951; first seen: Jan 28, 2015).


During late 2014 and early 2015, the attackers modified the shellcode and the dropped malware family, continuously changing their tools and techniques. Some of the recent exploits involved in this campaign drop PlugX malware. The following images show how the shellcode has been modified between exploits observed on January 6 (at left) and January 28 (at right).

While researching this campaign, we gained access to one interim control server, which appears to be the short-term registration server that a compromised host communicates with after decoding the first-stage URL. The directory structure of the control server is:


This directory holds all the client data in JavaScript Object Notation from compromised machines connected to this server. The following image shows the directory structure and the information stored in the file:

Filename: h_HOST-NAME_TIMEVAR_t. All the machine information (IP, MAC, OS type, hostname, OS version, infection time stamp, etc.) was recorded on the remote server with this filename.

Next we see how the machine information looks on the control server, highlighting the infection time stamp from late last year:


Filename: r_off_PCNAME_TIME_TIME_t. This file holds the base64-encoded output of commands that ran on the compromised host.

Decoding this data reveals the command executed on the compromised host and also exposes the list of documents and files on the machine that could have been stolen.

Filename: c_HOSTNAME_TIME_t. This file holds an encoded WMI script or script variables in the following form:


which turns out to be a readable WMI script when decoded:


Filename: d_rdown_HOSTNAME_TIME_t. This file is uploaded from the compromised host to the control server.

Filename: rdown_HOSTNAME_TIME_t. This file is downloaded from the control server to the compromised machine. It could contain postexploitation tools to run on the host.
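The file-naming scheme above is enough to triage an offline copy of such a directory. The following Python script is an added example written for this page, not McAfee's tooling: it classifies each file by the prefixes described (h_, r_off_, c_, d_rdown_, rdown_), pulls the host name and time fields out of the name, parses the JSON host record, base64-decodes the command output, and lists any document paths it exposes. The digit-only time format, the JSON key names and every sample file in SAMPLE_FILES are assumptions constructed for the example; the page gives neither the encoding of the c_ files nor any real content, so those are left undecoded.

```python
"""Triage an offline copy of the interim control-server directory.

Added example, not McAfee's code. File-name conventions follow the article:
  h_<HOST>_<TIME>_t          host info as JSON
  r_off_<HOST>_<TIME>_<TIME>_t  base64-encoded command output
  c_<HOST>_<TIME>_t          encoded WMI script (encoding not given)
  d_rdown_<HOST>_<TIME>_t    file uploaded from the host
  rdown_<HOST>_<TIME>_t      file downloaded to the host
The digit-only time format, JSON keys and all sample data are assumptions.
"""
import base64
import json
import re

# One pattern per file class. The time format is assumed to be digits.
_PATTERNS = [
    ("host_info",      re.compile(r"^h_(?P<host>.+?)_(?P<time>\d+)_t$")),
    ("command_output", re.compile(r"^r_off_(?P<host>.+?)_(?P<time>\d+_\d+)_t$")),
    ("wmi_script",     re.compile(r"^c_(?P<host>.+?)_(?P<time>\d+)_t$")),
    ("upload",         re.compile(r"^d_rdown_(?P<host>.+?)_(?P<time>\d+)_t$")),
    ("download",       re.compile(r"^rdown_(?P<host>.+?)_(?P<time>\d+)_t$")),
]

# Document extensions an operator would be interested in stealing.
_DOC_RE = re.compile(r"\S+\.(?:docx?|xlsx?|pptx?|pdf)\b", re.IGNORECASE)


def classify(name):
    """Return (kind, host, time) for a file name in a known scheme, else None."""
    for kind, pattern in _PATTERNS:
        m = pattern.match(name)
        if m:
            return kind, m.group("host"), m.group("time")
    return None


def decode_command_output(blob):
    """r_off_* files are base64; tolerate stripped padding and odd bytes."""
    text = blob.strip()
    text += b"=" * (-len(text) % 4)          # restore any dropped '=' padding
    return base64.b64decode(text).decode("utf-8", errors="replace")


def exposed_documents(output):
    """Document paths named in decoded command output (e.g. a 'dir' listing)."""
    return _DOC_RE.findall(output)


def triage(listing):
    """Map {file name: bytes} to per-file records with decoded content."""
    records = []
    for name, data in sorted(listing.items()):
        hit = classify(name)
        if hit is None:
            continue                          # not one of the known schemes
        kind, host, when = hit
        rec = {"file": name, "kind": kind, "host": host, "time": when}
        if kind == "host_info":
            rec["info"] = json.loads(data.decode("utf-8"))
        elif kind == "command_output":
            out = decode_command_output(data)
            rec["output"] = out
            rec["documents"] = exposed_documents(out)
        records.append(rec)
    return records


# Constructed sample directory for the example; none of it is real campaign data.
SAMPLE_FILES = {
    "h_WIN-PC01_20141118_t": json.dumps({
        "ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "os": "Windows 7",
        "hostname": "WIN-PC01", "ver": "6.1", "infected": "2014-11-18 09:12:44",
    }).encode("utf-8"),
    "r_off_WIN-PC01_20141118_0913_t": base64.b64encode(
        b"dir C:\\Users\\user\\Documents\r\n budget.xls\r\n report.doc\r\n"
    ),
    "c_WIN-PC01_20141118_t": b"<encoded WMI script; encoding not given on the page>",
    "rdown_WIN-PC01_20141118_t": b"MZ\x90\x00",
    "readme.txt": b"unrelated file, ignored",
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_FILES):
        print(rec["kind"], rec["host"], rec["time"], rec.get("documents", ""))
```

Run against a real dump, the "documents" field of the command_output records is the quickest way to scope what may have been exfiltrated per host, and the host_info records give the infection time stamps needed to bound the incident window.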

The tools directory hosts several postexploitation tools and malware to be downloaded from the control server to run on compromised machines. We found malicious DLLs, rootkits, encoded JavaScript malware, and cab files. One of the WMI scripts is an installer for other malware:

We have tracked down the location of many of this campaign's control servers, primarily in the United States and China. More than 60% of the servers were hosted in the United States and more than 20% were hosted in China.

McAfee Advanced Threat Defense

McAfee Advanced Threat Defense provides coverage for all of these exploits as well as for the dropped files involved in this attack.

Attackers are continuously on the lookout for social engineering opportunities. Luring targeted users into opening malicious documents tied to national events is one of the most effective and effortless ways of performing these attacks. Users need to exercise extreme caution when opening documents from unknown sources, and keep their software patched.

I would like to thank my fellow researcher Brad Arndt for assistance in researching and tracking this campaign.

The post Targeted Attack Campaign Against Indian Organizations Continues With More Exploits Focused On National Events appeared first on McAfee.

Google’s Bad Instructions for Upgrading Zen Cart

Google started out providing just text snippets and links to other websites in its search results and over time started adding more information directly into the results. For example, you can get sports scores right on the search results page. Sports scores are simple factual data, so it is hard to get those wrong, but more complex information is easier to get wrong. We were recently made aware of an example where Google is providing quite bad information.

Currently if you do a search related to upgrading Zen Cart you will get shown the following instructions above the results:

Google Zen Cart Upgrade Instructions

The instructions are taken from a page on GoDaddy’s website.

What sticks out to us is that not only are the instructions wrong, but they seem to have been written by someone who doesn't have any actual familiarity with Zen Cart.

Let’s start with the note above the instructions on GoDaddy’s page:

NOTE: If you are using Zen Cart schema 1.3.8a, you need to upgrade to 1.3.9 before upgrading to version 1.5. Otherwise, you will get errors.

This just doesn't make any sense, as the Zen Cart installer, which is used to upgrade the database schema, has no problem upgrading from 1.3.8a to the latest version, 1.5.4, without going to 1.3.9 first. Below is a screenshot of doing exactly that; you can see that not only does it let you upgrade from that version, it lets you start from as far back as version 1.2.7:

Zen Cart Database Upgrade Selections

The next thing that stands out is step 5, "Disable all plugins and set your theme to the default." The way Zen Cart handles addons is different from a lot of other software. With WordPress, for example, plugins are stored separately from the core software and you can enable and disable them from a central location. Zen Cart addons are much more tightly coupled to Zen Cart. In some cases the addons are modifications to core Zen Cart files, which cannot be disabled short of removing the code. For other addons, the addon itself would have to provide a mechanism for disabling it, which many do not. We get the sense that the person writing this took the advice from some other software, without understanding that it wasn't applicable to Zen Cart.

Finally, the biggest problem with the instructions is the lack of any actual instructions on doing the upgrade. The entirety of GoDaddy's instruction is "Upgrade Zen Cart to 1.5.0. For more information, see this Zen Cart help article." The "more information" implies that "Upgrade Zen Cart to 1.5.0." actually provided some information, which it didn't. If you follow the link you land on Zen Cart's 1,200+ word upgrade instructions, which are nothing like GoDaddy's. The whole thing comes across as an attempt to write something around the link to the actual instructions, which they filled with incorrect information. Google's inclusion of it directly in the search results then compounds the problem.

When we do Zen Cart upgrades we use the patch files we have created, which can make it easier to do the upgrade than using the official Zen Cart method.

Stuxnet leak probe stalls for fear of confirming US-Israel involvement

A criminal leak investigation into a top military official has stalled out of concern it could force US officials to confirm joint US-Israeli involvement behind the Stuxnet worm that targeted Iran's nuclear program, according to a media report published Wednesday.

Federal prosecutors have been investigating whether retired Marine Gen. James E. "Hoss" Cartwright leaked highly sensitive information to New York Times reporter David Sanger. A 2012 book and article authored by Sanger said Stuxnet was among the crowning achievements of "Olympic Games," a covert program jointly pursued by the US and Israel to curb Iran's attempts to obtain nuclear weapons. As reported in author and Wired reporter Kim Zetter's book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Stuxnet was first seeded to a handful of carefully selected targets before taking hold inside Iran's Natanz enrichment facility. From there, the malware caused computer-controlled centrifuges to spin erratically, an act of sabotage that forced engineers to scrap the damaged materials.

According to an article published Wednesday by The Washington Post, the probe into Cartwright's suspected leak to Sanger is generating tension between national security concerns and the Obama administration's desire to hold high-ranking officials accountable for disclosing classified information.
