According to Microsoft’s report, Febipos beacons to a C2 server and receives the following commands:

-    Liking a page
-    Sharing a post
-    Posting messages
-    Joining a group
-    Inviting your friends to a group
-    Sending messages and links via chat
-    Commenting on posts

Febipos is packaged in a self-extracting archive (SFX) and is coded to silently install into the user’s temporary directory (%temp%). The Trojan’s main component is called ‘fbinstupd.exe’, appearing to be shorthand for ‘Facebook Install Update’. All program strings are in Portuguese, Brazil’s official language.

Upon execution you’ll also get a confirmation dialog that translates to ‘Installation completed successfully!’  Glad to know there weren’t any errors =)

In the image below, you’ll also see the results from a regshot capture; notice the installed Firefox extension that was place in my profile directory.  The Chrome extension was dropped in the %temp% directory along with the Trojan and another PE file.

Febipos’ main component is heavily armored, and was passed through a software protection system known as ‘Obsidium’. You can check it out at http://www.obsidium.de/ for more information. While many programs like Obsidium, VMProtect, Themida, intend to protect commercial software products from piracy and reverse-engineering, they’re also used frequently to fortify malware. This has caused some AV vendors to flag files as malicious if they’re been processed by these protection systems.

Unfortunately, I couldn’t get a copy of Febipos that still had a live C2 server, so I wasn’t too interested in doing any further analysis; however, Febipos along with Facbook scams attest to the fact that social media has come under heavy fire from blackhat cyber-criminals. As platforms like Facebook and Twitter allow everyone to be constantly connected, hackers have a new way to ‘connect’ with us.

On underground forums, for instance, it’s very common to see posts offering techniques to hack accounts, generate likes, etc.  A lot of these tricks involve social engineering and sometimes exploiting Facebook’s password recovery options.

This has brought about a whole new market for many, who buy and sell Facbook traffic to the highest bidder. If you remember back in January I did a post on Malwarebiter, a Malwarebytes imitator with a Facebook page containing a suspicious number of likes, probably attributed to this kind of behavior.

With that being said, a word to the wise for our readers: safeguard your social media accounts like you would your email account, bank account, or other online account containing personal information. As sites like Facebook continue to integrate into much of our lives, we find that it’s used for much more than stating what’s on our minds. Now we can login to other websites with our Facebook credentials, and sites like Twitter allow us to retrieve news that may influence our everyday decisions. For example, the Associated Press (AP) Twitter account hack of last month briefly impacted the stock market, causing a noticeable drop in the DOW after a fabricated tweet of White House explosions.

What’s more, the threat of malware targeting social media is becoming more apparent, as evidenced by Febipos. While current threats like Febipos are isolated and aren’t capable of doing irreparable harm, Facebook malware is still in its infancy stages, and is sure to advance given ample time. Reports are already surfacing of users creating Facebook botnets, leveraging the power and connectivity of social media to do their dirty work.

However, in Facebook’s defense, the social media giant hasn’t remained quiet amidst the attacks on its users. In recent times, there have been many security updates to password recovery, account creation, and a huge crackdown on fake profiles. Today if you created a new Facebook profile, you’d notice you have to verify who you are, not only with a captcha, but by providing a phone number to retrieve an SMS code needed for account activation.

We all need to follow ‘common sense’ guidelines to keep our Facebook profile safe, along with other online accounts. For Facebook, this includes ignoring Friend requests from unknown/suspicious persons, and not following any links you don’t trust, even if they’re posted by friends. These could be Clickjack scams or other malicious links that exploit your browser, exposing your private information or your computer to malware. Falling victim to these traps might be easier than you think, as a hyperlink may initially appear harmless on the surface.  Exercise caution when using all forms of social media and make sure you’re using strong passwords, or a Password Manager. Check out this article if you need help with that part.

One final word to our readers: users of Malwarebytes Anti-Malware will be happy to know that JS.Febipos.A is detected as Trojan.Dropper.SFX. Make sure to stay tuned to Unpacked for any updates on social media malware.

_______________________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell

What you would see

Before we get into malicious advertisements and Ad networks, let us talk about how and when you might come across a blocked advertisement.  First, if you have been using Malwarebytes Anti-Malware PRO for a while, then you might have seen a notice. like the one above, appear while you were surfing legitimate web-sites.  If you were confused or frightened by this, don’t worry, it doesn’t mean that the web-site you are on is malicious.  What it means is that just the advertisements inserted into the web-site might be malicious.

Take for example:

• You navigate to your favorite website CoolStuffFeed.com to check out the latest news
• When your page loads up, you see a notice from Malwarebytes Anti-Malware informing you that it is blocking a potentially malicious website
• You freak out and never visit CoolStuffFeed.com again

What actually happened here is that while you navigated to CoolStuffFeed.com when the notice appeared, it was actually the advertisement provider used by CoolStuffFeed.com that is being blocked for malicious content.  Malwarebytes detected the IP address of the Ad network and its association with malicious ads circulating through websites of its customers. Let us call the advertisement network “BadAd Network.”  Therefore:

• CoolStuffFeed.com hired BadAd Network to provide advertisements to the sites main page to make some money
• BadAd network is known by Malwarebytes to host malicious advertisements so our product blocked any advertisement traffic from our users
• You, the customer, will see a notice from us about something malicious happening on CoolStuffFeed.com
• In reality, we are blocking advertisements from BadAd Network that are trying to show up in your browser when you visit CoolStuffFeed.com.
• You will not be blocked from viewing CoolStuffFeed.com at all and should have no problems reaching the content that you want to see, sans some of the advertisements.

Malicious code from Ad networks might be present in pop-ups or advertisement banners. When the banners attempt to load or the pop-up attempts to navigate to the malicious website, we block it before it has a chance to cause any damage to your system.

Malvertisements

Advertisements that not only look legitimate but also contain malicious code in an effort to infect systems with malware are known as a malvertisements. Cyber-criminals use malvertisements to try to spread their malware to a greater audience of users by submitting them to online advertisement networks that will show the malicious ad on numerous trusted websites.  The ad networks are usually not aware of the cyber criminal’s intent and approve non-malicious ads submitted by the criminals initially.  Once the ad is approved, however, the cyber criminals switch out the legitimate ad for the malicious one, right under the noses of the ad networks.

The networks fail to check modifications made to the advertisements and therefore allow the Malvertisments to be shown on their customers’ webpages. The ad networks also quickly cycle through different advertisements with each view of the customer web-page. The dynamic scrolling of ads makes it difficult not only to flag the existence of a malvertisement circulating on a network but also identifying which advertisement is the culprit!

So now that you know what malvertisements are, you may ask, why doesn’t Malwarebytes Anti-Malware just block the URL of the malicious code rather than the actual ad network? Well, we do, but sometimes that is not enough, because malicious ads have a tendency to change often to avoid detection and use different URLs in the operation of their attacks.

We flag networks that are known by us to host Malvertisments (intentionally or not) as malicious because of their unsafe practices of not doing regular quality assurance checks on the advertisements they are circulating. This, in combination with finding numerous malicious advertisements circulating on their networks and spreading malware, forces us to block not only the malicious advertisements but also the advertisement networks entirely.

Why we block

In order to ensure our users are protected from drive-by advertisement malware, we sometimes block advertisement networks that have a history of allowing malvertisements on their networks.  We, of course, stay in constant communication with the ad networks and inform them of the malicious ads, and sometimes they do something about it; other times they do not.

So since we are blocking the ad network, we are most likely going to be blocking legitimate ads that are in circulation, and as a user of our website-blocking feature in Malwarebytes Anti-Malware PRO, you might see something like the notice above show up from time to time, even when visiting a legitimate web-site. Don’t worry: every time you see that, it doesn’t necessarily mean that the website you are on is malicious, it might just be using an Ad network we don’t find safe for our users.

Examples

Here are a few examples of malvertisements in action:

July 2010: TweetMeme.com

• Malicious Advertisements targeted site visitors after a rogue advertiser spread a malicious advert through y5-media.com.  The result was users redirected to drive-by attack sites that installed fake antivirus malware

April 2010: Facebook Farm Town Game

• An advertisement served on a popular Facebook game was delivering Rogue AV software, claiming that the users system had been infected with malware and their product could help them

May 2012: Malvertisements found on Blogger Website

• Adverting network, Clicksor, was found serving malicious advertisements to users of a Blogger website leading to the BlackHole Exploit Kit

As you can see, Malvertising happens all the time; and while the effort from the community to fight these attacks has advanced greatly over the last few years, the threat is far from gone.

Am I protected

If you are one of the many users of Malwarebytes Anti-Malware PRO, then you are likely already protected with our product. To double-check if you are, though, simply right click on the Malwarebytes Anti-Malware icon in your notification icon bar (opposite from your Start Menu button) and look for Website Blocking.

If you observe that the option for Website Blocking is already checked, you are good to go. If you do not, I HIGHLY recommend that you select it in order to activate that protection feature. We are very strict and prudent when we decide to blacklist a certain website so that our users are protected without blocking their access to the Internet.

Extra protection

Even if you do not use Malwarebytes Anti-Malware PRO and therefore are not receiving the benefit of our website blocking protection, there are other ways to keep you safe. One of these ways is to use ad-blocking software for your browser. This software will ensure that no advertisements reach you, regardless of where they come from.  This is a great way to not only fend off potential malvertisement attacks but also to help you avoid clicking on things like fake download buttons or “special offers.” These types of scams exist in mass amounts and are generally delivered to the user through advertisements and pop-ups.

A little while ago, we posted two blogs that discuss the threats behind advertisements. The first one, “Pick a Download, Any Download”, examines advertisements that display false download buttons on download pages. The second blog “PDAD: Part 2” , goes into detail to explain various methods of installing ad blocking software for your browsers to keep yourself safe from those scams.

Conclusion

In my opinion, malicious advertisements are the most dangerous threat online right now, mainly because you can do everything right as far as safe surfing, but they still might find you.  The best defense is always to arm yourself with as much protection as you can.  Updating Java (or disabling Java in your browser), Flash, your browser and operating system are all great ways to stay ahead of the curve: however, for everything else, using antivirus or anti-malware applications as well as ad-blocking software can keep you well protected against the waves of cyber-attacks headed your way every single day.  Thanks for reading, and stay safe!

The Scam

The scam starts off with a user receiving the following message from one of his or her friends:

hey go to hxxp://www.SkyPremiumSetup.com/ and activate your account, Skype is giving away free premium for life to a few thousand people. Once you have it, you can do group video calls and a ton of other cool stuff. i got to head out now but I’ll ttyl for sure!

After clicking on the link, the user is sent to the site seen below and required to enter his or her username and password to activate the free premium account.  In reality, there is no free premium upgrade and if you had actually fallen for this tactic, the bad guys would now have your Skype log in credentials. In addition, a good tip off that this is in fact a real scam is the incorrect grammar used in the title text. First of all “receive” is spelled incorrectly and Life Long should be one word.  Maybe nothing that you would notice immediately but errors in text and formatting are always a great way to determine the legitimacy of something you come across online.

A new tactic for the bad guys is actually ensuring that the credentials you’re providing are legit! When you enter your Skype log in credentials, they are checked for accuracy using a legitimate Skype authentication service and if you give fake or incorrect log in details, the scam will not proceed. I know this based on my traffic capture , which revealed a Secured Shell (SSH) tunnel being created between my system and a valid Skype application domain. From there it was obvious that the log in prompt was legitimate however, what becomes of your credentials once you press “Sign me in” is another story entirely.

So in order to test this scam without giving up my own personal information, I decided to create a new account with the name “Juan Sanchez villa-lobos Ramirez” and the Skype username Villa-LobosRamirez. (Extra points if you get the reference.) Once I had the new account created I plugged in the credentials and was on my way to the next stage of the scam.

Chief Metallurgist to King Charles V and Anti-Scam Warrior (image copyright 20th century fox)

After legitimate credentials have been provided, you are redirected to a download web page that looks a lot like the official Skype download page.

…that is if the Skype download page were on drugs

The page will attempt to download the recommended installer and launch it in order for the premium activation application to upgrade your account.  At this point it’s just adding insult to injury—you have already given up your Skype log in credentials but now you are also downloading suspicious software.

The Malware

After you download the software and let it execute, a screen pops up that looks a little suspicious, with the Skype logo image not quite fitting in with the rest of the screen—the screen claims that it is activating your life premium package.

In reality, malware is being downloaded and executed on your system while the application is “activating.” You can see the download happening by checking out this screenshot of my Fiddler capture during the “activation” process.

The file is labeled “kickit.lol,” which, unbelievably, is actually a known Banker Trojan.

Now that your Skype credentials have been stolen and you also have malware running on your system, your contacts can expect to see a similar message to the one you received in the near future.

Here are the file properties for anyone who might want to check out these files further:

Kickit.lol

46F7320243320CA494B00C056DA7E7C3

96256

SkypePremiumSetup.exe

ACBCD179C1A72BCC84F2A88C827B5A7A

773632

Fortunately, the domains used in this scam have been taken down however that doesn’t mean that others won’t pop up.

How to Protect Yourself

The term “phishing” has moved beyond the traditionally seen scammer e-mail attack and into the realm of social media and communication tools like Skype.  The reality is that while you may do everything in your power to keep your data safe and secure from cyber criminals, your friends and family might not be so prudent.  With that in mind, it is important that any communication that you are not certain is coming from someone you know be seen as suspicious.

For example, if you received the message referenced in this post from a friend of yours and he or she immediately logged off or you attempted to talk to the friend and he or she did not respond, that is a flag that the message might be malicious, and you should wait until you communicate with your friend further before clicking it. The same goes for messages received on Twitter, Facebook, Google+, or even traditional e-mail.

By keeping your security software such as anti-malware or spam detection software and applications such as Java, Flash and your operating system up to date, you may very well lessen the damage of this attack if you happen to fall victim to it.

Conclusion

It seems like more and more often we are seeing attacks coming at users from all angles and under the guise of trusted contacts and legitimate services. Despite the uncertainty of trusting your friends and their activities online, the one certainty in all this is that the attacks will continue and with mass customization of phishing attacks based on data derived from your online footprint, they are going to get worse.  The key is to always be skeptical and use prudent security approaches with everything you come across.  By double-checking the legitimacy of a single link, you could save yourself some serious heartache.  Thanks for reading and stay safe!

By definition HIPS is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. In other words a Host Intrusion Prevention System (HIPS) aims to stop malware by monitoring the behavior of code. This makes it possible to help keep your system secure without depending on a specific threat to be added to a detection update.

Historically HIPS and firewalls are closely related. Where a firewall regulates the traffic to and from your computer based on a rule set, HIPS do more or less the same, but for the major changes made on your computer.

The major changes that can be allowed for a program when creating a rule-set

HIPS solutions protect the computer against known and unknown malicious attacks. In case of attempted major changes by a hacker or malware, HIPS blocks the action and alerts the user so an appropriate decision about what to do can be made. What does the HIPS consider major changes? I made a list of possible major changes and why malware might want to make them. The list is far from complete, but more like a bare minimum of what your HIPS should be guarding:

• Take control of other programs. For example sending a mail using the default mail client or  sending your browser to a certain site to download more malware.

• Trying to change important registry keys, so that the program starts at certain events.

• Ending other programs. For example your virus scanner.

• Installing devices or drivers, so that they get started before other programs

• Interprocess memory access, so it can inject malicious code into a trusted program.

What can you expect of a good HIPS?

At the very least it should have the power (authority) to stop active malware. If it is unable to stall another program while waiting for your decision, the battle is already lost. Additionally it should have a basic set of rules that any user can apply until he is more familiar with the software and/or the need for more elaborate rules emerges. Adapting or creating new rules should be possible (there are always exceptions to be made) and it should be user friendly to do so. For one thing it has to be very clear to the user what the consequences of his changes are, or he will find himself wondering at some point why this or that no longer works. For these cases and other help, I would also check out if there are forums (or other places) where you can find help in individual cases. A knowledge base is not always enough to find all the answers.

The normal method of a HIPS is runtime detection. It intercepts actions when they occur, but some HIPS also offer pre-execution detection. This means that the nature of an executable is analyzed before it runs, to check for suspicious behavior.

Are there any risks?

Risks associated with HIPS are false positives and wrong user decisions. HIPS respond to certain changes that other software wants to make on your system. For example any HIPS will keep an eye on the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and others like that, from where programs are started automatically when Windows boots up. But obviously there are many legitimate programs that use this key as well. So when a change is made to the content of that key (an extra value is added), the user will be presented with a choice, Block or Allow. For this key there are many online resources on which you can base an informed choice, but most users will hit Allow, especially if they are in the process of installing something. Some HIPS will let you know what other users have decided in this particular case, but especially when numbers are still small, this can be deceiving and it is not really a decision based on relevant information. You are only hoping the majority of the users before you was right. The system is only as good as the responses of the user to the popup alert. Even if the HIPS software correctly identifies a threat, the user may inadvertently approve the wrong action and the PC could still become infected.

Conclusions: HIPS can be a valuable part of a layered defense, but I would advise to add at least one detection based security solution. While HIPS should be for everyone, it requires at least a decent knowledge of computing to use them effectively.

Sources :

http://www.techsupportalert.com/content/hips-explained.htm

http://en.wikipedia.org/wiki/Intrusion_prevention_system

Update: GoDaddy has taken action to remove ownership of that domain name.

It all started with a pop up, warning me that my computer was infected. I decided to call to find out more about this scam. Unfortunately, I got a voice mail and was a little disappointed. I still left a few messages so perhaps they would call me back. Anyway, the next morning I tried again and got through that time. The man on the phone was quite nice (all things considered) and did not even bother with the sales pitch: just what I like, straight to the point. Our first step was to launch a legitimate program (TeamViewer) so that he could remotely take control of my PC and run a program to scan for viruses. I’m really excited to see what it’s going to find!

To say these are false positives is an understatement. These entries are made up since I am running a clean system (Virtual Machine). Also, this was the fastest scan(m) ever only taking 2 seconds: clearly not a good sign. The guy had me where he wanted as he’s about to get me to pay. I know this is a critical step and he’s probably going to destroy evidence of the bogus program he just installed and ran. Before he does that, I take control and terminate the TeamViewer session in a hard way:

Surprisingly, he’s not too upset but it is time for me to reveal what is really going on. He tries to claim his innocence (you called us) but was open to talking for a few minutes. After some words of advice we part ways. So, let’s take a deeper look at this scam. the original pop up can be encountered simply while browsing a site. It is meant to be alarming and to trick the user to call the 1-800 number for assistance. How do they get away with that? Well, for starters using the word ‘may’ shows that there is a possibly they could be wrong and thus limiting their liability:

Secondly, by having Terms and Conditions that basically say this is indeed not real. Mind you, they are quite hard to read (tiny black font on blue background):

So here they are in full:

“Terms and Conditions: We are not affiliated in any way with Microsoft, all registered trademarks of their respective owners. All trademarks on this web site whether registered or not, are the property of their respective owners. The authors of this web site are not sponsored by or affiliated with any of the third-party trade mark or third-party registered trade mark owners, and make no representations about them, their owners, their products or services. It is important to note that this site and the image depicted above are to be used as an illustrative example. This website and any page on the website, is based loosely off a true story, but has been modified in multiple ways. Thus, this page, and any page on this website, is not to be taken literally or as a non-fiction story.Allonlinemedia.com distributes advertisements from third party software, toolbars, browser add-ons, game applications, pop-up and other types of applications.”

What about the technician’s analysis? The program he was using to scan my computer is not terribly sophisticated to say the least:

The program was compiled from: c:\Users\Lior\Documents\Visual Studio 2010\Projects\odesk\RegistryScanner\source code\GuardScanner\obj\x86\Debug\Guard Scanner.pdb

One thing is for sure, it is very lightweight and will not use much CPU. However, its database is stuffed with false positives which aren’t just accidents, but clearly used to add some drama. At the end of the road there goes the same PC support plan with a cost of $179.99 in this case:

All of their websites are using private registration to mask their identify and location:

This isn’t the only scam this company is pulling. One of their (poorly configured) website shows multiple landing pages.

Besides the fake virus ones, you will find those “work from home” quick money schemes:

These guys know how to play the game just right so they don’t get into too much trouble. I really despise unethical and misleading marketing practices and it’s really too bad they are able to get away with it. I’ve been scammed once before, when I was much younger, so I know just how it feels and my wish is to spread the word so that innocent people don’t have to go through it.

About the author: Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client and server side malware and a focus on web exploits research. He has built high interaction honey-clients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! websites. Follow him on Twitter: @jeromesegura

Malwarebytes Secure Backup

• Eliminates worrying about lost files
• Remembers to back up when you don’t
• Removes the threat of saving or spreading infected files
• Uses backup technology named “The top-rated backup solution” by PC Magazine
• Automatically scans your important files for malware even if you forget to run your usual antivirus/anti-malware scan on your system. It is a malware “fail-safe.”

The threat

While any malware protection application would like to claim that their product could protect you against any malicious software threat, the truth is that sometimes things get through.  When this happens, you might end up losing files to encrypted ransomware or malware that erases your personal files.  If you have not backed up any of your files, well then, you have just lost them, maybe forever.

However, if you have backed up your files using any normal remote backup service, you will remove the malware any way you can then just download the files back to your system and everything can go back to normal, or can it? The reality is that the malicious file that resulted in your system becoming infected might have been backed up with your other normal files. Once you download the files back you also download the malware, and you might end up with the same problem you started with.

The solution

The threat of backed up malware is where Malwarebytes Secure Backup steps in. Knowing that your files are backed up and malware free using Malwarebytes Secure Backup will remove the fear that you have just lost your photos or music collection and/or your important documents.

This is how it works:

1. Malwarebytes Secure Backup scans the file to be uploaded with your copy of Malwarebytes Anti-Malware (PRO or Free).
2. If the file is free of malware, it is encrypted and uploaded to the secure server. If the file is infected, it is skipped, and you are automatically notified that the file is infected.
3. Your clean file is safely stored.

So not only are your files scanned for malware and stored safely but they are also encrypted so you know that your files will be safe and kept private as they travel to our secure cloud server or are stored on your local storage away from the reach of malware. In addition, when you back up files, every file is archived, and every backed up file that is deleted from Malwarebytes Secure Backup is archived, just in case you need to retrieve a deleted file in the future.

Where exactly is your data stored?

Malwarebytes Secure Backup consolidates both online and local backups under one program–so you don’t have to use separate products for each (online and local). For our secure cloud storage users, your data will be stored in a certified data center that includes:

• Manned 24-hour security and video surveillance
• Proximity security badge access
• State-of-the-art smoke and fire suppression
• Temperature-controlled environment systems
• Seismically braced construction
• Redundant backup power systems

In addition to redundant hard drive (RAID) configurations and real-time network monitoring, you can rest assured that even while stored remotely, your data is safe, private and always be available to you.

If you don’t always have access to an Internet connection and would feel more comfortable storing your files on local storage, Malwarebytes Secure Backup offers this option as well, encrypting and archiving the files you need, directly into local storage, in a form that malware can’t get to.

How is my data encrypted?

As stated previously, we encrypt your data before it even leaves your system so it is securely stored and kept private from malware or attackers who attempt man-in-the-middle network attacks to steal your outgoing data.  We encrypt your files at all three stages of the backup process:

1. Before files leave your computer or mobile device they are protected using a first layer of Advanced Encryption Standard (AES) encryption, the same encryption used by banks and military organizations.
2. Files are transferred to our secure cloud using a Secure Sockets Layer (SSL) connection that employs a second layer of AES encryption.
3. Once files reach our data centers, your data is protected with a third layer of AES encryption.

Access from anywhere

Another great features of Malwarebytes Secure Backup is the web portal access that allows you to easily access your shared files from anywhere and download them to another system or share them with your friends.

Can I share my files?

There are many different personal file sharing options out there today, and people use them all the time to share pictures, music or files. However, sharing files puts your reputation on the line, especially if you accidentally share malicious files with the people who trust you.

Malwarebytes Secure Backup also allows you to securely share your personal files with your friends or family in a safe and easy way! Malwarebytes Secure Backup can send an e-mail to the recipient of your files with a download link to the file you want to share. You do not have to worry about copying links or attaching files ever again!

Super Privacy

Malwarebytes Secure Backup provides an option to our users known as UltraSafe.  UltraSafe is for users who do not want anyone but the password holders to have access to their backup credentials– meaning the user will not able to recover their password if it is forgotten or lost. UltraSafe ensures that your data is not available to anyone but you and those who you want to have access to it, however it is not recommended for the casual user who might need to recover their password in the future. Use with caution.

How much does it cost?

There are other secure backup options available to you for different prices, but most of them offer a high storage amount limited to only one device and a much higher price if you want to back up more devices. With Malwarebytes Secure Backup, you can get the right amount of storage for you for all of your devices (computer, tablet, phone, etc.) and all for a single price per year.  Our plans include:

Basic – $29.95/year

• 50 GB
• Unlimited Devices

Standard – $59.95/year

• 100 GB
• Unlimited Devices

Premium – $119.95/year (our best offer)

• 200 GB
• Unlimited Devices

The plan you choose should be based on your needs. If you are the occasional or light user with only personal documents and a few GB of music and photos across numerous devices (Android, PC, iOS, etc) then the basic plan might be best for you. If you are a heavy user with more than one PC and/or numerous devices in your house and lots of music, pictures, documents and other personal files, Premium or Standard would be the best way to go.

Where do I get it / More Info

If you’d like to try out Malwarebytes Secure Backup for free, head over to our product page for a free trial. If you know that Malwarebytes Secure Backup is the right choice for you, click on Buy Now and select one of the buy options we talked about above.

However, if you are still unsure of whether or not our product is right for you and want to learn more about it, you can also check our product page or our datasheet, which lists all the features of Malwarebytes Secure Backup.

Conclusion

Malware will never stop finding new ways to infect your system and steal your personal data or destroy what you cherish on your computer.  While computer security products will always try their best to defend your system from all threats, one of the best ways to ensure that your data stay safe is to take security into your own hands and back up important files on a regular basis.  Using Malwarebytes Secure Backup you can ensure that your files stay safe, secure and protected from current and future threats.

 A few days ago I remember visiting the live site and my browser just crashed, something I did not think about too much since I was using one of our honeypots with out-of-date software.

Fool me once, shame on me. This time I was out to find out, except that now the site had been taken offline and redirects to this information page:

Thankfully, I was able to load the original files from a capture and reproduce the website by copying its files into my own local web server:

With that working I modified my hosts file to ‘trick’ the browser and redirect everything to the local host:

You can watch the exploit in this video. The browser opens up the page before crashing on the ‘cached’ US Department of Labor’s site. This currently affects Windows XP with Internet Explorer 8.

Microsoft has been informed and is looking into this vulnerability. Internet Explorer 8 is the most current version Windows XP users can update to, which makes this zero day a critical issue if it gets out in the wild.

If you have a second browser installed on your computer (Firefox, Chrome), I would strongly recommend using it until this gets patched. Again, this was a targeted attack that only affected few people but since the exploit code has already (inadvertently) been posted and is easy to find on various online resources, it is just a matter of time before it gets added to the mainstream Exploit Kits and does damage on a large scale.

About the author:
Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client and server side malware and a focus on web exploits research. He has built high interaction honey-clients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! websites.
Follow him on Twitter: @jeromesegura

A couple of months ago, I did an article on generic obfuscation techniques used to hide malware.  It continues to be no surprise that malware tries to hide using an array of techniques that are easy to implement.

I wanted to elaborate on one of those techniques I mentioned earlier, which was the exclusive or more commonly abbreviated “XOR” logical operation.  In computer science, XOR is a type of bitwise operation used to manipulate values, along with several others to include AND, OR, NOT, etc.  Back when I had my first lesson in Discrete Mathematics, I remember creating what is known as a truth table to help me better understand how these bitwise operations worked.  A truth table uses Boolean logic to compute the value of an expression—here is a simple one for an XOR operation.

XOR Truth Table

Input

Output

0

0

0

0

1

1

1

0

1

1

1

0

 
As you can see from the table above, the input values must differ for the result to be true.  If they are the same, the result is false.

Let’s try a practical example using the XOR operation.  This time we’ll XOR the letter ‘J’ with the letter ‘v’ and observe the results.  The first thing we’ll need to do is consult the standard ASCII table and see which numeric value corresponds to these two letters.

So it looks like a ‘J’ is 0x4A and a ‘v’ is 0×76.  A byte is equal to 8 bits, and a hexadecimal (hex) number is equal to 4 bits, therefore two hex numbers equal a byte.  If we convert 0x4A and 0×76 to binary we have 01001010 and 01110110, respectively.

Now, if you’re looking at the chart and are confused by all the numbers, you may need to brush-up on different numbering systems.  The numbers corresponding to the values here are actually all the same number, just represented differently.  Discussing various numbering systems is outside the scope of this blog, so if you need help understanding the difference, I suggest doing some research on hexadecimal first, since that’s what we’ll primarily be using.

Ok, now we can XOR these two values at the bit level, so let’s go ahead and do that.

01001010  (0x4A)
01110110  (0×76)
00111100  (0x3C)

Our result is 0x3C, which in ASCII is a less-than sign (<).  Pretty neat, huh?

A malicious approach
After reading the examples above, you might have been able to figure out that this same technique could be used as a simple form of encryption/obfuscation in malware.

In fact, most malware I look at nowadays has some form of XOR obfuscation. Whether it’s to decode strings, an embedded file, or self-modifying code, using the XOR operator is good at getting the job done.  Why is it used so much?  Well, when compared to cryptography, bitwise operations and rotations are much easier to implement while programming.

In this article I’m going to cover three examples where files have been obfuscated using an XOR sequence. These three scenarios will all use the XOR operation to obfuscate the malware, but all in different ways.  These obfuscated samples were all found in the wild and have all been identified as some form of malware.

Scenario 1:
I received the file below from a user on our forums and soon discovered something wasn’t right after opening it in a hex editor.

One skill that is useful to have when trying to decrypt a file is pattern recognition.  What is the pattern you see in the image above?  It’s also important to know file structure, especially for a Portable Executable (PE) file.  In some cases, knowing what a byte is supposed to be in its de-obfuscated form can be the difference in finding a reliable pattern or not.

If there is one flaw to using XOR to obfuscate your file, it’s that any byte you XOR with 0 stays the same.  Therefore, if you are going to XOR an entire file with the same byte, anytime you encounter a zero, that byte will then become the XOR key.

Ok, getting back to the point, this first one is pretty easy.  After examining the file it appears that every other byte needs an XOR of 0×33 applied, or a ‘3’ in ASCII.  The easiest way to fix the file is to write a quick script.  I like python, but you could use any language to do this really.  First I renamed the obfuscated file to malware and then I wrote the following code.

It’s a very simple script, and just reads one byte at a time until the end of the file (EOF) is reached, performing an XOR 0×33 against every other byte.  Below we have our decrypted file, which I just called ‘decode’.  As you can see, the decrypted file now looks like a normal PE.

It turned out this file was incomplete, which was kind of a bummer.  Nonetheless, it was still good practice and a good warm-up for what’s coming in our second scenario.

Scenario 2:
This next scenario is going to be a little harder than the first.  I received this file from a researcher, which was dropped by a web exploit.  Unlike most web exploits, this file was written to disk in an encrypted format.  I’m unsure if the exploit went wrong or this was intentional, but after some digging I found it used XOR obfuscation.

When we take our first look, we can immediately see that this is nothing like the first example.  Every single byte is obfuscated, and there are no obvious patterns here.

Since the file is dropped from an exploit and executed, we know it’s likely a PE, which means there should be several zero-value bytes littered throughout the headers.  There is one thing, however, that we can instantly rule out: it’s not a single-byte XOR value, like the first sample.  If it were, we would see the value repeat itself many times sequentially.

Let’s think about those zero-value bytes for a minute.  Recall that I mentioned any value XOR 0 is equal to that value, or in mathematical terms, x ^ 0 = x.  If we look at our decoded file from the first scenario, we see that the third row is nothing but zeros.  When observing the third row in our new file, we have the following values: 96 08 FA EC DE C0 22 84 66 58 4A BC 2E 90 72 54.  Let’s go ahead and search the entire file for this 16-byte sequence and see what we find.

As can be seen from the image, this pattern is found many times.  What can also be seen is a repeating pattern starting with 56 48 BA 2C, and then continuing to make a 128-byte sequence.  Now we’re onto something here; let’s perform a test and take the first 64 bytes of that pattern and try an XOR against the first 64 bytes of the file.  Bitwise operators like XOR are available in most hex editors you’ll find, including one my favorites, ICY Hexplorer.

We have a winner!  Now we just need to write a script and use our 128-byte pattern to decode our file.  I first renamed my file to malware128.exe and then modified my existing script, adding the byte pattern as a list.

This sample was a little more challenging, but still not too difficult.  Our last sample will be the toughest so far, so let’s move on and see what’s in store.

Scenario 3:
For the last scenario, we have something a little more unique than our previous samples.  Every now and then I perform a search on Virustotal to see if I can find any obfuscated malware that may have been uploaded by a user or perhaps a honeypot.  A few days ago I came across a sample that I found particularly interesting.  At first glance, I thought this file would be pretty easy to de-obfuscate.

If you followed the first two scenarios and understood them, you should instantly be able to recognize the 0×29 pattern here.  We’ll go ahead and XOR the file with 0×29 and we should be done.

Hmm…well that’s definitely not right.  I don’t see a DOS stub or a PE header here, but it does look like the zero values are in the right places.  So, we can conclude that zero values need an XOR 0×29 applied, but we’re still unsure about the rest.

After some further inspection, it’s easy to notice this file is a PE file, even though it’s obfuscated.  If you compare the format of this obfuscated file with that of the de-obfuscated one on our first scenario, you’ll notice the similarities in file structure; both might have been passed through the same type of compiler.

Remember, it’s useful to know what values are supposed to be de-obfuscated.  Now we can use a simple equation to determine what the XOR value is for some of these bytes.  Suppose we start with the string ‘This program cannot be run in DOS mode.’ that’s located in the DOS stub.  First we’ll decode the letter ‘o’, which in ASCII is a 0x6F (0xBA in our obfuscated file).

XORKEY = 0x6F ^ 0xBA
XORKEY = 0xD5

After some time I managed to start building a lookup table ranging from 0×00 to 0xFF.  For every byte I encountered in the obfuscated file, I placed a corresponding XOR value to retrieve the de-obfuscated byte.  Here is what I managed to find out after a little work.  Notice you can see the 0xBA value needs an XOR 0xD5 applied, just like we determined above.

If you look at the area I circled, you’ll see that the second hex value in the byte follows a pattern: 1155995511559955…and so on.  Using this pattern and a little trial and error, I managed to fill in the rest of the table and successfully de-obfuscate the file with another script.

The file turned out to be a Zeus Trojan, which is nothing unique.  However, we just learned yet another interesting obfuscation technique that we might see in the future.

Conclusion
While this article focuses mainly on the XOR operator, this is only the tip of the iceberg for binary obfuscation.  As aforementioned, bit rotations and other operators exist that can be used to hide data, but it’s safe to say that XOR is likely the most popular.  For more advanced malware, encryption like DES, RC4, or AES might be used, and if that’s the case, you’re going to need more help than the techniques in this article to break anything that complex.

Regardless, I hope this article has given you some additional insight on how exclusive or (XOR) obfuscation works.  As I hope you gleaned from this article, using the XOR operator is popular for obfuscation since it’s easy to use, does the job well, and offers flexible implementations.  Obfuscating malware using XOR techniques continue to be popular to avoid detection from Antivirus/Antimalware products and other network detection systems.  We can expect to see it used to hide nasty programs for years to come.

_______________________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques.  His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell

]]> http://blog.malwarebytes.org/intelligence/2013/05/nowhere-to-hide-three-methods-of-xor-obfuscation/feed/ 0 http://blog.malwarebytes.org/intelligence/2013/05/tech-support-scams-a-look-behind-the-curtain/?utm_source=rss&utm_medium=rss&utm_campaign=tech-support-scams-a-look-behind-the-curtain http://blog.malwarebytes.org/intelligence/2013/05/tech-support-scams-a-look-behind-the-curtain/#comments Wed, 01 May 2013 16:25:29 +0000 Jerome Segura http://blog.malwarebytes.org/?p=904 My previous post about fake support calls from Microsoft generated a lot of reactions. I was quite astounded by how many other people also had similar experiences and that this was still going strong. In this post, we will try to better understand how such companies operate and why despite so many complaints, they are...

Read more...

Categories:

• Malware Intelligence

Tags: exploitJerome SeguraMalwarebytestech support scams fake microsoftupdate

While no security solution will ever be perfect and cyber-crime will always exist, each individual plays an important part in “facilitating” or not the act of cyber-theft. We will take a look at the most common and efficient ways to safeguard your information and identity. If you want to share some of your own tips, please feel free to leave a comment.

Keep a malware-free system

One of the easiest ways to get your credentials stolen is by typing them from an infected machine. There are countless banking trojans and other key-loggers whose main goal is to capture logins and passwords and send them back to cyber-criminals.

The best defense against malware is a defense that consists of multiple layers rather than one that relies on a single solution. Keep in mind that having the same type of product multiple times (for example having several antivirus products) may result in your computer freezing or behaving poorly. Rather, you want to make sure each product covers a different area (i.e. virus/firewall/browser protection). By the way, our Malwarebytes’ Anti-Malware can be installed along side typical antivirus products and provide an additional layer of coverage.

An extreme solution to having a malware-free system is to use a Live CD where nothing is stored permanently and can be booted off the same every time. It is obviously a very inconvenient solution but some people do use it when banking online.

Use a secure Internet connection

It goes without saying that logging into your account should be done through a secure connection. While most (if not all) providers support HTTPS which encrypts your connection, hackers love to setup rogue WiFi access points where all your computer’s traffic will be sent through them. It is trivial to redirect you to a fake login page that looks like it is encrypted but really isn’t. You type in your password and it is sent in the clear right to them.

To increase the security of your connection when you’re on the go or even at home, you can use inexpensive VPN services that essentially encrypt your data and also guarantee your anonymity.

If, like most people, you have your own WiFi at home please take a few minutes to ensure it is not wide open to intruders. If your are using an old router, it is quite possible the technology it came with is now completely outdated. For example, the WEP encryption still in effect on many models is so weak that any script kiddie can break into your network with ease. Your WiFi network must be locked with a strong password and have a good encryption standard such as WPA/WPA2. To access those settings, look on the actual router for the default link and password (there’s usually a sticker with this information).

Authenticate by following best practices

Password

The traditional password remains the most used method to prove our identity. It is simple and quick for most of our needs. However there are many factors that make the password a security problem:

• we choose weak passwords
• we reuse the same passwords
• we never change our passwords
• we store or share our passwords in clear text

Following the hack on the Associated Press’s Twitter account, the Syrian Electronic Army hacktivist group published a tweet with what they say was the AP’s password:

It that happens to be true, well, it’s a very weak password. If you are looking for tips on how to make and manage great passwords, I recommend you read this article from fellow Malwarebytes blogger Joshua Cannell.

Two-factor authentication – a feature not currently available for Twitter – provides an extra layer of security by requiring an extra piece of information to validate your identity. Typically, it consists of an SMS message containing a temporary access code. Since it still requires the user to type in a code or PIN within their browser, it is susceptible to man-in-the-middle attacks. Put it simply, active malware will be able to intercept both the password and the code either through keyboard input or directly from the browser.

Another method called Out of Band Authentication requires two different channels to login the user. For example that SMS code must be sent back using the phone (second channel) rather than the computer. At the end of the day, it is still irrelevant to keyloggers and phishing pages which are simply waiting for the user to enter their information. We already addressed the malware issue earlier, let’s now look at phishing threats.

Recognize a phishing attempt

Criminals love to social engineer their victims because as humans we tend to believe what we hear or see and we most often follow what we are told. The other advantage is that social engineering goes above all traditional security measures which usually require more work to break through.

Phishing is one type of social engineering where the victim is tricked into giving out personal information on a fraudulent webpage. It doesn’t matter how strong our password is if we are going to spell it out to the bad guys. Phishing scams can be targeted to a particular individual or company, in which case they are called spear phishing scams, or simply spammed out to millions of people with the hope that a small percentage of them will be tricked.

There are usually two components to a phishing attack:

• an email that acts as the social engineering piece
• a webpage that collects the information and sends it out to the bad guys

Both are usually very well crafted and look like the real thing. Various techniques are used to confuse people (legitimate looking links, replicas of the actual websites, etc.)

Tips like looking at the address bar are a good starter but not enough, especially when more and more people use mobile phones where the address bar is too small to fit an entire URL. One technique that works well is to think for one second before entering any type of data online and ask yourself: “Did someone or something asked me to log into my bank/email/Twitter/Facebook?” If the answer is yes, you really need to think twice before going ahead.

Set up a strong primary email account

Email is one of those things we have been using for so long that we almost take it for granted. It is also often a central point where many of our other online accounts report to. For this reason it can be a real pain or nightmare if we lose access to our email or if it gets compromised.

Many people don’t trust that their personal information will be kept secure and therefore often use fake data to register an account. While in itself it is not a bad idea for your own privacy’s sake, it can lead you into some troubles if one day you need to recover your account and one of the questions is for instance, your birthday… something that way back then you filled in completely randomly.

Additional information (phone, second email)

Don’t forget to update your alternate email when it changes! Because it is one of these settings that gets buried deep, we often forget to check it is still current. A classic scenario is when you’re locked out of your account and it wants to send a recovery link to your other email address at the company you no longer work for, oops…

The (in)famous security questions

This is perhaps one of those security measures that can make you less protected than you were to begin with. While a lot of emphasis is put on the password and how it must be long, contain numbers, special characters, etc… nobody really seems to care that the same logic is not applied to your security questions and answers:

In other words these security questions are just too basic and a little bit of googling about you might just reveal all these answers.

Instead I suggest that you create your own question which can actually demand multiple answers (and why not use special characters in there too?). Or you can just try to be a little more creative.

Important emails, documents

We often use our emails to store financial documents, other important data and, heaven forbid, passwords! And with pretty much unlimited storage we don’t really think about ever deleting anything. It is much safer to encrypt these documents and store them somewhere safe out of your inbox, or if they are no longer needed, to delete them.

Remember that the service provider can fail you too

Despite all the added precautions you may have taken, your account could still get hacked. Yahoo! has been in the spotlight for having several security flaws in its webmail client that lead to thousands of accounts getting compromised. Some reports say that the user had to click on a link in order to get hacked, through a cross-site scripting (XSS) attack, while others suggest that accounts were hacked with no user interaction required. I had an old account which I had no logged into for several years and that started sending out spam about a month ago.

When I logged in, I saw several messages in my Sent folder, all with the same format: a single link in the message’s body.

Looking at the email headers I could confirm I never sent those messages because they came out from an IP address located in Malaysia:

The hackers sent out spam to all my contacts and that is in fact how I found out about this. One thing I learned is “if you don’t use it, get rid of it”, in other words a dormant email account can still represent a threat if it has your contact information as well as some of your personal data.

Something you can do (so that at least your friends are not the first to tell you your account has been hacked) is to add yourself to your own contact list. The spammer might just blindly email everybody on there and receiving emails from yourself should tip you off.

Another feature you can check every now and again is your account activity in Gmail, Yahoo! Mail. All logins shown in there should be from your own computer and IP address. Anything else would be suspicious.

 Do damage control

If your account has been hacked, you need to act promptly before more damage is done. One of the things to do is lock out the bad guys before they get a chance to do the same to you. Change your password and security questions immediately from a clean computer or device you trust (an active malware infection could just capture the new password again and again). Find out if your contacts have received email from you that appeared suspicious and let them know you were hacked. If they did click on links or open attachments from you recently, there is a chance they got hacked too.

Don’t stop here as most likely the bad guys didn’t either. Check all your other accounts and update them accordingly. If you are using online banking or do other transactions you will want to keep a watchful eye on those as well.

Share your experience. There is no need to be ashamed and keep that to yourself. Do the right thing by admitting to the facts if you did indeed make some mistakes and draw your own conclusions. The more people know about these things the better we all are. While security practices and technologies aren’t perfect there is no excuse for shooting yourself in the foot by not applying them.

About the author:

Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client and server side malware and a focus on web exploits research. He has built high interaction honey-clients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! websites.

Follow him on Twitter: @jeromesegura

URGENT:
Despite a recent critical patch to Java SE, Polish security firm Security Explorations released details of yet another Java vulnerability.  Adam Gowdiak, a researcher from the firm provides a full disclosure of the exploit here.

Submission of Issue 61 to Oracle

 
ACTION:
Same routine here, users should disable java in their browsers using the following instructions (courtesy of Sophos):

• Disable Java in Internet Explorer
• Disable Java in Firefox
• Disable Java in Chrome
• Disable Java in Safari
• Disable Java in Opera

Also, due to recent security flaws with Java, users might consider removing Java temporarily if possible, at least until security improves.

DETAILS:
Gowdiak explains that this issue, dubbed as Issue 61, allows a complete sandbox bypass and affects all versions of Java SE 7, including the new Server JRE.

Security Explorations was also the firm that discovered Issue 54 and 55, as mentioned in a previous advisory back in March.  In the disclosure from yesterday, Gowdiak explains his surprise that Reflection API vulnerabilities are still being discovered one year after the firm’s initial report to Oracle.

While untrusted Java code requires user interaction to execute, some software vendors have made moves to suggest that isn’t enough to protect the end user.  Apple’s growing concern over the security of Java has prompted the company to release an update for their Safari browser, now allowing the user to specify which websites allow the Java plugin.

Clicking “Manage Website Settings” allows users to specify which sites allow Java.

 
Hopefully this will be taken care of quickly with a patch from Oracle, who has yet to release any official statement on this vulnerability.  In the meantime, make sure to disable Java and stay tuned for any updates.

_______________________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques.  His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell

During the course of your life, there are many times when you have to prove who you are.  Whether it’s applying for a loan, getting your driver’s license, or signing into your email account, a process has to occur to “authenticate” your identity.  Otherwise, anybody could be you.

In the 21^st century, we’ve seen a sharp increase in Identity Theft, a term you’ve probably heard a lot in the media.  The idea of pretending to be someone you’re not is nothing new, but in the digital era, fooling a computer is a little easier than your bank teller.  The problem has become so prevalent that companies have emerged dedicated solely to fighting identify theft related crimes.

Companies like LifeLock had emerged amidst the increasing amount of Identity Theft.

 
When it comes to your digital life, passwords hold the keys.  While new technology emerges like biometric scanners and smart cards, the password is still the most commonly used form of authentication since it is both cheap and easy to implement.  Over the years, you’ve probably used a password for virtually all of your online accounts, from your Facebook account, your personal email, and even your bank account (and probably the same password for all of them).

Considering this, it’s no surprise that, since your passwords are so valuable, they’re highly targeted by hackers and malware.  News reports develop almost daily of security breaches where passwords are stolen from private database—just a few days ago, in fact, the co-founder of the infamous “Pirate Bay” bit torrent site was charged with hacking crimes in Sweden, where personal data was stolen from several companies.

In addition, programs like keyloggers are often packaged into much of today’s modern malware to record a user’s keystrokes while using a computer, often for the purpose of obtaining passwords.  With the danger of drive-by downloads, this kind of malware could be installed to your computer without your prior knowledge or consent.  What’s more, there are several password “cracking” programs in existence that use several techniques to brute-force weak passwords.

Cain & Abel, a popular password cracking tool.

 
So what can you, the user, do to protect yourself?  This blog post will talk about password security from all angles, and give you the best tips at protecting your private information.

Step 1: Use a strong password
You’ve probably tried to register an account online before and had the system return with a message that your password isn’t strong enough or doesn’t meet the complexity requirements.  You then might have become frustrated and added “123!” to the end of what you had.  I know I’m guilty of this.

The problem most of us run into is we can’t remember these convoluted passwords.  In fact, some of us resort to keyboard patterns or familiar movie names to help us remember, but that isn’t really going to make your password any “stronger” as it’s vulnerable to shoulder-surfing (someone else watching) and password tables often guess them.

Creating a strong password can seem difficult at first but there are tools available to make it easier.  For instance, go to http://howsecureismypassword.net/ and type in a password you might consider using (don’t worry, it’s safe).  If your password can be cracked instantly or in a short amount of time, it may be time to change it to something more complex.  Try to remember the following when creating your password:

-          Make it long (at least 12 characters)
-          Use numbers, and maybe a special character
-          Consider making random letters in your password uppercase
-          Use words that are memorable to you, but nothing others could easily guess.

Step 2: Change your password periodically
Before getting involved with computer security, I used the same password for years (“taco” to be exact).  Not only was it an extremely weak password that could be cracked instantly, but having a password on my accounts that never changed made them more vulnerable to attack.

A lot of network administrators enforce this by having network users change their passwords every 30-90 days.  This has been considered a security “best practice”, because in theory, your password will be harder to guess or crack if it’s constantly changing.

Unfortunately, this technique isn’t going to help you much if your password is compromised, as some password crackers don’t need much time to brute-force most common passwords, as research suggests.  However, it’s still considered a good idea to change your password at least once a year to keep it changing and therefore slightly less vulnerable.

Step 3: Use a unique password for every account
We both know that you’re likely using the same password on most if not all of your accounts.  As a matter of fact, it’s probably a safe bet that if I had your email password, I’d also have your bank password.  The obvious problem with this is when one account becomes compromised, all of them do.

On the other hand, you may have a lot of online accounts; I can count at least 40-50 that I have.  The issue of remembering this many passwords then come into play.  Sure, you could always write them down on a piece of paper and keep it somewhere safe, but what happens if you lose it?  You’ve then lost access to much of your digital life.

The next step in this process will give you a sigh of relief as we discuss a tool used to manage all of these passwords.

Step 4: Use a password manager
If you’re dreading the thought of remembering all of these complex passwords, consider trying a password manager.  A password manager is a piece of software that helps you organize your passwords.  A big benefit to using this kind of software is that you can store your passwords in one location, and then access them all using your “master password”.  This way, you only need to know your master password and you know now have access to all of your passwords.

Roboform is a great password manager with lots of features.

 
In addition, most password managers have an “autofill” option that automatically fills out web forms on your favorite web sites.  This can be useful if you shop online frequently and don’t like to store your personal information on external servers, but would rather enter it every time.  This sort of feature also protects you from phishing scams, as the password manager will remember the site it needs to autofill and will not work properly if the site doesn’t match.

Password managers also have some drawbacks.  While it may seem convenient to only remember one password to access all of your accounts, this also means your master password is highly sought after by prying eyes, and the results could be devastating if all of your accounts are suddenly compromised.

Even still, password managers are a viable choice by many in a world where we have an account for nearly everything online.  If you’re going to use a password manager, consider the following:

-          ALWAYS use a Password Manager that encrypts your passwords
-          Ensure your master password is both complex and long, impossible to brute-force
-          Do not disclose your master password.  Ever.
-          Protect your computer from malware that could obtain your master password.

Step 5: Consider two-factor authentication if available
In the case of computers, two-factor or two-step authentication requires a password as well as another piece of information to prove you are who you say you are.

Two-factor authentication has become more popular in recent years as more passwords are compromised and another layer of defense is needed to protect users and their personal data.  The second factor can be various things; you may be asked for a special pin number, or a special code may be sent to your cell phone.

2-step verification advertised for Google accounts.

 
Two-factor authentication is a great solution for many, but some might consider it inconvenient.  For example, your workplace may not allow you to bring your phone inside, and your email requires your phone to sign-in.  In addition, two-factor authentication is still susceptible to man-in-the-middle (MITM) type attacks where an attacker may acquire SMS messages containing authentication codes, although this is less likely to occur.

Step 6: Protect yourself from Malware and other attacks, now and always
On a final note, taking the time to create a strong password won’t matter much if you’re infected with malware that targets them.  Unfortunately, no password is “too tough to crack” for a keylogger.

Every computer needs to have ample malware protection.  The malware of today can not only log your keystrokes, but take screenshots of everything you click, defeating protection tools like virtual keyboards, designed to protect against keyloggers.  In addition, hackers often install backdoors onto compromised hosts so they can revisit their victims, oftentimes bringing password cracking tools with them in an attempt to crack other passwords on the network.

The bottom line: protect yourself.  The passwords we use every day safeguard much of our private lives, so take some time to make sure they’re strong enough to withstand an attack.  I hope this article has given you a better idea of how to protect yourself and your personal data, be careful out there!

_______________________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques.  His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell

With that said, I’d like to take a closer look at what we’ve done to prevent false positives in the future.

1. We’ve installed a false positive shim server. This server will have virtual machines running a wide range of different configurations and operating system versions, to mirror the range of setups our customers run. Before an update gets pushed out, it will be tested on this server, on every configuration. If a false positive is detected, it will prevent our research team from uploading a database update.

2. We’ve modified the tools that compress and encrypt our definition updates. The false positives on Monday were not traditional, they were caused by a corrupted file that our encryption tool did not flag. We’ve made immediate changes to the tool and are testing it with a roll-out date to the entire research team by the end of the week.

3. We’ve started hiring for our support team. While I am proud of how our support team handled the situation, they were, and still are, very overwhelmed. We realize that Malwarebytes needs to scale proportionally as a team and the support team needs more members. We’re going to reach out to our community and hire additional forum members as well.

4. Phone support has been on our plate for quite some time. We’ve been exploring several different options and approaches. This incident has opened our eyes to how important this really is and we’re taking all the steps necessary to make it happen.

We remain fully committed to providing the top quality products you expect from Malwarebytes and to earning and keeping your trust.

Marcin

The emails come with a subject line such as “Aftermath to explosion at Boston Marathon” or “Explosions at Boston Marathon” and a single link in the form of an IP address and a html document called news.html or boston.html.

 Spam #1: using news.html

Spam #2: using boston.html

 If you click on the link, it will open a page with multiple YouTube videos of the Boston bombings:

‘Bait page’ with real videos

While this appears legitimate, a malicious iframe silently loads a nasty payload:

Last iframe is unlike the preceding ones…

Let’s take a look at the infection scenario with this Fiddler capture:

1. infected link with Boston bombings videos
2. several YouTube videos
3. malicious iframe (waiq.html)
4. Java exploit 9ns.jar
5. malicious payload (22.html)

This drive-by download uses an Exploit Kit known as Redkit, and the particularity in this case is that it combines two malware payloads (read Redkit does the splits for more info on this). Two files are extracted from this exploit: alifna.exe and coppe.exe (both of them are already detected by Malwarebytes Anti-Malware).

A couple of minutes after watching the YouTube videos, a newly installed program called System Care Antivirus will take over your PC:

System Care Antivirus: don’t let its name fool you, it’s a scam! 

This type of program is known as Fake AV and its purpose is to scare the user with messages like “Warning! Infections found”, “system crash” and get them to register and pay for the bogus software. The scare tactics go even further by disabling core applications and obstructing regular web browsing:

 Since when is Google a malicious site?

For instructions on how to get rid of this and similar rogue antivirus programs, feel free to check out this guide.

As mentioned, we collected a lot of unique IP addresses all leading to this exploit:

While some are hosted in places that would raise a red flag (the Ukraine, Bulgaria, China), there are also some in the US. As far as the Exploit Kit landing page itself, the one used in this particular blog post was hosted on a legitimate website running WordPress.

Another tragedy happened in Texas and the bad guys shifted their attention to it. The same email campaigns are now themed “Texas plant explosion”:

We cannot stress how important it is to be extremely cautious with links within an email. When such a tragic event occurs it’s easy to forget the basic security principles and fall for this dirty trick. The bad guys will use anything they can to spread their malicious creations to make money.

About the author:

Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client and server side malware and a focus on web exploits research. He has built high interaction honey-clients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! websites.

Follow him on Twitter: @jeromesegura

I want to offer my sincere apology to our millions of customers and free users. I started this company because I thought everyone was entitled to malware-free computing. We acted overzealously in that mission and realize far superior procedures around updating are needed. More was expected of us, and we failed.

So what’s my promise to you? Working day and night, we are commissioning several new resources to stop this from happening again. We are building more redundancy to check our researchers’ work and improving our peer review.

Here’s what we’ve done to address the issue. We immediately wrote a tool to fix the issue and published instructions on our forums. If you are affected by the issue, please visit the page. If you need assistance or are uncomfortable performing the fix manually, please contact our support team. We have our entire support staff answering tickets feverishly. Tickets are being answered within an hour, and we will reach out to you by phone if e-mail support is not enough.

Please, once again, accept an apology on behalf of our entire company. Let’s get you fixed up and back to a malware-free existence!

Marcin

Moving from a tiny, overly-crowded office to the shiny new Malwarebytes headquarters overlooking downtown San Jose has been pretty sweet, I must say.

Though technically, we’ve been in this new office building for almost three months now, I guess it’s not official until you do a ribbon cutting of the new digs with the Mayor of Silicon Valley.

With the bustling and vibrant downtown area as the backdrop, San Jose Mayor Chuck Reed officially welcomed Malwarebytes as part of the city’s downtown community this past Thursday.

“We’re excited for Malwarebytes to move to downtown San Jose,” said Mayor Reed. “Downtown is an exciting place with lots to do. We’re working hard for businesses so that companies like Malwarebytes could succeed here.”

As part of the ribbon cutting ceremony (giant scissors and all), the San Jose Chamber of Commerce presented us with a letter of congratulations and a plaque.

“We’re excited to be a part of the downtown San Jose business community,” said Marcus Chung of Malwarebytes. “We’d like to thank the millions of customers around the world who have supported us. Without them there is no us.”

As part of the ceremony, Malwarebytes also donated back into the community by presenting The Tech Museum of Innovation with a donation in the form of a comically over-sized check (not to be outdone by the scissors).

Following the ribbon cutting and photo ops, city officials were invited into the office to tour our new HQ and indulge in some cupcakes and bubbly.

We have worked very hard and are excited for more growth.

These telephony scams have been going on for many years and scammers keep robbing innocent people sadly because their success ratio is still worth their time and effort. It happens that I got ‘the call’ while minding my own business on a regular work day. I immediately recognized what this was all about and decided to play the game to see how far this would go.

The caller’s number did not appear on my phone, a sign that they were using some Voice over IP (VoIP) or such technology that both completely hides their identity and costs them nothing for long distance calls.

This scam is a well-oiled machine which starts off with the alleged Microsoft representative asking you to turn on your computer to perform some checks for errors. They essentially make you open different applications which aren’t typically known by regular users.

Step 1: scare tactics 

I was instructed to press the “Windows” and “R” as in Robert keys together to get to the Windows Run dialog box. They then made me type a few more keys to open up Window’s Event Viewer:

Figure1: Run dialog and command to open Event Viewer

Figure2: Event Viewer showing typical errors

Conveniently, the event viewer will always show some warning or error which the scammer can leverage to instill fear. “You can see it in your own eyes”, she continued before asking me to count how many I could see. While we could have stopped right there, she was intent on pursuing the diagnostic further.

Next stop was Windows Prefetch files:

Figure3: Windows Prefetch files

The interesting thing about this is that she called those files spyware and viruses so we went from my computer having some errors to being infected. Yet another lie, as those Prefetch files are simply used by Windows to launch programs faster.

Bad things come in threes, as I was now instructed to open the “System Configuration Utility”, also known as msconfig.

Figure4: Msconfig showing services

She made me focus on the status of each Service and asked me once again to count how many “stopped” ones there were. When I gave her a ball park number, she retorted: “You are just guessing, I want you to count”.

At this point I was ready to beg her to stop and she seemed to think it was enough convincing, that I was ripe enough to move on to the next step. She kindly asked me if I wanted to remediate all these problems and I accepted it. Other than the blatant lies, she had not been too pushy and to her credit gave me the option to decline assistance.

Step 2: the “intervention”

The next part consisted of getting a remote person to fix these “issues” for me. To give them access to my computer I had to download a program called TeamViewer which is totally legitimate software used by many companies and individuals to remote into somebody else’s machine.

Figure5: TeamViewer, a free program to remote into computers

At this point she asked me for the ID and password before telling me she was going to transfer me to her supervisor. I believe this next person’s role is to process victims and to ensure payment goes through. The man on the phone also had a thick Indian accent and sounded quite professional. He told me a remote technician (which quite likely was also him) was ready to get working on my computer but he could not proceed until I actually instructed him to. I think this might be another technique used to cover themselves, as in I willingly asked them to help me. I felt like asking if I should say “open sesame” but instead I refrained from a cheap joke at their expense and asked what the secret word was. He told me to type “renew my warranty” to the technician.

Figure6: Once the magic words have been spoken, it all goes downhill..

‘Sean the technician’ was more than eager to help me but the first thing he did was to open my browser to PayPal’s website so that I could pay the required lifetime fee of $299.

Figure7: A happy scammer ready to go to work

Figure8: they want real money!

At that point, I decided to change my mind and no longer wanted to pay so much money for such a ridiculous scam. So instead I entered a wrong Credit Card number to buy some time.

Figure9: (Un)fortunately, I can’t seem to type my Credit Card number right

After a few other failed attempts I could see the guys were starting to lose patience and then, out of the blue, something very bad happened. Without saying a word, the “remote Microsoft Technician” minimized the PayPal window and took on a mission to destroy all my personal files:

Figure10: Scammer crosses the line big time, deletes all my pictures, documents, music

I could not believe my eyes. He went on exploring directories in search of other things to remove as fast as he could. When he could not find anything else worthy he could delete, he typed his last message:

Figure11: They seem upset that I wasted their time

Before completely disappearing he did do one last thing, which was to remove the driver for my ethernet card. This achieved the expected result of completing cutting out my Internet connection.

Figure12: Cutting me off, the hard way

As this happened, I was still on the line with the “supervisor”, one of the scammer’s identity, to whom I recounted what had just happened. I’m not sure whether it was the language barrier between I (a French man) and him but he solemnly said: “if the technician says something, it must be right. The technician is always correct”. Shortly after, the line was dead.

Unlike many other people (who turn the tables against the scammers by wasting their time) I had entered this phone call with a nice and open state of mind. I wasn’t going to play tricks on them or make fun of them. I just wanted to see for myself how the scam was conducted and learn more about it.

Having seen my fair share of deceptive marketing practices and software over the years, I can say a personal phone call is probably one of the cruelest tricks to play on an innocent victim. It is far too easy to fool someone by showing them “errors” and label them as extremely severe. With a sales clerk in a computer store one day trying to teach me what viruses were and why I so badly needed to purchase an antivirus, this experience ranks high up there in the “you don’t have a clue who you are talking to” category.

While they may legally be walking a fine line with all their sweet talking and magic passphrases, they crossed that line when they deleted documents on my computer and sabotaged the Internet connection. This is destruction of private property plain and simple. At the end of the day, I haven’t really lost any documents since this was a Virtual Machine and not an actual computer. One thing I lost though, was my faith in mankind, not that there was much of it left anyway.

Since these scammers use all sorts of tricks and fake identities, one of the best ways to ruin their business is simply to make it unworthy by spreading the message around so people don’t fall for these scams. Easier said than done because it is touching on things like human nature, social engineering, fear and scare tactics: basically things that have worked for thousands of years. But even if we can make a dent in their profits, let’s do it!

I’ve recorded this scam and uploaded it to YouTube. A minute into the call, I fired up a VM, put the phone on speaker mode and captured everything that was happening.

About the author:
Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client and server side malware and a focus on web exploits research. He has built high interaction honey-clients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! websites.

Follow him on Twitter: @jeromesegura

Looking at the reasons to use a proxy will help us further on, when we look at the different kinds of proxies, and related methods. The most common reasons are:

• To hide your identity or location
• Speed, web proxies are commonly used to cache web pages from a web server
• Saving bandwidth for downloads, in cases where more users go through the same proxy to get the same files
• Usage logs, the proxy server keeps track of who goes where
• Security, the server scans the content for malware
• Other filters, in- and outbound

With this in mind we can have a look at the types of proxies.

A proxy server handles several clients. When these clients are unaware of each other and everyone is free to use the proxy server, we call these open proxies. Using an anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services. But here you still have to be careful, because there are levels of transparency in open proxies. Some proxies are transparent and will reveal your IP to the visited sites. One level up are anonymous proxies, that will not reveal your IP, but they do identify themselves as proxies and are therefore banned by some sites. Even stealthier are the distorting proxies that hide your IP and don’t reveal that they are proxies.

When the clients are organized in a closed network, for example in a company there are also several types in use:

• A proxy server that does not change the content is usually called a gateway or sometimes a tunneling proxy. A gateway server usually separates an enterprise network from the outside network and can be supported by a firewall, security software, administrative control and a caching service.
• A forward proxy handles the requests of the clients and forwards it, from the point of view of the internet service, it is the proxy server that issued the request, not the client. So when the server responds, it addresses its response to the proxy. This in turn forwards it to the client that made the request.
• A reverse proxy works more or less the other way around. It is easiest explained with the example of the employee out in the field requesting data from the company servers.  The employee sends his request over the internet to the proxy server, which looks up the requested information on the company servers and sends it back to the employee (preferably encrypted).

Content filters

As listed earlier, content filters are one of the reasons that proxies are used. The common use of a corporate gateway  is adding security and sometimes caching sites that are frequently visited by several clients. You can imagine the server having filters and on-the-fly scanners to take away the need for extra security software on all the client computers.

On the other hand an open proxy can just as easy be used by one of the clients to circumvent the filters that are active on a company gateway. By connecting the clients computer to a proxy the gateway cannot  ”see” that the client is visiting prohibited sites. From the gateway point of view the client is connected to an IP that is allowed. In reality that IP is the proxy the client is using to surf the internet.

If you are travelling or living in a country with strict censorship rules or wish to use a proxy often for other reasons, then it would be advisable to install proxy server software or a VPN (virtual private network) on your computer. A VPN protects your data and identity over the Internet. Various protocols are used to create an encrypted tunnel that transports data securely. VPNs are commonly used when using public WiFi hotspots, common in airports and hotels, these are potential leaks because they offer streams of visible data waiting to be mined. Using a VPN keeps your information secure. And they offer you the option to access websites only available to users from a certain country.

Finding suitable, reliable and fast proxies everyday can be a hassle and proxy server software or a VPN can take care of that for you. Consider for example CyberGhost, user friendly and works like a charm. Originally VPNs were designed to link together LANs and workstations outside the main LAN belonging to one company.

So basically this type of VPN uses the internet to connect several computers and closed networks, but it adds security to the connections. You can find more technical details on the Cisco site.

But “It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.” This statement came from HideMyAss, after they provided logs about the lulzsec hacking group to the FBI. And it would be wise to heed that warning. If you intend to do something illegal, you’ll have to go through more trouble than simply use a third party VPN service, free or paid.

And then there is TOR.

TOR is a service that depends on the “strength in numbers” principle. It is like jumping from a bus into a taxi to the train-station. Shaking of pursuers (traffic analysis) by using random hops. The intermediate stations are unaware of the original sender and the final destination. After mapping out the route when the original request is made, the circuit is extended one hop at a time, and each relay along the way knows only which relay gave it data and which relay it is giving data to. No individual relay ever knows the complete path that a data packet has taken. And the content of the traffic is encrypted. For efficiency, the Tor software uses the same circuit for connections that happen within the same ten minutes or so. Later requests are given a new circuit, to keep people from linking your earlier actions to the new ones.

A great guide on how to install TOR can be found in an earlier blogpost by Adam

Whichever method you decide to use when the need is there, remember that with the complexity of the method, the price you pay is in the speed of your connection.

Summary: this article describes the reasons for using proxies and the different types. It also discusses some more advanced techniques for hiding your identity or location online.

Sources:

http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/

http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy

https://www.torproject.org/about/overview.html.en

The below screenshot shows the Redkit Exploit Kit in action:

Let’s dissect it step by step:

The landing page:

Very basic code that references the malicious Java applet and points to the Application class.

The Java exploit:

CVE-2013-0422 and CVE-2012-1723 were spotted within the jar file.

The (encrypted) payload:

What appears to be a singled encrypted file (setup.exe being a bogus name anyway) is not. Instead of having a single payload, we have two binaries:

C:\Documents and Settings\user\Local Settings\Temp\sjskstrk.exe
C:\Documents and Settings\user\Local Settings\Temp\deruaeru.exe

The first clue we got came from a file size discrepancy. Seeing an encrypted payload is not unique but usually the file size matches the dropped binary. The other clue was that we had two drops on disk but only one point of origin.

sjskstrk.exe: Size on disk 94,208 bytes
deruaeru.exe: Size on disk 45,056 bytes
28.html: Size on disk 139,264 bytes

A little math confirmed our suspicions:
94,208 + 45,056 = 139,264

The split happens within the jar file itself, in a class where we see the two (unobfuscated) strings that correspond to our file names:

The bytes from each file are read and then split:

The files are finally executed:

What do we know about the two malware files dropped by this exploit?

sjskstrk.exe is a Urausy, a particular type of Ransomware that asks for a $300 payment to unlock the computer. If the victim is in the US, the following screen will be shown:

deruaeru.exe is a Karagny Trojan Downloader. This one will call the mother infrastructure for instructions:

It could deliver all sorts of payload (banking trojan, spambot, etc).

Both files are detected by Malwarebytes Anti-Malware:

Conclusion:

The malware author willingly chose to package the malicious jar with those two different payloads. Of course this could have be done using separate exploit pages but why bother when you could do it all in one go.

This approach also shows new possibilities to package malware in a way that could evade detection and bypass traffic signatures.

About the author:

Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client and server side malware and a focus on web exploits research. He has built high interaction honey-clients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! websites.

Follow him on Twitter: @jeromesegura

As researchers find more security flaws in Oracle Java, the software continues to be used for exploitation and malware delivery.  This year has been a shaky start for the cross-platform web technology, where it seems the number of documented vulnerabilities is hard to number.

If you recall in January, we saw a zero-day later found to be responsible for intrusions into companies like Microsoft, Apple, Facebook, and Twitter.  Then in February, after seeing a Java patch with over 50 security fixes, reports surfaced thereafter that Bit9 was hacked using a separate java zero-day.  Even still in March, an emergency patch was issued to address even more vulnerabilities.

Because we’re seeing java used more in malware, it’s important for researchers to know how to analyze and understand java code.Let’s take a look at one java archive (“jar”) we’ve seen in the wild that not only contains multiple exploits but also has an encrypted malware payload.  This sample was provided by Malwarebytes researcher Jerome Segura and is called “sexy.jar”.  The landing page, “sexy.html”, loads the jar as an applet and points to Q.class, a Java class file within the jar.  To get more details on this, check out Segura’s blog entry on this here.

It’s important to understand that a jar is essentially just a zip archive, a file-format you’ve probably seen since you started using computers.  Inside the archive are various things, most important of which are class files, or compiled java bytecode.  This bytecode is executed within a Java Virtual Machine (JVM), part of the Java Runtime Environment (JRE), a term dubbed by Oracle describing Java’s execution environment.  Many of you with Java installed on your computer use the JRE every day when you visit your favorite websites.

In order to streamline analysis of java class files, we can use a popular tool known as a Decompiler, which attempts to decompile programs into their original source code.  The Java Decompiler project offers a graphical utility called “JD-GUI” for displaying Java sources, and is my personal favorite and one of the best in the field.  Another great tool for those who prefer the command-line is JAD, which essentially does the same thing and can be found here.  Both of these tools are available on Windows, Mac, and UNIX-based systems.

Analysis
Let’s go ahead and take our jar and decompile it using JD-GUI.  After that, we can view the code statically and attempt to understand what’s going on.

When we load sexy.jar into JD-GUI, we see a package called “game” and six class files, along with another file titled “sexy”.  As I mentioned before, the “Q” class in the jar is loaded as an applet, which will reference other packaged class files throughout execution.  The file labeled “sexy” contains an encrypted malware payload that will be dropped to the disk and executed.  This is not a traditional approach as a jar usually doesn’t contain the malware itself.

You’ll instantly notice that all the strings are part of the “O” class.  These are all encrypted using rot13, a simple substitution cipher that I talked about here.  You’ll notice that every string declared in this class is first passed through the rot13 function at the bottom of the code.

Here are the decrypted strings used in this jar:

J
1.7
java.security.AllPermission
com.sun.jmx.mbeanserver.JmxMBeanServer
javax.management.MBeanServerDelegate
declaredMethods
game.N
oZroFxLCOA4Vi6ck_oH
getMBeanInstantiator
add
java.security.CodeSource
java.security.ProtectionDomain
set
java.io.tmpdir
oZroFxLCOA4Vi6ck_oH
sun.org.mozilla.javascript.internal.GeneratedClassLoader
file:
javax.management.MBeanServer
oZroFxLCOA4Vi6ck_oH
com.sun.jmx.mbeanserver.MBeanInstantiator
sun.org.mozilla.javascript.internal.Context
XrwfQ_w.exe
G
java.version
aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b...
java.security.cert.Certificate
java.io.tmpdir
com.sun.jmx.mbeanserver.Introspector
java.security.Permission
findClass
os.name
Windows
P
java.security.PermissionCollection
GWiL2S.exe
java.security.Permissions
elementFromComplex
newMBeanServer
oZroFxLCOA4Vi6ck_oH

The jar uses two exploits against the JVM to run the decrypted payload: CVE-2012-0507 and CVE-2013-0422.

CVE-2012-0507
The CVE-2012-0507 exploit is attempted first, implemented in the C and Z classes.  CVE-2012-0507 is a vulnerability in the JRE that occurs because the AtomicReferenceArray class does not check if an array is of an expected Object[] type (you can read more about this here).

The C class contains a long hex string (as seen above) that decodes to methods used for the exploit.

Eventually the “Z” class creates a new class during runtime (game.N) to drop the malware in %temp%\XrwfQ_w.exe

The new class first has to be decoded in the “W” class XorDecrypt function; this takes a large encrypted bytecode array called encoded and decrypts it as the “N” class.

Finally we can see the file is decrypted and dropped within the “N” class, using the dropFile function.

CVE-2013-0422
The second exploit, CVE-2013-0422 is called if you’re running Java 7 and is implemented in the T class.  The exploit uses a private mBeanInstantiator object and the findClass method to reference arbitrary classes, which in this case is also our embedded “N” class.  If the jar takes this exploit route, the payload is dropped in in %temp%\GWiL2S.exe

Debugging an applet
In some situations you might want to see things dynamically as they execute instead of the plain static view.  This can be accomplished with our jar by debugging it as an applet.

Debugging a jar isn’t as straightforward as a native system binary, like an EXE.  One of the best methods I’ve found is using the Eclipse IDE for Java Developers to step through the code.  However, if you’re going to take this route, you’re going to need to do a little prep work.

First we’ll need to overwrite library files in the JRE install directory with those from the Java Development Kit (JDK), a tool used to assist Java developers.  We need to do this because the library files in the JDK are compiled with debugging information that you’ll need to step into core java classes.  Here are the steps to do this:

• Backup the .jar files from JRE_HOME/lib
• Download and install a JDK for the SAME VERSION as your JRE.
• Copy the .jar files from JDK_HOME/jre/lib to JRE_HOME/lib

Once you’ve completed this step, you can launch Eclipse and create a new project.  You’ll want to set it up in a similar way to the jar you’re analyzing (in this case, a package called game and all the java sources inside).  Here is what mine looked like below.

Next you’ll need to build a Debug Configuration for the applet.  Make sure that you pay attention to any parameters the applet might need to execute properly (in the case of this jar, there are 3).

Now you need to set a breakpoint in your code and you can start debugging.  Also, you may need to add java source files to your project’s build path if you want to step into java system libraries and observe that code.

Notice how I’ve taken a few steps in the code and already retrieved the OS name, Java version, and some parameters.  I can continue to step through the code and terminate the applet when desired.

Conclusion
I hope this article gave you a better understanding of the java exploitation landscape.

Understanding how to analyze java code is necessary as the web technology from Oracle continues to be exploited; there’s no doubt we’ll continue to see jars used in malware, as well new techniques like embedded class files and encrypted malware payloads within the jar to keep researchers on their toes.

With some practice and prior programming knowledge, most java code can be understood when viewing decompiled source code.  Debugging is always an option too, but the setup time can be lengthy, so it may not be worth the effort in some cases.  If you do end up choosing this route, remember to do so in a secure, isolated environment, like a Virtual Machine, to prevent malware infections.  When you analyze and execute malware, you do so at your own risk, so take plenty of precautions.

_______________________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques.  His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.  Follow him on Twitter @joshcannell