Fake Antimalware Applications

September 8, 2008

As we have been monitoring the threat landscape over the last couple of weeks, we have noticed an increase in fake anti-malware applications being used to defraud users. These applications provide no real security for the user in terms of detecting and removing malware; instead, the application is designed to trick the user into thinking they are infected, using pop-ups, and to entice them to purchase a "full version" as a means of cleaning the system.

The objective is always financial. One way the operators make money is by sending out spam with Trojan downloaders hidden behind the links, designed to install fake security software; in the majority of cases this is Anti-virus XP 2008.


Fake Windows XP Vista Update – Installs AV XP 2008

August 28, 2008

This morning the AV XP 2008 spammers were at it again with another round of spam messages claiming to offer an update to Microsoft Windows Vista (we have seen similar attacks before offering false updates). However, when the user clicks the link, he/she is directed to a malicious .swf that downloads the file install.exe, which is essentially a downloader Trojan designed to install AV XP 2008.

File size: 203776 bytes
MD5: 0f44ed00c0b67d9e5062b8e2c3574345
SHA1: 4d9b42bbd950ea0c253a483ea2db3f888055c1c6
SHA256: e5885411c5ab7dbf2846b3b0606f6b294bbc9203ec8065d13560470ceab07c07
SHA512: b1b437a2df0023e1af019e6a06c31d298063f156819ea5b1de4047ad5766c6f800db13161056c7db223737cfc8fe00ce58d7756ebe33e4042627d6c9fbee8a6f
PEiD: –
TrID: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)


Attack of the greeting card malware

August 12, 2008

This morning another spam run was detected containing a link to a fake e-greeting card. While the use of greeting cards as a social-engineering vector is nothing new, spam attacks carrying malcode are on the rise, and in the last two weeks a number of new spam runs were detected (CNN spam, fake IE 7.0, etc.).

The latest contains a Trojan in the form of a greeting card.

File size: 304128 bytes
MD5: ffddb929536b28128e5b6ebdeb83c199
SHA1: 7431aeadbef92cc8906ea33af3acbd5189b7ff9a
SHA256: 707c4d11d307fca514cc814d50096e22fc6944567c70359cc6b2c44cde766c9a
SHA512: db348242eafb55eded15538dd0b896c1aef73e5b2d874fe8f9a2a830a9cfa0846f656e76550a62966ec33058083b901cce176c554f325b5d03acd37d39734695


Detecting malware in CNN spam generically with PEiD

August 11, 2008

Recently I have been investigating the adobe_flash.exe files associated with the latest round of CNN spam. During my analysis all of the binaries appeared to look and behave the same; however, some of the files are actually quite different. Therefore, using PEiD and Signature Explorer 3, I created two generic detection signatures for variations of the adobe_flash.exe file.
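A way to apply PEiD-style signatures like the ones described above, as an added example (my code, not the author's signatures and not PEiD itself): it parses entries in PEiD's userdb.txt format, honours the ?? wildcard and the ep_only flag, and runs them over a constructed byte buffer. The signature bytes, the entry-point offset and the sample buffer are all made up for the demonstration.

```python
# Constructed userdb.txt-style entries. The byte patterns below are made up for
# this demonstration; they are not the author's adobe_flash.exe signatures.
USERDB = """
[Demo packer stub (constructed)]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??
ep_only = true

[Demo string marker (constructed)]
signature = 61 64 6F 62 65 5F 66 6C 61 73 68
ep_only = false
"""

def parse_userdb(text):
    """Parse PEiD userdb.txt entries into dicts with name, pattern and ep_only.
    pattern is a list of ints, with None standing for a '??' wildcard byte."""
    sigs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": True}
            sigs.append(cur)
            continue
        if cur is None:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "signature":
            cur["pattern"] = [None if t == "??" else int(t, 16) for t in val.split()]
        elif key == "ep_only":
            cur["ep_only"] = val.lower() == "true"
    return sigs

def matches_at(data, pattern, offset):
    """True if pattern matches data at offset, treating None as a wildcard."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def scan(data, entry_point, sigs):
    """Return names of signatures that hit: ep_only ones must match at the
    entry point, the rest may match anywhere in the file (as PEiD does)."""
    hits = []
    for sig in sigs:
        if sig["ep_only"]:
            if matches_at(data, sig["pattern"], entry_point):
                hits.append(sig["name"])
        elif any(matches_at(data, sig["pattern"], off) for off in range(len(data))):
            hits.append(sig["name"])
    return hits

# Constructed stand-in for a PE image: a fake MZ header, padding, a packer-like
# stub at offset 16 (our pretend entry point) and a marker string after it.
SAMPLE = (bytes.fromhex("4d5a9000") + b"\x00" * 12
          + bytes.fromhex("60e8000000005d81ed10204000") + b"adobe_flash" + b"\x00" * 4)
ENTRY_POINT = 16

if __name__ == "__main__":
    print(scan(SAMPLE, ENTRY_POINT, parse_userdb(USERDB)))
```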


Point-of-Sales Vulnerabilities

July 24, 2008

The Target: the wireless point-of-sale (POS)

The wireless POS system consists of one or more networked wireless POS end-points located at check-out stands and the internal on-site transaction server which connects the system to the payment authorization source. The transaction server also interfaces with the inventory control system.

• Transaction initiated at wireless POS checkout stand

• Transaction information sent to wireless access point, to transaction server, to authorization source

• Transaction authorization returns to POS checkout to complete transaction

Note that there are vulnerabilities at each point.


From an architectural perspective a POS end-point runs an operating system, either a version of Windows or Linux, configured to limit functionality, meaning not all O/S functions are available to the logged-in user. These devices are physically divided into two components:

• Card Reader – system that reads the card as it is swiped.

• Transaction Unit – system that sends the card information to an authorization source.

The information read at the POS will be sent to an authorization source (e.g., Amex) through the transaction unit. In addition the transaction information of the purchase (payment, item, quantity, etc.) is sent over the network to a branch server for inventory control and auditing purposes.

Normally the information sent between the retailer and the authorization source will use strong encryption to protect the information; however, network security between the POS and the internal branch servers may or may not be encrypted and really depends on the configuration.

Assuming that the retailer does encrypt the information sent between the POS and the branch server, the real vulnerabilities then exist at the POS end-point, the wireless access point, and the branch server itself.

• Because a POS terminal reads the card information, performs the transaction and receives the authorization code, that information may be stored for short periods in flash, static RAM or on the hard drive (e.g., for a few hours until the register is closed). Therefore, malware could be installed directly on the POS to intercept the transaction data as it is sent to the authorization source or to the internal branch server for storage.

• Branch servers are normally used to collect information from multiple POS terminals and thus often run a database of some form. A hacker wishing to obtain this information would have to compromise the server first and then likely exploit weaknesses in the database's encryption.

Because the target is often cardholder information, hackers are developing strategies that involve breaching wireless networks, mainly because a POS requires either direct physical access or access via the network, and the wireless network is easier to penetrate than cracking the corporate firewall and gaining access via the external gateway.

Penetrating a wireless network and planting targeted malware has only recently emerged on the scene and is expected to increase, especially since cardholder information is one of the primary targets of interest when it comes to data of value.

Once the intruder has accessed the wireless network the next challenge would be to compromise the POS or the Branch server. There are a number of ways and vectors in which this can be accomplished in a relatively short period of time:

• Privilege escalation: Elevating user privileges is a method hackers use to gain access to other parts of the system that require a higher level of authorization. Vulnerabilities that allow this condition to occur are the culprit behind most escalation attacks.

• Hacking specific Windows services (IIS, SQL, Apache, etc.): Gaining access via Windows services by exploiting specific vulnerabilities that allow remote arbitrary code execution.

• Buffer overflow attacks: Overflowing an application's buffer causes a condition that, in some cases, allows arbitrary code to execute with a bound remote shell. Many of these methods, if done correctly against a somewhat vulnerable system, will often work.

One popular method in use today is the development of targeted malware to extract credit card information and other sensitive data directly from the wireless POS, the AP, or the branch server.

Some recent breaches have led to malware being physically installed on key servers and the avenue for attack was through a wireless network at a field office.

One theory on how this malware would work is by capturing the details in real time: Trojans are installed that directly interact with the application on the POS terminal, capturing the customer's information as it is sent to the authorization source or the branch server.

Once the malware has captured the necessary data it can open a channel to a command and control server and upload the stolen information. It is often found that the C&C server is also connected to thousands of compromised PCs, and the stolen data is subsequently distributed to be stored on consumers' PCs. The chilling part is that any consumer's PC can instantly become a drop-box for stolen corporate information once it has been compromised by hackers.

Hiding the evidence

A next step for the attacker after compromising the POS would be to hide the obvious signs that the system has been tampered with; installing a rootkit is one way to hide any traces associated with the attack. Full kernel-mode persistent rootkits are the hardest form to detect.

In this way the hacker aims to eliminate any chance of detection by security scanners, anti-virus applications or any other security tool focused on finding vulnerabilities, so that the breach can remain hidden for as long as possible before anyone considers the possibility that a POS has been breached.


Anatomy of a Data Breach Part 3 – The Wireless Hack

July 17, 2008

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer a means of entry into the network. This article describes the vulnerabilities and strategies for mitigation.

In the wake of undiscovered data breaches and subsequent public exposure, hackers have begun to turn their eye towards breaching wireless networks and taking advantage of their many inherent weaknesses. Furthermore, we are seeing a trend towards stealing cardholder information from retailers such as TJX and Hannaford Brothers as a quick way to profit.

The use of wireless networks is a common way of providing access for employees anywhere, anytime, throughout the corporate campus. However, wireless networks come with several often-ignored dangers:

• Exploitation of WEP and WPA protocols.

• Impersonation and interception of wireless traffic.

• Access points being deployed with little or no security enabled.

All of these vulnerabilities can eventually lead to the exposure of private information if not properly secured and accounted for when implementing a data security policy. The weaknesses of a wireless environment can lead to violations of PCI, HIPAA and SOX if an exposure occurs through one of those vulnerabilities. Regulations such as SOX, HIPAA and PCI were designed to protect specific classes of information whose exposure can have serious ramifications such as fines, potential jail time and a host of other unwanted after-effects.

The Target: Wireless Point-of-Sales (POS)

For example, the protection of cardholder information as covered under PCI DSS includes a number of guidelines to aid in the development of policy that (a) protects cardholder information stored on servers and (b) protects cardholder information in transit during transactions between front-end point-of-sale terminals and back-end merchant processing servers (the machines that handle and authorize transactions when a credit card is swiped at a store location).

Because the target is often cardholder information, which has a higher raw value on the black market than other information such as a social security number, hackers are developing strategies that involve breaching wireless networks, mainly because it is much easier to penetrate a wireless network than to crack the corporate firewall and gain access via the external gateway.

This is a stepping stone to harvesting not only data at rest but data in motion as well. The methodology goes hand in hand with the "low-hanging fruit" theory and is part of an overall emerging trend towards gaining access to cardholder information.

Cracking the Wireless Network

Wireless hacks accounted for around 9% of the security incidents documented in a recent report published by the Verizon Business Risk team. This is likely due to incorrectly configured access points or the use of weak authentication; WPA-PSK can in some cases be vulnerable to offline dictionary attacks given enough time to work on the captured traffic. WEP, on the other hand, can be cracked in less than 10 minutes using commercially available tools.

For wireless hacks to succeed without a large investment of time and resources, the access point either has to have a vulnerable encryption protocol enabled, such as WEP or WPA-PSK, or have no security enabled at all, which has been seen in the field numerous times.

As data security issues become the number one problem, hackers will continue to innovate and find additional ways of accessing the information they want. Penetrating a wireless network and planting targeted malware has only recently emerged on the scene and is expected to increase, especially since cardholder information is one of the primary targets of interest when it comes to data of value.

Thus, one popular method in use today is the development of targeted malware to intercept transmissions and extract credit card information and other sensitive data directly from these streams.

However, it all starts with penetrating the wireless network and obtaining the ability to access its resources; as we have seen, the weaker link in the chain is often targeted first (stores or regional offices in the field). Some recent breaches have led to malware being physically installed on key servers, and the avenue of attack was through a wireless network at a field office.

Theories on how this malware would work include using filters to detect packets containing specific information (e.g., credit card numbers, social security numbers, authorization codes and PINs, all of which are of value). Another theory is capturing the details in real time by installing Trojans that directly interact with the application on the POS terminal, capturing the customer's information as it leaves the POS for the payment authorization gateway.

Once the malware has captured the necessary data it can open a channel to a command and control server and upload the stolen information. It is often found that the C&C server is also connected to thousands of compromised PCs, and the stolen data is subsequently distributed to be stored on consumers' PCs. The chilling part is that any consumer's PC can instantly become a drop-box for stolen corporate information once it has been compromised by hackers.

As mentioned before, hackers will target wireless networks located at smaller regional offices, as they did with Hannaford and TJX. This is done under the assumption that security is weaker than at corporate HQ, and it fits part and parcel with such offices being "low-hanging fruit". This is probably true given the technical resources available to smaller locations and their diversity.

Discovery and Prevention

Determining whether you have been breached is somewhat difficult, as the intruders have likely covered their initial entry by hiding any traces (deleting or hiding audit logs, etc.). Therefore, your best approach is to adopt a strategy for detecting and mitigating the effects of a breach, such as:

• Database monitoring: Technologies exist to monitor SQL Server and Oracle databases for suspicious activity (access from unauthorized users, insertion of scripts, execution of SQL statements, etc.). Monitoring is only part of the equation in detecting a breach in progress, but if hackers subsequently decide to access cardholder information stored in your databases in addition to extracting the data in real time, database monitoring will increase the odds of discovering the unauthorized access.

• Network Intrusion Detection: Intrusion detection technologies, in addition to other methods, can be used to detect anomalous traffic and behaviour that might be associated with an attack.

• Hardening critical assets: You can minimize your exposure and risk by hardening critical assets (in this case the POS terminal); in other words, removing non-essential functionality such as services, applications and ports that not only add to complexity but introduce additional risk.
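A concrete detection control that fits the network intrusion detection point above, as an added example (not from the original post): it scans reassembled POS-to-branch payloads for cleartext primary account numbers, the exposure that arises when the link between the POS and the branch server is left unencrypted, using a 13 to 19 digit pattern plus the Luhn check to suppress false positives such as SKUs. The flows, IP addresses and the record format are constructed for the demonstration.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits on either side.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, the standard test for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(payload):
    """Return Luhn-valid PAN candidates (digits only) found in a text payload."""
    found = []
    for m in DIGIT_RUN.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask(pan):
    """Keep first six and last four digits so alerts never relay a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed (src, dst, payload) tuples standing in for reassembled TCP
# payloads on the POS-to-branch-server segment; addresses and the record
# format are invented. The SKU in the second flow is 13 digits but fails Luhn.
FLOWS = [
    ("10.1.20.15", "10.1.0.5", "SALE|REG=04|PAN=4111111111111111|EXP=1210|AMT=45.20"),
    ("10.1.20.15", "10.1.0.5", "INV|SKU=1234567890123|QTY=2"),
    ("10.1.20.16", "10.1.0.5", "SALE|REG=05|PAN=5500 0000 0000 0004|AMT=12.00"),
]

def scan_flows(flows):
    """Alert on every flow carrying a cleartext PAN, with the PAN masked."""
    return [(src, dst, mask(pan))
            for src, dst, payload in flows
            for pan in find_pans(payload)]

if __name__ == "__main__":
    for src, dst, masked in scan_flows(FLOWS):
        print(f"ALERT cleartext PAN {masked} in {src} -> {dst}")
```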


From Traditional AV to Security-as-Service

May 20, 2008

Over the past five years the anti-virus market has experienced tremendous growth with the advent of new technologies to adapt to current conditions. What was once a market consisting of a very few players has now evolved into a global enterprise consisting of dozens of companies with an assortment of anti-virus products varying in degrees of quality.

The global anti-virus market is forecast to grow substantially from now until 2010 with the introduction of emerging technologies (data loss prevention, virtualization security, security-as-a-service and many others).

However, the market in its present state has changed: the technology behind anti-virus is highly inefficient when it comes to protecting against modern threats. Vendors are under a constant overload of unique malware, which has resulted in a breakdown in the quality and effectiveness of their underlying core technology.

This is evident in today's high-profile security incidents. According to the Identity Theft Resource Center (an organization that tracks incidents relating to exposure of confidential information), the number of recorded breaches more than doubled in the first quarter of 2008.

This problem is even more visible when you take into account the current application delivery model employed by various end-point technologies today.

This model introduces several challenges, not only in administration, management and ease of use, but in the degree to which it can provide an adequate level of protection against zero-day, zero-hour and zero-minute threats.

This traditional model is described as follows:

* Upgrades require time and effort to implement, leaving a dangerous window of opportunity to become infected. This is particularly true if the upgrade includes engine revisions to detect new strains of malware.

* Enterprise protection suites require deployment of a dedicated management infrastructure that in some cases will require additional hardware.

* Some end-point protection suites that use a policy-driven system are particularly complex to manage and maintain; therefore, the total cost of ownership will increase over time.

* Anti-malware intelligence has traditionally resided on the end-point, thus the trade-off between security and resource consumption has always been a challenge. The memory and CPU footprint is directly proportional to the size of the signature file; therefore, the growth of new threats will directly affect the user's experience.

On average the footprint for leading products is anywhere from 100MB to 150MB depending on the modules enabled (i.e. firewall, anti-virus, anti-spam, host intrusion prevention, etc.).

* Most end-point products on the market today have a very narrow, short-sighted view of the threat landscape and do not provide protection for all malware currently in circulation and affecting users.

* Nodes do not share intelligence amongst themselves, thus reducing the overall efficiency of detecting and preventing targeted attacks.


When we look at this further, the SMB market will be affected the most. This introduces significant challenges for SMBs, who have tight budgets for security. This is especially true as they do not necessarily have the expertise or the resources in-house to manage and administer complex anti-malware solutions.

The best alternative that an SMB can take when it comes to security is out-sourcing their services to a hosted infrastructure and adopting a Security-as-a-Service model. This helps reduce complexity and time to market when implementing new security technologies and will not require a high degree of skill to maintain the solution.

Security-as-a-Service revolves around the concept known as Software-as-a-Service. SaaS changes the way that applications are delivered to customers by hosting the applications "in the cloud" and providing a web interface to interact with them, whereas before software had to be installed directly on the customer's premises.

Customers of a SaaS solution benefit from real-time, up-to-the-minute content provided on a continuous basis through a subscription model, making life a lot easier.

Therefore, it's my pleasure to announce Panda Security for Managed Office Protection.


http://www.bizjournals.com/prnewswire/press_releases/California/2008/05/19/LAM041