Monthly Archives: July 2016

AdGholas Malvertising Campaign Leveraged Steganography, Filtering

For over a year, attackers were able to carry out a malvertising campaign that managed to draw between one and five million client hits a day, according to researchers. The scam infected thousands a day using a one-two punch of filtering and steganography, the art of hiding information inside messages or images.

The attackers behind the campaign suspended their operation last week, according to experts at Proofpoint, who have been tracking their moves since October 2015. While the researchers first homed in on the group, which they call AdGholas, in October, they claim that evidence points to it having been in operation as early as 2013.

While using steganography to conceal attacks isn’t new – malware authors have been using the practice for years – this is reportedly the first time it’s been seen used in a drive-by malware campaign like this.

Researchers claim that hidden in JavaScript filtering code used by the campaign was more code that used an API to read a PNG and extract even more JavaScript. Users would get infected by browsing a site, after which they’d get redirected to a cloned version of a legitimate site, tricking victims into thinking everything was normal.

The campaign, at least for a while, was dependent on exploit kit traffic, Proofpoint acknowledged. When Angler went offline in early June, AdGholas went silent for two weeks before re-emerging at the tail end of that month, spread by the Neutrino exploit kit. Ten to 20 percent of the millions of hits it got a day were ultimately redirected to an exploit kit.

“Recent observations suggest that AdGholas or close distribution partners might have started operating the reverse proxies serving the involved instance of exploit kit at the end of April. These were the only instances featuring ‘gzipped’ Angler EK traffic, and lately their Neutrino traffic was gzipped as well,” Proofpoint researchers wrote Thursday.

The campaign also dropped region-specific Trojans on victims. Computers in Canada were hit with the banking Trojan Gozi ISFB, Australian computers were hit by Terdot.A, while computers in Spain received another banking Trojan, Gootkit.

Proofpoint notified a handful of advertising network operators of the campaign, and they were apparently quick to address it.

“We would also like to thank all the contacts in the advertising industry (directly involved or not) who were swift to react upon notification and helped us take action on this malicious activity. It appears their action was strong enough to have all AdGholas campaigns suspended as of the morning of July 20, 2016,” the researchers wrote.

Last fall at Black Hat Europe, researchers from two different firms partnered to give a presentation on campaigns that were using steganography to prosper. Pierre-Marc Bureau, a senior security researcher at Dell SecureWorks, and Dr. Christian Dietrich, a senior researcher with Crowdstrike, acknowledged that the medium had arrived as a legitimate way for attackers to obscure interactions with command and control servers.

A strain of malware found by Dell last summer, Stegoloader, hid malware in images. After a machine had been compromised it used a deployment module that called on a PNG to grab malware from a legitimate hosting site.

from Threatpost – English – Global – thr…

WhatsApp may leave deleted chats behind in your iCloud backups

Popular online messaging service WhatsApp has made all sorts of security news in recent years.

One of WhatsApp’s early cryptographic SNAFUs involved using non-secret information to construct secret encryption keys, which is a bit like using your pet’s name as a login password.

The company went on to make two-time use of a one-time pad, a no-no in cryptographic circles. (It isn’t called a one-time pad for nothing.)

WhatsApp CEO Jan Koum subsequently asserted that “[r]espect for your privacy is coded into our DNA” little more than a year after the company was censured by Canadian and Dutch privacy authorities for violating privacy rules in both countries.

And the app went through a period of blurting out your location to eavesdroppers by communicating with Google Maps via unencrypted HTTP rather than using encrypted-and-authenticated HTTPS.

The company was bought by Facebook in early 2014, at which point we wondered whether that would make things better or worse.

Technically, at least, the acquisition seems to have done no harm, with WhatsApp now providing end-to-end encryption in a privacy-centred way, where WhatsApp itself never holds the cryptographic secrets that it would need to snoop on your messages as they pass through its service.

So much for what’s often called “encryption in transit” or “encryption in motion.”

Encryption at rest

But what about “encryption at rest”?

If crooks (or suitably warranted-up law enforcement officials) got hold of your laptop, or your phone, or your iCloud backups, would they find blobs of digital shredded cabbage?

Or would some or all of your long-sent and theoretically-deleted messages hang around where they could be recovered?

Well-known and respected iOS security researcher Jonathan Zdziarski decided to take a look at the iOS flavour of WhatsApp, and he found that WhatsApp’s delete function didn’t quite.

The iOS app stores its messages in a database that uses the popular and widespread SQLite toolkit.

SQLite promises to keep your data safe and consistent: what’s known in the trade as ACID, short for Atomic, Consistent, Isolated, and Durable.

Even if the battery runs out at the wrong moment, or the app crashes half-way through, the database will still be in a stable and sensible condition.

But SQLite doesn’t offer, or claim, to encrypt your data at rest; that aspect of security can be provided by an additional cryptographic layer, thus avoiding the additional complexity that would arise if SQLite also had to be an encryption tool, or the encryption tool also had to be an ACID database engine.

In other words, when you delete messages from the WhatsApp database, SQLite marks the records so they can be re-used later, but until the database fills back up again (which could take a long time if you delete lots of messages at once), the raw bits-and-bytes of the old data will remain behind.

A forensics expert like Zdziarski might well be able to recover it, especially if you have synced your phone to your laptop without encrypting the backup, or backed it up to iCloud, where it won’t be encrypted:

The WhatsApp chat database gets copied over from the iPhone during a backup, which means it will show up in your iCloud backup and in a desktop backup.

Fortunately, desktop backups can be encrypted by enabling the “Encrypt Backups” option in iTunes. Unfortunately, iCloud backups do not honor this encryption, leaving your WhatsApp database subject to law enforcement warrants.

This isn’t the end of the world, of course: it’s still not easy for crooks to grab your WhatsApp messages, and even after a heap of work they might get no more than a few fragments of uninteresting stuff.

But it’s a reminder to programmers everywhere that end-to-end encryption doesn’t just mean “each end of a network connection.”

It includes the physical device at each end, too.

What to do?

Zdziarski has a range of handy hints for iOS data security in general, which we encourage you to look at.

Suggestions include:

  • Remove and reinstall the app from time to time so a blank database is re-created.
  • Back up locally via iTunes and encrypt the backup, but don’t replicate your data to iCloud.
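As an added example (not from the article, from Zdziarski, or from WhatsApp), the script below reproduces the SQLite behaviour described above using Python’s standard sqlite3 module and a constructed message table, and goes one step beyond the list by showing two database-level mitigations, PRAGMA secure_delete and VACUUM, that scrub the freed bytes:

```python
import os
import sqlite3
import tempfile

# Constructed sample chat rows; the second one is the message we "delete" and then hunt for.
MESSAGES = ["see you at the meeting", "my card PIN is 4321 (constructed)", "thanks!"]
SECRET = MESSAGES[1]


def file_contains(path, needle):
    """Scan the raw database file bytes, the way a forensic tool would, rather than via SQL."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def delete_and_inspect(secure_delete=False, vacuum=False):
    """Insert rows, delete one, and return (visible_via_sql, present_in_file_bytes).

    secure_delete: zero freed cells at delete time (PRAGMA secure_delete).
    vacuum: rebuild the file afterwards so only live rows are copied over.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.sqlite")  # stand-in for an app's message store
        con = sqlite3.connect(path)
        # Set the pragma explicitly both ways: some SQLite builds default it to ON.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany("INSERT INTO message(body) VALUES (?)", [(m,) for m in MESSAGES])
        con.commit()
        # A WHERE clause keeps this an ordinary per-row delete: the cell is added to the
        # page's free-block list and, without secure_delete, its bytes are left in place.
        con.execute("DELETE FROM message WHERE body = ?", (SECRET,))
        con.commit()
        if vacuum:
            con.execute("VACUUM")  # copies only live rows into a fresh file image
        visible = con.execute("SELECT COUNT(*) FROM message WHERE body = ?",
                              (SECRET,)).fetchone()[0] > 0
        con.close()
        return visible, file_contains(path, SECRET)


if __name__ == "__main__":
    for sd, vac in [(False, False), (True, False), (False, True)]:
        print("secure_delete=%s vacuum=%s -> (visible, in_file) = %s"
              % (sd, vac, delete_and_inspect(sd, vac)))
```

The first case is the one the article describes: the row is gone for the app, but its text is still in the file (and so in any unencrypted backup of it).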

As always, this is a reminder that security is a journey, not a destination.

from Naked Security – Sophos

Tumblr users, get ready to see ads everywhere

…and to eventually get a slice of the pie.

Tumblr this week announced how it’s going to start earning its keep: by putting ads on each and every one of its 306 million blogs.

The ads rolled out on Thursday.

Tumblr said on its blog that sometime in the coming months, nearly every Tumblr blog could have an ad on it, and at some point, users will get a slice of the ad revenues.

The ads will be on by default, but you’ll be able to turn them off – at least, on your own blog – and opt out of Tumblr’s latest attempt to make some money.

Here’s the rationale, according to its staff blog:

So that later this year people can start making money from their blogs.

…it also doesn’t hurt that Tumblr itself will, of course, make money. As it is now, it’s a free service, having to date only made money by selling a few special themes.

Tumblr’s owned by what the Wall Street Journal terms the “ever-struggling” Yahoo.

We don’t yet know any of the details, including how the revenue-sharing with users will work, when all users will be affected, how users will be paid, or the size of their cut. Tumblr’s still working that all out, it said.

In an interview with the WSJ earlier this week, Yahoo CEO Marissa Mayer said there’s “untapped value” in Tumblr’s future. The newspaper reports that Tumblr ads will be served by Yahoo’s Gemini ad service and will show up on the mobile and desktop web, as well as on Tumblr’s mobile app.

According to TechCrunch, which spotted the quietly announced news earlier this week, the advertising move appears to be an expansion of an earlier program: Creatrs, which connects brands with Tumblr users directly, instead of having advertisers work with third-party influencer networks.

Even before this announcement, concerns were raised about malvertising on the platform, because when followers share a Tumblr link, embedded ads come along for the ride.

The fact that embedded ads thus spread far and wide makes for a tempting target for cybercriminals who specialize in rigging those ads with malicious code.

Malvertising is one of the very good reasons that people use adblockers.

Short for malicious online advertising, it’s when usually trustworthy sites temporarily go rogue because one of the ads they display turns out to be booby-trapped and tries to foist malware or potentially unwanted content on your computer.

Here’s hoping that Yahoo’s secured the service appropriately.

from Naked Security – Sophos

New Trojan SpyNote Installs Backdoor on Android Devices

A new Android Trojan called SpyNote has been identified by researchers who warn that attacks are forthcoming.

The Trojan, found by Palo Alto Networks’ Unit 42 team, has not been spotted in any active campaigns. But because the software is now widely available on the Dark Web, Unit 42 believes it will soon be used in a wave of upcoming attacks.

Unit 42 discovered the Trojan while monitoring malware discussion forums. Researchers say that’s where they found a malware builder tool specifically designed to be used to create multiple versions of SpyNote Trojan.

SpyNote, according to the Unit 42 team, has a wide range of backdoor features that include the ability to view all messages on a device, eavesdrop on phone calls, activate the phone’s camera or microphone remotely, or track the phone’s GPS location. The APK (Android application package file) containing the remote access tool (RAT) SpyNote gives an attacker complete access to a victim’s phone.

SpyNote is similar to other remote administration tools such as OmniRat and DroidJack. DroidJack made news earlier this month when researchers at Proofpoint found a rigged version of the massively popular game Pokémon Go that carried the Trojan. OmniRat is similar in function and was first spotted in Germany in November by researchers who said targeted victims received a text message asking them to download an app to view an image.

Once installed, SpyNote is hard to get rid of, according to the Unit 42 team: the Trojan removes the SpyNote application icon from the victim’s phone, and it can install new APKs and update the malware.

“The SpyNote APK requires victims to accept and give SpyNote many permissions, including the ability to edit text messages, read call logs and contacts, or modify or delete the contents of the SD card,” according to a technical description of the malware by Unit 42.

Palo Alto Networks’ Unit 42 team has gleaned important details of SpyNote from what it identifies as a video demonstrating the capabilities of the malware. In the video, a hacking tutorial, a user appears to be putting SpyNote through its paces, showing a remote takeover of an Android device.

“The uploader might be following the instructions described in YouTube videos on using SpyNote, considering the port number used is exactly the same as in the videos and the uploader only changes the icon of the APK file,” wrote Jacob Soo, with Palo Alto Networks’ Unit 42 team, in the technical write-up on the malware.

Unit 42 asserts that SpyNote is configured to communicate with a command and control server over TCP, using hard-coded SERVER_IP and SERVER_PORT values. That has given researchers the ability to extract C2 information from the malware.

Unlike the closely related RATs OmniRat and DroidJack, SpyNote has not been seen in the wild, researchers say, so how attackers might lure victims into downloading the Android APK is still unknown.

from Threatpost – English – Global – thr…

fping 3 – Multi Target ICMP Ping Tool

-a  Show systems that are alive.

-A  Display targets by address rather than DNS name.

-b n  Number of bytes of ping data to send. The minimum size (normally 12) allows room for the data that fping needs to do its work (sequence number, timestamp). The reported received data size includes the IP header (normally 20 bytes) and ICMP header (8 bytes), so the minimum total size is 40 bytes. Default is 56, as in ping. Maximum is the theoretical maximum IP datagram size (64K), though most systems limit this to a smaller, system-dependent number.

-B n  In the default mode, fping sends several requests to a target before giving up, waiting longer for a reply on each successive request. This parameter is the value by which the wait time is multiplied on each successive request; it must be entered as a floating-point number (x.y). The default is 1.5.

-c n  Number of request packets to send to each target. In this mode, a line is displayed for each received response (this can be suppressed with -q or -Q). Also, statistics about responses for each target are displayed when all requests have been sent (or when interrupted).

-C n  Similar to -c, but the per-target statistics are displayed in a format designed for automated response-time statistics gathering.

shows the response time in milliseconds for each of the five requests, with the “−” indicating that no response was received to the fourth request.

-d  Use DNS to look up the address of the returned ping packet. This allows you to give fping a list of IP addresses as input and print hostnames in the output.

-D  Add Unix timestamps in front of output lines generated in looping or counting modes (-l, -c, or -C).

-e  Show elapsed (round-trip) time of packets.

-f  Read list of targets from a file. This option can only be used by the root user.

-g  Generate a target list from a supplied IP netmask, or a starting and ending IP. Specify the netmask or start/end in the targets portion of the command line.

-h  Print usage message.

-i n  The minimum amount of time (in milliseconds) between sending a ping packet to any target (default is 25).

-l  Loop sending packets to each target indefinitely. Can be interrupted with Ctrl-C; statistics about responses for each target are then displayed.

-m  Send pings to each of a target host’s multiple interfaces.

-n  Same as -d.

-p n  In looping or counting modes (-l, -c, or -C), this parameter sets the time in milliseconds that fping waits between successive packets to an individual target. Default is 1000.

-q  Quiet. Don’t show per-probe results, but only the final summary. Also don’t show ICMP error messages.

-Q n  Like -q, but show summary results every n seconds.

-r n  Retry limit (default 3). This is the number of times an attempt at pinging a target will be made, not including the first try.

-s  Print cumulative statistics upon exit.

-S addr  Set source address.

-I if  Set the interface (requires SO_BINDTODEVICE support).

-t n  Initial target timeout in milliseconds (default 500). In the default mode, this is the amount of time that fping waits for a response to its first request. Successive timeouts are multiplied by the backoff factor.

-T n  Ignored (for compatibility with fping 2.4).

-u  Show targets that are unreachable.

-O n  Set the type of service flag (TOS). n can be either decimal or hexadecimal (0xh) format.

-v  Print fping version information.

-H n  Set the IP TTL field (time to live hops).
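As an added example (not part of fping or the Darknet post), the script below parses constructed lines in the per-target format that -C produces, one response time per probe with “-” for a probe that got no reply, and flags targets by packet loss and average response time, the kind of automated gathering -C is designed for. The sample addresses and the thresholds are assumptions:

```python
import re
import statistics

# Constructed sample of per-target lines as printed by "fping -C 5" (fping writes them to stderr).
# Format: "<target> : <rtt_ms or -> <rtt_ms or -> ...", with "-" marking a lost probe.
SAMPLE_FPING_C = """\
192.0.2.10 : 91.7 37.0 29.2 - 36.8
192.0.2.11 : - - - - -
gateway.example : 0.42 0.39 0.41 0.40 0.38
"""

LINE_RE = re.compile(r"^(?P<target>\S+)\s*:\s*(?P<probes>.+)$")


def parse_fping_c(text):
    """Return {target: {"sent": n, "lost": n, "rtts": [ms, ...]}} for -C style output."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank, summary or malformed lines
        probes = m.group("probes").split()
        rtts = [float(p) for p in probes if p != "-"]
        results[m.group("target")] = {"sent": len(probes), "lost": probes.count("-"), "rtts": rtts}
    return results


def flag_targets(results, max_loss_pct=20.0, max_avg_ms=100.0):
    """Return (target, loss_pct, avg_ms) for targets over either threshold, worst loss first.

    A target that never answered has 100% loss and no average (avg_ms is None).
    """
    flagged = []
    for target, r in results.items():
        loss_pct = 100.0 * r["lost"] / r["sent"]
        avg = statistics.fmean(r["rtts"]) if r["rtts"] else None
        if loss_pct > max_loss_pct or (avg is not None and avg > max_avg_ms):
            flagged.append((target, round(loss_pct, 1), None if avg is None else round(avg, 1)))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for entry in flag_targets(parse_fping_c(SAMPLE_FPING_C), max_loss_pct=10.0):
        print("FLAG target=%s loss=%.1f%% avg_ms=%s" % entry)
```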

from Darknet – The Darkside

Threatpost News Wrap, July 29, 2016

Mike Mimoso and Chris Brook discuss the news of the week, including a wireless keyboard vulnerability – KeySniffer, NIST’s statement on 2FA, a LastPass remote compromise bug, and a new Tor paper.

Download: Threatpost_News_Wrap_July_29_2016.mp3

Music by Chris Gonsalves


from Threatpost – English – Global – thr…