Monthly Archives: February 2017

Massive Necurs Spam Botnet Now Equipped to Launch DDoS Attacks


With more than one million active bots at any time, a Necurs-enabled DDoS attack could dwarf such an attack by the Mirai botnet.

In an ominous development, the world’s largest spam botnet has acquired capabilities that could allow it to be used in massive distributed denial-of-service attacks.

Security researchers at BitSight’s Anubis Labs recently observed the Necurs botnet loading a component in infected systems that allow the systems to perform DDoS attacks.

The addition of the new component appears to have started at least six months ago, which is when BitSight researchers first observed some unusual communications on a Necurs-infected system.

In addition to communicating via port 80, the Necurs-infected system was also using a different port, as well as what appeared to be a different protocol, to communicate with a set of command-and-control addresses.

A subsequent analysis showed the communications from the infected system to be requests to download two separate modules. One of them was for the usual spam distribution purposes. And the other was for a proxy module that would cause the bot to make HTTP or UDP requests to a target system “in an endless loop,” BitSight said in a recent alert.

The bot is modular in design; the proxy and DDoS features are part of a module that was first deployed in September, says Tiago Pereira, threat intelligence researcher at BitSight’s Anubis Labs. “The SOCKS/DDOS module is being loaded in all the bots in the botnet,” he says. At the same time, the spam modules are also still being loaded on all infected systems, he says.

Pereira says BitSight’s sinkholes measured an average of over 1 million active Necurs-infected systems every single day. “Simply taking into account its size—more than double the size of Mirai—we would expect it to produce a very powerful DDoS attack,” he says.

Security researchers estimate the overall size of the Necurs botnet to be upwards of 5 million infected systems, though only about 1 million are active at any given time. In addition to being used for spam distribution, the botnet has also been used to deliver the notorious Locky ransomware and the Dridex banking Trojan.

The botnet went offline somewhat inexplicably for a few weeks last year, resulting in an almost immediate drop-off in Locky and Dridex distribution. But it came back online equally inexplicably and with renewed vigor in June, and since then it has been used to distribute spam and malware.

With the addition of the new DDoS module, Necurs appears set to become even more versatile than it is already.

Ben Herzberg, security group research manager at Imperva, says it’s interesting that Necurs has now added a feature for DDoS attacks. But threat actors are likely to increasingly favor using IoT botnets such as Mirai because they are easier to infect and use than desktop botnets like Necurs, he said.

“Therefore, it seems likely that this is either a test module, or something to be used in a ‘doomsday scenario’ – for example when the botnet operators need it for a very good reason – not just as a normal DDoS-for-hire campaign,” he said in a statement.

Word of the Necurs botnet update comes amid reports of changes to Neutrino, another well-known malware sample that has been used to assemble a large botnet. The authors of the Neutrino bot have developed a new protective loader that makes it harder for anti-malware tools to detect the bot, Malwarebytes Labs said in an alert this week.

The new loader is designed to check whether it is being deployed in a controlled environment like a sandbox or a virtual machine and to delete itself automatically if that is indeed the case, Malwarebytes researchers Hasherezade and Jerome Segura said.

The tweak is not major. But the new protection layer is “very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered,” they said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


from Dark Reading – All Stories

Data and kids’ voice messages exposed in CloudPets breach

To the 821,296 people who bought one, the CloudPets teddy toys must have seemed like a great way to exchange intimate voice messages with their kids across what used to be called “the internet”.

A CloudPet is simple to use. The parent or child speaks into a microphone inside the toy, which uses a Bluetooth interface to upload the recording to cloud storage via an Android or iOS smartphone app tied to an account. Recipients download and listen to the message on a second CloudPets toy.

But in a new nadir for the gimmick of sticking the Internet of Things (IoT) inside toys, something went badly wrong with security.

Researcher Troy Hunt was recently told that databases containing all of the user accounts and potentially up to 2.2m voice messages had been compromised by hackers who found them in an unprotected state around Christmas using nothing more complicated than the Shodan IoT search engine.

Worse, numerous people accessed the exposed databases, some of whom had demanded a ransom from the parent company after deleting them in a manner identical to a spate of recent attacks on MongoDB installations.

The databases lacked authentication although account profiles were at least protected with passwords hashed using Bcrypt, a secure algorithm.

But, as Hunt discovered after pitting them against Hashcat, the lack of password rules rendered this ineffective, with “qwerty”, “password”, “123456”, “qwe” and “cloudpets” matching large numbers of the hashes. This makes all recordings vulnerable.
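The point above is that a slow, salted hash only buys time per guess; an account whose password is one of the first five guesses falls regardless. The following added example (not code from the article, Hunt, or CloudPets) makes that concrete: it stores constructed credentials with PBKDF2-HMAC-SHA256 as a standard-library stand-in for bcrypt, audits them against the five guesses the article names, and shows the signup-time policy check that would have rejected those passwords in the first place. The account names and the strong sample password are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Stand-in for bcrypt, which is not in the standard library: PBKDF2-HMAC-SHA256 shares
# the property that matters here, a salted and deliberately slow hash.
ITERATIONS = 20_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest, the way a stored credential would be kept."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored salt || digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# The guesses the article reports as matching large numbers of CloudPets hashes.
COMMON_PASSWORDS = ["qwerty", "password", "123456", "qwe", "cloudpets"]


def accounts_matching_common_passwords(accounts: Dict[str, bytes],
                                       guesses: List[str] = COMMON_PASSWORDS) -> Dict[str, str]:
    """Audit a credential store against a short common-password list.

    Returns {account: matched_password}. The hash being slow does not help an
    account whose password is one of the first few guesses."""
    hits = {}
    for user, stored in accounts.items():
        for guess in guesses:
            if verify_password(guess, stored):
                hits[user] = guess
                break
    return hits


def password_policy_violations(password: str, blocklist: List[str] = COMMON_PASSWORDS,
                               min_length: int = 12) -> List[str]:
    """The rule set the article says CloudPets lacked: reject short and commonly
    guessed passwords at signup, before they are ever hashed and stored."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in {p.lower() for p in blocklist}:
        problems.append("matches a commonly guessed password")
    return problems


if __name__ == "__main__":
    # Constructed accounts, not CloudPets data.
    accounts = {
        "parent1": hash_password("qwerty"),
        "parent2": hash_password("cloudpets"),
        "parent3": hash_password("lemon-kettle-orbit-2017"),
    }
    print(accounts_matching_common_passwords(accounts))
    for pw in ("qwerty", "lemon-kettle-orbit-2017"):
        print(pw, "->", password_policy_violations(pw) or "accepted")
```

Running the audit on a real store is a defensive control: it tells you which accounts need a forced reset. The policy function is the cheaper fix, since a password that never gets stored cannot be recovered from a leaked database.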

We’ve been here before. In late 2015, toy maker VTech suffered a massive data breach, again involving data gathered from a children’s device and made public by Hunt. Hot on its heels came hackable Barbie, while only days ago Germany’s telecommunications watchdog branded the Cayla doll as a surveillance device on account of poor security.

Troy Hunt describes this kinder-dystopia in the making:

It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.

In a double helping of bad, the researcher who first told Hunt of the breach had attempted to warn CloudPets about the issue on three occasions but got no response. A second researcher also tried to contact CloudPets as early as December 30, also without success.

It’s perhaps not a surprise that CloudPets was hard to contact given that its systems appear to have been stitched together for convenience from parts run by different entities.

Naked Security’s advice for CloudPets users who want to continue using the toys is to immediately change their password to something secure.

If there’s a moral it’s that parents should stop buying connected toys from any company until some standards develop and attitudes to security change.

At the very least, companies should be able to point to a responsible disclosure system so researchers have a way of communicating any vulnerabilities they find. Right now, few seem to have such systems and are therefore not deserving of trust, a sentiment some would extend to almost all IoT.

As we like to say on Naked Security for many things, “If in doubt, don’t give it out.”



from Naked Security – Sophos

Report: Only 2 in 3 Cyber Attacks Can Be Stopped with Current Defenses


A recent Bitdefender survey of 250 US IT execs in companies with 1000 or more PCs paints a disturbing picture of cybersecurity preparedness in the enterprise.

Only 64% of cyber attacks can be stopped, detected or prevented with current resources, on average, according to a Bitdefender survey of 250 IT decision makers at companies in the US with more than 1,000 PCs.

Bitdefender’s survey shows that 64% of IT decision makers think their IT security budget is sufficient, 2% say the budget is enough but they are understaffed, and 7% say funding is sufficient but can’t accommodate future expansion. Only 3% of IT decision makers surveyed said the security budget in their company is insufficient.

Less than 20% of IT decision makers say they could stop more than 90% of cyberattacks, while another 20% say they could detect and prevent less than a quarter.

Image Source: Bitdefender


Bitdefender’s survey shows 34% of respondent companies were breached in the past 12 months, with 74% reporting they don’t know how their company was breached. As a result, some 73% of IT decision makers fear a breach would force their companies to pay financial compensation, while 66% fear losing their jobs.

Cloud Spending Up

Cloud security spending at 48% of respondent companies increased in the past year while spending for other security activities remained the same, Bitdefender’s survey shows. While almost two-thirds of IT decision makers say their security budget is sufficient, the rest would need an increase of 34%, on average, to deliver efficient IT security policies. This is mainly because migrating information from traditional data centers to a cloud infrastructure has significantly increased companies’ attackable surface, bringing new threats and more worries to CIO offices about the safety of their data.

For example, cybercriminals can spend large amounts of time inside organizations without being detected. Advanced persistent threats, or APTs, for instance, are often defined as threats designed to evade detection. In the virtualization paradigm, since nothing being executed in raw memory is encrypted – just scrambled – APTs that try to execute malicious code on a virtual machine can be intercepted by Bitdefender’s Hypervisor Introspection technology long before they actually compromise the operating system. In fact, as soon as the malicious code – even delivered via a zero-day exploit – tries to execute in the VM’s memory, the introspection engine will immediately “see” the malicious action and the code that was trying to execute.

This survey was conducted in October 2016 by iSense Solutions for Bitdefender on 250 IT security purchase professionals (CIOs/CEOs/CISOs, 26%; IT managers/directors, 56%; IT system administrators, 10%; IT support specialists, 5%) and others from enterprises with 1,000+ PCs based in the United States.

Razvan, a security specialist at Bitdefender, is passionate about supporting SMEs in building communities and exchanging knowledge on entrepreneurship. A former business journalist, he enjoys taking innovative approaches to hot topics and believes that the massive amount of …


from Dark Reading – All Stories

Dridex Trojan Gets A Major ‘AtomBombing’ Update

The Dridex banking Trojan has been updated and now sports a new injection method for evading detection based on the technique known as AtomBombing.

Researchers with IBM X-Force identified the new Dridex v4 sample earlier this month and said it is already in use in active campaigns against U.K. banks. They said it’s only a matter of time before cybercrime gangs begin targeting U.S. financial institutions.


“Over the long reign of Dridex v3, we have seen some significant changes implemented into the malware’s operations, such as modified anti-research techniques, redirection attacks and fraudulent M.O. changes. It is not surprising to see a new major version released from this gang’s developers,” according to an X-Force report on Dridex v4 released Tuesday.

As with previous campaigns, Dridex exhibits its typical behavior of monitoring a victim’s traffic to bank sites and stealing login and account information. The biggest change is tied to Dridex v4’s code injection method. Code injection, researchers point out, is one of the processes most closely monitored by antivirus and other security solutions. The injection techniques used by previous versions of Dridex have become too common and easy to spot, they said. That’s forced cyber gangs to leverage AtomBombing in a new version of Dridex.

AtomBombing is a different approach to code injection that doesn’t rely on easy-to-spot API calls used by previous versions of Dridex. The AtomBombing technique, first spotted in October 2016 by enSilo researchers, allows Dridex v4 to inject code sans the aforementioned API calls.

“AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”

Atom tables are a Windows operating system facility that allows applications to store and access temporary data and to share data between applications. An attacker can write malicious code into an atom table and force a legitimate program to retrieve it from the table, the researchers explain.

What makes Dridex v4 different from other AtomBombing attacks is that attackers only use “the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself,” according to co-authors of the X-Force report Magal Baz and Or Safran.

Where Dridex v4 differs is at the tail end of the AtomBombing technique, where “Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into the read/write/execute (memory).” That cues up Dridex to use a Windows asynchronous procedure call (APC) to invoke GlobalGetAtomA, which executes the payload, X-Force said.

“The last stage is the execution of the payload. To avoid calling CreateRemoteThread, Dridex again uses APC. Using an APC call to the payload itself would be very suspicious,” said researchers. Alternatively, Dridex v4 uses “the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload.”

X-Force said this specific implementation of AtomBombing is a first of its kind in the context of banking Trojans and designed to cloak the malware’s activities.

Other enhancements to Dridex v4 include a modified naming algorithm, enhanced encryption for its configuration and an updated persistence mechanism.

“The changes to Dridex’s code injection method are among the most significant enhancements in v4,” wrote researchers. “The adoption of a new injection technique shortly after its discovery demonstrates Dridex’s efforts to keep up with the times and the evolution of security controls.”

Over the years, the cybercriminals behind the different versions of the Dridex Trojan have been extremely persistent. While campaigns have fluctuated in volume, innovation in the malware has been consistent. In January, researchers at Flashpoint said they spotted a new variant of the Dridex Trojan with a technique that can bypass Windows User Account Control (UAC). In 2015, an older version of Dridex started using a detection evasion technique called AutoClose that involved phishing messages containing macro-based attacks that did not execute until the malicious document was closed.

from Threatpost – English – Global – thr…

How Security Pros Can Bridge The Skills Shortage


By paying it forward, we can help address the industry’s exploding need for talent.

If you feel like you’re overworked and that your security department is short-staffed, you’re probably not imagining it. Two reports were released recently, with less-than-encouraging statistics about the growing security skills shortage. Is there anything we can do to stem the tide?

ISACA’s Current Trends in Workforce Development sheds light on the problems companies are having staffing open positions. More than a quarter of enterprises find they are unable to hire the people they need, and those that are able to fill positions report that it takes more than six months to find the right applicant for the job. Almost half of those surveyed said they got fewer than ten applicants for each job listing and 64% of respondents said that not even half of those who applied were qualified for the position.

This means that there is a huge unmet need, which is causing a serious problem for businesses. In a recent study by Dimensional Research and Tripwire, only ten percent of organizations have the skills to address the full range of the most prevalent threats. Even when singling out ransomware – the threat that most organizations reported to be their biggest concern – only 44% of respondents said they had the in-house skills needed to handle the problem.

The obvious answer to the skills shortfall is to increase both the quantity and quality of applicants. But with few schools offering computer science at the K-12 level, many students are unaware of information security as a career option. Those who start computer science studies at the college level often feel discouraged, as the learning curve is steep, especially compared to peers who have had earlier learning opportunities.

Still, there are a lot of options out there where we as security professionals can help bridge the gap.

Pay It Forward: Volunteer!
While encouraging overworked people to volunteer may seem counterproductive, getting kids interested in computers and security can be a fantastic antidote to burnout. There are a lot of national groups such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu, and CoderDojo as well as local STEM events, hackathons and bootcamps that are in need of expert support.

Show Them the Money: Scholarships
The cost of formal education is growing at a rapid pace, which keeps interested people from getting the skills they need to join this industry. The good news is that there are a lot of scholarships that have been set up to encourage people to pursue an education in security. Several sites, such as (ISC)², CyberWatchWest and WiCYS, maintain lists of resources for students seeking scholarships and internships. Security companies’ and schools’ websites may also offer information on additional financial resources. The second annual “ESET Women in Cybersecurity Scholarship” will be taking applications through March 15th.

Uncover Untapped Resources: Diversity
A lot has been said about the lack of diversity in the security industry. While this is problematic, it also represents a huge opportunity, as it points to an untapped resource for attracting new talent. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation of developers.

The ISACA report highlights another source of potential new hires that the industry may be overlooking: people who have neither formal education nor professional certifications in security. If someone has other important skills for the job at hand and technical aptitude or interest in security, but lacks more traditional qualifications, they may be automatically weeded out.

Some of the brightest people that I’ve known in the security industry came to it as a departure from a very different career path. People seem to have forgotten that not all security positions require a graduate degree in computer science, and that the necessary experience can be gained on the job. By making significant changes now, we can avoid the projected shortfall of 1.8 million professionals in 2022.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …


from Dark Reading – All Stories

‘Filecode’ ransomware attacks your Mac – how to recover for free

Thanks to Anna Szalay and Xinran Wu of SophosLabs for their behind-the-scenes work on this article.

Last week, SophosLabs showed us a new ransomware sample.

That might not sound particularly newsworthy, given the number of malware variants that show up every day, but this one is more interesting than usual…

…because it’s targeted at Mac users. (No smirking from the Windows tent, please!)

In fact, it was clearly written for the Mac on a Mac by a Mac user, rather than adapted (or ported, to use the jargon term, in the sense of “carried across”) from another operating system.

This ransomware, detected and blocked by Sophos as OSX/Filecode-K and OSX/Filecode-L, was written in the Swift programming language, a relatively recent programming environment that comes from Apple and is primarily aimed at the macOS and iOS platforms.

Swift was released as an open-source project in 2016 and can now officially be used on Linux as well as on Apple platforms, and also on Windows 10 via Microsoft’s Linux subsystem. Nevertheless, malware programmers who choose Swift for their coding almost certainly have their eyes set firmly on making Mac users into their victims.

The good news is that you aren’t likely to be troubled by the Filecode ransomware, for a number of reasons:

  • Filecode apparently showed up because it was planted in various guises on software piracy sites, masquerading as cracking tools for mainstream commercial software products. So far, we’re not aware of Filecode attacks coming from any other quarter, so if you stay away from sites claiming to help you bypass the licensing checks built into commercial software, you should be OK.
  • Filecode relies on built-in macOS tools to help it find and scramble your files, but doesn’t utilise these tools reliably. As a result, in our tests, the malware sometimes got stuck after encrypting just a few files.
  • Filecode uses an encryption algorithm that can almost certainly be defeated without paying the ransom. As long as you have an original, unencrypted copy of one of the files that ended up scrambled, it’s very likely that you will be able to use one of a number of free tools to “crack” the decryption key and to recover the files for yourself.

Ironically, the fact that you can recover without paying comes as a double relief.

That’s because the crook behind this ransomware failed to keep a copy of the random encryption key chosen for each victim’s computer.

We’ve written about this sort of ransomware before, dubbing it “boneidleware”, because the crooks were sufficiently inept or lazy that they didn’t even bother to set up a payment system, scrambling (or simply deleting) your files, throwing away the key, and then asking for money in the hope that at least some victims would pay up anyway.

CryptoLocker, back in 2013, was the first widespread ransomware. The crooks behind it set up an extortion process that could reliably supply decryption keys to victims who paid the ransom. Word got around that paying up, no matter how much it might hurt to do so, would probably save your data, and that’s what many people did, creating a “seller’s market” for ransomware demands. But recent attacks, where paying up doesn’t do any good, have started to change public opinion. In a neat irony, it looks as though the latest waves of ransomware have turned out to be the strongest anti-ransomware message of all!

We’ve seen three versions of Filecode: one claims to crack Adobe Premiere, the second to crack Office 2016, and the third, called Prova, seems to be a version that wasn’t supposed to be released:

The word prova means “test” in Italian.

This version only encrypts files in a directory called /Desktop/test, and doesn’t make any effort to hide the giveaway text messages stored inside the program:

If you run one of the “Patcher” versions of this ransomware, you’ll see a popup window that makes it clear the program is about to get up to no good:

If you click [Start], the process will begin under the guise of a fictitious message, shown here still pretending everything would be OK, even after the files on the Mac desktop had been encrypted:

In fact, Filecode goes through all the files it can access in the /Users directory, using the built-in macOS program find to list your files, zip to encrypt them, and rm to delete them. (Files removed using the rm program don’t go into the Trash and so can’t easily be recovered.)

The ZIP password used is a randomly-chosen 25-character text string, so that although each infected Mac will be scrambled with a different password, all the files in one run of the malware will have the same key. (As we’ll see below, that’s a silver lining in this case.)

Note that the Filecode malware doesn’t need administrator privileges. When you run the ransomware app, you implicitly give it the right to read and write the same set of files that you could read and modify yourself using any other app, such as Word or Photos. Ransomware doesn’t need system-wide access to attack your personal files, and those are the files that are most valuable to you. Because of this, you won’t see any giveaway warnings popping up to say “This app wants to make changes – Enter your password to allow this”. Generally speaking, only apps that need to install components that can be used outside the app itself, such as kernel drivers or browser plugins, will alert you with a password popup. We regularly meet Mac users who still don’t realise this, and who therefore think that looking out for password popups is a necessary and sufficient precaution against malware attack.

Filecode leaves behind a raft of text files that tell you how to pay 0.25 bitcoins (about $300 on the date we published this) to the crook behind the attack, giving you a Bitcoin address for the money and a temporary email address to make contact.

You’re then supposed to leave your computer connected to the internet so the criminal can access it remotely – instructions on how this part works are not supplied at this stage – and he promises to let himself in and unscramble your files within 24 hours.

Apparently, for BTC 0.45 (about $530) instead of BTC 0.25, you can buy the expedited service and he’ll unlock your files within 10 minutes:

The real problem comes if you don’t have a backup and make the stressful decision to pay up in the hope of making the best of a bad job.

We couldn’t see anywhere in the code where the crook keeps a record of the encryption key that he passes to the ZIP program, either by secretly saving the password locally or uploading it to himself.

In other words, Filecode seems to be yet another example of “boneidleware”, in which the crook either neglects, forgets or isn’t able to create a reliable back-end system to keep track of keys and payments, leaving both you and him with no straightforward recovery process.

Even if you did grant the crook access to your computer to “fix” the very problem he created in the first place, and even if he were able to connect in remotely to have a go, we think that he’d have no better approach than trying to crack the ZIP encryption from scratch.

So, in the unlikely event you are hit by this ransomware, you might as well learn how to crack the ZIP encryption yourself, and avoid having to rely on a criminal for help.

Cracking your own code

In our tests, a ZIP cracking tool called PKCRACK (it’s free to download, but you have to send a postcard to the author if you use it) was able to figure out how to recover Filecode-encrypted files in just 42 seconds.

That’s because the standard encryption algorithm used in the ZIP application was created by the late Phil Katz (the PK in the original PKZIP software), who was a programmer but not a cryptographer.

The algorithm was soon deconstructed and cracked, and software tools to automate the process quickly followed.

PKCRACK doesn’t work out the actual 25-character password used by the ransomware in the ZIP command; instead, it reverse-engineers three 32-bit (4 byte) key values that can be used to configure the internals of the decryption algorithm correctly, essentially short-circuiting the need to start with the password to generate the key material:

If we assume a choice of 62 different characters (A-Z, a-z and 0-9), then there are a whopping 62^25 alternatives to try, or about one billion billion billion billion billion.

But by focusing on the three internal 32-bit key values inside PKZIP’s encryption process, and the fact that only a small subset of combinations are possible, PKCRACK and other ZIP recovery tools can do the job almost immediately.

The only caveat is that you need to have an original copy of any one of the files that was encrypted by Filecode, because ZIP cracking tools rely on what’s called a known plaintext attack, where comparing the input and output of the encryption algorithm for a known file greatly speeds up recovery of the key.

Once you’ve cracked the 32-bit key values for one file, you can use the same values to decrypt all the other files directly, so you’re home free.
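To show what “three 32-bit key values” and “short-circuiting the password” mean in practice, here is an added example, written for this page from the public PKZIP APPNOTE description of the traditional ZIP stream cipher; it is not PKCRACK’s code, Sophos’s code, or anything from the malware. It implements the cipher, derives the three internal keys from a constructed 25-character password, encrypts two constructed “files” (each with the 12-byte encryption header a real ZIP entry carries), and then decrypts both starting from the keys alone, which is exactly the position a cracker leaves you in. It also shows the known-plaintext step: XORing ciphertext against a known original file exposes the keystream bytes that a tool like PKCRACK solves for the keys; the solving itself is not implemented here.

```python
from typing import Tuple

# Standard CRC-32 lookup table (reflected polynomial 0xEDB88320), as used by ZIP.
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = ((c >> 1) ^ 0xEDB88320) if (c & 1) else (c >> 1)
    _CRC_TABLE.append(c)


def _crc32_update(crc: int, byte: int) -> int:
    """One raw CRC-32 table step with no initial/final inversion: ZIP's crc32(crc, c)."""
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Cipher state: the three 32-bit key values that a ZIP cracker recovers."""

    INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)  # fixed by the specification

    def __init__(self, keys: Tuple[int, int, int] = INITIAL_KEYS):
        self.k0, self.k1, self.k2 = keys

    @classmethod
    def from_password(cls, password: bytes) -> "ZipCrypto":
        """Derive the internal keys by feeding the password bytes through update()."""
        state = cls()
        for b in password:
            state.update(b)
        return state

    def keys(self) -> Tuple[int, int, int]:
        return (self.k0, self.k1, self.k2)

    def update(self, byte: int) -> None:
        """Mix one plaintext byte into the state (spec: update_keys)."""
        self.k0 = _crc32_update(self.k0, byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def stream_byte(self) -> int:
        """Next keystream byte (spec: decrypt_byte); depends only on k2."""
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self.stream_byte())
            self.update(p)  # the state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self.stream_byte()
            self.update(p)
            out.append(p)
        return bytes(out)


HEADER_LEN = 12  # every encrypted ZIP entry starts with a 12-byte encryption header


def zip_encrypt_entry(password: bytes, plaintext: bytes, header: bytes) -> bytes:
    """Encrypt one entry: header then data, as a single keystream run from the password."""
    assert len(header) == HEADER_LEN
    return ZipCrypto.from_password(password).encrypt(header + plaintext)


def zip_decrypt_entry_with_password(password: bytes, ciphertext: bytes) -> bytes:
    return ZipCrypto.from_password(password).decrypt(ciphertext)[HEADER_LEN:]


def zip_decrypt_entry_with_keys(keys: Tuple[int, int, int], ciphertext: bytes) -> bytes:
    """What a cracker's output lets you do: start from the keys and skip the password."""
    return ZipCrypto(keys).decrypt(ciphertext)[HEADER_LEN:]


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: XOR exposes the keystream bytes the cracker solves from."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def keystream_for(keys: Tuple[int, int, int], plaintext: bytes) -> bytes:
    """Keystream the cipher emits over this plaintext when started from these keys."""
    cipher = ZipCrypto(keys)
    out = bytearray()
    for p in plaintext:
        out.append(cipher.stream_byte())
        cipher.update(p)
    return bytes(out)


if __name__ == "__main__":
    # Constructed inputs standing in for one ransomware run's password and two files.
    password = b"Constructed25CharPassword"  # 25 characters, like Filecode's
    header_a, header_b = bytes(range(12)), bytes(range(12, 24))
    file_a, file_b = b"Hello from the Mac desktop!", b"Second file, same run."
    ct_a = zip_encrypt_entry(password, file_a, header_a)
    ct_b = zip_encrypt_entry(password, file_b, header_b)
    keys = ZipCrypto.from_password(password).keys()  # what a cracker recovers
    print("internal keys:", [hex(k) for k in keys])
    print(zip_decrypt_entry_with_keys(keys, ct_a))  # file A, no password needed
    print(zip_decrypt_entry_with_keys(keys, ct_b))  # file B, same keys
```

The design point is in `update()`: the password is never stored anywhere in the stream; it only sets the initial 96 bits of state, and every entry written with the same password starts from that same state. That is why one recovered key triple decrypts every file from the same run, and why the 62^25 password space is irrelevant to a cracker that targets the three internal values instead.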

What to do?

Watch this space for our follow-up article giving a step-by-step description of how we got our own files back for free from our sacrificial test Mac!


from Naked Security – Sophos