Tuesday, July 22, 2014

How Phishing is Done via Malicious Code

Hackers phish out your personal data about as easily as someone sitting in a canoe on a still pond casts the bait and waits for the fish to bite.
So many people fail to learn about phishing scams, a favorite and extremely prevalent scam among cybercriminals.
A type of phishing scam is to lure the user onto a malicious website. ZeuS (Zbot) is such an example, planted on websites; visit that site and it will download a virus to your device that will steal your online banking information, then forward it to a remote server, where the thief will obtain it. Very clever.
But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail, and then taking that gullibility one step further by clicking on the link to the malicious site.
10 Phishing Alerts
  • An unfamiliar e-mail or sender. If it’s earth-shaking news, you’ll probably be notified in person or via a voice phone call.
  • An e-mail that requests personal information, particularly financial. If the message contains the name and logo of the business’s bank, phone the bank and inquire about the e-mail.
  • An e-mail requesting credit card information, a password, username, etc.
  • A subject line that’s of an urgent nature, particularly if it concludes with an exclamation point.
Additional Tips
  • Keep the computer browser up-to-date.
  • If a form inside an e-mail requests personal information, delete the e-mail rather than filling it in.
  • The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
  • Check out special toolbars that can be installed in a web browser to help guard the user from malicious sites; such toolbars provide fast alerts when they detect a fraudulent site.
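The warning signs above can be turned into a simple mail-triage check. The following is an added example, not code from the original post: it scores a message against the listed signs (unfamiliar sender, a request for credentials or financial details, an urgent subject line, an embedded form). The keyword lists, the two-signal threshold and the sample messages are this example's own constructions.

```python
import re

# Keyword lists are this example's own choices; the post only names the categories.
CREDENTIAL_TERMS = re.compile(
    r"\b(password|username|credit card|card number|cvv|pin|account number|social security)\b",
    re.IGNORECASE,
)
URGENT_TERMS = re.compile(
    r"\b(urgent|immediately|act now|within 24 hours|suspended|final notice)\b",
    re.IGNORECASE,
)


def phishing_signals(msg, known_senders):
    """Return the warning signs a message triggers.

    msg: dict with 'from', 'subject', 'body' and optional 'has_form' keys
    known_senders: set of lower-cased addresses the user already corresponds with
    """
    signals = []
    if msg["from"].lower() not in known_senders:
        signals.append("unfamiliar sender")
    if CREDENTIAL_TERMS.search(msg["subject"] + "\n" + msg["body"]):
        signals.append("asks for credentials or financial details")
    subject = msg["subject"].strip()
    if subject.endswith("!") or URGENT_TERMS.search(subject):
        signals.append("urgent subject line")
    if msg.get("has_form"):
        signals.append("embedded form requesting personal information")
    return signals


def verdict(signals):
    """Two or more signs: treat as phishing; one sign: verify out of band (phone the bank)."""
    if len(signals) >= 2:
        return "likely phishing"
    if signals:
        return "verify before acting"
    return "no phishing signs"


# Constructed sample messages (not real mail).
SUSPICIOUS = {
    "from": "security@bank-verify-example.test",
    "subject": "URGENT: confirm your account now!",
    "body": "Enter your username and password in the form below.",
    "has_form": True,
}
ORDINARY = {
    "from": "alice@example.test",
    "subject": "Lunch on Friday?",
    "body": "Same place as last time?",
}

if __name__ == "__main__":
    contacts = {"alice@example.test"}
    for m in (SUSPICIOUS, ORDINARY):
        s = phishing_signals(m, contacts)
        print(m["subject"], "->", verdict(s), s)
```

The point of the two-tier verdict is the post's own advice: a single sign is a reason to confirm through a channel you already trust, not a reason to click anything in the message.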

Wednesday, May 21, 2014

How NSA Allegedly Hacks into your Network ?


The United States' National Security Agency succeeded years ago in penetrating the company's digital firewalls. An NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.
The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA's department for Tailored Access Operations (TAO). In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.
Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station", a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones, costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.
The ANT division doesn't just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer's motherboard that is the first thing to load when a computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe this approach has provided them with the possibility of permanent access.
Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are "remotely installable", in other words, installed over the Internet. Others require a direct attack on an end-user device (an "interdiction," as it is known in NSA jargon) in order to install malware or bugging equipment.

Wednesday, May 14, 2014

Court in EU Backs 'Right to be Forgotten' on Google

Court in EU Backs 'Right to be Forgotten'

European Union Internet users now can ask Google and other search engines to remove certain sensitive information from Internet search results, Europe's highest court ruled on May 13, 2014.
The ruling, handed down by the Court of Justice of the European Union, states the "operator of the search engine ... is, in certain circumstances, obliged to remove links to Web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person's name."
The court's ruling on the "right to be forgotten" stems from a case involving a man in Spain who argued that Google's search results disclosed details about the auction of his repossessed home over unpaid debts. "[The man] stated that the proceedings concerning him had been fully resolved for a number of years and that reference to them was now entirely irrelevant," the ruling states.
Google, in a statement provided to Information Security Media Group, said: "This is a disappointing ruling for search engines and online publishers in general. We now need to take time to analyze the implications."

EU Justice Commissioner Viviane Reding, the European Commission's vice president, said on her Facebook page May 13 that the judgment is a "clear victory" for the protection of Europeans' personal data.

"Companies can no longer hide behind their servers being based in California or anywhere else in the world," she wrote. "Today's judgment is a strong tailwind for the data protection reform that the European Commission proposed in January 2012 as it confirms the main pillars of what we have inscribed in the data protection regulation. The ruling confirms the need to bring today's data protection rules from the 'digital stone age' into today's modern computing world."

The Implications

This judgment should make it easier for individuals who seek the removal or blocking of links to information that they find offensive, irrelevant or obsolete to obtain redress if the search engine ignores their request. It strikes a balance between the public's right to have access to any information that has been legally published, and the individual's right to obtain the blocking of data that might be inadequate, not relevant or no longer relevant, or excessive in relation to the purpose for which it was processed, and in the light of the time that has passed.
The ruling changes the risk landscape not only for services that publish information as first-party original content, but for any service that aggregates data from other websites, such as Facebook, Twitter and search engines. This is an incredibly significant decision for all of them.
In India, someone would have to file a writ in a court of competent jurisdiction to have the same judgment passed here.

DDoS Analysis for 2014 - A Serious Risk

DDoS Analysis for 2014
DDoS attacks are evolving in complex, dangerous ways. Companies assessing their risk and protection should consider:
• Nearly twice as many companies (60 percent) report being attacked in 2013.
• Almost 92 percent of those attacked were hit repeatedly.
• 57% of DDoS targets were victims of theft: funds, customer data or intellectual property.
• Though attack duration is down, the number of attacks between 1–5 Gbps shot up nearly three times.
• DDoS drains manpower: over half of businesses (57 percent) need 6 or more people to mitigate DDoS attacks.
• Risks of $1M a day (estimated outage losses) are common: 4 in 10 companies would suffer this much or more.
• DDoS is costly across the enterprise. Customer service and other public-facing areas now take as large a hit as IT/Security.
In protecting against DDoS attacks, companies must ask: What do they stand to lose if they’re hit hard? Rigorous risk, threat and cost analysis is in order. 
DDoS attacks are as hard to predict as they are to stop, which is why the risk analysis has to be done before an attack, not during one.

Sunday, April 27, 2014

2014 Internet Security Threat Report


Highlights from the 2014 Internet Security Threat Report

Key Findings
91% increase in targeted attack campaigns in 2013
62% increase in the number of breaches in 2013
Over 552M identities were exposed via breaches in 2013
23 zero-day vulnerabilities discovered
38% of mobile users have experienced mobile cybercrime in past 12 months
Spam volume dropped to 66% of all email traffic
1 in 392 emails contains a phishing attack
Web-based attacks are up 23%
1 in 8 legitimate websites has a critical vulnerability

Monday, March 3, 2014

Citadel : The Banking Trojan for Cyber Attacks on Banks

Citadel : The Banking Trojan wanna buy one ..

Citadel is a banking trojan based on the Zeus source code. A few months after the Zeus source code was leaked, a threat actor using the moniker "AquaBox" was observed on a Russian-language eCrime forum offering Citadel 1.1, a new derivative of Zeus malware. Citadel retained basic Zeus functionality but added modifications to improve the functionality and security of this banking trojan.
Citadel developed a community of customers and contributors around the globe that suggested new features and contributed code and modules as part of an ad hoc criminal social network. Capabilities included AES encryption of configuration files and communications with the C2 server, an ability to evade tracking sites, the capacity to block access to security sites on victims' systems, and the ability to record videos of victims' activities. The network of Citadel contributors continued adding innovative features to the trojan, making it more adaptive and faster, until the trojan became ubiquitous and criminals began using it for all types of credential theft.
The Citadel toolkit is made up of three parts: a builder, the actual trojan, and a C2 web panel. The builder allows the attacker to edit and compile the configuration file and to build the actual trojan that is delivered to victims' systems. The trojan modifies the compromised computers and steals information. The C2 server monitors and controls the trojan and stores all stolen data.
Citadel infects computers through many different methods. The attackers behind the Citadel trojan have made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits. Table-5 shows the statistics for the Citadel samples and configurations analyzed in 2013.
ATTRIBUTE            COUNT
C2 servers           905
Configuration files  2,296
Samples              21,716
Encryption keys      311
Versions             5
Targets              1,170 (unique); 137,000 (total)
Table 5. Citadel samples and configuration files analyzed in 2013.
Architecture
Citadel's C2 design is simple. Each trojan is programmed to connect to one or more C2 servers. Attackers can dynamically update the C2 server options from a configuration file. Cybercriminals may rent individual servers to orchestrate their banking campaigns.
The Citadel trojan running on an infected system has two primary functions:
  • Passive function: automatically executed on the infected system through application programming interface (API) hooking. The hooked code embedded in network and other APIs performs the following tasks:
    • HTTP session redirection
    • Web injections (MITB attack)
    • FTP credential theft
    • POP3 credential theft
    • Flash files control
    • Keystroke logging
    • Screen capture
    • Video recording of activities
  • Active function: executed upon receipt of a command from the C2 server. Citadel supports the following commands, organized by category:
    • OS — shutdown, reboot
    • FS — search, download, upload
    • Bot — install, uninstall, add, remove, httpinject enable/disable
    • User — logoff, url_block, certs_get, homepage_set, execute, destroy
    • DDoS — start, stop
    • Module — execute enable/disable, download enable/disable
    • Info — system info
Webinject module
Citadel introduced a new feature called "dynamic webinjection." This feature is implemented through an entry in the configuration file and a command issued to the bot from the C2 server. The new dynamic webinject feature is triggered by a command called "webinjects_update", which takes two arguments. A typical command uses the following syntax:
               webinjects_update dual "webinjects/new.js"
The first option can be "dual," "single," or "disabled," and the second option is a file path. "Dual" indicates that this webinject file should be used in conjunction with existing webinjects contained in the configuration file; "single" instructs the bot to use the listed webinject file instead of the data in the configuration file; and "disabled" turns web injection off. The second argument is the full path to the server file that contains the webinject code.
When the bot receives this command, it issues an HTTP POST request for the specified webinject file. The C2 server replies with the relevant file. The request and the reply are formatted and scrambled using the AES+RC4 encryption scheme.
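For an analyst reading decrypted C2 traffic, the command syntax above is what tells you which webinject set a bot will apply. The following parser is an added example, not Citadel's own code or anything from the original post: it validates a captured "webinjects_update" command and resolves the sources the bot would use afterwards. The label "config" for the webinjects already in the configuration file, and the sample command strings, are this example's own assumptions.

```python
import shlex

# The three modes the post describes for the first argument.
MODES = ("dual", "single", "disabled")


def parse_webinjects_update(command: str):
    """Split a webinjects_update command into (mode, server file path).

    Raises ValueError when the command does not follow the documented shape,
    which is what you want when triaging command strings of uncertain origin.
    """
    tokens = shlex.split(command)  # handles the quoted path in the typical form
    if not tokens or tokens[0] != "webinjects_update":
        raise ValueError("not a webinjects_update command")
    if len(tokens) != 3:
        raise ValueError("expected exactly two arguments: mode and file path")
    mode, path = tokens[1], tokens[2]
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {MODES}")
    return mode, path


def active_webinject_sources(mode: str, path: str, config_has_webinjects: bool = True):
    """Which webinject data the bot applies after the command (per the post):
    'dual' = config file injects plus the new file, 'single' = the new file only,
    'disabled' = web injection off. 'config' is this example's own label."""
    if mode == "disabled":
        return []
    if mode == "single":
        return [path]
    sources = ["config"] if config_has_webinjects else []
    return sources + [path]


def describe(command: str) -> str:
    """One-line summary suitable for an analyst's notes."""
    mode, path = parse_webinjects_update(command)
    sources = active_webinject_sources(mode, path)
    return f"mode={mode} path={path} active={sources or 'none'}"


if __name__ == "__main__":
    # Constructed sample commands; the first is the typical form quoted in the post.
    for cmd in ('webinjects_update dual "webinjects/new.js"',
                'webinjects_update single "webinjects/bank.js"',
                'webinjects_update disabled ""'):
        print(describe(cmd))
```

The strictness is deliberate: a command with a fourth token or an unknown mode is more likely a parsing mistake on the analyst's side (wrong decryption key, truncated capture) than a new feature, and failing loudly surfaces that early.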
Citadel has emerged as a popular choice in the underground economy for use in financial fraud. Its improved feature list suggests that the Citadel authors continue to innovate and improve the overall quality of their product by adding functionality that their competitors do not offer. Citadel has allowed attackers to expand their reach and target a larger variety of web browsers. It provides a platform for additional criminal revenue opportunities, such as installation of ransomware.
Improvements
The Citadel authors created a crowd sourced model for feature improvement by allowing customers and prospective users to propose features. Citadel has built upon the base capabilities of Zeus by introducing the following improvements:
  • Google Chrome support — Citadel added support for hooking and monitoring Chrome activity.
  • Revised cryptography — Citadel's encryption routine changed from standard RC4 to 128-bit AES. Citadel also modified the RC4 implementation slightly by adding an XOR operation with the original seed string. This custom RC4 implementation is also used to encrypt stolen data sent to the C2 server.
  • Sandbox detection — Citadel can detect if it is running within a virtualized environment. If so, Citadel alters its behaviour, generating a random "decoy" domain name and URL path for the C2 URL rather than connecting to its typical C2 server.
  • Video capture — The video capture plugin is typically downloaded from the C2 server when the malware connects for the first time. The ability to capture video allows a threat actor to monitor portions of a victim's entire browsing session.
  • Denial of service — Citadel included the capability for infected systems to participate in a distributed denial of service (DDoS) attack against a specified target. The botmaster initiates this command via the Citadel control panel.
  • Automated command execution — Citadel improved Zeus's ability to execute an arbitrary command on an infected system by introducing a series of pre-defined commands.
  • Aggressive DNS filtering — Citadel introduced a capability to alter the domain name resolution to prevent antivirus (AV) and security companies from resolving domain names, block AV software from receiving updates, and prevent victims from visiting AV or other security sites to download removal tools and obtain mitigation advice.
In May 2013, the Citadel 3.1 variant was first identified as introducing the ability to spread via external devices, such as USB, by taking advantage of the "autorun.inf" functionality. It also introduced a "port scan" command and added a new encryption layer for both communication and the configuration file. Compared to the last known Citadel version 1.3.5.1, the encryption scheme was modified slightly with an added XOR layer and a fixed constant value included in the binary and 32 random bytes.


Tuesday, February 11, 2014

Cyber Weapon : Duqu

I have been analyzing a malware threat identified as the Duqu trojan. This Trojan horse has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010. I have put countermeasures in place to detect Duqu C2 traffic, and I continue to monitor for new Duqu samples and update protections as needed.
What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.
In addition to the RAT, another piece of malware was recovered with Duqu in one instance. This malware is an information stealer designed to log user keystrokes and other information about the infected system. This piece of malware is believed to be related due to programming similarities with the main Duqu executables.
What is the relationship to Stuxnet?
There has been much speculation that Duqu is a new version of Stuxnet or that it was written by the same authors. There are several factors that could influence these speculations:
  • Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
  • Encrypted DLL files are stored using the .PNF extension. This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.
  • The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
  • Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate. One variant of the Duqu kernel driver was signed by a certificate from C-Media Electronics Incorporation. An unsigned Duqu kernel driver claimed to be a driver from the JMicron Technology Company, which was the same company whose software signing certificate was used to sign one of the Stuxnet kernel driver files. The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.
Attribute                         Duqu                                          Stuxnet
Infection methods                 Unknown                                       USB (Universal Serial Bus); PDF (Portable Document Format)
Dropper characteristics           Installs signed kernel drivers to decrypt     Installs signed kernel drivers to decrypt
                                  and load DLL files                            and load DLL files
Zero-days used                    None yet identified                           Four
Command and control               HTTP, HTTPS, Custom                           HTTP
Self propagation                  None yet identified                           P2P (Peer to Peer) using RPCs (Remote Procedure Call);
                                                                                Network shares; WinCC databases (Siemens)
Data exfiltration                 Add-on, keystroke logger for user and         Built-in, used for versioning and updates of
                                  system info stealing                          the malware
Date triggers to infect or exit   Uninstalls self after 36 days                 Hard coded, must be in the range 19790509 => 20120624
Interaction with control systems  None                                          Highly sophisticated interaction with Siemens SCADA control systems
Table 1. Comparison of Duqu and Stuxnet.
Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the "injection" component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.
Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu's primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.
Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary's ability to gather intelligence from an infected computer and the network. I have not identified any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware.
What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
Duqu uses multiple protocols to communicate with its C2 server, including standard HTTP on TCP port 80 and a custom protocol on TCP port 443. Some of Duqu's communications that use TCP port 443 do not use the HTTPS protocol. Organizations may be able to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
I am aware of the following files that may be installed by the Duqu trojan. The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.
Name                                                File Size       MD5
jminet7.sys                                         24,960 bytes    0eecd17c6c215b358b7b872b74bfd800
netp191.pnf                                         232,448 bytes   b4ac366e24204d821376653279cbad86
netp192.pnf                                         6,750 bytes     94c4ef91dfcd0c53a96fdc387f9f9c35
cmi4432.sys                                         29,568 bytes    4541e850a228eb69fd0f0e924624b245
cmi4432.pnf                                         192,512 bytes   0a566b1616c8afeef214372b1a0580c7
cmi4464.pnf                                         6,750 bytes     e8d6b4dadb96ddb58775e6c85b10b6cc
<unknown> (sometimes referred to as keylogger.exe)  85,504 bytes    9749d38ae9b9ddd81b50aad679ee87ec
nfred965.sys                                        24,960 bytes    c9a31ea148232b201fe7cb7db5c75f5e
nred961.sys                                         unknown         f60968908f03372d586e71d87fe795cd
adpu321.sys                                         24,960 bytes    3d83b077d32c422d6c7016b5083b9fc2
iaStor451.sys                                       24,960 bytes    bdb562994724a35a1ec5b9e85b8e054f
Table 2. Byproducts of Duqu.
The name "Duqu" was assigned to this malware because the keylogger program creates temporary files that begin with the prefix "~DQ". A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems the way the Stuxnet worm could. In addition, all of the Duqu files I have analyzed would likely have been installed by an initial installer or "dropper" malware. None of the original installers have been recovered. The recovery of one of these installers may help provide clues to how Duqu infections occurred.
Is Duqu an advanced persistent threat (APT)?
I don’t identify individual tools as APT. APT is a threat actor or actors targeting an organization for assets of interest. An APT involves planning by the adversary, teams with specialized roles, multiple tools, patience and persistence. While Duqu does provide capabilities used by other tools observed in APT-related intrusions, an assessment of the particular threat requires knowledge of the adversary, targeted organization and assets and the scope of attacks.
Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.
What can I do to protect my organization from Duqu?
  • Administrators should use host-based protection measures, including antivirus and antimalware, as part of a holistic security process that includes network-based monitoring and controls, network segmentation and policies, user access, and controls to help mitigate the threat of malware like Duqu.
  • A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
  • Organizations may want to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
  • Administrators should monitor their network for systems attempting to resolve Duqu-related domains or connect to Duqu C2 IP addresses for possible infection.
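The indicators above (the Table 2 hashes, the "~DQ" temp-file prefix, the lookup domain and C2 address, and non-SSL traffic on TCP 443) can be checked mechanically. The script below is an added example, not code from the original post or from any vendor: the hash list, domain and IP are copied from the post, while the log-line format, the TLS-record heuristic and the sample log lines are this example's own constructions. It reports file-hash matches, "~DQ" file names, and network records that hit the domain, the C2 IP, or port 443 without a TLS handshake.

```python
import hashlib
import re

# Indicators quoted from the post (Table 2 MD5s, the lookup domain, the C2 IP).
DUQU_C2_IP = "206.183.111.97"
DUQU_LOOKUP_DOMAIN = "kasperskychk.dyndns.org"
DUQU_TEMP_PREFIX = "~DQ"
DUQU_MD5 = {
    "0eecd17c6c215b358b7b872b74bfd800": "jminet7.sys",
    "b4ac366e24204d821376653279cbad86": "netp191.pnf",
    "94c4ef91dfcd0c53a96fdc387f9f9c35": "netp192.pnf",
    "4541e850a228eb69fd0f0e924624b245": "cmi4432.sys",
    "0a566b1616c8afeef214372b1a0580c7": "cmi4432.pnf",
    "e8d6b4dadb96ddb58775e6c85b10b6cc": "cmi4464.pnf",
    "9749d38ae9b9ddd81b50aad679ee87ec": "<unknown> (keylogger.exe)",
    "c9a31ea148232b201fe7cb7db5c75f5e": "nfred965.sys",
    "f60968908f03372d586e71d87fe795cd": "nred961.sys",
    "3d83b077d32c422d6c7016b5083b9fc2": "adpu321.sys",
    "bdb562994724a35a1ec5b9e85b8e054f": "iaStor451.sys",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_md5(hexdigest: str):
    """Return the Table 2 file name for a known Duqu hash, else None."""
    return DUQU_MD5.get(hexdigest.lower())


def check_file(path: str):
    """Hash a file on disk and look it up in the Table 2 list."""
    with open(path, "rb") as f:
        return match_md5(md5_hex(f.read()))


def suspicious_temp_names(names):
    """File names in a Windows temp directory that carry the ~DQ prefix."""
    return [n for n in names if n.startswith(DUQU_TEMP_PREFIX)]


def looks_like_tls(first_bytes: bytes) -> bool:
    """Heuristic (this example's assumption, not from the post): a TLS session
    opens with a record header 0x16 0x03 (handshake, SSL 3.0/TLS), or an
    SSLv2-style ClientHello whose first byte has the high bit set and whose
    third byte is 0x01. Anything else on port 443 is worth a look."""
    if len(first_bytes) < 3:
        return False
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return True
    return bool(first_bytes[0] & 0x80) and first_bytes[2] == 0x01


# Constructed log formats: "<src> query <name>" for DNS, and
# "<src> -> <dst>:<port> first=<hex of first bytes sent>" for connections.
DNS_LINE = re.compile(r"^(?P<src>\S+) query (?P<name>\S+)$")
CONN_LINE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) first=(?P<hex>[0-9a-fA-F]*)$")


def scan_logs(lines):
    """Return (source host, reason) pairs for lines matching a Duqu network indicator."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            if m["name"].lower().rstrip(".") == DUQU_LOOKUP_DOMAIN:
                findings.append((m["src"], "resolved Duqu connectivity-check domain"))
            continue
        m = CONN_LINE.match(line)
        if not m:
            continue
        if m["dst"] == DUQU_C2_IP:
            findings.append((m["src"], "connection to Duqu C2 IP"))
        elif m["port"] == "443" and not looks_like_tls(bytes.fromhex(m["hex"])):
            findings.append((m["src"], "non-SSL traffic on TCP 443"))
    return findings


# Constructed sample log lines (not real captures); 203.0.113.x and
# 198.51.100.x are documentation address ranges.
SAMPLE_LOG = [
    "10.0.0.5 query www.example.com",
    "10.0.0.7 query kasperskychk.dyndns.org",
    "10.0.0.5 -> 203.0.113.10:443 first=160301",
    "10.0.0.7 -> 206.183.111.97:80 first=474554",
    "10.0.0.9 -> 198.51.100.20:443 first=00000001",
]

if __name__ == "__main__":
    for src, why in scan_logs(SAMPLE_LOG):
        print(src, why)
    print(suspicious_temp_names(["~DQ1234.tmp", "setup.log"]))
```

As the post itself cautions, the port-443 check will also catch unrelated software, so treat it as a lead to investigate rather than a verdict; the hash and domain matches are the strong signals.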


FIR : All you want to know about in a criminal case

FIR - What is?  The first information report is a report giving information of the commission of a cognizable crime,  which may be made by t...