This could be a long blog post, but I’ll try to make it short. However, for those of you that are lazy, here you can read the answer to the question, and the ones interested on the whole story (I will make it short, I promise) just follow the * mark:

NO (*)

(*): One of the characteristics of a targeted attack is that the attacker has previously studied the victim (who is a specific person or organization). This attacker will study the victim: Which systems he is running, where the most valuable information is located, what defenses are built in place, etc. And not only that, also the person(s) will be investigated, in which fields are they working, what hobbies they have, etc. This is why it is almost impossible to avoid these kinds of attacks. However, this is not a reason to lower our defenses, and that’s something that really puzzles me: taking a look at some of the major attacks we have seen in the last years, many of them were possible because there were servers with no antivirus protection, with an outdated operating system, etc. In a single word: negligence.

However, this is not always the case. If we take a look at the 2 most important attacks that have happened during 2011 (the RSA incident and the Duqu case) we will see that both attacks were really sophisticated, and that the way to start the intrusion was a mix of social engineering mixed with some kind of software vulnerability. I would like to point out that in both cases users were receiving a document, and once it was opened the document dropped and run a file in the system, and from that moment on the system was compromised. Of course, these kind of attacks can be done using known or unkown vulnerabilities, and you could argue that a user has no way to detect that a document is malformed in that way, and that the antivirus won’t detect a single thing as it will be new and the attacker has previously checked that the malware pieces involved were not detected: fair enough, I do agree with that.

And what if I tell you that if they had used Panda the attack would have failed? In 2004 we released TruPrevent technologies, with the goal to detect a portion of the brand new malware, that one that was still not detected with signatures. Since then we have included those technologies in our products, and one of those basically prevents that opening a document a file is downloaded and executed. Smart, nice, clean…

Conclusion: in case RSA, or any of the companies attacked by Duqu, had used even the free version of Panda Cloud Antivirus those intrusions wouldn’t have happened… IN THAT WAY. Anyway, remember the answer to the question (“NO”). Attackers would have figured out a way to circumvent it, probably trying a different kind of attack, but the harder we make it, the more chances we’ll have to avoid it.

Read more:
Could targeted attacks be avoided?

There is a new friend in the village. Many people thought that the fake antivirus (aka rogueware) business had decreased, and it was true that for a few months rogueware infections were not that prevalent, mainly due to the efforts made by law enforcement with the help of security companies, but it was a matter of time to have them back. In the last weeks we have seen an increase in the infections, and today I want to show you a new one that calls itself “Cloud AV 2012″.

Cybercriminals always try to confuse their victims, so they use names similar or equal to those used in real antivirus products. In this case they have taken advantage of the famous Panda Cloud AV to do their trick. Once it is installed in your computer, it will create a link in your desktop to open the program, but you won’t need to do it as as soon as it is installed it will open itself and will launch a system scan, which will give you as a result loads of malware found in your system. Of course that won’t be true, but they don’t care:

What any user would do here is to click on “Remove threats”, but once you click on it, a new window will pop up asking you to buy the product:

Of course, if you want to buy it you will be redirected to a web form where you can make the payment:

Of course if you give your credit card to pay the 52$, you’ll get the code to unlock the fake antivirus… if you don’t do it, you’ll get a message every now and then telling you are still infected. And what it’s worse, everytime you try to run any program in your computer it will tell you that it is infected, so your computer will be useless.

So… what to do if you are already infected? You should start your computer in Safe Mode, go to www.cloudantivirus.com and install the real Panda Cloud Antivirus to remove all the malicious files. Easy, isn’t it?

Read the original post:
Fake Cloud AV 2012

Greetings from Hong Kong! This week we are enjoying the security conference AVAR, which is taking place in Hong Kong. Some interesting topics are being covered, such as the talk “Malware in EFI”, where Intel’s Igor Muttik showed us how malware could take advantage of the the EFI (Extensible Firmware Interface)  and the challenges we could be facing, as well as the countermeasures that can be taken. Another topic that has been around a lot is malware in mobile devices. Even though it is not that prevalent, it is true that it is an emerging threat and it raises some interesting thoughts. Of course the cloud is another topic covered here, but one of the most interesting ones are those that are talking about targeted attacks in certain countries in Asia, as South Korea and Japan. The full program is here in case you want to take a look at it.

As some of you may remember, in last year’s AVAR in Bali I was awarded the “Wildlist Reporter of the year” prize, so this year I was the one in charge of giving the prize to the next. On Thursday night, after the gala dinner, I went to the stage to announce the next “Wildlist Reporter of the year” winner, and that was my good friend Philipp Wolf, Director of Protection Labs in Avira. In the following picture, from left to right, you can see Luis Corrons, Philipp Wolf and Peter Chung (Wildlist Director):

Wildlist Reporter of the Year

The rest is here:
Hong Kong, AVAR 2011

The new PandaLabs Report Q3 11 is out. Take a look at what has happened in the computer security field during the last 3 months. Just click on the picture.

In this quarter 5 million new malware samples have been created and the record of new Trojans has been broken as it the preferred category by cybercriminals to carry out their theft of information.

The Anonymous Group, who starred in the second quarter, has continued making the headlines in this period, due to the arrest of some members, theft of data from different web sites and operation PayPal.

The PandaLabs report also includes information about cybercrime, cyberwar, social networks, Mac and cell phones, social networks and a wide section to explain about exploits.

The highlight of this third quarter is the record set in the creation of new Trojan samples. 3 out of 4 new malware samples created by cybercriminals are Trojans and this is just another proof that they are focused on stealing users information.

See the original post here:
PandaLabs Report – Q3 2011

Article written by David Sánchez Lavado

This post explains how to analyze the malicious code used in current Exploit Kits.

There are many ways to analyze this type of code, and you can find tools that do most of the job automatically. However, as researchers who like to understand how things work, we are going to analyze it with no other tools than a text editor and a Web browser.

My goal is to lay the basis for you to learn how to remove the different obfuscation layers that a malicious JavaScript code may employ. I will teach you how to remove those layers step by until you get to the last layer where the logic that exploits the relevant vulnerability is found.

IMPORTANT: I recommend that you perform this type of analysis on a virtual machine on its own isolated network in a laboratory dedicated exclusively to this type of research to avoid unwanted infection.

BASIC CONCEPTS

Generally speaking, malicious code is used to exploit vulnerabilities in Web browsers and PDF readers like Adobe Reader or Foxit. This code is usually written in javascript and has various layers of obfuscation. Code obfuscation techniques are generally used to make code difficult to understand for researchers, avoid detection by signatures or bypass automated scanning tools. The way they work is really simple: each of these layers calls other functions that obfuscate code that will become part of the next layer and so on and so forth until the final code.

The final code is normally divided into two parts. The first one aims at detecting the Web browser version and the plug-ins installed on the victim’s computer (like Adobe Reader, Apple Quicktime or the Java virtual machine). The second part selects the vulnerability to exploit according to the information gathered in the first part.

CODE ANALYSIS

The image below is a screenshot of the malicious code to be analyzed in this article.

As you can see, the code is made up of several HTML objects. However, if you look closer you can actually identify different things in these objects: First: The value of the id attribute for each of these objects has the format “+CytobimusubekUda”, where “” is a number from 0 to 1230 in consecutive order. Second: The value of each object is an apparently meaningless string of characters of approximately the same length, and the word Add repeated several times inside it.

All this seems to indicate that the id attribute is used as an index (look at the consecutive numbers) in a cycle to parse all HTML objects and deobfuscate their contents to create a new code layer. Let’s start analyzing the code.

FORMATTING THE CODE

The first thing I usually do when examining a javascript code is use the Format Code option in Malzilla. This option formats the code as if it had been written with a program such as Visual Studio. Although simple, this is a very important step as many times the code is not properly formatted and is hard to understand.

You could also do this manually, line by line, but you risk making a mistake and it will take you too long. For example, the malicious code that we will analyze here contains almost 600 lines of script code and HTML code.

Malzilla is an excellent utility to analyze malicious code automatically. However, in this article we intend to analyze this malware strain manually.

Unformatted code (before using the “Format Code” option)

Well-formatted code (after using Malzilla’s “Format Code” option)

THE TOOL

The next step is to copy the well-formatted Javascript code to the text editor to be used in the analysis. Any text editor with the following basic options should be enough:

1. JavaScript code identification: It will help you view the code and quickly detect Javascript functions.
2. String search-and-replace: This will help you avoid mistakes when replacing the names of functions and variables.
3. Windows Tabs: This is optional. Tabs will let you work very quickly when analyzing the code of various files.

FINDING THE ‘START’ FUNCTION

The sample currently has 96 lines of javascript code and more than 500 lines of HTML code. You will reduce the number of lines as you remove the obfuscation layers. The first thing you have to do is determine the javascript code that runs when the browser loads the malicious Web page. Then you have to analyze all the other functions as they are run.

The first steps to take with every function are the following:

1. Simplify the code to analyze
2. Rename the functions and variables for the code to be easier to understand.

To do that, first check the HTML code, and if there is no HTML object that calls a javascript function, proceed to analyze the code found between the tags. There you must find the code that does not belong to a function definition, as that will be the code that runs automatically when the Web page is loaded by the browser.

The screenshot below shows that code between lines 81 and 89 (both included). You can also see that the HazakeduhaQurenepenus() function (85) is the first one to run (the previous three don’t perform any important actions). Therefore, this is the first function that you must analyze.

Code run on loading the page (red rectangle)

SIMPLIFYING THE CODE AND MAKING IT EASIER TO UNDERSTAND

Simplifying the code and making it easy to understand is one of the most difficult yet important tasks. It involves studying almost every instruction in the javascript code, and modifying them to create a code that is easier to understand and analyze.

VERY IMPORTANT: When modifying the code, don’t change the final result that would be returned by the original code.

As previously said, start with the HazakeduhaQurenepenus() function. This function looks like this:

“HazakedubaQurenepenus()” function before the analysis

In the code, pay special attention to the functions that are not part of the javascript API, that is, the functions programmed by the user. You have to resolve the value that these will return in order to analyze the function.

In the code above, the factor to resolve is the PypiwIgo() function that has the following code:

If you take a look at it and you are familiar with the javascript language, you will realize that the function will return the getElementById string every time it is called. With this in mind and knowing that the DeqesedaDakonyqev variable refers to the document object, you can make the first change for the code to be easier to understand. The resulting code will look like this:

“HazakedubaQurenepenus()” function after the analysis

You may have noticed that I have changed the name of several variables and of the analyzed function itself to func_decrypt_01. This may seem a little bit bold, but after having analyzed many functions like this you become capable of recognizing certain code structures at a glance.

Your next objective is to resolve the value to be returned by the function in the buffer variable. To do that, you must separate the function from the original code and run it independently. Prior to that, you must make sure that the function to analyze will not need any external values or any other piece of data calculated by any other function of the assigned code in any global variable. Otherwise, you will have to first calculate that value and then replace it in the code to isolate. This is very important as otherwise you will probably not be able to run the code separately: the Web browser will show an error when loading the page and it will not be possible to run the code or it simply won’t behave in the same way as if it had been run with the entire malicious code.

Let’s see this with an example in the code we are analyzing. The following instruction refers to an external value in the DasuRokyduconiwidy HTML object.

string_01 = document.getElementById(“DasuRokyduconiwidy”).innerHTML;

The resulting value is assigned to the string_01 variable. Since this variable is used inside the code, you must resolve its value. Otherwise, if the variable was only used to confuse the user, you could eliminate it from the code.

The technique of using data in HTML objects and referring to it from the javascript code is frequently used to obfuscate code by splitting it into parts. This serves to bypass the automatic analyses performed by certain tools unable to interpret the connection between the javascript and the HTML code.

This anti-analysis technique is also used by malicious PDF files. The technique involves making calls to the Adobe PDF API’s javascript functions, which cannot be interpreted by many analysis tools.

The first thing you need to do is find the DasuRokyduconiwidy object. Once you find it, assign its value to the string_01 variable in the script code that you have created, and replace the return buffer instruction with a TEXTAREA object that will show the content of the buffer variable once the new code is run in the Web browser.

Value of the DasuRokyduconiwidy object and line of code to replace

The screenshot below shows the simplified code and how the “return buffer” instruction has been replaced with a textarea object created at runtime.

New code created to view the result of the buffer variable

Once you have the code, open it with the Web browser to see the function result.

Value of the buffer variable

As you can see, the returned result is a string comprising a sequence of names of javascript API functions. Once you have resolved the value obtained when calling the func_decrypt_01 function, rename the GuzoZaq variable. This is the variable that the return value is assigned to. For example, call it concat_func_string, and then assign to it the value obtained in the textarea object. The code will look like this.

concat_func_string variable with the value already resolved

Continue analyzing the code run when loading the Web page. The next function to analyze is NupUr(). This function calls function HaynubOguf(), which you must resolve before continuing to analyze the code. HaynubOguf( ) is a very simple function that returns the substr string, which is the name of a javascript function whose job is to obtain a substring from a string. Therefore, rename the HanynubOguf() function to func_substr(). The NupUr() function will look like this.

NupUr() function to analyze

Now that you have “resolved” the different parts of the function code, make the code more readable. This involves resolving the names of all the functions in brackets from inside out.

As you can see, the code uses the concat_func_string variable. If you remember, this variable refers to a string made up of the names of multiple javascript API functions. Also, note that the code uses the substr variable as well. This indicates that part of the string will be extracted to obtain the name of the function to be later on used in the code.

The result is the following code:

Resolved NupUr() function

As you resolve more and more functions you will be able to discover the actions to be taken by the rest of them simply by taking a glance at their code. This is because you’ll have already resolved many unknown values. This will help you analyze other functions more quickly and eliminate obfuscation layers more easily.

Finally, let’s analyze the MivoJaqugutec() function:

Unresolved NivoJaqugutec function

At first glance, the first thing that you can identify in the code is a cycle that runs through all of the HTML objects, storing their values and concatenating them in the PofUhicehofudilysuwe variable returned by the function once the cycle ends. Well, with everything you have learnt so far you probably know what to do. Separate the function from the original code, resolve the unknown values and rename its variables for the code to be easier to understand. Your objective should be to determine the value of the PofUhicehofudilysuwe variable in the return instruction.

Code used to get the value of the PofUhicehofudilysuwe variable renamed to buffer

Once you run the code on the Web browser you’ll get the following result:

Similarly, transform the other functions in the code that’s left to analyze. The final result is quite interesting: you’ve gone from 96 lines of javascript code and some 500 lines of HTML code to just 2 lines of javascript code with the eval() and unescape() functions.

These 2 functions normally indicate the execution of a new obfuscation layer. Have you reached your final objective yet? Is this the final layer responsible for triggering the vulnerability? Well, let’s see what it contains.

ACCESSING THE FINAL CODE

The last 2 lines of code include the payload variable, which refers to an encoded, 55,496-character-long unicode string. After running its content with the eval( unescape(payload) ) instruction you’ll get to the last layer in the malicious code.

In this last part of the article we will only analyze the generic parts often found in malicious codes.

The following two screenshots show a series of instructions that are often used both in legitimate and malicious code, although with very different purposes. Whereas they are used in legitimate code for design purposes, in malicious code they are used to obtain information about the victim’s environment and exploit the most appropriate vulnerability.

As you can see in the two screenshots above, the programmer has used the userAgent method of the navigator object to identify the Web browser used by the victim. In the case of Internet Explorer they check to see if the version is lower than 6.

They also try to identify if there are any plug-ins installed on the browser.

In this code the programmer has decided to create an object identified by the CLSID CA8A9780-280D-11CF-A24D-444553540000 in the Pdf1 variable. Although the name of the variable gives a hint as to what object the programmer wants to create, let’s make sure. Use the regedit.exe tool to find the CLSID key in the Windows registry.

Our suppositions were true: The CLSID key refers to the Adobe Acrobat/Reader ActiveX control. The programmer has created this object to find out if the victim has Adobe Acrobat or Adobe Reader installed (and what version they are using), and select the malicious PDF file that can exploit one of the vulnerabilities in the detected version.

They use the GetVersions() method to find out the version of the Adobe program installed on the victim’s computer, as seen in the first instruction in the code below:

The last part of the code is used to select the most appropriate PDF file to exploit the vulnerability. If the value of the lv variable is greater than or equal to 800 (which possibly identifies version 8), the code will call the fghjdfgxbz function passing the string “d0456d.pdf” as a parameter. Otherwise, it will pass the “07dd5d.pdf” string as a parameter. The fghjdfgxbz function simply creates an IFRAME object at runtime that points to the value passed as the parameter. As a result, the Web browser will open a malicious PDF file designed to exploit an unpatched security vulnerability.

To sum up, in this article we have explained how to analyze and deobfuscate the layers of one of the malicious codes currently used in exploit kits, with just a text editor, a Web browser and some knowledge of JavaScript and HTML. We have also analyzed part of the final code to show you some of the methods used to detect the Web browser and the plug-ins installed on victims’ computers. Happy hunting!!

Read the rest here:
Deobfuscating malicious code layer by layer

As you all probably know, Steve Jobs passed away yesterday. These are sad news, and everyone is talking about him and his life as he has achieved so many fantastic things. Social Networks are flooded with quotes from Steve, and all of us have only good words to talk about him.

But as you can imagine, there are always people trying to take advantage of these situations. Some cybercriminals created a Facebook page called “R.I.P. Steve Jobs”, and innocent people have been joining by the thousands. In just a few hours it had more than 90,000 fans. Criminals published a link using the popular shortener service bit.ly, where they said that Apple will be giving away 50 iPads.

Of course all the stuff is a scam, and once you click to that URL (which ended with “restinpeace-steve-jobs”) you were redirected to a place where you are offered a number of gifts, such as iPads, Sony Bravia TVs. For that they ask for your information, such as Full Name, Address, Phone Number, e-mail address, etc.

Facebook has closed the page and bit.ly has done the same with their link. There are some really interesting statistics that I’d like to show you. Out of those > 90,000 fans, 25,669 clicked in the link provided by the criminals! This is the breakdown of victims (clicks) per country:

We’ve been doing some reseach on this attack, and it turns out that the very same criminal has been doing this kind of ‘work’ for the last weeks. He recently did a similar thing with the iPhone 5 and with the 10th anniversary of the 9-11. We have to put these guys behind bars, otherwise they will continue with their business.

The rest is here:
R.I.P. Steve Jobs

This week I am in Barcelona, where the Virus Bulletin conference is taking place. I will be attending some preVB meetings, such as the AVPD (AntiVirus Product Developers) hosted by ICSA Labs and the WildList meeting, where we’ll talk about some future plans.

Hesperia Tower Hotel

All the meetings and the conference itself will take place at the Hesperia Tower Hotel, a nice place with a huge conference center, which looks promising.

The Virus Bulletin conference this year will be covering many topics, from social networks attacks to all kind of cybercrime. There are a number of highly interesting talks, you can take a look at all of them in the programme.

At the same time the conference is taking place, a major event will be happening: Table Football World Championship 2011. As usual it is sponsored by our friends and competitors from GData, and 9 teams from all around the world will be facing each other. Pedro Bustamante, our table soccer star, won’t be attending this year, but we’ll try to do it as well as we can. Sergio Lara, from the lab, will be with me in this fight. I’ll let you know how we perform, this is the schedule for it:

Here is the original post:
Greetings from Barcelona

Next week we’ll publish PandaLabs Report for the 2nd Quarter. This time we have made a few changes. Our team (special kudos to Txema Quintana) has changed (to better) the design of the report, making it easier to read. But this won’t be the only change.

Delivering the news in an impersonal manner is OK, but you already have –or should have– the media for that. My years of experience in the security field together with my own personal perception of the world, where personal freedom plays a pivotal role, are very much present in this report. I am not just delivering the facts, I also take the opportunity to express my views on their protagonists and their behavior.

Those who know me already know I am a very direct person. I am honest and straightforward, outspoken and opinionated, but not rude. And there is something I can guarantee: This report will not leave you indifferent. Love me or hate me, but in the end I just hope you have as much fun reading it as I had writing it for you.

Here you can read an excerpt from the report, next Wednesday (July 6th) you could download and read the entire paper:

From ‘hacktivism’ to ‘stupidism’

It seems that the only way the Anonymous group has to protest is by committing illegal acts. However, if the members of the group were smart enough, they would realize that their constant breaking of the law undermines the legitimacy of their protests. Over the last few months they have launched attacks on Sony and the websites of the U.S. Chamber of Commerce, Spain’s national police force, several governmental institutions, etc.

Moreover, they claim that their activities are ’peaceful protests’, despite their actions are purposefully enacted to cause economic loss and completely illegal. They say they represent everyone’s ‘best interest’ but are not brave enough to appear publicly, hiding instead behind their pseudonyms.

Well, if you hadn’t already had enough of Anonymous, a new hacker collective called LulzSec has emerged, whose claimed main motivation is simply ‘to have fun by causing mayhem’. In my opinion, if you took the most irresponsible and brainless members of Anonymous and put them all together, they would be considered the most refined gentlemen compared to LulzSec.

Go here to read the rest:
Changes are coming

We are releasing it right now. Do you want to know what has happened in the computer security field during the last 3 months? Just click on the picture!:

Continued here:
PandaLabs Report – Q2 2011

Maybe you don’t know this, but many guys here in the lab can tell you where a banking Trojan is from just taking a look at it for a few seconds. There are a number of different banking Trojan families, but it’s really easy -once you have analyzed thousands of them- to group them by origin. In the case of the Brazilian ones, there are a number of tips that can be used:

- Size of the file (yeah, I know this is pretty basic but the size of those Trojans is way bigger than the average)
- Programming language (Delphi)
- Text strings (usually Brazilian or South American banks)

And I’m only talking about the binary file. If we take a look at the distribution methods, we can obtain more leads. Unlike the rest of the world, these Brazilian cybercriminals don’t use infection kits (MPack, etc.) but only social engineering techniques, which seems to be good enough for them. One of the latest cases we have seen was using the current president of Brazil, Dilma Rousseff, as bait. They usually spread the malware via e-mail in spam messages, or in Internet forums and social networks:

In this case the downladed file is the Trojan Nabload.DUF. Taking a look at the server where the file is hosted, we were able to find one folder with a different file (another Nabload):

My Brazilian Portuguese is not great but good enough to understand they are talking about Juju, Nicole and a video. But who are Nicole and Juju? Using one of Internet’s most powerful weapons, a search engine, we find out who Nicole and Juju are:

Nicole Bahls

Juju Salimeni

asdasdasd

asdasdasdasd

asdasdasdasd

asdasdasdasdas

asdasdasdas

asdadasdasd

asdasdasdasdad

asdadasdasdasdas

adadasdasdasdasd

asdasdadasdasdasd

dadasdsadasdasdsad

Now I know what kind of social engineering is this one

Even though the file was uploaded in April, we found some spam messages distributed in July:

Remember that we are the weakest link in security, and it doesn’t matter how many security measures we do take, there are not -yet- an antivirus for human beings

Originally posted here:
Brazilians, banking Trojans and social engineering