Posts Tagged ‘analysis’
Unexpected Czech footprint
I’ve already seen many strange things inside malware packers, but there’s always something surprising. Last time it was during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There’s a block of allocated memory holding a long list of names. These names are not used for anything related to the malware’s execution, they’re not visible to the user (unless you emulate or trace the sample), and they have no special purpose. So why are they there? And where’s the Czech footprint?
The highlighted name – Zatopek – belongs to the famous Czech long-distance runner (wiki). It’s somewhat mysterious (at least to me) how and why he made it onto the list. The list differs from sample to sample and Zatopek doesn’t seem to appear in all of them. Does any of you, readers, know something that would put all the names on the list in relation? And which name from the list is interesting to you, and why?
Visit link:
Unexpected Czech footprint
Evolution of Win32Carberp: going deeper
[More news from my colleagues in Russia on their analysis of an interesting item of bank-targeting malware.]
This month we discovered new information on a new modification in the Win32/TrojanDownloader.Carberp trojan family. This trojan is notorious as one of the most widely spread malicious programs in Russia,
Deobfuscating malicious code layer by layer
Article written by David Sánchez Lavado
This post explains how to analyze the malicious code used in current Exploit Kits.
There are many ways to analyze this type of code, and you can find tools that do most of the job automatically. However, as researchers who like to understand how things work, we are going to analyze it with no other tools than a text editor and a Web browser.
My goal is to lay the basis for you to learn how to remove the different obfuscation layers that malicious JavaScript code may employ. I will show you how to remove those layers step by step until you reach the last layer, where the logic that exploits the relevant vulnerability is found.
IMPORTANT: I recommend that you perform this type of analysis on a virtual machine on its own isolated network in a laboratory dedicated exclusively to this type of research to avoid unwanted infection.
BASIC CONCEPTS
Generally speaking, this kind of malicious code is used to exploit vulnerabilities in Web browsers and in browser plug-ins such as PDF readers (Adobe Reader, Foxit). It is usually written in JavaScript and wrapped in several layers of obfuscation. Obfuscation is used to make the code hard for researchers to understand, to avoid detection by signatures and to bypass automated scanning tools. The mechanism is really simple: each layer calls functions that decode a string, that string becomes the code of the next layer, and so on until the final code is reached.
The final code is normally divided into two parts. The first one aims at detecting the Web browser version and the plug-ins installed on the victim’s computer (like Adobe Reader, Apple Quicktime or the Java virtual machine). The second part selects the vulnerability to exploit according to the information gathered in the first part.
CODE ANALYSIS
The image below is a screenshot of the malicious code to be analyzed in this article.
As you can see, the code is made up of several HTML objects. However, if you look closer you can actually identify different things in these objects: First: The value of the id attribute for each of these objects has the format “
All this suggests that the id attribute is used as an index (note the consecutive numbers) by a loop that walks all the HTML objects and decodes their contents to build the next code layer. Let’s start analyzing the code.
FORMATTING THE CODE
The first thing I usually do when examining a javascript code is use the Format Code option in Malzilla. This option formats the code as if it had been written with a program such as Visual Studio. Although simple, this is a very important step as many times the code is not properly formatted and is hard to understand.
You could also do this manually, line by line, but you risk making a mistake and it will take you too long. For example, the malicious code that we will analyze here contains almost 600 lines of script code and HTML code.
Malzilla is an excellent utility to analyze malicious code automatically. However, in this article we intend to analyze this malware strain manually.
THE TOOL
The next step is to copy the well-formatted Javascript code to the text editor to be used in the analysis. Any text editor with the following basic options should be enough:
- JavaScript syntax highlighting: it helps you read the code and quickly spot function definitions.
- String search-and-replace: this helps you avoid mistakes when renaming functions and variables throughout the file.
- Tabs: optional, but they let you work quickly when you are analyzing several files at once.
FINDING THE ‘START’ FUNCTION
The sample currently has 96 lines of javascript code and more than 500 lines of HTML code. You will reduce the number of lines as you remove the obfuscation layers. The first thing you have to do is determine the javascript code that runs when the browser loads the malicious Web page. Then you have to analyze all the other functions as they are run.
The first steps to take with every function are the following:
- Simplify the code to analyze
- Rename the functions and variables for the code to be easier to understand.
To do that, first check the HTML code. If no HTML object (an event handler such as onload, for example) calls a JavaScript function, analyze the code found between the script tags. There you must find the code that does not belong to any function definition, because that is the code that runs automatically when the browser loads the Web page.
The screenshot below shows that code between lines 81 and 89 (both included). You can also see that the HazakeduhaQurenepenus() function (85) is the first one to run (the previous three don’t perform any important actions). Therefore, this is the first function that you must analyze.
SIMPLIFYING THE CODE AND MAKING IT EASIER TO UNDERSTAND
Simplifying the code and making it easy to understand is one of the most difficult yet important tasks. It involves studying almost every instruction in the javascript code, and modifying them to create a code that is easier to understand and analyze.
VERY IMPORTANT: When modifying the code, don’t change the final result that would be returned by the original code.
As previously said, start with the HazakeduhaQurenepenus() function. This function looks like this:
In the code, pay special attention to the functions that are not part of the JavaScript API, that is, the functions defined by the malware author. You have to resolve the value that these return in order to understand the function.
In the code above, the factor to resolve is the PypiwIgo() function that has the following code:
If you take a look at it and you are familiar with the javascript language, you will realize that the function will return the getElementById string every time it is called. With this in mind and knowing that the DeqesedaDakonyqev variable refers to the document object, you can make the first change for the code to be easier to understand. The resulting code will look like this:
You may have noticed that I have changed the name of several variables and of the analyzed function itself to func_decrypt_01. This may seem a little bit bold, but after having analyzed many functions like this you become capable of recognizing certain code structures at a glance.
Your next objective is to resolve the value returned by the function in the buffer variable. To do that, separate the function from the original code and run it on its own. Before that, make sure the function does not depend on any external value: data computed by another function, or anything stored in a global variable. If it does, compute that value first and substitute it into the isolated code. This matters: otherwise the isolated code will probably not run at all (the browser will report an error when loading the page), or it will run but not behave the same way it does inside the complete malicious code.
Let’s see this with an example in the code we are analyzing. The following instruction refers to an external value in the DasuRokyduconiwidy HTML object.
string_01 = document.getElementById("DasuRokyduconiwidy").innerHTML;
The resulting value is assigned to the string_01 variable. Since this variable is used later in the code, you must resolve its value. If it were only there to confuse the analyst, you could simply delete it.
The technique of using data in HTML objects and referring to it from the javascript code is frequently used to obfuscate code by splitting it into parts. This serves to bypass the automatic analyses performed by certain tools unable to interpret the connection between the javascript and the HTML code.
Malicious PDF files use the same anti-analysis trick: their JavaScript calls functions of the Adobe PDF JavaScript API, which many analysis tools cannot interpret.
The first thing you need to do is find the DasuRokyduconiwidy object. Once you find it, assign its value to the string_01 variable in the script code that you have created, and replace the return buffer instruction with a TEXTAREA object that will show the content of the buffer variable once the new code is run in the Web browser.
The screenshot below shows the simplified code and how the “return buffer” instruction has been replaced with a textarea object created at runtime.
Once you have the code, open it with the Web browser to see the function result.
As you can see, the returned result is a string comprising a sequence of names of javascript API functions. Once you have resolved the value obtained when calling the func_decrypt_01 function, rename the GuzoZaq variable. This is the variable that the return value is assigned to. For example, call it concat_func_string, and then assign to it the value obtained in the textarea object. The code will look like this.
Continue with the code that runs when the Web page loads. The next function to analyze is NupUr(). It calls HaynubOguf(), which you must resolve first. HaynubOguf() is a very simple function that returns the string substr, the name of the JavaScript function that extracts a substring from a string. Therefore, rename HaynubOguf() to func_substr(). The NupUr() function will look like this.
Now that you have “resolved” the different parts of the function, make the code readable. This means resolving, from the inside out, the names of the functions given in brackets.
As you can see, the code uses the concat_func_string variable, which, if you remember, holds a string made up of the names of multiple JavaScript API functions. Note that it also calls func_substr(). This indicates that part of the string is being extracted to obtain the name of a function that is used later in the code.
| Original function | Resolved function |
| [func_substr()](63,14) | .substr(63,14) |
| [concat_func_string.substr(63,14)] | getElementById |
| [func_substr()](1736/56,585/65) | 1736/56 = 31, 585/65 = 9 → .substr(31,9) |
| [concat_func_string.substr(31,9)] | innerHTML |
The result is the following code:
As you resolve more and more functions you will be able to discover the actions to be taken by the rest of them simply by taking a glance at their code. This is because you’ll have already resolved many unknown values. This will help you analyze other functions more quickly and eliminate obfuscation layers more easily.
Finally, let’s analyze the MivoJaqugutec() function:
At first glance, the first thing you can identify in the code is a loop that runs through all of the HTML objects, reading their values and concatenating them into the PofUhicehofudilysuwe variable, which the function returns once the loop ends. With everything you have learnt so far you probably know what to do: separate the function from the original code, resolve the unknown values and rename its variables so the code is easier to understand. Your objective is to determine the value of the PofUhicehofudilysuwe variable at the return instruction.
Once you run the code on the Web browser you’ll get the following result:
Similarly, transform the other functions in the code that’s left to analyze. The final result is quite interesting: you’ve gone from 96 lines of javascript code and some 500 lines of HTML code to just 2 lines of javascript code with the eval() and unescape() functions.
These 2 functions normally indicate the execution of a new obfuscation layer. Have you reached your final objective yet? Is this the final layer responsible for triggering the vulnerability? Well, let’s see what it contains.
ACCESSING THE FINAL CODE
The last 2 lines of code include the payload variable, which refers to an encoded, 55,496-character-long unicode string. After running its content with the eval( unescape(payload) ) instruction you’ll get to the last layer in the malicious code.
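The procedure above (resolve the helpers that return method names, resolve the bracketed lookups into the concatenated string, then see what eval(unescape(payload)) would run without letting it run) can be scripted once you have recognised the pattern. The following is an added example, not code from the original article or from the sample it analyzes: it builds a reduced model of such a layer and of the page it lives in, and performs the two steps under Node instead of a browser. Every identifier, element id and string in it is constructed for the example; the only real APIs it relies on are the Annex B `escape`/`unescape` globals and `new Function`.

```javascript
// Added example, not code from the original article: a reduced model of the
// layered obfuscation described above, with the two manual steps the article
// performs (resolve string-returning helpers, then capture what eval() would
// run) written as functions so they can be run under Node without a browser.
// Every identifier, element id and string below is constructed for the example.

// --- constructed stand-in for the malicious page ---------------------------
// The key string holds API names back to back; the layer extracts each with
// substr(offset, length) (the article's concat_func_string). The next layer is
// stored escaped across elements with index-style ids, q0..q2, instead of in
// the script: the same split that defeats tools that only read the script.
const KEY = "getElementByIdinnerHTMLsubstr"; // offsets: 0/14, 14/9, 23/6
const FINAL_LAYER =
  'var ua = navigator.userAgent; if (ua.indexOf("MSIE") != -1) { go(); }';
const pageElements = {
  key: { innerHTML: KEY },
  q0: { innerHTML: escape(FINAL_LAYER.slice(0, 20)) },
  q1: { innerHTML: escape(FINAL_LAYER.slice(20, 45)) },
  q2: { innerHTML: escape(FINAL_LAYER.slice(45)) },
};
// Minimal document object: the only DOM call the layer needs.
const fakeDocument = { getElementById: (id) => pageElements[id] || null };

// Layer 1 in the shape of the sample: helpers that return method names,
// bracket lookups through the key string, a loop over the indexed elements,
// and eval(unescape(...)) at the end.
const LAYER1 = `
function h1() { return "get" + "Element" + "ById"; }
function h2() { return "sub" + "str"; }
var d = document;
var k = d[h1()]("key").innerHTML;
function collect() {
  var buf = "";
  for (var i = 0; i < 3; i++) {
    buf += d[k[h2()](0, 14)]("q" + i)[k[h2()](14, 9)];
  }
  return buf;
}
eval(unescape(collect()));
`;

// Step 1a: once a helper is known to return a constant string, drop its
// definition and replace every call with the literal (the PypiwIgo() step).
function resolveHelpers(code, resolved) {
  let out = code;
  for (const [name, value] of Object.entries(resolved)) {
    out = out.replace(new RegExp(`function ${name}\\(\\)\\s*\\{[^}]*\\}\\s*`, "g"), "");
    out = out.replace(new RegExp(`\\b${name}\\(\\)`, "g"), JSON.stringify(value));
  }
  return out;
}

// Step 1b: resolve key["substr"](offset, length) to the name it selects,
// inside out, which is what the table in the article does by hand.
function resolveKeyLookups(code, keyVar, key) {
  const re = new RegExp(`\\b${keyVar}\\["substr"\\]\\((\\d+),\\s*(\\d+)\\)`, "g");
  return code.replace(re, (_m, off, len) =>
    JSON.stringify(key.substr(Number(off), Number(len))));
}

// Step 2: run the layer with eval() swapped for a recorder, so the decoded
// next layer is returned rather than executed. Same idea as replacing
// "return buffer" with a textarea, but nothing from the sample gets to run.
function captureNextLayer(code, doc) {
  const captured = [];
  const hooked = code.replace(/\beval\(/g, "__capture(");
  // unescape handles %XX and %uXXXX, which decodeURIComponent does not.
  const run = new Function("document", "unescape", "__capture", hooked);
  run(doc, unescape, (s) => { captured.push(String(s)); });
  return captured;
}

// Whole procedure: the key string is read from the page, as the article does
// when it copies the DasuRokyduconiwidy object's value into the isolated code.
function deobfuscate(layer, doc) {
  const key = doc.getElementById("key").innerHTML;
  const step1 = resolveHelpers(layer, { h1: "getElementById", h2: "substr" });
  const step2 = resolveKeyLookups(step1, "k", key);
  return { readable: step2, nextLayers: captureNextLayer(step2, doc) };
}

const result = deobfuscate(LAYER1, fakeDocument);
console.log(result.readable);       // the layer with every lookup resolved
console.log(result.nextLayers[0]);  // what eval() would have executed
```

The rewritten layer must still produce exactly the same next layer as the untouched one; running `captureNextLayer` on both and comparing the results is the practical check for the rule that no edit may change what the original code returns. The recorder also keeps the captured string as data, so the next layer can be fed back through the same steps instead of being executed.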
In this last part of the article we will only analyze the generic parts often found in malicious codes.
The following two screenshots show a series of instructions that are often used both in legitimate and malicious code, although with very different purposes. Whereas they are used in legitimate code for design purposes, in malicious code they are used to obtain information about the victim’s environment and exploit the most appropriate vulnerability.
As you can see in the two screenshots above, the programmer has used the userAgent property of the navigator object to identify the Web browser used by the victim. In the case of Internet Explorer they check whether the version is lower than 6.
They also try to identify if there are any plug-ins installed on the browser.
In this code the programmer has decided to create an object identified by the CLSID CA8A9780-280D-11CF-A24D-444553540000 and store it in the Pdf1 variable. Although the name of the variable hints at what object the programmer wants to create, let’s make sure. Use regedit.exe to look up that CLSID key under HKEY_CLASSES_ROOT\CLSID in the Windows registry.
Our suppositions were true: The CLSID key refers to the Adobe Acrobat/Reader ActiveX control. The programmer has created this object to find out if the victim has Adobe Acrobat or Adobe Reader installed (and what version they are using), and select the malicious PDF file that can exploit one of the vulnerabilities in the detected version.
They use the GetVersions() method to find out the version of the Adobe program installed on the victim’s computer, as seen in the first instruction in the code below:
The last part of the code is used to select the most appropriate PDF file to exploit the vulnerability. If the value of the lv variable is greater than or equal to 800 (which possibly identifies version 8), the code will call the fghjdfgxbz function passing the string “d0456d.pdf” as a parameter. Otherwise, it will pass the “07dd5d.pdf” string as a parameter. The fghjdfgxbz function simply creates an IFRAME object at runtime that points to the value passed as the parameter. As a result, the Web browser will open a malicious PDF file designed to exploit an unpatched security vulnerability.
To sum up, in this article we have explained how to analyze and deobfuscate the layers of one of the malicious codes currently used in exploit kits, with just a text editor, a Web browser and some knowledge of JavaScript and HTML. We have also analyzed part of the final code to show you some of the methods used to detect the Web browser and the plug-ins installed on victims’ computers. Happy hunting!!

Read the rest here:
Deobfuscating malicious code layer by layer
Kaspersky Lab at the South Pole!
Kaspersky Lab announces that Eugene Kaspersky, CEO of Kaspersky Lab together with Alexander Gostev, Director of Kaspersky Lab’s Global Research and Analysis Team have left Moscow on their glorious journey across Antarctica to the South Pole
Follow this link:
Kaspersky Lab at the South Pole!
Do you Use Tumblr? Beware!
Our friends at Threatpost have come across what they describe as a massive phishing attack against Tumblr users. It seems the lure of sexual content will work as many times as Lucy can pull the football out each time Charlie Brown tries to kick it.
According to the article, hijacked web pages of Tumblr users contain links to malicious sites that pose as a Tumblr login page and indicate that in order to access the “Adult Content” the user must enter their credentials. They don’t call it a booby trap for nothing!
The attack is particularly cunning in that it uses URLs that look like they could be legitimate Tumblr addresses, but are not. In almost every case, if you click on a link and it asks you to log in, it is unsafe to do so. It might be a good time to remind you of how the phishing cycle works, so here is a diagram.
As you can see, if you fall for the phishing attack it will be your friends who are attacked next. If your password is compromised then a hacker can post anything on your Tumblr page and it will appear to come from you. If you think you may have fallen for such an attack, type in the name of the actual website, such as www.tumblr.com, and then use the regular means to change your password. If you use the same password at multiple sites you will need to change the password at multiple sites. Since it can be a bit of a hassle to try to remember 20 different really good passwords, stop trying, and use a password manager! In addition to the password managers mentioned in Paul Laudanski’s blog, lastpass.com and Password Corral are viable tools. For tips on preventing yourself from falling victim to a phishing attack, I offer some advice at http://blog.eset.com/2011/06/01/gmail-accounts-under-attack.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Follow this link:
Do you Use Tumblr? Beware!
Well That Was Embarrassing
Yet another Facebook Clickjacking attack is making the rounds. This time the message shows as below.
A right-click (not left) will allow you to copy the source location and open the link in a protected environment. The link brings up the following image
The “Jaa” button is actually a “Share” button and will post the first picture on your wall. Following the links leads to a survey for which the attackers almost certainly get paid if you complete it. Following through with the “surveys” leads to a YouTube video of a clothed woman on a webcam that is a thinly disguised advertisement for a “sexy webcam” site.
You know, Facebook has their Facial recognition “feature”. Perhaps it is time to recognize a legitimate “share” button too. The current functionality of the Facebook share feature means that users have to know how to inspect links in order to safely use Facebook.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Continue reading here:
Well That Was Embarrassing
Facebook Invites Stalkers to Your Profile
A couple of days ago I blogged about a disturbing new way that Facebook was sharing information without notification or authorization. A friend of mine pointed me to an article on ZDNET that described the issue and what was happening. The “feature” is called “Instant Personalization” and the concept is simple. The concept is not comprehensible, but it is simple. I go to Yelp to read reviews about the gym that is closest to my house and Yelp shows me what a friend 1,000 miles away is up to. This somehow is supposed to be fun and relevant to me as I read about how the gym has a history of making it difficult to cancel memberships. Make sense? It does to Facebook and Yelp somehow. I’m sure this isn’t the finest example. I’m sure if you were searching for an Alcoholics Anonymous Chapter near you that Bing would show you what friends are in the bar right now, and Facebook thinks that’s a brilliant application of technology.
After publishing the blog, another friend checked his account settings and found that Instant Personalization isn’t available to him at this instant, but that it has already been pre-enabled for deployment and he is not allowed to opt out of it. The check box is grayed out so he cannot deselect it. Paul Laudanski covers this option in his Facebook Privacy: An Easy How-to Guide to Protecting Yourself. What will happen is that at some random point in time, Facebook will go to great lengths to avoid letting him know that they have enabled the feature and are automatically authorizing apps without asking him if he wants them. These apps will share varying degrees of his data with third parties without his knowledge, and Facebook plans to do the same thing to you if they haven't already.
Facebook has taken away your ability to approve an app before it is installed and is sharing your data without notification or approval.
The only reasonable option Facebook provides to allow you to prevent them from signing up corporate stalkers is for you to disable ALL platform apps.
You’ve been warned.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Go here to see the original:
Facebook Invites Stalkers to Your Profile
Happy National Internet Safety Month
Well, isn’t today a happy day! We have International Children’s Day and National Internet Safety Month. For those of you outside of the US, feel free to join us in the celebration.
In observance of Internet Safety Month, ESET has teamed up with the San Diego Police department to launch SafetyNet eLearning, a free online Internet safety guide for parents, educators and concerned adults. Created by ESET North America as part of its Securing Our eCity initiative, the SafetyNet eLearning guide allows busy adults to learn – at their own pace and on their own schedule – what needs to be done to keep kids safe online.
If you happen to be In San Diego, tonight, June 1st from 6:00 to 7:45 PM the San Diego Police Foundation and the San Diego Internet Crimes Against Children Task Force, in conjunction with ESET North America and the AT&T Foundation will be hosting a free Internet safety seminar at the La Jolla Muirlands Middle School auditorium.
To see the SafetyNet eLearning program you can visit http://www.smartcyberchoices.org/elearning/.
Those interested in participating in tonight’s free Internet safety event, contact Darlene Kanzler with the San Diego Police Foundation at darlene at sdpolicefoundation.org or (858) 453-5066 for additional information. Individuals who complete the SafetyNet eLearning guide will have an opportunity to win an iTunes gift card.
You can find some other tips on keeping children safe online in my International Children’s Day blog.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Read this article:
Happy National Internet Safety Month
Gmail Accounts Under Attack
Google posted information today about an attack against some Gmail account holders.
In this case the attack appeared to be directed at government officials in the US and Korea, as well as Chinese political activists, journalists and military personnel. If you don’t fit in these categories it doesn’t mean you are not at risk, it just means these specific attackers were not after your Gmail account. If you don’t have a Gmail account, it doesn’t matter, cybercriminals are after all kinds of accounts and the fundamentals are the same. The difference is that unlike many free email providers and some ISPs like Comcast, Gmail defaults to secured communications where Yahoo doesn’t give you an option and Comcast won’t tell you how it’s done.
The basic plan of attack is phishing and malware. There are tactics you can use to prevent attackers from phishing you and installing malware on your computer and none of the tactics involve believing that any antivirus product in the world can protect you from everything.
To start with you need to have a strong password. We have talked about passwords a few times before. Paul quite recently posted here and David’s older post even lists other blogs and articles, and here I even include a link to some of the worst passwords people use.
Once you have chosen your password, make sure you only use it in one place and don’t forget to protect against password reset attacks.
To prevent yourself from becoming a phishing victim, I recommend you follow my two simple rules.
1) If someone asks you for your password assume they are a thief or an idiot. This means that if you get an email claiming that there is a problem with your email account and your password is needed or the account will be disabled, it was a thief sending the email, not the organization you think sent it. Do not give your password.
I know some IT people might get a bit bent out of shape over this rule because on rare occasions they may actually have a reasonable need for your password, but the exception is very rare and the IT person needs to evaluate whether asking an employee for their password is really the smartest thing to do. You don’t want to train people to make mistakes.
2) If you click on a link and it leads to a log in page, close the browser.
In the case of some of the Gmail attacks the victims clicked on a link in an email and it led them to a fake Gmail login page. Don’t fall for this trick. It is very easy for the bad guys to send an email that appears to be legitimate and appears to come from a known source. Everything about email can be spoofed. Facebook, LinkedIn and most social networking sites are huge offenders when it comes to training people to make critical mistakes. Never, ever log into your account if you clicked on a link in a Facebook email or other social networking message. This also applies to links in instant messages and text messages. Always type in the name of the site and log in there. If the message is legitimate it will be in your social networking account email. You can find what you are looking for without doing the one thing that makes phishing work… giving up your credentials at a fake site. You may think you know that the email is legitimate, but that is what the criminals count on and will fool you with.
The Google blog has some good security information in addition to the marketing. Google claims that Chrome’s sandboxing enhances security, but I have never seen them show any scientific testing to validate the claim. I’m not saying the sandboxing doesn’t help, and in theory it should help if you use a different tab for every web site, but it would be nice to see proof that their claims are more than hype.
You really don’t have to be a government official, or high profile at all for some criminal to want to steal your account. You really do need to take appropriate precautions.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Excerpt from:
Gmail Accounts Under Attack
ESET 2011 TRENDS: Attacks on Facebook and other social networks will increase
What will 2011 bring in relation to IT security? What threats can be expected and what will the trends look like? To find out, we used ESET’s global resources and asked some of the best researchers in the business, including ESET´s very own David Harley and those at ESET’s new Cyber Threat Analysis Center (CTAC), about anticipated trends in 2011…
Read more:
ESET 2011 TRENDS: Attacks on Facebook and other social networks will increase