
On Cryptocurrency Mining Malware

We don’t deal with outsiders very well
They say newcomers have a certain smell
You have trust issues, not to mention
They say they can smell your intentions
You’re lovin’ on the freakshow sitting next to you
You’ll have some weird people sitting next to you
You’ll think “How did I get here, sitting next to you?”
But after all I’ve said, please don’t forget

Twenty One Pilots, Heathens

Note: This article was conceptualized mid February 2018. I am reposting it here to jump-start my articles about cryptocurrency and malware for 2018.

We are seeing an increase in cryptocurrency mining malware (aka coinminer) activity in the overall threat landscape. In the threat samples we have seen from the labs, we have observed several notable findings:

  • the favorite cryptocurrency to mine/abuse is Monero (a shift from Bitcoin previously)
  • the resource sought/hijacked is CPU (with a dash of GPU mining)
  • these coinminers can generally be categorized into 2 groups: scripts (web miners) and executable miners
  • among the executables, Windows files dominate, with some Mac OS and Linux files from time to time

Monero, the new Cryptocurrency Mining Malware King?

What is Monero?

Monero is a cryptocurrency that promises better anonymity than Bitcoin. As per the Monero website, sending and receiving addresses as well as transacted amounts are obfuscated by default. They claim that transactions on the Monero blockchain cannot be linked to a particular user or real-world identity. It is therefore logical for cybercriminals to make use of it for their activity, given the improved privacy and anonymity.

Monero can be mined on a machine’s CPU. Monero mining uses a compute-heavy algorithm called CryptoNight, which by design runs well on consumer CPUs. As CPU is a widely available resource among consumers, covertly distributing cryptocurrency miners to desktops seems feasible for malicious actors, and using the victim’s computing power (i.e. their hardware and electricity costs) is attractive because cryptocurrency mining provides a good monetization venue for their malicious campaign.

This CPU mining approach was the same one used and abused in the early stages of Bitcoin. I have observed that since Bitcoin CPU mining cannot be done profitably nowadays, the shift will be to more cost-efficient and affordable crypto like Monero. I believe the ASICs, mining rigs and cloud server farm combo is the way to go with Bitcoin, but this strategy needs huge investment. Also, mining difficulty for Bitcoin is very high now compared to the early years of Bitcoin.

I am also theorizing that the current price of Bitcoin seems to affect cybercriminal usage, because high BTC prices mean it is too costly to procure/exchange Bitcoin, thus affecting the value/profits/RoI of the activity.

My thoughts on Coinhive…
Coinhive is a provider of a Monero cryptocurrency miner that website owners can plug and play on their websites using JavaScript.

Coinhive works by providing website publishers JavaScript code that they can embed into their website. This code “covertly” uses the website visitor’s CPU processing power to mine the Monero cryptocurrency. This is offered as an alternative way of monetizing a website.

The challenge with Coinhive is that we have seen it heavily abused, and most of the time website visitors won’t know that their CPU resources are being used. Scripts and website plugins showing how easily Coinhive can be abused to force cryptocurrency mining without user consent are widely publicized on the internet.

We have seen Coinhive-related infections, and we can see it can be another venue for malvertising (for the full story refer to this link). Take note that Coinhive is not the only website providing this kind of JavaScript Monero miner via simple JS and API calls.
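One way a defender can check fetched page HTML for the embedded Coinhive-style miner described above. This is an added example, not code from the original post or from Coinhive; it assumes Coinhive's public script host and its `CoinHive.Anonymous`/`CoinHive.User` constructor names, and the sample pages and site key are constructed placeholders.

```python
"""Detect Coinhive-style JavaScript miners embedded in a web page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname serving the miner library discussed above. Other services offering
# the same kind of JavaScript miner can be added here as they are confirmed.
MINER_SCRIPT_HOSTS = {"coinhive.com"}

# Coinhive's public JavaScript API builds a miner with `new CoinHive.Anonymous(siteKey)`
# (or CoinHive.User) and begins mining once `.start()` is called.
MINER_CTOR_RE = re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.IGNORECASE)
START_RE = re.compile(r"\.start\s*\(")


def _is_miner_host(src):
    """True when a script URL (absolute or protocol-relative) is served from a miner host."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


class MinerScriptScanner(HTMLParser):
    """Collects <script src=...> tags on miner hosts and inline scripts that build a miner."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self.external = []   # script src URLs served from miner hosts
        self.inline = []     # inline script snippets that instantiate a miner

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._buf = []
        src = dict(attrs).get("src") or ""
        if src and _is_miner_host(src):
            self.external.append(src)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)   # a script body may arrive in several chunks

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._buf)
        if MINER_CTOR_RE.search(body):
            self.inline.append({"snippet": body.strip()[:80],
                                "started": bool(START_RE.search(body))})


def scan_html(html):
    """Return the miner indicators found in a page plus an overall verdict."""
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "external": scanner.external,
        "inline": scanner.inline,
        "mining": bool(scanner.external) or any(s["started"] for s in scanner.inline),
    }


# Constructed sample pages (not captured from any real site); the site key is a placeholder.
MINING_PAGE = """<html><head><title>news</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script></head><body><p>Free article</p></body></html>"""

BENIGN_PAGE = """<html><head><script src="https://cdn.example/jquery.js"></script>
<script>window.addEventListener('load', function () { console.log('ready'); });</script>
</head><body><p>Nothing to see here</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("mining", MINING_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```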


For more cryptocurrency mining malware insights, please read my article posted in Trend Micro Security Intelligence Blog entitled: Cryptocurrency-Mining Malware: 2018’s New Menace?

What’s Next?

I am planning to post more articles about executable coinminers, other cryptocurrency being targeted and abused, and some infosec topics and mixes soon. Watch out for it here at AVSecurityProductManager.com

Before I end this post, here is my standard disclosure/disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone and do not necessarily represent my employer’s positions, strategies or opinions. Read more about me here.

If you want to get in touch, you can reach me via Twitter or LinkedIn.

Image credits:
Monero Logo – getmonero.org
Coinhive Logo – Coinhive website


Repost: Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware

Note:  In my previous post, I promised more #tech #infosec #security insights on #Cryptocurrency #Bitcoin #Monero so let me do this repost of my recent collab post. Personal insights to follow soon 🙂

Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware

By Jon Oliver and Menard Osena

As new trends and developments in the malicious mining of cryptocurrency emerge, a smart and sustainable way of detecting these types of threats is swiftly becoming a cybersecurity necessity. By using Trend Micro Locality Sensitive Hashing (TLSH), a machine learning hash that is capable of identifying similar files, we were able to group together similar cryptocurrency-mining samples gathered from the wild. By grouping together samples based on their behavior and file types, detection of similar or modified malware becomes possible.

Through TLSH, we came up with clusters for the cryptocurrency-mining malware. These are clusters that will analyze and detect cryptocurrency-mining threats by computing the mathematical “distance scores” between one file and another. Our algorithm generates a center TLSH of a coinminer malware that a group of other malware are close to.

Clustering malware samples allows security researchers to create one-to-many patterns that work proactively. The reason for this is that automated systems (or indeed reverse engineers) can examine the members of a malware group and identify similarities among the members. When our systems are examining a new file, they can look for elements which are exhibited by a malware group and also confirm that the new file falls within the constraints of the malware group.

In addition to this, TLSH also has the functionality of immediate and scalable searching and crosschecking of large amounts of possibly malicious or unknown files against known threats.

Table 1. A sample of five out of the 123 cluster members with TLSH values that have very close distance scores when compared to the center TLSH value

Note: We have identified the center TLSH value against which hash values from files being examined are compared to determine similarity. Trend Micro Proactive Detection: Coinminer_TOOLXMR.SM2-WIN32.

We have applied TLSH to detect similarities in cryptocurrency-mining malware. The threats discussed in this post are detected by both Trend Micro Predictive Machine Learning and by the real-time scan patterns for Coinminer_XMRMINE.SM, Coinminer_TOOLXMR.SM2-WIN32, and Coinminer_MALXMR.SMN1-WIN32.

Among the cryptocurrency-mining malware samples gathered, we found that a majority were mining for monero, which uses the mining algorithm CryptoNight.

Malware Moving to Monero

Bitcoin has been the cybercriminal’s go-to cryptocurrency for mining malware, what with its sudden rise in value that even peaked at $20,000 in 2017. However, it appears Monero is taking the lead. Though its value ($224 as of writing time) is far less than bitcoin’s ($9,000 as of writing time), it can be mined on consumer PCs and laptops. This, partnered with its untraceable transactions, enables malicious actors to illicitly mine cryptocurrency on a wider range of targets.

We also detected samples that used modified open-source XMRig code to mine monero or other CryptoNight-based digital currencies.

Figure 1. A sample of a modified XMRig command-line mining tool from a clustered sample

Note: The modified XMRig version is 2.4.1 while the latest available XMRig version on Github as of writing is 2.4.5.

Figure 2. A screen capture of a malicious sample of a modified XMRig command-line mining tool

Note: Trend Micro researchers provided test mining configuration files (mining pool address/port and Monero wallet address) for testing purposes.

One of the reasons why XMRig is favored by threat actors is that it is open source, making it easy to adopt and reuse in cryptocurrency-mining attacks. It is important to note, however, that cybercriminals are not alone in favoring this command-line miner tool — even legitimate cryptocurrency-mining enthusiasts use it as well.
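Because a modified XMRig build keeps the tool's command-line interface, a defender can triage process-creation records by the mining arguments rather than by file name. The following is an added example, not code from the original post or the XMRig project; it assumes XMRig 2.x option names (`-o/--url`, `-u/--user`, `-B`, `--donate-level`, and so on) and the Monero standard-address format, and the command lines, pool and wallet below are constructed placeholders.

```python
"""Triage a process command line for XMRig-style mining arguments (added example)."""
import re
import shlex
from urllib.parse import urlparse

# Option names from XMRig's public 2.x command line (short and long forms).
VALUE_OPTIONS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-t": "threads", "--threads": "threads",
    "-a": "algo", "--algo": "algo",
    "--donate-level": "donate_level",
    "--max-cpu-usage": "max_cpu_usage",
}
FLAG_OPTIONS = {
    "-k": "keepalive", "--keepalive": "keepalive",
    "-B": "background", "--background": "background",
}

# Monero standard addresses are 95 base58 characters starting with '4'
# (subaddresses start with '8'); miners pass the payout address as the pool username.
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def parse_miner_args(cmdline):
    """Map XMRig-style options in a command line to their values; token 0 is the image."""
    tokens = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    parsed = {"image": tokens[0] if tokens else ""}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        name, _, inline_value = tok.partition("=")   # handles --donate-level=1
        if tok in FLAG_OPTIONS:
            parsed[FLAG_OPTIONS[tok]] = True
        elif tok in VALUE_OPTIONS and i + 1 < len(tokens):
            parsed[VALUE_OPTIONS[tok]] = tokens[i + 1]
            i += 1
        elif name in VALUE_OPTIONS and inline_value:
            parsed[VALUE_OPTIONS[name]] = inline_value
        i += 1
    return parsed


def triage_cmdline(cmdline):
    """Return (likely_miner, evidence) for one process command line."""
    args = parse_miner_args(cmdline)
    evidence = []
    url = args.get("url", "")
    if urlparse(url).scheme.lower().startswith("stratum"):
        evidence.append("mining pool URL: " + url)
    if MONERO_ADDR_RE.match(args.get("user", "")):
        evidence.append("Monero wallet address passed as pool username")
    if args.get("background"):
        evidence.append("detaches from the console (-B/--background)")
    if "donate_level" in args:
        evidence.append("XMRig donate level set to " + args["donate_level"])
    if args.get("threads", "").isdigit():
        evidence.append("fixed CPU thread count: " + args["threads"])
    # Two independent indicators avoid flagging a lone '-t 2' from an unrelated tool.
    return len(evidence) >= 2, evidence


# Constructed sample command lines (no real pool, wallet or binary); the wallet is a placeholder.
FAKE_WALLET = "4" + "A" * 94
MINER_CMDLINE = (r"C:\Users\Public\svchost32.exe -o stratum+tcp://pool.example:3333 "
                 f"-u {FAKE_WALLET} -p x -k -t 2 --donate-level=1 -B")
BENIGN_CMDLINE = r"C:\Windows\System32\notepad.exe C:\Users\Public\notes.txt"

if __name__ == "__main__":
    for line in (MINER_CMDLINE, BENIGN_CMDLINE):
        verdict, why = triage_cmdline(line)
        print(verdict, why)
```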

Cryptocurrency-mining Malware

Over the course of just a few years, the use of cryptocurrency-mining malware has attracted much attention from cybercriminals looking to profit from the increase in cryptocurrency prices through malicious means. Using malware, they abuse others’ computing resources to obtain valuable cryptocurrency surreptitiously and illegally.

Last year, we saw cryptocurrency mining swiftly gaining traction. Cryptocurrency mining was the most detected home network event by Trend Micro™ Smart Home Network™ while Smart Protection Network™ sensors detected a spike in cryptocurrency-mining malware.

Cryptocurrency mining malware has adverse effects on its victims’ resources. Mining consumes enormous amounts of electricity and exhausts computing power, and malware can do the same — even to the point of overheating a smartphone’s battery that it bursts open. This gives us a glimpse of just how far threat actors are willing to go to explore new, uncharted means of changing the threat landscape for their own gain.

As illegal cryptomining events continue to surge and cybercriminals diversify attack methods, the importance of creating solutions that will provide protection from various iterations of cryptocurrency-mining malware becomes all the more pronounced.

Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware. It features high-fidelity machine learning that uses TLSH to secure the gateway and endpoint, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, either steal or encrypt personally identifiable data, or carry out malicious cryptocurrency mining. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Original Post from: Trendlabs Security Intelligence Blog
Full article link -> Cluster of Coins: How Machine Learning Detects Cryptocurrency-mining Malware



Repost: Cryptocurrency-Mining Malware: 2018’s New Menace?

Cryptocurrency-Mining Malware: 2018’s New Menace?
by: Menard Osena

Will cryptocurrency-mining malware be the new ransomware? The popularity and increasing real-world significance of cryptocurrencies are also drawing cybercriminal attention — so much so that it appears to keep pace with ransomware’s infamy in the threat landscape. In fact, cryptocurrency mining was the most detected network event in devices connected to home routers in 2017.


Figure 1. In 2017, cryptocurrency mining was the most detected network event in devices connected to home routers (based on Trend Micro Smart Home Network feedback)

What started out in mid-2011 as an afterthought to main payloads such as worms and backdoors has evolved into such an effective way to profit that even cyberespionage and ransomware operators, and organized hacking groups are joining the bandwagon.

Bitcoin, for instance, was valued at around US$1,000 in January 2017 but has since ballooned to over $11,000 today. It even peaked at a record $20,000 per bitcoin. Monero’s (XMR) story was the same, with a value that shot up from $13 in January 2017 to $325 in February 2018. The volatile yet sharp increases in their value give the shift some weight. Where there’s money to be made, expect threat actors to try to be in on it.

Their use of cryptocurrency-mining malware and its meteoric ascent in the threat landscape is a case in point. As shown below, cryptocurrency-mining malware’s prevalence gained momentum, peaking at 116,361 in October 2017 before stabilizing throughout November and December. We detected the most cryptocurrency-mining malware in Japan, India, Taiwan, the U.S., and Australia.

Figure 2. Cryptocurrency-mining malware detections in 2017
(based on Trend Micro Smart Protection Network)



Figure 3. Country distribution of cryptocurrency-mining malware detections in 2017
(based on Trend Micro Smart Protection Network)

Other paradigm shifts are expected to be signs of things to come for cybercriminal cryptocurrency mining: the abuse of legitimate and grayware tools, particularly Coinhive, the penchant for mining Monero, and the emergence of fileless cryptocurrency miners.

From Bitcoin to Monero
Coinhive provides users and companies an alternate monetization platform by offering an embeddable JavaScript code that will use the site visitor’s CPU to mine Monero. This method’s apparent convenience and customizability did not escape cybercriminals. In fact, malicious versions of Coinhive’s miner were reported to be the sixth most common malware in the world, hitting even the official websites of organizations in the U.S. and U.K. as well as cloud servers of high-profile companies. The miner also spread through malvertisements.

It’s no surprise that Monero would be Coinhive and the cybercriminals’ cryptocurrency of choice. The algorithm used to mine Monero — CryptoNight — is designed to be resistant to ASIC mining. It’s thus more suited to calculating hashes on consumer hardware CPUs.

While bitcoin mining is still technically possible by using CPU and graphics processing unit (GPU) or a combination of both, it’s no longer as viable as it was especially when held up against dedicated rigs using application-specific integrated circuit chips (ASICs) and cloud-mining providers. Meanwhile, a miner can run 24/7 for a year, and it still won’t yield a single bitcoin.

Monero is also more pseudonymous than bitcoin. Its use of ring signatures makes it difficult to follow trails in transactions made through Monero’s blockchain — address, amount, origin, and destination, senders and recipients, to name a few.

Fileless Cryptocurrency-Mining Malware
Just like how ransomware matured, we’re starting to see the use of notorious exploits and methods for deploying fileless malware to install miners. Coinhive notes, for instance, that 10-20 active miners on a website can turn a monthly profit of 0.3 XMR — or $97 (as of February 22, 2018). An army of zombified systems translates to more illicit payouts.

A cryptocurrency-mining malware we found last year, which exploited EternalBlue for propagation and abused Windows Management Instrumentation (WMI) for persistence, is an example of this. In fact, the Monero-mining Adylkuzz malware was reportedly one of the first to exploit EternalBlue before WannaCry. The longer the system and network remain unpatched, the more they are at risk of re-infection.

A typical infection chain in fileless cryptocurrency-mining malware, as shown below, involves loading the malicious code to the system’s memory. The only physical footprint indicating an infection is the presence of a malicious batch file, an installed WMI service, and a PowerShell executable. For propagation, some use EternalBlue exploits, but we also saw others employing Mimikatz to collect user credentials in order to access them and turn the machines into Monero-mining nodes.
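The persistence half of that chain (a WMI event consumer that launches PowerShell) leaves traces that endpoint telemetry can correlate. The following is an added example, not code from the original post; it assumes Sysmon-style event IDs and field names (1 = process create with Image/ParentImage/CommandLine, 19/20/21 = WMI filter, consumer and binding), and the events, consumer/filter names and encoded payload are constructed placeholders.

```python
"""Hunt for the fileless-miner persistence chain (WMI consumer + PowerShell)
in constructed, simplified Sysmon-style events (added example)."""
import ntpath
import re

NAME_RE = re.compile(r'Name="([^"]+)"')                 # pulls names out of WMI object paths
ENCODED_PS_RE = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
WMI_HOST = "wmiprvse.exe"                                # WMI provider host that runs consumers
SHELLS = {"powershell.exe", "cmd.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def consumers_running_shells(events):
    """Map CommandLineEventConsumer names to commands that launch PowerShell or cmd."""
    names = {}
    for ev in events:
        if ev.get("EventID") == 20 and ev.get("Type") == "Command Line":
            dest = ev.get("Destination", "")
            first = dest.split()[0] if dest.split() else ""
            if _base(first) in SHELLS:
                names[ev["Name"]] = dest
    return names


def active_bindings(events):
    """(filter, consumer) name pairs from __FilterToConsumerBinding creation events."""
    pairs = []
    for ev in events:
        if ev.get("EventID") == 21:
            flt = NAME_RE.search(ev.get("Filter", ""))
            con = NAME_RE.search(ev.get("Consumer", ""))
            if flt and con:
                pairs.append((flt.group(1), con.group(1)))
    return pairs


def wmi_spawned_shells(events):
    """Process-create events where the WMI provider host launched a shell."""
    return [ev for ev in events
            if ev.get("EventID") == 1
            and _base(ev.get("ParentImage", "")) == WMI_HOST
            and _base(ev.get("Image", "")) in SHELLS]


def hunt(events):
    """Correlate the three signals into findings; an empty list means nothing suspicious."""
    findings = []
    consumers = consumers_running_shells(events)
    for name, cmd in consumers.items():
        tag = " with encoded command" if ENCODED_PS_RE.search(cmd) else ""
        findings.append(f"WMI consumer '{name}' runs a shell{tag}: {cmd}")
    for flt, con in active_bindings(events):
        if con in consumers:   # only a bound consumer actually fires
            findings.append(f"filter '{flt}' is bound to consumer '{con}': persistence is armed")
    for ev in wmi_spawned_shells(events):
        findings.append(f"{_base(ev['ParentImage'])} spawned {_base(ev['Image'])}: {ev['CommandLine']}")
    return findings


# Constructed sample events: a subset of Sysmon fields, not a real capture.
EVENTS = [
    {"EventID": 19, "Operation": "Created", "Name": "EXAMPLE_FILTER",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "EXAMPLE_CONSUMER", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -enc BASE64_PLACEHOLDER"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="EXAMPLE_CONSUMER"',
     "Filter": '__EventFilter.Name="EXAMPLE_FILTER"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc BASE64_PLACEHOLDER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```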

Indeed, vulnerabilities will also be one of the main doorways for cryptocurrency-mining malware. This is demonstrated by the recent intrusion attempts we observed on Apache CouchDB database management systems. JenkinsMiner, a remote access Trojan that also totes a Monero miner and targets Jenkins servers, reportedly earned its operators over $3 million worth of Monero.


Figure 4. A typical infection flow of fileless cryptocurrency-mining malware
(click to enlarge)

Thwarting Cryptocurrency-Mining Malware
Cryptocurrencies aren’t inherently prohibited, at least in many countries. Given their decentralized nature, they have regulatory frameworks from which their trade is legally overseen. Mining them illicitly through malware, however, is a different matter.

But while cryptocurrency-mining malware’s impact may not be as palpable or damaging as ransomware’s, they are no less of a threat. In December last year, the Loapi Monero-mining Android malware showed how they could physically damage a mobile device.

But cybercriminal cryptocurrency mining isn’t just about device wear and tear, or even the power consumption involved. It’s also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it. And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as it is common, using a plethora of ways to infect systems and even inadvertently turning its victims into a part of the problem. This highlights the need to complement security mechanisms with defense in depth, adopting best practices not only for enterprises and everyday users but also for device design and equipment manufacturers.


Figure 5. Trend Micro’s proactive solutions against fileless cryptocurrency-mining malware
(click to enlarge)

Trend Micro XGen security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware. It features high-fidelity machine learning to secure the gateway and endpoint, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, either steal or encrypt personally-identifiable data, or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Original Post from: Trendlabs Security Intelligence Blog
Full post link Cryptocurrency-Mining Malware: 2018’s New Menace?

Additional #tech #infosec #security insights on #Cryptocurrency #Bitcoin #Mining to follow soon, so watch out for it 🙂



On Salon.com and Cryptocurrency Mining

“When able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near”
Sun Tzu, Art of War

I came across this article last week:

https://www.salon.com/about/faq-what-happens-when-i-choose-to-suppress-ads-on-salon/

<image credits: Salon.com>

If you find it TL;DR, my rough translation is:

The news site Salon.com is telling their viewers to:

  • Pay them $$$ for news access (subscription model) or
  • Show their Advertisements; else
  • Mine them some Monero/XMR

This is like premium subscription model (usual for some US news sites) vs Ads/Adsense model (freemium) vs Coinhive model. Wow! Just wow!

And from an #InfoSec perspective, I find this move so wrong on many levels. Initially, I wanted to rant on Twitter.

But I chose to have an open mind and weigh things out first. Why not a blog post for AVSecurityProductManager.com on this topic? Maybe this can be a good way of “furthering the dialogue”, and this is why we have this post 🙂

I’m not a regular visitor of Salon.com. All I know is that they are a US/American news/opinion website. I also checked, and they seem to be a Top 1000 site in the US and a Top 5000 site globally according to Alexa siteinfo.

<Screen capture from Alexa.com siteinfo>

So green light and good website creds for me imho.

Some interesting points on their announcement (highlighted)

How does Salon make money by using my processing power?

The demand for computing power across many different industries and applications is potentially very high. We intend to use a percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation.

For our beta program, we’ll start by applying your processing power to mine cryptocurrencies to recoup lost ad revenue when you use an ad blocker. We plan to further use any learnings from this to help support the evolution and growth of blockchain technology, digital currencies and other ways to better service the value exchange between content and user contribution.

xxx

In any case, the possibilities for this sort of technology are limitless: In the future your spare computing power may go to solving the kinds of complex math problems that form the integrity of blockchains, but it can also be used for humanitarian and scientific projects such as helping research how proteins fold, to aid in biological discovery or helping pay for misdemeanor prisoners’ bail, or to see if we can better predict the impact of climate change.

Your spare computing power can even help analyze astronomical signals to figure out if extraterrestrials are trying to contact us. Some scholars have proposed using spare computing power to help secure voting and verify the integrity of democratic elections.

Uh-oh! That “spare processing power to contribute to the advancement of technological discovery, evolution and innovation” and “extraterrestrials are trying to contact us” cards again 🙂 I honestly feel this is sugar-coating the risks posed by cryptocurrency mining issue 🙂

And what will they mine?

What is Salon doing with my computer if I decide to opt-in?

Salon is mining digital currencies (for our beta, Monero). To do that, we are instructing your processor to run calculations. Think of it like borrowing your calculator for a few minutes to figure out the answer to math problems, then giving it back when you leave the site. We automatically detect your current processing usage and assign a portion of what you are not using to this process.

Monero. XMR. Mucho Monero!!!

Don’t get me wrong now, I am not saying that “Monero is bad” or “Monero is evil”. I would just like to put on the discussion table that recent infosec events show this crypto (Monero/XMR) tops other cryptos in malicious activity. Some related links here and here.

(sidenote: I may write more about this Monero/XMR cryptocurrency in the future so this can be sort of a multipart post)

To sum up my thoughts, this change by Salon.com is a risky security move. It’s also a tricky business model.

And I will be watching closely on how this one will unfold…

Before I end this post, here is my disclosure/disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via twitter or linkedin


On Capture the Flag

Do you have l33t skills in targeted attacks, Internet of Things (IoT), Industrial Control Systems (ICS/SCADA) and cybercrime? Interested in some extra cash (JPY 1,000,000, approximately US $8,700), or want to have some fun while learning and building more knowledge in the InfoSec industry? If yes, then read on…

Trend Micro is running an educational contest called Trend Micro CTF (Capture the Flag) 2017 this month. It is a global competition intended to help build skills among young professionals (20 years old +) and seasoned veterans alike in the field of cybersecurity.

Trend Micro Capture the Flag 2017, dubbed the Raimund Genes Cup, is the third of the annual CTF cyber events we are organizing, and this year it will focus on challenges across 4 InfoSec disciplines: targeted attacks, cybercrime, IoT, and SCADA.

Trend Micro is also offering an amazing opportunity for the top 10 online qualifying teams and will cover travel expenses to Japan (up to JPY 200,000 / approximately US$1,810/ conditions apply) as well as three nights hotel accommodation. Even if you are not really interested in the prizes, this is a great opportunity for you to test your skills and learn!!!

Online qualifiers will be held on June 24-25, 2017, entirely online!

Register your team HERE

For more details please visit the Press link  and the Trend Micro CTF 2017 page

Good luck!!!

Some Disclosure/Disclaimer:

I work at Trend Micro. The views expressed in this blog are mine and mine alone (and do not necessarily represent my employer’s positions, strategies or opinions). Read more about me here. You can contact me via twitter or linkedin


On SHA1

I posted Google’s announcement of the SHA1 shattering on Twitter several weeks ago

And I was surprised that a fellow infosec dude replied and tweeted

and it seems that the platform he is hinting at does not have a migration path or plan for it (or none that we know of). And it’s still MD5 :(.

This got me thinking that maybe SHA1 can be a good topic for this blog, so I looked into the details so that I can explain it in a simple way and answer: what’s with this SHA1 being broken? Why should we care? Or should we not?

SHA1 is broken.

Google and the researchers demonstrated this by crafting 2 PDF files with different contents but same SHA1 hash.  They released the geeky how-to docs publicly. Good visualization too 🙂

Image Credits: Shattered.IT

So in a nutshell, it is now possible to craft two different files that share the same SHA1 hash. So if you are using SHA1 as the primary identification of files/certs, consider migrating to another hash like SHA256 or SHA3.

How easy to do the attack?

Very hard (it needs 6,500 years of single-CPU computing power or 110 years of single-GPU power). But of course with Google’s firepower, they fast-tracked things drastically (experts say this is 3 years earlier than previously projected). My key learning here is that, given GPU advancements and cloud computing nowadays, that “very hard” attack can become “so easy”, as long as you have the right resources ($$$, kaching-kaching, moolah).

Several experts estimated that such an attack needs a 75K USD budget: just rent some computing firepower via AWS and the problem is solved :). Imho, 75K is peanuts to nation-states and large cybercriminal groups (whether it’s FUD or not is not my forte).

What are the usual systems potentially impacted? SHA-1 is used for digital signatures, file integrity, and/or file identification, among others. So digital certificate signatures, email PGP signatures, vendor file signatures, software updates, Git, etc. may be vulnerable.

SHA1 certs have been deprecated since 2015. Major browsers are OK and safe, with Google providing early protection for Chrome (and other Google-related services too) and Firefox providing a fix a day after the disclosure.

Git and the software repository community had a healthy discussion, with Linus Torvalds giving a good explanation of the impact on Git.

Should we care?

Are you (or your tools, software, systems) heavily dependent on SHA1 for file integrity? If yes, then you should care and plan the migration right away. The migration path is SHA256 or SHA3. The attack described above was demonstrated with PDF files, and since the technique is already public, expect other file types to follow soon. This is not a question of IF now but WHEN.


On Ransomware

“They can beg and they can plead
But they can’t see the light
Coz the boy with the cold hard cash
Is always Mr. Right”

Material Girl, Madonna

I was planning to write about ransomware for a long, long time but didn’t know where to start. Will I start with the email that my childhood friend sent me in 2015 (frantically pleading “Halpppp me, I got this HELP_YOUR_FILE Virus and I’m doomed”)? Or when ransomware first piqued my interest (shout out to the Bundespolizei police ransomware, c. 2012)? When? What to share? Help!!!

But of course I’m good at procrastination, so as of February 2017 there are still zero posts on ransomware 🙂. But let’s end that, because I promised that I will do more articles this year on all my blogs and I want to start it right. This is also in support of my “all my infosec posts belong to AVSecurityProductManager Blog” stance, so here we go. For starters I’m sharing this YouTube video

Sorry, I’m really a sucker for digital DIY kitties. OK, maybe just the bad kind of DIY kits (blame it on Vicodines of macro poppy kit fame; sorry, I’m an old school virus dude, mon!). Honestly I’m torn between sharing and suppressing this ransomware video advertisement on YouTube. But sadly, this is a good demo of how easy it is to create/mod a ransomware (even dummies can do it, huh). Not sure how long this one will stay up on YouTube though.

I know Stampado/Philadelphia is kinda old (I think it was active around September 2016). Maybe a decryptor is out already. But given that the dynamics and motivations for ransomware (cold hard cash + someone still paying the ransom) are here to stay, I guess this ransomware problem will not go away easily.

Ruining Madonna’s lyrics

They can beg and they can plead
But they can’t decrypt it right
So the boys with the cold hard cash
Will buy bitcoins right???

(Please don’t kill me if my lyrics mod skills sux)

Lastly, I support NO More Ransom!!! Visit No More Ransom for more solutions and insights.

I will do a part 2 on ransomware soon…

Video credits to Youtube. Thanks goes out to Brian Krebs for his post on this topic.


On Pump and Dump Spam Run

I thought they were already an extinct-in-the-wild technological mal-species. But just yesterday I got this spammy mail in my mailbox:


Image 1. Suspicious Email

Sorry, I choose not to comment on the company as I do not have verifiable info on them or their industry. But I did not subscribe the affected mailbox to any stock-monitoring feeds, so your paranoid Security Product Manager will tag this issue as SPAM. And since all my infosec posts belong to this blog, here are some additional security insights.

Dissecting the content of the mail…

[Name of supposed sender] here.

My NEWEST MONSTER PICK is – [company name here]. And they trade under the ticker symbol – [Symbol1] or [Symbol2]

I don’t know if you know this, but technically, 0.0001 is the lowest that a stock can trade at on the open market…

0.0001 is THE FLOOR!

So it stands to reason, if you get in at the ground level (THE FLOOR ), the stock CANNOT go lower.

So technically you have limited your downside.

Go buy [Symbol1] NOW and quadruple your money quick!

Actually the unsolicited nature of this email was the first red flag. The text “Go buy NOW and quadruple your money quick” and “So technically you have limited your downside” provide secondary red flags. Any get rich quick scheme will trigger my infosec spider-sense :).

Pump and Dump Scam run? Call it Maybe…

Some interesting thoughts on spam came to my mind which may make a good post in the future. I noted that there seems to be a “new” breed of spam mails targeting those who need “high-end” systems user lists. I don’t know if this is prevalent already. Maybe I can feature them here soon. Watch out for it. Soon.


On Potentially Unwanted

I have been busy the past few months because of these PUAs (Potentially Unwanted Apps). Honestly, I consider myself lucky because yours truly is an old-school AV veteran that survived the good ol’ spyware wars (circa 2003), so connecting the dots for this technical challenge will be a considerably easier task.

As I have not posted anything on this blog for the last 9 months, I want to post my personal insights on this PUA issue. I am not sure where to start, so maybe I will post some basic Q&A on PUAs and do a series of blog posts just like what I did with vulnerability assessment.

Here we go:

What are PUAs?

Potentially unwanted applications (PUAs), classified as grayware, refer to applications installed on a mobile device or a computer that may pose high risk or have an untoward impact on user security and/or privacy. They may also contribute to consuming computing resources. They may be unwanted by the user even if installed with the user’s consent. More often than not, PUAs do not explicitly and completely state their functions and purpose. The impact the application causes may be either inadvertent or simply part of its design. PUAs are created by legitimate or illegitimate software publishers.

What are the common PUA behaviors?

Here are some notable PUA behaviors:

  • Bundling – There are applications that, when installed on a device or a computer, install other applications (bundled software) that users may not want. The primary application that installs the additional applications often tricks users during the installation process with options that allow the installation of the bundled software. Applications like these may also come bundled with other grayware.
  • Advertising – displays excessive advertisements, causing interruption or annoyance to users.
  • Information collection – applications that collect information without users’ consent.

PUAs can be complex and may contain other unwanted behavior such as:

  • Exaggerated or bogus notifications
  • Lack of control for users
  • Runs unwanted processes or applications that consume computing resources
  • Provides unconventional way of uninstalling the application

Source: Trend Micro PUA Security Definition Page

Some questions on which I plan to give more insight in the succeeding posts:

  • Is PUA equal to Malware?
  • Is PUA an endpoint problem?
  • What changed from the threat landscape of 2003 vs today?

On Vulnerability Scanning – Part 2

Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose.
Sun Tzu, Art of War

This is the second part of my vulnerability scanning post.

Background:
A friend of mine asked me if I can give my advice about vulnerability scanning. He is enrolled in an infosec class in one of the universities here. He said this vulnerability scanning is an educational project for them.

Here are his questions:

  • Is it legal to perform a vulnerability scan from external source?
  • Do I have a recommendation on how they should do the vulnerability scanning?
  • What are the standard parameters/elements of vulnerability scanning that they should use in this vulnerability assessment exercise?
  • Their group agreed to do scanning on the “Company X”. Again, any advice on possible legal and other complications?
  • Is security “Company Y” providing a secure online vulnerability assessment tool?

In the first part of the post, I focused on the planning, high-level objectives and scoping of the project. This post discusses the feedback on the other items.

Is it legal to perform a vulnerability scan from external source?

Most of the vulnerability scan and assessment tools that I know of have legal implications. The legal complexity mainly depends on which country or jurisdiction “Company X” operates in. At the very least, the students should know the applicable laws in their respective countries. At the end of the day, it will be the lawyer and/or legal expert who can say if it is legal or not, so I may not be the best candidate to answer this question.

Do I have a recommendation on how they should do the vulnerability scanning?

For the vulnerability scans I directly participated in, the usual setup was that the entity being scanned and assessed provided consent and the scans were made inside their network. So the key concepts here are consent and internal scanning. The targets of my scans were within a defined network, and the vulnerabilities being searched for were clearly identified. The purpose of our vulnerability scan exercise was to notify the IT admins and let them address the “vulnerable” machines and mitigate the risk of malware infection.

Their initial scope points to doing website scanning against “Company X”, which is operating in “Country W” territory. They will do white hat work (most probably a website vulnerability scan), but the boundary between white hat (and grey hat) and black hat may not be clear. So, for our example’s sake, I reminded them that they should know the law of Country W; for example, if it will be in the Philippines, maybe they should review the Cybercrime Prevention Act of 2012 (RA 10175) and the Electronic Commerce Act (RA 8792). Overall, this can be a very tricky situation, especially if they will not engage Company X and do proper disclosure.

On motives, I told him to answer a simple question:

What will be the difference between the scanning they will do and what other malicious groups (e.g. hackers) will do?

If they cannot differentiate theirs from the bad actors’ on the net, then they may be inviting trouble.

Scrutinizing their initial plan, I found an interesting point: that “Company X” operates in “Country W” is not entirely true. “Company X” is part of “Country W” government branch offices. So we have testers who are “Country W” citizens, operating in “Country W” territory, doing vulnerability testing against “Company X”, which is part of the “Country Y” government. To summarize: the original plan is inviting bigger trouble.

So I suggested that they do internal testing with Company X, get Company X’s consent, and at least do responsible disclosure of the vulnerability if they find something. More on responsible disclosure can be read here.
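Consent and a defined network can be enforced before the first packet leaves. This is an added example (my illustration, not anything the blog or the students used) of a scope gate that checks each proposed target, the scanner’s own address and the date against a consent record; the record, its address ranges and dates are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed authorization record: what the scanned entity's written consent permits.
# Every value here is an assumption for this example, not a real scope document.
AUTHORIZATION = {
    "client": "Company X (lab network)",
    "valid_from": date(2018, 3, 1),
    "valid_to": date(2018, 3, 31),
    "networks": ["10.20.0.0/16", "192.168.50.0/24"],   # internal ranges covered by consent
    "excluded": ["10.20.1.0/24"],                       # systems the client carved out
    "scanner_inside": ["10.20.0.0/16"],                 # the scanner itself must sit in here
}

def check_scope(targets, scanner_ip, today, auth=AUTHORIZATION):
    """Pre-flight gate: return (approved, rejected) with a reason per refused target.

    Nothing is scanned here; the point is to refuse to start when the date,
    the scanner's own position, or any target falls outside the consented scope."""
    nets = [ipaddress.ip_network(n) for n in auth["networks"]]
    excl = [ipaddress.ip_network(n) for n in auth["excluded"]]
    home = [ipaddress.ip_network(n) for n in auth["scanner_inside"]]
    if not auth["valid_from"] <= today <= auth["valid_to"]:
        return [], {t: "consent window closed" for t in targets}
    if not any(ipaddress.ip_address(scanner_ip) in n for n in home):
        return [], {t: "scanner is not inside the client network" for t in targets}
    approved, rejected = [], {}
    for t in targets:
        try:
            tn = ipaddress.ip_network(t, strict=False)   # a bare IP becomes a /32 (or /128)
        except ValueError:
            rejected[t] = "not an IP or CIDR; resolve hostnames first and re-check"
            continue
        if any(tn.overlaps(e) for e in excl):            # even partial overlap is refused
            rejected[t] = "overlaps a range the client excluded"
        elif not any(tn.version == n.version and tn.subnet_of(n) for n in nets):
            rejected[t] = "outside the consented networks"
        else:
            approved.append(t)
    return approved, rejected
```

A target given as a whole CIDR is refused if any part of it touches an excluded range, which is the case a per-host check would miss.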

Is security “Company Y” providing a secure online vulnerability assessment tool?

I haven’t tried “Company Y”, but I know they are an indirect competitor to my current company, so I might not be an unbiased feedback giver. I saw “Company Y” folks at the RSA conference, and they seem cool and tech savvy. At RSAC, we always say, “we (RD guys) are all friends here when we are at RSA, as it is the marketing dudes on the booths who are the ones battling out the marketing mumbo jumbo” and “we are all part of a bigger ecosystem”, but in reality, there is really “coopetition”. Coopetition is a portmanteau of cooperation and competition.

I suggested to them that they register at the “Company Y” website, read the EULA/Disclaimer of their free online VA tool and assess “Company Y” tools’ capability. Just take note that in infosec nothing is really “free”.

© AVSecurityProductManager.com