New code injection method avoids malware detection on all versions of Windows

Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. Dubbed Process Doppelgänging, commonly available antivirus software is unable to detect processes that have been modified to include malicious code.

The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when memory of a legitimate program is modified and replaced with user-injected data causing the original process to appear to run normally while executing potentially harmful code.

Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.

To attempt the exploit, a normal executable is handed to the NTFS transaction and then overwritten by a malicious file. The NTFS transaction is a sandboxed location that returns only a success or failure result preventing partial operations. A piece of memory in the target file is modified. After modification, the NTFS transaction is intentionally failed so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed.

The following table shows the antivirus software tested by the researchers that is unable to block the exploit discovered.

Product	Operating System	Result
Windows Defender	Windows 10	Success
AVG Internet Security	Windows 10	Success
Bitdefender	Windows 10	Success
ESET NOD 32	Windows 7 SP1	Success
Symantec Endpoint Protection	Windows 7 SP1	Success
McAfee VSE 8.8 Patch 6	Windows 7 SP1	Success
Kaspersky Endpoint Security 10	Windows 7 SP1	Success
Kasperksy Antivirus 18	Windows 7 SP1	Success
Symantec Endpoint Protection 14	Windows 7 SP1	Success
Panda	Windows 8.1	Success
Avast	Windows 8.1	Success

It should be noted that Windows 10 Fall Creators Update originally appeared to fix the issue since the duo presenting were unable to perform the exploit on the latest version. When attempting the exploit, a stop error otherwise known as the blue screen of death occurs. Not a desirable effect, but better than ending up with an infected machine.

However, later updates apparently allowed for the exploit to work again even on the latest patches of Windows 10. Due to the nature of the exploit, Microsoft will have its work cut out to update a core feature that helps preserve software compatibility. Antivirus vendors should be able to push out updates to detect and prevent Process Doppelgänging within the coming weeks.

via Techspot

Read more »

Google just made it waaaay easier to backup any PC

It's time to back up your PC. Here are 6 things to consider Google just launched a new way to back up your PC data. 6 things you should know about backing up your PC Is it time to rethink the old ways of archiving your data? Maybe all but one of them... Last week, Google announced the new desktop version of its Backup and Sync app, and it got me thinking: What does desktop backup even mean in 2017? Not so long ago, there was one and only way to protect the precious data riding around in your laptop: Connect an external drive (or, if you were really fancy, a network drive), then perform a complete system backup. But is that really necessary anymore? It's time to inject some modern thinking into the old notions of PC backups. Here's what you should know: It's all about the data Think about what you're really trying to preserve in a backup. It's the data, right? Family photos, financial records, school papers, work documents -- stuff like that. OK, but what about software? What about the operating system? A full-system backup lets you preserve these items in addition to your data, the idea being to let you restore everything in one fell swoop should disaster strike. But, remember: What you really care about is the data. Not all software needs to be backed up... In the old days, when you bought software on CDs or even floppy disks, a full-system backup was logical, if only to avoid having to manually reinstall all those programs. Thanks to slow-loading media and comparatively slow PCs, that could be a long, torturous process. Backup or bust Get started with Google's Backup and Sync app Backups: Act like your business depends on them Get ransomware protection with Aomei Backupper Free But think about the software you use today. Some of it is probably web-based, meaning there's nothing to reinstall -- you just sign back into your, say, Google Docs account. As for local apps like CCleaner, Evernote, iTunes, Steam (and Steam games) and your antivirus software, you can quickly and easily re-download and reinstall them. (Even certain data is easily replaceable, like the PDF instruction manual you downloaded for your printer. Why bother backing that up?) So make a little inventory list of the software you're using and see if there's anything that actually needs to be backed up. There might be exceptions, like commercial programs that give you only a one-time download option (video editor CyberLink PowerDirector comes to mind). Those downloads, if you have any, should definitely get backed up along with your other data. ...and neither does Windows (sort of) Assuming you're running Windows 10 ($139.95 at Amazon.com), it's definitely a good idea to make a one-time backup of the OS in case you need it later. You can do this by running Microsoft's media-creation tool, which will put a copy of the OS onto a flash drive (5GB or larger). Ah, but will you need it later? If you're having software-related issues with your PC (malwareinfestation, everyday Windows wonkiness), you can use Windows' Recovery tool to get a factory-fresh reset -- no external media required. But if you have to, say, replace a defunct hard drive, now you'll want that flash drive so you can reinstall Windows. The dirty little secret of full-system backups OK, but if that's the case, doesn't a full-system backup make more sense so you can do a full-system restoration? I'll argue no, for these reasons: Full-system backups take time, even if you're just making incremental ones. Full-system backups require large-capacity external drives, which cost money. You also need backup software. There are freeware options, but do you really want to trust your entire hard drive to a free program? A full-system restore doesn't afford the benefits of a fresh Windows install; instead, you end up with all the same stray Registry keys and fragmented files that were dragging down the system before. Full-system restores are notoriously inconsistent. In my experience, they just flat-out don't work sometimes. Contrast that with a fresh install of Windows, reinstalling your software and then restoring your data: Not much can go wrong with that. Solution: Back up just your data We've come full circle. These days, a full-system backup is of questionable value. That's because the only thing that really matters is your data -- and think about where that data lives. On your hard drive, yes, but also in the cloud? All you need is a service like Amazon Drive, iCloud Drive, Google Drive or Microsoft OneDrive -- anything that automatically syncs your files to online storage. Meanwhile, are there even photos on your PC anymore? If you're like many users, you take pictures with your phone, and that phone copies everything to the cloud. Likewise, are you still using your PC to manage a music collection? If you subscribe to the likes of Apple Music or Spotify, there's nothing you need to back up; all your songs and playlists live on those services. Obviously there are exceptions, like if you have a large video library. Those files consume a lot of space, meaning cloud backup may not be practical. But I suspect many users just want to preserve office documents, tax records and the like, in which case a small amount of cloud storage easily gets the job done. The big caveat Many cloud services suffer from one considerable flaw: They won't protect you against ransomware and other forms of malware. The problem is that files corrupted on your PC will quickly get corrupted in the cloud as well, as part of the automated syncing process. You can overcome that problem by keeping malware off your PC in the first place. But many security experts note that the best way to protect yourself is to make regular local backups of your data. (Just your data, mind you.) And here's the key: Make sure your backup includes older versions of your files. Because as with online backups, it's all too easy for infected files to overwrite clean ones, leaving your backup in the same condition as your hard drive. Some backup services (including Carbonite, Dropbox and Google Drive) support versioning as well, though Google's implementation allows you to access only one file at a time -- just about useless if you have hundreds or even thousands of files to restore. And OneDrive keeps older versions only of Office files. What are your thoughts on modern-day PC backups? Do you think archiving data alone is enough? Share your thoughts in the comments! via cnet

Read more »

Check if you were hit by the massive 'Avalanche' cybercrime ring

SAN FRANCISCO — The U.S. government has posted links for free scanning programs so companies and individuals can check their computers to make sure they weren't victims of a massive, international cyber criminal operation that was taken down Thursday after a four-year investigation.

“This is probably the biggest operation that law enforcement has ever done against cyber crime,” said Catalin Cosoi, chief security strategist with BitDefender, one of the dozens of companies worldwide that worked with law enforcement to attack the group.

The U.S. Computer Emergency Readiness Team (US_CERT) has posted links to five scanners on its site. Europol has also posted a list of sites in multiple languages for potentially infected users. The malware only affects systems running the Microsoft Windows operating system, according to US-CERT.

The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which includes US-CERT, will be providing victim notification to stakeholders, including Internet Service Providers, DHS said in a statement.

Known as "Avalanche," the group had been active since 2009, according to the FBI and Europol, the European law enforcement agency. It was effectively a criminal company that sold and rented cloud-hosted software to other criminals who used it to take over systems, infect networks, launch ransomware or create enormous robot networks (botnets) to send spam.

Avalanche networks were also used to launch targeted attacks against banks and to recruit people to illegally transfer stolen money between countries, known as money mules.

"They sent more than one million e-mails with damaging attachments or links every week to unsuspecting victims," and involved as many as 500,000 infected computers worldwide on a daily basis, Europol said in a release.

“They would do whatever you wanted. You just had to call them, say ‘I need command and control service,’ or ‘I need to infect this type of people or this type of business,’ and they’d do it,” said Cosoi.

The investigation originally began in Germany in 2012 after prosecutors there detected a ransomware operation that blocked access to a substantial number of computer systems and allowed the criminals to do bank transfers from the victims' accounts.

As authorities became aware of the scope and reach of the criminal organization, the effort to shut it down ended up involving prosecutors and investigators in 30 countries.

Law enforcement takedown

On Wednesday, law enforcement launched a concerted action against the Avalanche group. It resulted in five arrests, the search of 37 premises and seizure of 39 servers. In addition, over 800,000 Internet domains, or addresses, were seized to block the criminals access to their customers.

Now that the operation has been taken down, the next crucial stage is for infected individuals and companies to check to make sure that their computers do not have Avalanche malware on them.

“Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed,” said ESET senior security researcher, Stephen Cobb.

Multiple companies worldwide have written tools to run this scan.

As Europol said on its website, "computer users should note that this law enforcement action will NOT clean malware off any infected computers — it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control."

While the effort was hailed in the cyber security world as a major coup against cyber crime, the differential between how fast international cybercrime networks proliferate and how quickly international law enforcement can act is troubling.

“It does give some reason for concern that our anti-cybercrime efforts still can't match the speed and dexterity that cyber criminals use for their own efforts," said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.

Unfortunately, while he believes that dismantling the Avalanche network will certainly show some short-term gains, he expects the cyber criminals will be "back up and running in short order.”

Read more »

Alert (TA16-336A) Avalanche (crimeware-as-a-service infrastructure)

Systems Affected

Microsoft Windows

Overview

“Avalanche” refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), is releasing this Technical Alert to provide further information about Avalanche.

Description

Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers.

In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise.

Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.

The following malware families were hosted on the infrastructure:

• Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector,Rannoh,Ransomlock.P)
• URLzone (aka Bebloh)
• Citadel
• VM-ZeuS (aka KINS)
• Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
• newGOZ (aka GameOverZeuS)
• Tinba (aka TinyBanker)
• Nymaim/GozNym
• Vawtrak (aka Neverquest)
• Marcher
• Pandabanker
• Ranbyus
• Smart App
• TeslaCrypt
• Trusteer App
• Xswkit

Avalanche was also used as a fast flux botnet which provides communication infrastructure for other botnets, including the following:        

• TeslaCrypt
• Nymaim
• Corebot
• GetTiny
• Matsnu
• Rovnix
• Urlzone
• QakBot (aka Qbot, PinkSlip Bot)

Impact

A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware had the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may have allowed criminals unauthorized remote access to the infected computer. Infected systems could have been used to conduct distributed denial-of-service (DDoS) attacks.

Solution

Users are advised to take the following actions to remediate malware infections associated with Avalanche:

• Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though parts of Avalanche are designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of an Avalanche malware, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
• Avoid clicking links in email – Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser (see Avoiding Social Engineering and Phishing Attacks for more information).
• Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
• Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
• Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

          ESET Online Scanner

          https://www.eset.com/us/online-scanner/(link is external)  

          F-Secure

          https://www.f-secure.com/en/web/home_global/online-scanner(link is external)

          McAfee Stinger

          http://www.mcafee.com/us/downloads/free-tools/index.aspx(link is external)

          Microsoft Safety Scanner

          https://www.microsoft.com/security/scanner/en-us/default.aspx(link is external)

          Norton Power Eraser

          https://norton.com/npe(link is external)

         Trend Micro HouseCall

          http://housecall.trendmicro.com/(link is external)

References

• https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf
• http://www.bankinfosecurity.com/avalanche-group-linked-to-fraud-a-2573(link is external)

Revisions

• December 1, 2016: Initial release
• December 2, 2016: Added TrendMicro Scanner

via: https://www.us-cert.gov/ncas/alerts/TA16-336A

Read more »

‘AVALANCHE’ NETWORK DISMANTLED IN INTERNATIONAL CYBER OPERATION

On 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Lüneburg Police (Germany) in close cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Europol, Eurojust and global partners, dismantled an international criminal infrastructure platform known as ‘Avalanche’.

The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.
The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing[1] to combat botnet[2] infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked.

On the action day, Europol hosted a command post at its headquarters in The Hague. From there, representatives of the involved countries worked together with Europol’s European Cybercrime Centre (EC3) and Eurojust officials to ensure the success of such a large-scale operation.

In addition Europol supported the German authorities throughout the entire investigation by assisting with the identification of the suspects and the exchange of information with other law enforcement authorities. Europol’s cybercrime experts produced and delivered analytical products.

Eurojust’s Seconded National Expert for Cybercrime assisted by clarifying difficult legal issues that arose during the course of the investigation. Several operational and coordination meetings were also held at both Europol and Eurojust.

Julian King, European Commissioner for the Security Union, said: "Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders. Cybersecurity and law enforcement authorities need to work hand in hand with the private sector to tackle continuously evolving criminal methods.  The EU helps by ensuring that the right legal frameworks are in place to enable such cooperation on a daily basis".

Rob Wainwright, Europol Director, said: “Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime. The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens”.

Michèle Coninsx, President of Eurojust, said: “Today marks a significant moment in the fight against serious organised cybercrime, and exemplifies the practical and strategic importance of Eurojust in fostering international cooperation. Together with the German and US authorities, our EU and international partners, and with support from Eurojust and EC3, Avalanche, one of the world’s largest and most malicious botnet infrastructures, has been decisively neutralised in one of the biggest takedowns to date.”

The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

The investigations commenced in 2012 in Germany, after an encryption ransomware[3] (the so-called Windows Encryption Trojan), infected a substantial number of computer systems, blocking users’ access. Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords.

With this information, the criminals were able to perform bank transfers from the victims’ accounts. The proceeds were then redirected to the criminals through a similar double fast flux[4]infrastructure, which was specifically created to secure the proceeds of the criminal activity.

The loss of some of the network’s components was avoided with the help of its sophisticated infrastructure, by redistributing the tasks of disrupted components to still-active computer servers. The Avalanche network was estimated to involve as many as 500,000 infected computers worldwide on a daily basis.

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

Malware campaigns that were distributed through this network include around 20 different malware families such as goznym, marcher, matsnu, urlzone, xswkit, and pandabanker. The money mule schemes operating over Avalanche involved highly organised networks of “mules” that purchased goods with stolen funds, enabling cyber-criminals to launder the money they acquired through the malware attacks or other illegal means.

In preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured data and identified the server structure of the botnet, allowing for the shut-down of thousands of servers and, effectively, the collapse of the entire criminal network.

The successful takedown of this server infrastructure was supported by INTERPOL, the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain registries involved in the takedown phase. INTERPOL has also facilitated the cooperation with domain registries. Several antivirus partners provided support concerning victim remediation.

Computer users should note that this law enforcement action will NOT clean malware off any infected computers – it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control.

Victims of malware operating over the Avalanche network may use the following webpages created for assistance in removing the malware:

• www.bsi-fuer-buerger.de/botnetz and www.bsi-fuer-buerger.de/avalanche, in German;
• www.bsi-fuer-buerger.de/EN/botnetz and www.bsi-fuer-buerger.de/EN/avalanche, in English;
• https://us-cert.gov/avalanche;
• www.nationalcrimeagency.gov.uk/news/962-avalanche-takedown;
• www.getsafeonline.org/news/avalanche;
• www.actionfraud.police.uk/news-police-takedown-computer-network-used-to-infect-millions-of-devices-dec16;
• www.cyberaware.gov.uk/blog

The Shadowserver Foundation have supported this operation and will be making the sinkhole data available globally to responsible bodies via their free daily remediation feeds. More information can be found in their blog article.

[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. When employed at a 100% scale, infected computers can no longer reach the criminal command and control computer systems and so criminals can no longer control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can subsequently be used for notification and follow-up through dissemination to National CERTs and Network Owners.

[2] Botnets are networks of computers infected with malware, which are under the control of a cybercriminal. Botnets allow criminals to harvest sensitive information from infected computers, such as online banking credentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other computer systems, such as denial-of-service attacks.

[3] Ransomware is a type of malware that infects the victim’s PC and encrypts the victim’s files, so that the victim is unable to access them. The criminal behind the ransomware then uses intimidation and misinformation to force the victim to pay a sum of money in exchange for the password that unlocks the encrypted files. Even if a password is eventually provided, it does not always work.

[4] Fast flux technique is an evasion technique used by botnet operators to quickly move a fully qualified domain name (a domain that points to one specific Internet resource such as www. domain .com) from one or more computers connected to the Internet to a different set of computers. Its aim is to delay or evade the detection of criminal infrastructure. In the double fast flux setup, both the domain location and the name server queried for this location are changed.

Read more »