Category Archives: Malware

Posts that discuss malware infections and how to avoid or recover from their effects.

Mitigating August’s Remote Desktop Services (RDS) Vulnerabilities

Earlier last week Microsoft released security updates for Remote Desktop Services (RDS).

====================
TL DR:
If you use Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 or any supported version of Windows 10 (including the Server equivalents), please install the August 2019 security updates, which include fixes for the vulnerabilities CVE-2019-1181 and CVE-2019-1182.
====================

Why should these vulnerabilities be considered important?
The two vulnerabilities CVE-2019-1181 and CVE-2019-1182 have each received a CVSS 3 base score (defined) of 9.8. They are exploitable before authentication and need no user interaction, so they have the potential to be used by network worms to spread rapidly without any assistance from computer users. There is the potential for a repeat of an attack very similar to the WannaCry ransomware outbreak of May 2017.

How can I protect my organisation or myself from these vulnerabilities?
The most effective means of defence is to install the updates released by Microsoft, available via Windows Update (this link provides guidance on doing so) or manually from the links above.
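Whether or not a host has been patched, it is worth knowing what its RDP listener will negotiate. The following is an added example written for this post (it is not Microsoft's tooling nor the original author's): it sends the X.224 Connection Request from MS-RDPBCGR offering only TLS, and decodes the server's Connection Confirm. A reply of HYBRID_REQUIRED_BY_SERVER means Network Level Authentication (NLA) is enforced; that NLA is one of the interim mitigations in the Microsoft post is this example's assumption, since the post above does not reproduce that list. The response bytes used below for illustration are constructed, and the network probe should only be pointed at hosts you are authorised to test.

```python
"""Probe an RDP listener: which security protocol does it negotiate?

Added example for this post; not Microsoft's tooling or the original author's.
It implements the X.224 Connection Request / Connection Confirm exchange from
MS-RDPBCGR (sections 2.2.1.1 and 2.2.1.2): offer a set of security protocols,
then read which one the server selects, or why it refuses.  Offering only TLS
(PROTOCOL_SSL) and getting HYBRID_REQUIRED_BY_SERVER back means NLA is enforced.
Assumption: NLA is one of the Microsoft interim mitigations (the post above does
not list them).  Only probe hosts you are authorised to test.
"""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_nego_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian.
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI, 0xE0 (CR + CDT), DST-REF (2), SRC-REF (2), class 0.  LI = 6 + 8.
    x224 = bytes([14, 0xE0, 0, 0, 0, 0, 0]) + neg_req
    # TPKT: version 3, reserved, big-endian total length (4 + 15 = 19).
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_nego_response(data):
    """Decode the server's X.224 Connection Confirm into a dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li, tpdu_code = data[4], data[5] & 0xF0
    if tpdu_code != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0)")
    if li == 6 or tpkt_len < 19:
        # No rdpNegData at all: a legacy server that only speaks Standard RDP Security.
        return {"kind": "legacy", "selected": PROTOCOL_RDP}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad rdpNegData length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "selected": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected rdpNegData type %#x" % neg_type)


def nla_enforced(response_to_ssl_only_offer):
    """True iff the server refused a TLS-only offer because it requires NLA."""
    r = response_to_ssl_only_offer
    return r["kind"] == "failure" and r["code"] == 5


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-TPDU")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Network helper (not exercised offline): offer TLS only and classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_nego_request(PROTOCOL_SSL))
        hdr = _recv_exact(s, 4)
        total = struct.unpack(">H", hdr[2:4])[0]
        data = hdr + _recv_exact(s, total - 4)
    resp = parse_nego_response(data)
    return {"host": host, "nla_enforced": nla_enforced(resp), "detail": resp}
```

A host that answers the TLS-only offer with a `response` selecting PROTOCOL_SSL accepts connections before any credentials are presented; a `legacy` answer (no negotiation data) is worse still. Neither is a substitute for installing the update.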

While the BlueKeep vulnerability (CVE-2019-0708) has not yet been exploited in the wild, there are indications (here and here) it may be soon. These more recent vulnerabilities will likely receive similar or greater interest since they are present in more versions of Windows (8.1 and 10 alongside their Server equivalents) than BlueKeep, which does not affect Windows 8 or 10.

If for any reason this is not possible, the mitigations listed in this Microsoft blog post will be useful. Thank you.

IBM Creates “Warshipping” Proof of Concept Device

Earlier this year I detailed a new method for an attacker to compromise an organisation by means of a modified smartphone charging cable. Today we see another method to compromise an organisation using an even more common means: the postal mail.

Why should this attack method be considered important?
Virtually every organisation receives postal mail, and packages are commonplace. An attacker could send an anonymous package containing one of the devices the IBM X-Force team created. The device is a small motherboard (defined) with 3G, WiFi and GPS built in. It can be activated remotely over the internet, report its position via GPS and then be instructed to scan for vulnerable network devices to attack.

Its first task is to obtain the credentials of a corporate WiFi network. Once that is done, the device pivots through other vulnerable devices on the network to compromise it (achieving persistence along the way) and then exfiltrates data or carries out any other action of the attacker’s choosing.

An attacker no longer needs to scout premises before trying to infiltrate them. They can just send a parcel to do it for them.

How can I protect my organisation or myself from this?
For an organisation, you can prohibit employees from having personal packages shipped to their office. A much more rigorous and expensive option, which is unlikely to be favoured, would be to scan all deliveries with an RF scanner.

Other suggestions to counter this device are detailed in IBM’s blog post.

Thank you.

Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check whether your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain your network card’s MAC address manually you can use the online tool instead. Both tools are linked from: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use anti-malware tools to attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly just over a million users. While users in Asia and Russia were primarily targeted, a graph of the victims’ distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
Unknown attackers trojanised an older version of the Asus Live Update utility so that it carried a backdoor. The trojanised utility was signed with a legitimate (though older) Asus code-signing certificate and was available for download from two official Asus servers, so neither the signature check nor the download source would have raised suspicion.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers chose their victim systems or what their eventual goal was. The backdoor would likely have allowed the attackers to steal files of their choice, remotely control the system (if the second stage had been installed) and deploy compromised updates; in the case of a malicious UEFI update, that may have rendered the system unbootable.

It appears the attackers’ goal was to target approximately 600 systems of interest to them with the intention of carrying out the actions mentioned above. We know it is approximately 600 systems because, upon installation, the malware checked whether the system had a MAC address from its built-in list of interest; if it did, the malware downloaded and installed stage 2 (of which, unfortunately, Kaspersky was unable to obtain a sample). The server which hosted the stage 2 download was taken offline in November 2018, before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor simply stayed dormant on it. It’s unclear how the attackers might choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).
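To make the victim gate concrete, here is an added example (not Kaspersky’s checker and not the backdoor’s code) that does what the two tools above do in reverse: pull the adapter MAC addresses out of `ipconfig /all`-style text, normalise them, and test them against a list of targets. Two things are assumptions of this example and not from the page: that the list is held as MD5 hashes of the lower-case, separator-free MAC (so the plaintext targets are not visible to anyone reading the binary), and the three “target” MACs themselves, which are constructed and are not real indicators.

```python
"""Reproduce the ShadowHammer-style victim gate on MAC addresses.

Added example, not Kaspersky's tool or the backdoor's code.  The backdoor
compared the machine's adapter MACs against a built-in list and only fetched
stage 2 on a match.  Assumptions: targets are stored as MD5 of the lower-case,
separator-free MAC (the real encoding is not given on this page), and every
MAC below is a constructed example, not a real indicator.
"""
import hashlib
import re

HEX2 = r"([0-9A-Fa-f]{2})"
MAC_RE = re.compile(r"\b" + r"[:-]".join([HEX2] * 6) + r"\b")


def normalise_mac(mac):
    """'00-1A-2B-3C-4D-5E', '00:1a:2b:3c:4d:5e', '001A2B3C4D5E' -> '001a2b3c4d5e'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return digits


def mac_hash(mac):
    """Hash used for the target list (assumed MD5 of the normalised form)."""
    return hashlib.md5(normalise_mac(mac).encode("ascii")).hexdigest()


# Constructed targets, stored hashed so the plaintext list is not in the binary.
TARGET_HASHES = frozenset(mac_hash(m) for m in (
    "00:11:22:33:44:55",   # constructed
    "02-00-4C-4F-4F-50",   # constructed (locally administered bit set)
    "a1b2c3d4e5f6",        # constructed
))


def extract_macs(ipconfig_text):
    """Every MAC in `ipconfig /all` (Windows, hyphens) or `ip link` (colons) output."""
    return sorted({normalise_mac("".join(m)) for m in MAC_RE.findall(ipconfig_text)})


def targeted_macs(macs, target_hashes=TARGET_HASHES):
    """Subset of `macs` whose hash appears in the target list."""
    return [m for m in macs if mac_hash(m) in target_hashes]


def would_fetch_stage2(ipconfig_text, target_hashes=TARGET_HASHES):
    """Mirror the gate: stage 2 only when at least one adapter matches."""
    return bool(targeted_macs(extract_macs(ipconfig_text), target_hashes))


# Constructed `ipconfig /all` excerpt: one matching adapter, one that does not.
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 02-00-00-AA-BB-CC
"""
```

Normalising before hashing matters: the same adapter is reported as `00-11-22-33-44-55` by Windows and `00:11:22:33:44:55` by Linux, and a checker that hashes the raw string would miss one of them.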

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially, when Kaspersky contacted Asus on the 31st of January 2019, Asus denied their servers were compromised. Separately, a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely silent until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check whether your system was affected. It is downloadable from the notice linked above.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommend a full backup and full reset of your system, for some that may not be the preferred choice. If you use the Kaspersky security suite it will very likely remove the backdoor easily, since they were the first to detect it.

Please use whichever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser, since they use cloud-based forensic analysis and compare the files on your system against VirusTotal to check whether any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill, but it will ensure a thorough check.

A link to the full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex), I ran the Asus utility to check my system; it displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that, since the threat mainly affects laptops, running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation based scanners on new downloads and have application whitelisting enabled. In summary; my system will be more difficult to compromise.

Thank you.

Botnet Targeted Unpatched Counter-Strike Vulnerabilities

In mid-March the security firm Dr. Web published details of a botnet (defined) they were able to shut down, affecting players of the classic first-person shooter (FPS) game Counter-Strike 1.6.

Why should this development be considered significant?
The report made available by Dr. Web showed that at its height the botnet resulting from the distribution of the Trojan (defined) Belonard accounted for up to 39% of all the game servers (1951 out of 5000) listed for Counter-Strike players to choose from.

How were gamers systems infected?
The operator of one of the popular services offering servers to play on exploited two zero-day (defined) remote code execution vulnerabilities in the Counter-Strike 1.6 client to install Trojan Belonard on a gamer’s system. Researchers from Dr. Web found that this game remains very popular and is played by 20,000 individuals on average at any one time.

Counter-Strike can make use of dedicated servers that gamers can choose to connect to. These servers offer reduced lag, greater reliability while some monetised servers offer access to special weapons and protection against bans.

In an example scenario, a gamer launches the official Steam gaming client. The client automatically displays a list of servers the player can connect to, with those having the lowest ping (lower is better) at the top. This list also contains publicly available servers run by Valve (the company which created and maintains the Steam client). Once Trojan Belonard has infected a system, however, it manipulates the server list offered to other players, placing the botnet’s servers high in the list they see in order to spread further. You may think you are connecting to a server with a low ping when in fact you are connecting to a malicious server, which then infects your system by exploiting a remote code execution vulnerability (defined: the ability for an attacker to remotely carry out any action of their choice on your device) in the Counter-Strike client. A more detailed description and diagram are available from Dr. Web’s analysis of this threat. Your system will then contribute to spreading the Trojan by manipulating the server list in the same way.

The botnet herder did this in order to make more money since their other more legitimate servers would also be displayed high in the list of servers and those charge a fee for their use.

What happened to this botnet?
Dr. Web was successful in disrupting this botnet by coordinating with the domain registrar reg.ru to shut down the domains used by the Trojan, thus protecting new gamers from becoming infected. Furthermore, the Trojan’s domain generation algorithm (DGA) (defined) is being monitored by Dr. Web in order to continue to sinkhole (defined) the domains the malware attempts to use to spread itself.

How can I protect myself from this threat or clean it from my system if I am already infected?
Unfortunately, the only way to prevent this botnet from being re-activated by whoever created it is for the zero-day vulnerabilities within the Counter-Strike client to be patched. Given the age of the game and the lack of financial reward to Valve for doing so, that is unlikely.

If you suspect or know your system is infected with this malware; update your anti-malware software and run a full system scan. If this does not remove the malware you can use the free version of Malwarebytes to perform a scan and remove the malware. If you suspect any remnants remain you can use the additional anti-malware scanners linked to on this blog to remove them. In this case; RogueKiller, AdwCleaner and PowerEraser would be the most suitable for this malware.

Thank you.

MikroTik Routers Exploited to Generate Cryptocurrency

In early August security researchers discovered a large malware campaign under way taking advantage of a now patched vulnerability within MikroTik routers.

Why should this threat be considered important?
The attack is still under way because, although MikroTik patched the vulnerability in the Winbox component of RouterOS (CVE-2018-14847) within a day of learning of it (on the 23rd of April 2018), a very large number of routers, estimated in the hundreds of thousands and including internet service provider (ISP) equipment, have not had the update installed. Once exploited, the vulnerability gives an attacker remote administrative (high-privilege) access to the affected router. The attack initially targeted Brazil but a second wave has since extended it to over 200,000 devices worldwide; it’s unclear whether the same perpetrator is behind both.

Proof of concept (defined) code published on GitHub was modified by unknown attackers so that a compromised router injects a copy of the Coinhive browser-mining library, together with the attacker’s Coinhive site key, into the web pages passing through it; the cryptocurrency mined by visitors’ browsers is then credited to a single attacker (an excellent introductory article to Bitcoin and cryptocurrency is available here). This attack doesn’t just affect the owners of MikroTik routers: Simon Kenin from Trustwave’s SpiderLabs division found that traffic in both directions through a compromised router was affected, e.g. a website hosted behind an affected router would also have the script injected into the pages it served.

More recently the attacker has altered their approach, injecting the Coinhive script only into the error pages the routers serve rather than into all traffic, which is far less noticeable. That altered approach affects more than 170,000 routers. These error pages can potentially be served millions of times per day, earning the attacker funds for each page served. With approximately 1.7 million of these routers online around the world there is the potential for this to get worse.
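Because the injection happens on the wire, the quickest way to tell whether a router between you and the internet is doing this is to fetch a few pages through it and look for the miner in the responses. The following is an added example (not Trustwave’s code and not the RouterOS proof of concept) that scans captured HTTP response bodies for the Coinhive loader script and the site key passed to `CoinHive.Anonymous(...)`, and counts how many pages share one key: the same key across unrelated sites and routers is what points to a single campaign. The three response bodies and the site key string are constructed samples, not the real attacker’s key.

```python
"""Detect Coinhive injection in HTTP responses passing through a router.

Added example (not Trustwave's write-up or the RouterOS proof of concept).
Input: (url, html) pairs collected by requesting pages through the suspect
router; output: which pages carry the miner and under which site key.
The HTML bodies and the site key below are constructed, not real indicators.
"""
import re
from collections import Counter

# Coinhive's hosted miner was loaded with a <script src=...coinhive.min.js>
# tag and started with `new CoinHive.Anonymous("<site key>")`.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]+src=[\"']?(?:https?:)?//[^\"'>\s]*coinhive[^\"'>\s]*", re.I)
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\(\s*[\"']([A-Za-z0-9]{16,})[\"']", re.I)


def find_coinhive(html):
    """Return {'script': bool, 'keys': [...]} for one response body."""
    return {
        "script": bool(SCRIPT_SRC_RE.search(html)),
        "keys": sorted(set(SITE_KEY_RE.findall(html))),
    }


def scan_responses(responses):
    """responses: iterable of (url, html).  Returns findings for injected pages only."""
    findings = []
    for url, html in responses:
        hit = find_coinhive(html)
        if hit["script"] or hit["keys"]:
            findings.append({"url": url, **hit})
    return findings


def keys_by_count(findings):
    """One key on many unrelated pages/routers = one actor's campaign."""
    return Counter(k for f in findings for k in f["keys"])


# Constructed sample traffic: a clean page, a page with the miner injected into
# its head, and a RouterOS-style error page carrying the script (the later,
# quieter variant described in the post).
SAMPLE_RESPONSES = [
    ("http://example.test/", "<html><body><h1>Welcome</h1></body></html>"),
    ("http://shop.example.test/cart",
     "<html><head><script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>"
     "<script>var miner=new CoinHive.Anonymous('EXAMPLEKEYEXAMPLEKEY1234');"
     "miner.start();</script></head><body>cart</body></html>"),
    ("http://192.0.2.1/does-not-exist",
     "<html><body><h1>Error 404: Not Found</h1>"
     "<script src='//coinhive.com/lib/coinhive.min.js'></script>"
     "<script>new CoinHive.Anonymous(\"EXAMPLEKEYEXAMPLEKEY1234\").start()</script>"
     "</body></html>"),
]
```

Run the same fetches from a connection that does not pass through the router; if the script appears in one capture and not the other, the router (not the website) is the source of the injection.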

How can I protect myself from this vulnerability?
If you own/administer a MikroTik router or know someone who does, please ensure that any such devices are using the most recent firmware available from this link. Further advice after upgrading the firmware is also provided by MikroTik at the above link.

Thank you.

VPNFilter: Overview and removal

====================
Update: 24th October 2018:
====================
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed in the original post below, the 3rd stage of the malware:

Provides plugins for the RAT (defined below in the original post) to extend its functionality.

The team has now identified the following additional plugins and capabilities:

  1. Packet sniffing (obtaining information from data packets (defined) passing over a network connection)
  2. JavaScript (defined) injection into web traffic passing through the compromised router, used to deliver an exploit (a small piece of software used to trigger a known vulnerability to the advantage of an attacker) to the devices behind it
  3. Encrypted tunnelling (defined) to hide both the data the malware steals and its existing command and control traffic
  4. Creating network maps (defined)
  5. Remote connection/administration via SSH (Secure Shell) (defined)
  6. Port forwarding (defined)
  7. Creating SOCKS5 (defined) proxies (defined)
  8. DDoS (defined)

The good news about this malware is that from the Talos team’s research it does not appear that any malware samples remain active. However; they caution it is not possible to assume that this malware has finished its malicious actions and the possibility of its return remains.

Thank you.

====================
Update: 20th June 2018:
====================
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.

Thank you.

====================
Update: 6th June 2018:
====================
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.

Thank you.

====================
Original Post:
====================
In late May, a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:

Affected devices (vendor and model):
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CCR1036
Mikrotik CCR1072
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)

Why should this malware be considered important?
The authors of this malware (thought to be a group funded by a nation state) are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Security Service of Ukraine (SBU) issued a security alert on this on the 23rd of May.

The malware gains access to these routers by exploiting previously publicly disclosed (defined) vulnerabilities, and then establishes persistence (namely remaining present after the router is powered off and back on). Last week the FBI seized the domain used for the botnet’s command and control and is now working to identify and clean up the affected devices.

The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware known to have this ability on such devices, the first being the Hide and Seek botnet). The malware is made up of 3 stages:

Stage 1: Is responsible for the persistence (mentioned above).
Stage 2: Providing the capabilities of a remote access Trojan (RAT)(defined)
Stage 3: Provides plugins for the RAT to extend its functionality.

The malware also has the capability to do the following:

  1. Wipe the firmware (see Aside below for a definition) of routers rendering them useless
  2. Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks)
  3. Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined) with the option of deploying further malware
  4. Communicate via the Tor network (definition in the Aside below).
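Capability 3 above is the one that is easiest to spot from inside the network: a compromised router probing TCP port 502 looks like a single source opening connections to many hosts in a short window, which a normal HMI-to-PLC Modbus session (steady, to one host) never does. The following is an added example, not Talos’s code, of that detection run over flow records. The records are constructed, and their field layout (timestamp, source, destination, protocol, destination port, TCP flags) is an assumption standing in for whatever your flow exporter actually emits.

```python
"""Flag hosts sweeping a network for Modbus/TCP (port 502) services.

Added example, not Talos's code.  VPNFilter's stage 3 looks for ICS/SCADA gear
by probing TCP/502; a compromised router doing this from the LAN side shows up
as one source touching port 502 on many destinations in a short window.  The
flow records below are constructed; their layout
(ts src dst proto dport flags) is an assumption about your exporter.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MODBUS_PORT = 502


def parse_flow(line):
    """'2018-05-23T10:00:01 192.168.1.1 192.168.1.10 tcp 502 S' -> dict."""
    ts, src, dst, proto, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport), "flags": flags}


def modbus_sweeps(lines, min_targets=3, window=timedelta(minutes=5)):
    """Return {src: sorted targets} for sources that open SYNs to >= min_targets
    distinct hosts on TCP/502 within `window`.  Only SYN-bearing flows count, so
    an established HMI -> PLC session (steady, to one host) does not fire."""
    per_src = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["dport"] == MODBUS_PORT and "S" in f["flags"]:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - start <= window}
            if len(in_window) >= min_targets:
                alerts[src] = sorted(in_window)
                break
    return alerts


# Constructed flows: 192.168.1.1 (the router) probes four hosts on 502 within
# two minutes; 192.168.1.50 (an HMI) talks to its single PLC all morning.
SAMPLE_FLOWS = [
    "2018-05-23T10:00:01 192.168.1.1 192.168.1.10 tcp 502 S",
    "2018-05-23T10:00:02 192.168.1.1 192.168.1.11 tcp 502 S",
    "2018-05-23T10:00:30 192.168.1.50 192.168.1.20 tcp 502 S",
    "2018-05-23T10:01:15 192.168.1.1 192.168.1.12 tcp 502 S",
    "2018-05-23T10:01:40 192.168.1.1 192.168.1.20 tcp 502 S",
    "2018-05-23T10:02:00 192.168.1.1 192.168.1.13 tcp 80 S",
    "2018-05-23T11:30:00 192.168.1.50 192.168.1.20 tcp 502 S",
]
```

The router’s own address appearing as the source of LAN-side probes is the key signal: a gateway has no business initiating Modbus connections, whatever the threshold is set to.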

How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router is infected to first reboot it (turn the router off and back on). This will cause an infected device to check in with the C&C (command and control, C2 (defined)) server now under FBI control, giving them a better overview of the number of infected devices.

To completely remove the malware, reset the device to factory defaults (this won’t harm a non-infected router either, but please ensure you have the necessary settings to hand to re-enter them into the router; your internet service provider (ISP) will be able to help with this). This removes stage 1 of the malware (stages 2 and 3 are removed by turning the router off and on).

To prevent re-infection: Cisco Talos’ team recommendations are available from this link. Moreover the US CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).

Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):

Linksys
MikroTik
Netgear
QNAP
TP-Link

Further recommendations from Sophos are:

  • Check with your vendor or ISP to find out how to get your router to do a firmware update.
  • Turn off remote administration unless you really need it
  • Choose strong password(s) for your router
  • Use HTTPS websites where you can

A very useful and easy to follow step by step walk through of removing this malware by BleepingComputer is available from this link with useful guidance for multiple router models.

Thank you.

=======================
References:
New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team
=======================

=======================
Aside:
What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relays spread across the internet. These relays act like proxy servers which encrypt the traffic they receive and pass it on from relay to relay.

Sites reachable only through the Tor network are sometimes referred to as the dark web (a portion of the internet only accessible using Tor). Hopping the traffic through several relays, each of which sees only its neighbours, makes tracing the source of the traffic very difficult.
=======================

HP audio driver contained keylogger

Late last week it was announced that the Swiss security firm ModZero had responsibly disclosed (defined) to HP, back in early April 2017, their discovery of an audio driver package (Conexant HD Audio) containing a keylogger. The driver is known to be present on 28 HP devices (listed here).

Conexant also creates drivers for Asus, Lenovo and Dell; at this time it is not clear whether those vendors ship the same driver (security analysts have been unable to find any other devices using the affected driver).

How can I tell if my HP (or other device) is affected by this vulnerability?
This BleepingComputer article explains how to check for this vulnerability.

Why should this vulnerability be considered important?
The affected audio driver (versions 1.0.0.31 up to and including 1.0.0.46) contained the issue, with the logging code first appearing in December 2015. Thus it has the potential to have gathered a vast quantity of information since then.

The driver package records key presses using a low-level keyboard input hook (defined) and passes every keystroke to the OutputDebugString API (API, defined), as well as writing it to a log file. Because of the OutputDebugString call, any running application that listens for debug output can capture the keystrokes; the shared debug-output buffer is read by mapping it with MapViewOfFile, so any framework or application able to call that API can do the same.

Since the unencrypted keystrokes are also stored in a text file (at C:\Users\Public\MicTray.log), forensic investigators, or anyone else with access to the log file, could potentially recover previously captured sensitive data (a reboot or power-off of the device clears the file). When backups of the affected systems are performed, the previous versions of this file within those backups would contain further captured (and potentially sensitive) information.

Since our keyboards are used to enter all kinds of sensitive information (emails, chat/instant message conversations, social media posts, credit card numbers etc.), this vulnerability could have serious consequences if the log contents were obtained by cyber criminals. The file might also contain credentials (usernames/passwords) for the above-mentioned activities.

From the information disclosed about this vulnerability, there is no evidence to suggest that the driver uploads or sends the information it gathers in that log to HP, Conexant or anyone else. However, if you create unencrypted backups within a corporate, small business or home environment, this file will accumulate more and more captured information across backup versions over time. If someone knew you create these backups and knew where to look within them (assuming they are not encrypted), they could gather significant volumes of sensitive information.
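Two checks follow from the above: is the installed driver in the affected version range, and do any copies of MicTray.log survive in backups? The following is an added example, not ModZero’s or HP’s tooling, that does both. The affected range (1.0.0.31 to 1.0.0.46), the fixed version (10.0.931.90) and the log path are from this post; walking a backup tree for old copies is this example’s addition, prompted by the point about backups. How you obtain the installed driver version (Device Manager, `driverquery /v`) is left to the caller, as that part is Windows-specific.

```python
"""Check a Conexant audio driver version and hunt for MicTray.log copies.

Added example, not modzero's or HP's tooling.  Versions 1.0.0.31 through
1.0.0.46 carry the logging code and 10.0.931.90 removes it (both from the
post), as is the log path C:\\Users\\Public\\MicTray.log.  Scanning a backup
tree for old copies is this example's addition.  The installed driver version
is supplied by the caller (e.g. from `driverquery /v` or Device Manager).
"""
import os

AFFECTED_FIRST, AFFECTED_LAST = (1, 0, 0, 31), (1, 0, 0, 46)
FIXED = (10, 0, 931, 90)
LOG_NAME = "MicTray.log"


def version_tuple(text):
    """'1.0.0.40' -> (1, 0, 0, 40); tolerates surrounding whitespace."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version string: %r" % text)
    return tuple(int(p) for p in parts)


def driver_affected(version_text):
    """True for the logging versions named in the advisory, False otherwise.
    Tuple comparison handles 1.0.0.9 < 1.0.0.31 correctly where a string
    comparison would not."""
    return AFFECTED_FIRST <= version_tuple(version_text) <= AFFECTED_LAST


def find_mictray_logs(root):
    """Walk `root` (e.g. a mounted backup) and return (path, size) for every
    MicTray.log.  A non-empty file means keystrokes were captured on the source
    machine since its last reboot at the time the backup was taken."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == LOG_NAME.lower():
                path = os.path.join(dirpath, name)
                hits.append((path, os.path.getsize(path)))
    return sorted(hits)


def assess(version_text, backup_roots=()):
    """Combine both checks into one report."""
    logs = [hit for root in backup_roots for hit in find_mictray_logs(root)]
    affected = driver_affected(version_text)
    return {
        "driver_version": version_text.strip(),
        "driver_affected": affected,
        "leaked_logs": logs,
        "action": ("update the driver and purge MicTray.log from backups"
                   if affected or logs else "no action needed"),
    }
```

Treat a found log as you would any credential dump: the keystrokes it holds are already compromised for anyone who had access to that backup, so rotate the passwords typed during the period it covers rather than just deleting the file.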

How can I protect myself from this vulnerability?
After ModZero disclosed this information to HP, HP made available a driver update (version 10.0.931.90) which removes the keylogging behavior. Moreover, the driver update will be made available via Windows Update for both 2016 and 2015 HP devices. HP Vice President Mike Nash clarified the logging feature of the driver was simply debugging code (defined) inadvertently left within the driver.

If you followed the steps above to check if your device was vulnerable but there is no driver update available, the same BleepingComputer article describes how to mitigate the vulnerability.

Thank you.