Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Author Archive
August 27th, 2014

Self-propagating ransomware written in Windows batch hits Russian-speaking countries

Ransomware steals email addresses and passwords; spreads to contacts.

Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes in an “agreement’ were made and the victim needs to check them before signing the document.

msg
The message has a zip file in an attachment, which contains a downloader in Javascript. The attachment contains a simple downloader which downloads several files to %TEMP% and executes one of them.
payload
The files have .btc attachment, but they are regular executable files.

coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is gpg executable
day.btc is iconv.dll, library necessary for running gpg executable
tobi.btc is   Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication

After downloading all the available tools, it opens a document with the supposed document to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.

msg2 Read more…

July 17th, 2014

Tinybanker Trojan targets banking customers

Tinba Trojan specifically targets bank customers with deceitful debt notice.

The Tinba Trojan is banking malware that uses a social engineering technique called spearfishing to target its victims. Recently, targets have been banking customers in Czech Republic, AVAST Software’s home country. Tinba, aka Tiny Banker or Tinybanker,  was first reported in 2012 where it was active in Turkey. A whitepaper analyzing its functionality is available here (PDF). However, the spam campaigns against bank users in Czech Republic are still going on and have became more intensive. Here is an example of what Czech customers recently found in their email inbox.

Czech version:

VÝZVA K ÚHRADĚ DLUŽNÉHO PLNĚNÍ PŘED PROVEDENÍM EXEKUCE

Soudní exekutor Mgr. Bednář, Richard, Exekutorský úřad Praha-2, IČ 51736937, se sídlem Kateřinská 13, 184 00 Praha 2
pověřený provedením exekuce: č.j. 10 EXE 197/2014 -17, na základě exekučního titulu: Příkaz č.j. 077209/2014-567/Čen/G V.vyř.,
vás ve smyslu §46 odst. 6 z. č. 120/2001 Sb. (exekuční řád) v platném znění vyzývá k splnění označených povinností, které ukládá exekuční titul, jakož i povinnosti uhradit náklady na nařízení exekuce a odměnu soudního exekutora, stejně ták, jako zálohu na náklady exekuce a odměnu soudního exekutora:

Peněžitý nárok oprávněného včetně nákladu k dnešnímu dni: 9 027,00 Kč
Záloha na odměnu exekutora (peněžité plnění): 1 167,00 Kč včetně DPH 21%
Náklady exekuce paušálem: 4 616,00 Kč včetně DPH 21%

Pro splnění veškerých povinností  je třeba uhradit na účet soudního exekutora (č.ú. 549410655/5000, variabilní symbol 82797754, ČSOB a.s.), ve lhůtě 15 dnů od
doručení této výzvy 14 810,00 Kč

Nebude-li  uvedená částka uhrazena ve lhůtě 15 dnů od doručení této výzvy, bude i provedena exekuce majetku a/nebo zablokován bankovní účet  povinného ve smyslu § 44a odst. 1 EŘ a podle § 47 odst. 4 EŘ. Až do okamžiku splnění povinnosti.

Příkaz k úhradě, vyrozumění o zahájení exekuce  a vypučet povinnosti najdete v přiložených souborech.

Za správnost vyhotovení Alexey Mishkel

 

English translation:

Distraint notice
———————
Bailiff [Academic title] [First name] [Last name], Distraint office Prague-2 ID: 51736937 at Katerinska 13, 184 00 Prague 2 was authorized to proceed the execution 10 EXE 197/2014 -17 based on execution Order 077209/2014-567/Cen/G according to §46 paragraph 4, 120/2001 law collection in valid form which impose you to pay these costs:

Debt amount: 9,027.00 CZK ($445.00)
Distraint reward: 1,167 including 21% TAX
Fixed costs: 4,616 CZK including 21% TAX
Total: 14,810 CZK ($730.00)

To bank account 549410655/5000, variable symbol 82797754, CSOB a.s.

For the correctness of the copy warrants Alexey Mishkel

Using the spearfishing social engineering tactic, the attackers attempt to scare their victims with a specially designed email message explaining that a debt exists which needs to be paid.

Read more…

July 9th, 2014

Android Forensics, Part 1: How we recovered (supposedly) erased data

Introduction to Android forensics (aka CSI: Android)

Digital forensics is a branch of science which deals with the recovery and investigation of materials found in digital devices. Forensics is usually mentioned in connection with crime, vaguely similar to criminal investigations on TV shows like CSI: Crime Scene Investigation and NCIS. However, several experiments (1, 2), including this one, use methods of digital forensics as proof that people do not pay attention to what happens with their personal data when replacing their digital devices (computers, hard drives, cell phones). In this blog post series we will reveal what we managed to dig out from supposedly erased devices. The sensitive information includes pictures (even very private ones!), videos, contacts, SMS messages, Facebook chat logs, Google searches, GPS location coordinates, and more.

What happens to the file when it is “deleted”

When people want to delete a file, most will use the standard features that come with their operating system. After it’s done, they consider the unwanted data to be gone forever. However, this is not true. When a file is deleted, the operating system merely deletes the corresponding pointers in the file table and marks the space occupied by the file as free. The reality is that the file is not deleted and the data it contained still remains on the drive. With regular usage of the drive, the remaining data will sooner or later be overwritten with different data. The same thing happens on your PC.

The following screenshots show the scenario. We used the program FTK Imager to mount the image of a partition containing user data. The first figure shows a [root] directory followed by [unallocated space]. Although all the sensitive files were deleted in the regular way, something still remained in unallocated space. In this particular example, we managed to dump 251 blocks of unallocated data and to recover interesting messages, for example from a Facebook chat. The seller of this HTC Sensation cell phone thought that his personal was cleared out, but the figures below show that he/she was tragically mistaken.

ftk_imager Read more…

April 1st, 2014

Email with subject “FW:Bank docs” leads to information theft

In this blogpost we will look deep into a spam campaign, where unlike other possible scenarios, the victim is infected by opening and running an email attachment. In the beginning of this year, we blogged about a spam campaign with a different spam message – a fake email from the popular WhatsApp messenger. This time we will look at spam email which tries to convince the victim that it originates from his bank. The malicious email contains contents similar to the following one:


Subject: FW: Bank docs

We have received this documents from your bank, please review attached documents.
<name, address>

 

promo Read more…

Comments off
March 18th, 2014

Fake Korean bank applications for Android – Pt 3

Recently, we discovered an account on GitHub, a service for software development projects, that has interesting contents. The account contains several projects; one of the latest ones is called Banks, and it has interesting source codes.  The account contains information like user name, photo, and email address, but we cannot tell who the guy in the picture is. He might not be related to the contents at all, it could be a fake picture, fake name, or simply his account may have been hacked, his identity stolen, and the Banks repository created by someone else without his consent. In this blog post, we will explore the source codes in detail.
korea-03

When we downloaded the repository, we found several directories – GoogleService and fake applications imitating mobile applications of five major Korean banks – NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank and Woori Bank.

korea-02

 

We previously published two blog posts with analyses of the above mentioned fake applications.

When we look at GitHub statistics, and Punchcard tab, it tells us what time the creators were most active. From the chart below you can see, that Saturday mornings and evenings and Sunday evenings were the most active times of comments of new versions. It seems that authors of this application do the development as a weekend job. At the time of writing this blogpost, the last update of fake bank applications was in the beginning of January 2014.

korea-20

This is not the first attack against users of Korean banks. About a year ago, we published this analysis.

Conclusion

Github, the web-based hosting service for software development projects, offers a lot of interesting contents, which depending on its settings can be later found and accessed by virtually anyone, including Google robots.  We managed to find the above mentioned repository by simply Googling the strings which occurred in a malicious Android application.

Acknowledgement:

The author would like to thank to Peter Kalnai and David Fiser for help and consultations related to this analysis.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

March 3rd, 2014

Fake Korean bank applications for Android – part 2

In February, we looked at the first part of the fake Korean bank application analysis along with Android:Tramp (TRAck My Phone malicious Android application), which uses it. In this blogpost, we will look at another two Android malware families which supposedly utilize the same bunch of fake Korean bank applications. At the end of this article, we will discuss the origin of malware creators.

Analysis of Android:AgentSpy

It is interesting to search for references of bank applications package names – KR_HNBank, KR_KBBank, KR_NHBank, KR_SHBank, KR_WRBank. One reference goes to a malicious application called Android:AgentSpy. The infection vector of this application was described by Symantec, contagio mobile and Alyac. We will not delve into details, we will just mention that the malicious application is pushed to a connected mobile phone via ADB.EXE (Android Debug Bridge). The uploaded malicious file is called AV_cdk.apk.

Android:AgentSpy contains activity MainActivity and several receivers and service CoreService.

BootBroadcastReceiver

Monitors android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT and if received, starts CoreService. It also monitors attempts to add or remove packages – android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED.

CoreService

1) Calls regularly home and reports available connection types (wifi, net, wap), IMSI, installed bank apps

2) Regularly polls C&C and responds to the following commands

sendsms – sends SMS to a given mobile number

issms – whether to steal received SMS or not

iscall – whether to block outgoing call

contact – steals contact information and upload them to C&C

apps – list of installed bank apps

changeapp – replaces original bank applications with fake bank applications

move – changes C&C server

PhoneListener receiver

Moniors new outgoing calls. If android.intent.action.NEW_OUTGOING_CALL is received, information about the outgoing call is sent to C&C.

Config class

Contains C&C URL, name of bank packages (String array bank), name of fake bank packages (String array apkNames). It also contains reference to conf.ini configuration file.

koreanbanks_agentspy_config

Analysis of Android:Telman

One more Android malware family, which uses fake bank applications is called Android:Telman. Similarly to Android:Tramp and Android:AgentSpy, it checks for installed packages of the above mentioned banks. Read more…

February 17th, 2014

Fake Korean bank applications for Android – PT 1

About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blogpost we will look at a fake bank application and analyze several malware families which supposedly utilize them.

Original bank application

We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.
korea-08

Read more…

January 22nd, 2014

Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 2

1608606_777513882262041_947320490_n

Last week we promised to explain in detail how the “Blackbeard” Trojan infiltrates and hide itself in a victim’s system, especially on its 64-bit variant. Everything described in this blogpost happens just before Pigeon (clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows’ User Access Control (UAC) security feature and switches the run of 32-bit code of the Downloader to 64-bit code of the Payload. And finally, how the persistence is achieved.

From 32-bit Loader to 64-bit Payload

As almost all other malware, this downloader is encapsulated with a cryptor. After removing the first layer cryptor, we can see that the downloader is written in a robust way. The same code can be run under either a 32-bit or 64-bit environment, which the code itself decides on the fly based on the entrypoint of the unpacked layer. Authors can therefore encapsulate their downloader in either a 32-bit or 64-bit cryptor and it will get executed well in both environments.

Read more…

November 21st, 2013

Ransomware shocks its victims by displaying child pornography pictures

In our blog, we wrote several times about various types of Ransomware, most recently about CryptoLocker. In most cases, ransomware has pretended to be a program installed into a victim’s computer by the police. Because of some alleged suspicious activities found on the user’s computer, ransomware blocks the user from using the computer and demands a ransom to unlock the machine or files.

Different ransomware families have different graphics and skins, usually showing intimidating images of handcuffs, logos of various government and law enforcement organizations, policemen performing inspections, government officials, etc… You can read some of our previous analyses on our blog – Reveton, Lyposit, Urausy – are the most prolific examples of such ransomware.

In this blog post, we will look at the functionally of the same type of ransomware, but one which displays more annoying and disturbing photos. After showing the message saying, “Your computer has been suspended on the grounds of viewing illegal content,” accompanied with the current IP address, name of internet service provider (ISP) and the geographical location, it displays several pictures of child pornography!
01_censored Read more…

Comments off
November 4th, 2013

A report from RSA Conference Europe 2013

In today’s world where malware evolves and develops rapidly, sharing security information is the key element for success. Companies which ignore this fact  sooner of later suffer from the consequences of their bad decision. Malware researchers from all over the world regularly meet at various IT security conferences, where they learn from each other how to fight with malware and how to make the IT world a safer place.

rsac_01 Read more…

Comments off