This morning we had a particularly large virus campaign come in. The messages were claiming to be from payment@bill.com about an unprocessed payment. Attached to the message was a zipped piece of malware.

Sample Message

Sample Message

 

Over the past month we’ve been seeing around 1.5 to 2.5 million virus messages through out the entire day. This morning though, over the course of about 3 hours we have seen 6.2 million from a single virus campaign. There were a few other campaigns numbering in the tens of thousands during that time but the fake bill.com malware certainly dwarfed any others. For this campaign, though it was large in volume and numbers across all servers here, the malware attached was matching a virus rule that had previously been in place on our system. That rule having the same 6.2 million matches this morning. Running a sample of the virus in virustotal.com shows only 16 of 54 antivirus companies are blocking this particular executable.

All ur base...It took less than one day after the news was publically released about a major flaw in the bash command line interpreter before a botnet leveraging this flaw, referred to as ShellShock, has been spotted in the wild. This vulnerability is being compared to Heartbleed, the OpenSSL flaw that made headlines earlier this year, in terms of severity. Unfortunately researchers agree that this actually has the potential to eclipse Heartbleed in that arena. The reason being is that where Heartbleed was able to easily steal data from unsuspecting victims, this new bash vulnerability allows an attacker to actually gain access and control of its victim’s machines. Another concerning factor of this new exploit is its potential targets. Bash runs in both Linux and Mac’s OS X operating systems, a rarely targeted group which may be caught with their guard down. Every Mac we have tested this on so far has been vulnerable to this exploit, where we achieved varying results with Linux environments due to particular Linux flavors and bash versions that were installed. Bash is the most widely used shell on Linux based systems and is also the default shell in Mac OS X Panther which is (version 10.3) and later. This vulnerability is present in every bash version up to 4.3, which is potentially a large swatch of users. It is being stated however that the likely prime target of these new attacks will be Apache web servers that use standard CGI implementation.

The botnet, known as Wopbot, has already gone to work. It has been busy running distributed denial of service attacks against Akamai and other targets over night. It has also been scanning the entire IP address space of the US Department of Defense apparently searching for open Telnet ports which commonly would be brute forced in order to gain access. This is quick work by cyber attackers which is exactly what those at risk do not want with such a publically available flaw. Currently the Linux community is rushing to create and push out patches for ShellShock while others are arguing whether or not to simply remove the point of vulnerability altogether. It is unclear what Apple’s stance is on this or when they may have a fix available. Hopefully they will move quickly as well or all of my friends who “never get viruses” just may be in trouble.

It is recommended that those who may be susceptible to this vulnerability watch closely for patches or hotfixes and apply them as soon as possible.

With many consumers chomping at the bit to get their hands on a new iPhone 6, internet scammers are quickly taking advantage to distribute their wares. Immediately following the unveiling of the new iPhone 6 and iPhone 6 plus, scammers began circulating email and web scams attempting to capitalize on its popularity.

Here is a look at one of the many related scams that has been in circulation since last week’s announcement.iphonescamHere, the scammers are using iPhone 6 to lure in potential victims.  If the reader follows the instructions, an adware install will commence.  Adware is a form of software that is meant to generate revenue for its author by automatically displaying advertisements. Adware is not typically anything more than an annoyance but can often seriously infringe on users privacy. This particular strain has a wide array of functionality and can make a victim’s web browsing experience fairly miserable. Thes type of attacks, also carry the possibility of malicious activity (i.e., password theft). Though its presence is not secret, it is quite good at imbedding itself into the victim’s system and can be quite difficult for the average user to remove. Since Sept 12th we have seen nearly 1 million messages associated with this campaign and of course this is just one of many. Remember, advertisements promising you something for nothing are almost always too good to be true.

A campaign just started up of fake JP morgan emails. The emails coming in claim to be secure messages from JP Morgan using the Voltage secure messaging platform. The FROM name changes between the messages but stays in a consistant format for the actual email address (First.Last@jpmorgan.com). Interestingly, all of the messages seemed to try to use the same security image of, what I assume, is a valid users image from JP Morgan. However the link the spammers used appears to be dead now and none of the messages show a security image.

initialemailjpmorgan

 

 

 

The HTML file is just an official looking page with a button to read the message (and a personal image here that shows). One thing to note is that looking at the source of the HTML or hovering over links does indeed only show jpmorgan links. The Click to Read Message button did not show the link when hovering and linked directly to an address using an IP instead of a hostname.

 

initial page in attachment

 

This campaign has sort of a 3 part attack going on here. The first attack is when you click the read message button. The next page it loads has a malicious iframe in it. From the samples I have seen, the iframes all had data hosted at cornishhoughs.com. Eset classifys the attack as “JS/Kryptik.ASA trojan”.

second page email address

cornishmaliframe

esetalertjpmorganthird page password jpmorgan

No matter what you type in, as long as it’s in the proper format, the page advances. This could be considered a second part to the entire attack. The pages do make POSTs to the server with the email address and password that are typed in. This data is most lilely being harvested as well for further attacks to be made with that users information. If anyone visited these pages and typed their information in, I’d strongly suggest changing your password as soon as possible.

Once you get this far you are taken to a rather convincing looking secure messaging portal. Complete with working buttons that all lead to JP Morgan pages. The exception being the View and Download buttons.

 

JPMorgan Chase - Sign In 2014-08-21 13-16-03

Clicking either View or Download prompts you to save an exe file with a double extension at the end and is the third part of this attack.

download prompt jpmorgan

 

These can fool most users in to thinking they are harmless once the file is saved. The reason is that most of the time the malware writeers will build in a resource icon of whatever the fake extension is. This method combined with the fact that Windows does not show known file extensions by default, means that the average user would only see “8.21.14 report.pdf” as the filename and a normal PDF icon as well (as seen below). Some users find it annoying to show all file extensions but it can make it significantly easier to spot the double extension files that trick users.

fakepdfshowing

 

At the time of checking all of this, VirusTotal shows no AV company has anything on this file. It appears to be a trojan downloader that retrieves content offsite. Fortunately we were able to quickly block the file in our filter and have over 177,000 hits so far and climbing.

no virustotal hits jpmorgan

This particular campaign was tricky due to it being rather in depth and the effort put in to make it convincing. This type of campaign takes more resources for an attacker to put together, but if successful it can yield more of an impact due to the threat not being as obvious.

shutterstock_60239461While reading this morning about an recently discovered APT dubbed “Machete” discovered by the team over at Kaspersky Labs, I was immediately reminded of a recent briefing I attended at Blackhat USA. The talk was given by Mikko Hypponen and in this talk Hypponen discussed how the cyber-weapon capabilities of nation states are murky at best, especially in contrast to the very public nature of more traditional weapons such as nuclear warheads, naval vessels, etc.. This is never more evident than when a new piece of APT malware seemingly being used for cyber-espionage such as ‘Machete’ is made public.

This is a great example of the current state of cyber-espionage. The perpetrator of this attack may not be currently known but given the targets… it’s not unreasonable to assume that it was initiated by a nation state or some group acting on one’s behalf. “Machete” is interesting in both design and longevity (apparently has existed undetected since 2010). It is capable is a wide array of data gathering capabilities. It also appears that it is both designed by and aiming to infect targets with Spanish as the native language.

It is worthy to note that despite the somewhat unique methods and capabilities displayed in Machete, those spreading the infection are still relying on traditional infection vectors such as spearphishing emails and infected web pages. Of course it can be difficult for entities to protect themselves against attacks of this nature since it is so unclear exactly what they are trying to protect themselves from. One thing is for sure, there is not any single solution. That is why it is always advisable to employ a comprehensive layered security approach covering everything from email and web filtering to IPS and IDS.

This newly discovered APT (Machete) is likely just the tip of the iceberg when it comes to the scope of this activity on a global scale. Just as Hypponen discussed at Blackhat, we simply don’t know what types of cyber-weapons (like this) each nation is capable of deploying or currently have in place, which is what makes this situation so alarming.