Rahul Tyagi Official Blog | Information Security

CryptoWall 3.0 2015 | Understanding CryptoWall 3.0 in Depth

defaultNick — Sun, 05 Apr 2015 14:54:56 GMT

Crypto-ransomware is once again upping the ante with its routines. We came across one crypto-ransomware variant that’s combined with spyware—a first for crypto-ransomware. This development just comes at the heels of the discovery thatransomware has included file infection to its routines.

CryptoWall 3.0

We first encountered CryptoWall as the payload of spammed messages last year. We noted that while other crypto-ransomware variants have a graphical user interface (GUI) for their payment purposes, CryptoWall relied on other means—opening a Tor site to directly ask for payment or opening the ransom note in Notepad, which contained the instructions to access a payment page via a Tor browser.

But a lot of things have changed since those first CryptoWall sightings. The earlier versions of CryptoWall pretended to be CryptoLocker, even mimicking its UI for its messages. Since then, we have seen CryptoWall use its own name and UI for its victims.

Also gone is the use of Tor for its command-and-control (C&C) servers. The latest version, dubbed CryptoWall 3.0, now uses hardcoded URLs. Admittedly, using Tor can be seen as an advantage for the anonymity offered. But the disadvantage is that system admins could easily block Tor network traffic or even the Tor application itself if there is no need for it.

The hardcoded URLs are heavily obfuscated so threat researchers wouldn’t extract them easily. Since URL blocking is reactive, there is a delay before the blocking can be implemented. During this “window,” the malware could have already communicated with the C&C server and acquired the RSA public key to be used for file encryption.

It should be noted that its C&C server is different from its payment page. The malware still uses Tor for its payment page so that transactions wouldn’t be hindered if authorities try to bring down their payment servers.

And perhaps as a “precautionary measure,” CryptoWall 3.0 deletes the system’s shadow copies to disable restoring files to their previous state, rendering victims with no other options for saving their files.

Using JavaScript and “JPEGS”

CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the file, which is peculiar as it is as the file extensions often associated with resumes are .DOC, .PDF and .RTF.

Figure 1. Sample spammed message

Selecting a .JS file could be seen as an evasion technique due to its small file size, which can be skipped by some scanners, together with the obfuscation applied in its code.

Figure 2. Screenshot of the obfuscated code (truncated)

Further analysis of the .JS file reveals that it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension—this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file. Looking at the screenshot below, you will see that it actually downloads executable files.

Figure 3. MZ and PE signature of the downloaded executable file disguised as an image

The JS file will execute the said files after a successful download. The two files, one.jpg and two.jpg, are detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.

File Encryption

TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights—which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcsarguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges.

Figure 4. System modification

As you can see in the screenshot in Figure 4, it will also delete the shadow copies by issuing the commandvssadmin.exe Delete Shadows /All /Quiet. This will prevent victims from restoring their files using the shadow copies.

After receiving the RSA public key for file encryption from its C&C server, as the private key to be used for decryption is stored in the server, it will start encrypting the files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source codes.

After encrypting a file using RSA-2048 encryption algorithm, it will append a random file extension to the original file name, and add the “HELP_DECRYPT” files to the directory affected. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note.

Figure 5. Sample ransom note

Information Theft by FAREIT

TSPY_FAREIT.YOI is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

As we mentioned earlier, this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500—which doubles after a certain period of time has lapsed.

Figure 6. Ransom fee increases

Covering All Bases

There could be several reasons why cybercriminals introduced FAREIT to their crypto-ransomware attacks. Perhaps people are refusing to pay the ransom or they have become more savvy in protecting their files. Regardless of the reason, the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information.

Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe.

Figure 7. Regions affected by CryptoWall 3.0

Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised. For example, users should never open attachments from unknown or unverified senders. In fact, they should ignore or delete from unknown senders. Lastly, they should invest in security solutions that can protect their devices against the latest threats.

Source : http://blog.trendmicro.com/trendlabs-security-intelligence/cryptowall-3-0-ransomware-partners-with-fareit-spyware/

Xenotix APK Decompiler | Learn Ethical Hacking India

defaultNick — Wed, 05 Nov 2014 09:00:02 GMT

So you think reversing and getting source code of an APK is a big deal. Then give a try to Xenotix APK Decompiler.

APK Decompiler is an Open Source Android Application Package (APK) decompiler powered by dex2jar and JAD written in Python.

Minimum Requirements
OS: Windows
JDK 1.6
Wx Python

Download
https://github.com/ajinabraham/Xenotix-APK-Decompiler/

Understanding Xiaomi Mobile's Privacy Issues | Learn Ethical Hacking India

defaultNick — Wed, 05 Nov 2014 04:56:54 GMT

Xiaomi is present third largest smartphone manufacture in the world. But few days ago IAF found Xiaomi stealing the private information, call logs, IMEI numbers and some info to webservers in Beijing china.

The Indian Air force warned its employees and their belongings that their private information was being shipped over to servers in China, and asked them to avoid using Xiaomi smartphones due to security risk.

Xiaomi is facing an investigation in Taiwan for alleged cyber security threat, as a result of which last month the Taiwanese government decided to ban the company due to several privacy controversies.

Coming to sales in India, Xiomi’s models Mi3 and Redmis … created a record sales in flipkart by being sold more than 80 k phones in 9-13 seconds.

Recently a Chinese woman found that , Xiaomi can stole bankcard data by using Near Field communication.

Security Researchers from F-Secure Antivirus firm has shown that the Xiaomi phones (RedMi 1S handset) send quite a lot of personal and sensitive data to "api.account.xiaomi.com" server located in China, including following information:

1)IMEI Number of your phone
2)IMSI Number (through MI Cloud)
3)Your contacts and their details
4)Text Messages

Kenny Li of Hong Kong forum, IMA Mobile, recently noticed something odd with its Redmi Note smartphone. He discovered that the device continued to make connections with IP addresses in Beijing, China. The device kept trying to make the connection, even after switching off the company's iCloud-like MiCloud service

Xiaomi said the company collects data only with the user's permission to offer specific services like cloud and will set up a server in India next year.

Article By : Sai Phaneendra Mulupuru

Talk To Me : https://www.facebook.com/sai.phaneendra.10

Cracking Passwords with HashCat on Windows 8.01 |Learn Ethical Hacking India

defaultNick — Sun, 14 Sep 2014 15:17:51 GMT

Hashcat is the world’s fastest CPU-based password recovery tool.

While it's not as fast as its GPU counterpart localHashcat, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

Exploiting Android with Metasploit Framework | Learn Ethical Hacking India

defaultNick — Fri, 23 May 2014 20:55:28 GMT

Today we will talk about something interesting , YES :) , As we all know today Android is the best mobile OS and crossed over 80% of global mobile users. Hence in this article we will try to exploit android through the one and only hacker's love - > Metasploit Framework.

Requirements:
1. Kali Linux / Backtrack 5 (Having MSF)
2. Android Phone ( Jelly Beans - I am Using Samsung S3)
3. Common Wireless Network ( Using Hotspot)

I am not gona take much time hence will do it fast in simple steps. So lets go.

Step 1: Open Your Kali terminal and type the following command.

Step 2: After pressing the enter key, just type ls for listing the files on same directory. And you will see app.apk file.

Step 3: Now use the exploit i.e exploit/multi/handler , set the respective payload and after setting lhost and lport just type exploit to trigger the exploit.

Step 4: Now send the .apk file we just created to victim, it will be having an M icon showing Metasploit icon on it. As user tries to install it you on attacker machine i.e Kali Linux in our case will get the reverse connection.

Step 5: Now as you can see in below image we got the shell of the Android phone and can have access to its data. If the phone is rooted then you can even get Call Logs, SMS and other data stored in the internal storage space.