Dec 18, 2017

Mobile Menace Monday: upping the ante on Adups

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went about our collective ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which (unfortunately) FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices, and so by default it has system-level privileges. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these system apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.


Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution—it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

The post Mobile Menace Monday: upping the ante on Adups appeared first on Malwarebytes Labs.

Powered by WPeMatico

Dec 15, 2017
, an ad server for adult sites, tops Malwarebytes detections

There is a belief that most of what you’ll find on adult websites is going to harm your system. In many cases, this has proven to be true, but overall the adult industry has made numerous efforts to protect their customers and audience. While we would like to tell you that it’s completely safe to surf adult websites these days, we do still need to stay vigilant. That’s why Malwarebytes has started blocking two new domains that are ad servers often seen in adult traffic:


What you are likely seeing when you are doing some adult…research.

The reason why we are preventing traffic to any of those hostnames is based on reports from our customers of malicious redirects and fraud, and our own collection tools—and has nothing to do with the fact that these are sites serving porn. For example, here is a redirection from main.exosrv[.]com, which takes users to a fake online pharmacy website:


Here at Malwarebytes, we do our best to protect users by blocking not just malicious sites, but also scam sites, with fake pharmaceutical sites being one of the most common we encounter. Due to this, ads.exosrv[.]com has become our top malicious URL detection, totaling over 4 million blocks in one day, which is due to the huge amount of traffic the main domain receives.

Breakdown of blocks for this domain by country

Our goal at Malwarebytes continues to be the protection of our users, which is why we are taking an aggressive approach on blocking certain ad networks stepping over the line. Visiting adult sites is perfectly legal. Getting scammed on account of it is not.

Stay safe

Beyond keeping an up-to-date security solution installed on your system (like Malwarebytes), it’s advised to do the following when surfing any website:

  • Utilize an ad blocker to keep malicious advertisements away from your system.
  • Utilize a script blocker to keep malicious scripts from running in your browser. (Many ad blockers do this, too.)
  • Utilize safe or private browsing tools so less of your personal information is provided to websites.
  • Keep some kind of anti-exploit technology running in the background to prevent drive-by exploits from infecting your system. Malwarebytes also has this functionality baked into it.
  • Don’t follow the white rabbit! Visit websites that are known and trusted, have high reviews and/or are easy to find. The worst stuff online usually won’t be found by clicking on a Google link.

Thanks for reading!

The post, an ad server for adult sites, tops Malwarebytes detections appeared first on Malwarebytes Labs.


Dec 15, 2017

Tech support scammer tries to sell free software

AmericaGeeks is your typical tech support scam company, but with an extra warming glow of attitude, greed, and complete all-around rudeness. Most scams will gladly take your money by buttering up the victim while simultaneously scaring them into thinking that they are in a dangerous situation with their computer or device. They then swoop in to heroically “help” them.

AmericaGeeks instead jumps straight to the point of rude behavior and scare tactics to scam their victims. They do an amazing job of dehumanizing and belittling the user, all while scamming them out of their money. This trait was what made AmericaGeeks shine through the rest.

AmericaGeeks Tech Support has a campaign sending out browser lockers, like the one above. They are posing as Microsoft, sending out warnings to users stating that their computer is infected and they need to contact them immediately. I called them at 877-658-9988, the number listed on the pop-up. I used a computer that was clean of any infections and allowed them access.

Below is the connect screen they used.

Obviously uncomfortable not knowing which of his company’s pop-ups resulted in the call, the tech wandered about for 10 to 15 minutes, at one point trying to log in to my router using default credentials.

The tech then ran a diagnostic and told me the computer was infected and that I had no security. What is interesting is the tool, ToolWiz, seems to be a rather legit application that is like CCleaner, and is completely free for anyone to use. This scam is using ToolWiz to mislead users with its results, which are below:

According to the tech, I had 196 infections on my system, but he would fix them for free with the purchase of antivirus software. He suggested that I purchase either Webroot or Norton. As you can see below, he wanted to overcharge me for the cost of the software to make money. It is also important to note that I did not have “196 infections.” The tool simply found 196 Temporary Files, Registry Keys, and other benign objects to remove. When I confronted him about the price, he was flustered and made up some excuse that I was paying a higher price because I was getting antivirus, anti-malware, anti-Trojan, and anti-spyware, and they were all separate (which they are not).


Buyer beware: educate yourself, ask a friend, and never call any number that pops up on your screen claiming that your system is infected. Below are all the indicators we could find associated with this particular scam.

Primary indicators


Using the same phone number


The post Tech support scammer tries to sell free software appeared first on Malwarebytes Labs.


Dec 14, 2017

Free tools: Internet traffic monitoring

Are you an amateur analyst or security enthusiast looking for free tools to do some basic Internet traffic monitoring? You’ve come to the right place. Not everyone is versed in the use of robust tools like Wireshark (even though it is worth the trouble of learning if you have to do network traffic analysis on a regular basis). So let’s take a look at some free, simple tools to get started.

There are several alternatives to Wireshark for Windows systems, and we will shed a little light on the ones that we like the most. Each has its own strength, and therefore it will depend on your specific needs to select the program that’s right for you. We have focused on tools that you can use on a local system and that run on the same system, to the exclusion of remote traffic monitoring and network monitoring software.

URL Revealer by Kahu Security

URL Revealer is a web proxy that will capture requests and then drop them. I use it primarily to find out what a script or program is trying to download, especially when I have no interest in the files it’s trying to download. This happens a lot when we already know what malware will be downloaded but want to know the domains they’ll be coming from (so we can block them). The program is a command line utility. You can use the -o switch to write the log to a text file, from which you can easily harvest the resulting domains. The beauty of the dropped requests is that any dropper or downloader will assume the download it tried first is off-line and will move on to try the next one. This way you can grab all the options the downloader tries without getting actual malware on your system.

TCPView and Tcpvcon by Microsoft Sysinternals

TCPView is a program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of active TCP connections. Since TCPView also shows you which program is responsible for which connection, it is very suitable to figure out which process is communicating on that strange port you noticed.


A cryptominer in a Chrome process

The program Tcpvcon that comes with TCPView is a command line utility which is very similar to netstat. The -c switch exports the output as a CSV file.

FiddlerCap by Telerik

FiddlerCap is the little brother of Fiddler, and it’s so easy to use that specialists often ask users to use it and capture a small portion of traffic so they can remotely analyze whether there are any bugs. The tool creates a .saz file, which allows the specialist to replay the events in Fiddler or Wireshark. This is ideal to find bugs on sites or observe strange browser behavior. Fiddler itself is a free web debugging proxy for any browser, system, or platform, but there’s a bit of a learning curve to use its full potential.

BitMeter 2 by Codebox Software

If you are only interested in how much of your bandwidth is being used—maybe because your ISP has restricted your usage—then BitMeter 2 might be what you are looking for. It displays your current usage and you can set an alarm to warn you when your usage reaches a certain percentage of your cap.

Built-in Windows tools

It’s sometimes easy to forget that Windows comes with built-in tools like Resource Monitor, whose Network tab shows you the current network usage per application.

Resource Monitor

And if you’re running Windows 10, you can use the App history tab in Task Manager to see the usage from the date when Windows 10 began monitoring your apps. You can also click the Delete usage history link to reset the data usage counter; otherwise it will reset automatically every 30 days.


Do you have your own favorites? Please let us know about them in the comments! But, no URLs please, or your post will be “automagically” blocked by our filters.

The post Free tools: Internet traffic monitoring appeared first on Malwarebytes Labs.


Dec 13, 2017

There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market

Bitcoin! Black gold! Texas tea!

Only one of these is currently worth ridiculous amounts of money (and technically numbers two and three are the same thing). Whether you’re in possession of lots of Bitcoins, or in full bandwagon panic “must buy 20 graphics cards before the bubble bursts” mode, you should be aware that lots of awful people want in on your precious haul. Indeed, the past week or so has seen an explosion of Bitcoin-centric scams, fakeouts, and all-around bad behaviour as scammers look to cash in at your expense.

The huge value of Bitcoin, plus the launch of Bitcoin futures, has attracted so many scammers that it’s difficult to keep up, whether it’s fake endorsements from well-known traders or plain-old RATs targeting would-be investors. Fake news, malware, bogus wallets, and even Bitcoin laundering via self-made music loaded onto the iTunes store—everyone seems to have gone a little Bitcoin crazy.

The top 6 trending searches on the @AppStore are crypto currency based. I’ve never seen a “theme” in here.

— Cesar Kuriyama (@CesarKuriyama) December 13, 2017

Bitcoin is here to stay—but what is it?

Bitcoin is a digital currency created by someone claiming to be Satoshi Nakamoto (which may well be an alias), and it’s all about digital wallets, mining, and hoping someone doesn’t steal millions overnight. It’s even being used as a volatile talking point related to ads, scripts, and blocking—from random websites to free wi-fi services, everyone is getting in on the action.

In this chaotic mess of bubbles, adverts, scams, and mistaken identities, the price of Bitcoin has gone through the roof. The reasons for this are multifaceted and also involve people endlessly talking about it. It may well be something off in the distance for many people, or some weird Internet thing you keep hearing people mention in horribly confusing terms, but make no mistake, it’s becoming mainstream. In fact, Bitcoin is rising so suddenly that people are taking out mortgages so they can get in on the Bitcoin action. (Tip: You probably don’t want to do this.)

An avalanche of chicanery

This past week, we’ve seen quite a few things you may want to steer clear of—from mobile to survey scams. It’s frankly overwhelming and for many of us, there’s simply no way to tell the good from the bad from the mildly shoulder shrugging.

For example, someone has taken ye olde survey scam and remixed it for the coin collective:

Coins and YouTube, oh my

Advertised on YouTube (until the video was pulled down, anyway), this site claims to generate Bitcoins with a 100 percent success rate. Sure does beat all that cumbersome mining and electricity use, and this is a definite boon for someone trying to jam a GTX1080 graphics card into a netbook. The site itself, located at bitcoingenerator(dot)space, is exactly what you’d expect a survey scam to look like, except it’s asking for Bitcoin addresses instead of how many Xbox Live points you want.

Coin survey

Users need to be verified by filling in a selection of geotargeted surveys. You don’t need me to tell you that survey scams are junk. They’ve been around forever, and are the absolute bottom rung of unimaginative, cookie-cutter fakeouts that never give you what you want. They’re the first thing to fall out of the “In case of scam emergency, break glass” box.

Seeing one suddenly throwing itself on the Bitcoin bandwagon is a bit of an eye-opener though, and something we should take notice of. People will seemingly do pretty much anything to nab some free coins, including clicking this shortened link roughly 34k times to play a game of snake-as-Bitcoin-faucet.

Snake coin

Sadly, the landing page is dead at time of writing, so we have no way of knowing if this one ever got off the ground. It could well be legit, but keep in mind that sites and videos will claim to offer up all manner of faucets. Not all of them will play nice, so on your own snakey visage be it, and be especially cautious around any downloadable executables.

Repackaging the tech support scam

Elsewhere, we have our old friend the tech support scam marching in the direction of coin-related antics. Or at least, scammers using some of the hallmarks of the tech support scam in an effort to part Bitcoin traders using Kraken from their digital currency. A good while ago, I covered fake EA support accounts who wait for the real thing to go “out of office,” then slide into conversations before directing victims to phishing links. This has a bit of a similar feel, with scammers waiting for trading sites to go offline due to maintenance/bad luck/DDoS/whatever, then jumping into hashtags on social media with links to fake support sites, including phony “support” over the phone. It all ends in phishing and vanished coins.

Old tricks, new victims, unfortunately.

Ignore that part of your brain that says, “Well, it’s just one coin or whatever,” because the problem is these things are so highly valued right now that it takes just one being swiped to cause major problems. And that, in turn, makes coins the absolute number one hot target on the block right now. Or, to put it another way:


That is an astonishing amount of cash to be cheated out of, and it’ll only get worse as scammers come up with the path of least resistance for obtaining illicit Bitcoins. It also seems like this has been going on for a while, so sites dealing in and around coins should consider bulking out their security hints and tips for new (and even experienced) Bitcoiners.

If you’re feeling a little swamped with the perils of Bitcoin, that’s understandable. Potential bubble + massive bandwagon + huge array of services + large corporations taking an interest + hordes of newcomers who have no idea what’s legit and what isn’t charging into the fray = please pass me the headache tablets.

Something we’ve been seeing recently is sites offering “crypto debit cards” if visitors invest certain amounts into their linked wallets. Is that real? Fake? A good deal? What’s the benefit for doing this? What on earth does this mean in the terms and conditions?


Why do you have to be in a SEPA country? What is a SEPA country? All of these questions and more can be yours, for the low, low price of total and utter confusion. Make no mistake: if you want to make serious cash, you’re going to have to do some serious research.

Cornering the market on best practices

If you’re totally new to Bitcoin, your most likely first port of call may well be one of the numerous exchanges out there. You’d do well to heed the following advice from digital crime writer Joseph Cox:

  • use unique password
  • create a new email account (don’t share it)
  • put 2FA on both the email and the exchange account (if SMS, don’t share number, but preferably Google Auth)
  • don’t trade over PayPal (scam)

— Joseph Cox (@josephfcox) December 8, 2017

  • Don’t log into exchanges over Tor, unless you really have to for some reason, and can use a hidden service (malicious exit nodes to steal logins, etc)
  • Verification on exchanges helps you and the seller, do it
  • Keep trades through the exchange’s system, to ensure you get $$

— Joseph Cox (@josephfcox) December 8, 2017

Whatever your way in, please take some time to read up on the pros and cons of digital currency. Unless you understand the basics, even the simplest of easy-to-spot Bitcoin scams may well elude your radar until it’s too late. Considering the huge sums at play, and the breakneck pace being set by all things digital currency, it’s never been more important to be fully aware of the risks as well as the benefits of cashing in your crypto-chips.

The post There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market appeared first on Malwarebytes Labs.


Dec 12, 2017

A state of constant uncertainty or uncertain constancy? Fast flux explained

Last August, WireX made headlines. For one thing, it was dubbed the first-known DDoS botnet that used the Android platform. For another, it used a technique that—for those who have been around in the industry for quite a while now—rang familiar in the ears: fast flux.

In the context of cybersecurity, fast flux could refer to two things: one, a network similar to a P2P that hosts a botnet’s command and control (C&C) servers and proxy nodes; and two, a method of registering on a domain name system (DNS) that prevents the host server IP address from being identified. For this post, we’re focusing on the latter.

Malware creators were the first actors to use this tactic. And Storm, the infamous worm that boggled and exasperated Internet users and security researchers alike in 2007, is one of the first binaries that proved fast flux’s effectiveness in protecting its mothership from detection and exposure. Fast flux made it doubly difficult for the security community and law enforcement agencies to track down criminal activity and shut down operations. Eventually—and albeit gradually—Storm’s reign ended, mainly due to the ISP that hosted the worm’s master servers, Atrivo, going dark.

From then on, the actors behind fast flux campaigns have been varied: from phishers and bot herders to criminal gangs behind money mule recruitment sites. There are also those that use fast flux to engage in other unlawful schemes, such as hosting exploit sites, extreme or illegal adult content sites, carding sites, bogus online pharmacies, and web traps. Recently, fast flux has been gaining notoriety and usage among cybersquatters, which makes this another threat for businesses with an online presence.

Fast flux—what is it really?

Fast flux is, in a nutshell, an advanced game of hide and seek. Cybercriminals hide by assigning hundreds or thousands of IP addresses that are swapped with extreme frequency to a fully qualified domain name (FQDN)—let’s say This is done using a combination of (1) distributing the load received by the server across many geographical points acting as proxies or redirectors and (2) banking on a remarkably short time-to-live (TTL) data lifespan. This address swapping happens so fast that the whole architecture seems to be in flux.

Here’s a simple illustration: If criminals assign a set of IP addresses that change every 150 seconds, users who access are actually connecting to different infected machines every single time.

Fast flux is occasionally used as a standalone term; however, we also see it used as a descriptor to the nature of a network, botnet, or a malicious agent. As such, you’ll find the below terms used as well, and for clarity, we have listed their definitions:

  • fast-flux service network (FFSN): The Honeynet Project defines this as “a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes.” There are two known types of this: single-flux and double-flux.
  • fast-flux botnet: Refers to a botnet that uses fast flux techniques. Herders behind such a botnet are known to engage in hosting-as-a-service schemes wherein they rent out their networks to other criminals. Also, some fast-flux botnets have begun supporting SSL communication.
  • fast-flux agent: Depending on the context, this could refer to either (1) the malware responsible for infecting systems to add them to the fast-flux network or (2) the machine that belongs to a fast-flux network.

Fast flux shouldn’t be confused with domain flux, which involves the changing of the domain name, not the IP address. Both fluxing techniques have been used by cybercriminals.

Wait, so assigning different IP addresses to a single domain name is legal?

Although it’s generally the case that one domain name points to one IP address, this association isn’t a strict mapping. And that is a good thing! Otherwise, web admins wouldn’t be able to efficiently distribute incoming network traffic to multiple resources, wherein a single resource corresponds to a unique IP address. This is the basic concept behind load balancing, and popular websites use it all the time. And round-robin DNS—this one-domain-to-many-IP-address association—is just one of several load-balancing algorithms one can implement.

There’s nothing illicit about this. What criminals are doing is merely taking advantage of or abusing what network technology already has to offer.
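The contrast drawn above (a legitimate round-robin pool versus a fast-flux network of swapped-out infected hosts with a very short TTL) can be turned into simple defensive detection logic. The following is an added example, not code from the original post or from the Honeynet Project: it compares two constructed sequences of DNS answers for one hostname and computes the indicators the text describes (TTL, number of distinct addresses, spread across networks, and how quickly addresses are replaced). The /16 approximation for "different networks" and the thresholds in `is_fast_flux` are assumptions chosen for illustration.

```python
import ipaddress

# Constructed DNS answer snapshots for one hostname, one per re-query after the
# TTL expires: (ttl_seconds, [A records]). All addresses are placeholders from
# reserved ranges, not real infrastructure.

# Legitimate round-robin load balancing: a small, stable pool in one network,
# a long TTL, and only the order of the answers rotates.
ROUND_ROBIN = [
    (3600, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    (3600, ["203.0.113.11", "203.0.113.12", "203.0.113.10"]),
    (3600, ["203.0.113.12", "203.0.113.10", "203.0.113.11"]),
    (3600, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
]

# Single-flux pattern from the article: every ~150 s the answer is a fresh set
# of addresses drawn from many unrelated networks (the infected proxy nodes).
FAST_FLUX = [
    (150, ["10.17.4.22", "10.88.201.9", "10.3.77.140", "10.142.8.61", "10.61.33.250"]),
    (150, ["10.201.9.18", "10.7.156.3", "10.119.44.76", "10.58.2.199", "10.173.90.12"]),
    (150, ["10.44.67.210", "10.230.11.5", "10.17.4.22", "10.99.120.38", "10.12.245.77"]),
    (150, ["10.77.31.8", "10.150.6.91", "10.26.188.14", "10.205.72.3", "10.133.9.200"]),
]


def flux_indicators(snapshots):
    """Summarise a sequence of DNS answers for one name into fast-flux indicators."""
    ttls = [ttl for ttl, _ in snapshots]
    distinct_ips = {ip for _, answers in snapshots for ip in answers}
    # Stand-in for "many geographical points / networks": count distinct /16s.
    # (A production check would map addresses to ASNs instead.)
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in distinct_ips}

    # Churn: share of addresses in later answers that never appeared earlier.
    # Round-robin rotates a fixed pool (churn 0); fast flux keeps introducing new hosts.
    seen = set(snapshots[0][1])
    later = new = 0
    for _, answers in snapshots[1:]:
        for ip in answers:
            later += 1
            if ip not in seen:
                new += 1
        seen.update(answers)
    churn = new / later if later else 0.0

    return {
        "min_ttl": min(ttls),
        "distinct_ips": len(distinct_ips),
        "distinct_prefixes": len(prefixes),
        "churn": churn,
    }


def is_fast_flux(ind, max_ttl=300, min_ips=10, min_prefixes=5, min_churn=0.5):
    """Assumed heuristic thresholds (not from the article or any standard):
    short TTL, many addresses, spread over many networks, and high churn together."""
    return (
        ind["min_ttl"] <= max_ttl
        and ind["distinct_ips"] >= min_ips
        and ind["distinct_prefixes"] >= min_prefixes
        and ind["churn"] >= min_churn
    )


if __name__ == "__main__":
    for label, snaps in (("round-robin", ROUND_ROBIN), ("fast-flux", FAST_FLUX)):
        ind = flux_indicators(snaps)
        print(label, ind, "-> fast flux?" , is_fast_flux(ind))
```

Each indicator alone is weak (a large CDN also has many addresses, and some legitimate services use short TTLs), which is why the decision requires all of them together.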

Aside from Storm, what other malware has been associated with fast flux?

Threat campaigns that use malware associated with fast flux networks usually involve botnets. And in the earlier years, worms were the type that used fast-flux botnets. Storm is a worm binary; so is Stration, its rival. Nowadays, other malware strains have banked on fast flux’s efficacy. We have Kronos and ZeuS/Zbot, two known banking Trojans; Kelihos, a Trojan spammer and Bitcoin miner; TeslaCrypt, a ransomware family (its payment sites are found hosted on an FFSN in Eastern Europe); and Asprox, a Trojan password stealer turned advanced persistent threat (APT).

As a side note, fast flux networks are not only used to hide malicious activities. Akamai, a known cloud delivery platform, has revealed in a white paper [PDF] that a fast flux network was used in several web attacks, specifically SQL injection, web scraping, and credential abuse, against their own customers.

Read: Inside the Kronos malware—Part 1, Part 2

Can fast flux be detected/identified? If so, how?

Definitely. Some organizations and independent groups in the security industry have put a lot of effort into investigating, studying, and educating others on what fast flux is, how it works, and how it can be detected. Below are just a few references that you can visit, browse, and read more thoroughly:

Can users protect themselves from fast flux activity?

When it comes to keeping our computing devices safe from physical and online compromise—with data in them unaltered and secure—extra vigilance and good security hygiene can save folks from a lot of headaches in the future. Installing an anti-malware with URL blocking features on devices not only protects them from malware but also blocks sites that have been deemed malicious, consequently stopping the attack chain. Lastly, regularly update all security software you use.

Stay safe out there!

The post A state of constant uncertainty or uncertain constancy? Fast flux explained appeared first on Malwarebytes Labs.


Dec 11, 2017

A week in security (December 04 – December 10)

Last week on the blog, we looked at a RIG EK malware campaign, explored how children are being tangled up in money mule antics, took a walk through the world of Blockchain, and gave a rundown of what’s involved when securing web applications. We also laid out the trials and tribulations of the Internet of Things, advised you to be on the lookout for an urgent TeamViewer update, tore down the disguise of new Mac malware HiddenLotus, sighed at the inevitability of a Napoleon-themed piece of ransomware, and unveiled our New Mafia report.

Other news

  • Bitcoin chaos as NiceHash is compromised and thousands of Bitcoins go wandering into the void, potentially to the tune of $62m. (source: Reddit)
  • How easy is it to make a children’s toy start swearing? This easy. (source: The Register)
  • Chrome 63 is now available and comes with multiple security improvements and additions. (source: Chrome updates website)
  • Phishers are slowly turning to HTTPs scam sites—but why? (source: PhishLabs)
  • The Andromeda Botnet is finally dismantled by law enforcement. (source: Help Net Security)
  • If you try to hack your friends out of jail, you may well end up joining them. (source: MLive)
  • Perfect email spoofs? Oh dear. (source: Wired)
  • Think you’ll be getting a ransom out of North Carolina, think again. (source: Chicago Tribune)

Stay safe, everyone!

The post A week in security (December 04 – December 10) appeared first on Malwarebytes Labs.


Dec 11, 2017

How cryptocurrency mining works: Bitcoin vs. Monero

Ever wondered why websites that are mining in the background don’t mine for the immensely hot Bitcoin, but for Monero instead? We can explain that. As there are different types of cryptocurrencies, there are also different types of mining. After providing you with some background information about blockchain [1],[2] and cryptocurrency, we’ll explain how the mining aspect of Bitcoin works. And how others differ.

Proof-of-Work mining

Cryptocurrency miners are in a race to solve a mathematical puzzle, and the first one to solve it (and get it approved by the nodes) gets the reward. This method of mining is called the Proof-of-Work method. But what exactly is this mathematical puzzle? And what does the Proof-of-Work method involve? To explain this, we need to show you which stages are involved in the mining process:

  1. Verify if transactions are valid. Transactions contain the following information: source, amount, destination, and signature.
  2. Bundle the valid transactions in a block.
  3. Get the hash that was assigned to the previous block.
  4. Solve the Proof-of-Work problem (see below for details).

The Proof-of-Work problem is as follows: the miners look for a SHA-256 hash that has to match a certain format (target value). The hash will be based on:

  • The block number they are currently mining.
  • The content of the block, which in Bitcoin is the set of valid transactions that were not in any of the former blocks.
  • The hash of the previous block.
  • The nonce, which is the variable part of the puzzle. The miners try different nonces to find one that results in a hash under the target value.

So, based on the information gathered and provided, the miners race against each other to try and find a nonce that results in a hash that matches the prescribed format. The target value is designed so that the estimated time for someone to mine a block successfully is around 10 minutes (at the moment).

If you look at, for example, you will notice that every BlockHash is 256 hexadecimal digits long and starts with 18 zeroes. For example the BlockHash for Block #497542 equals 00000000000000000088cece59872a04457d0b613fe1d119d9467062e57987f1. At the time of writing, this is the target—the value of the hash has to be so low that the first 18 digits are zeroes. So, basically, miners have some fixed input and start trying different nonces (which must be an integer), and then calculate whether the resulting hash is under the target value.
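The four steps and the "hash under the target" test above can be run end to end in a few lines. The following is an added example, not code from the original post or from any Bitcoin implementation: it serialises the four inputs the article lists (block number, transactions, previous hash, nonce) with a simplified JSON header rather than Bitcoin's real 80-byte header, uses single SHA-256, and mines at a toy difficulty of four leading zero hex digits so it finishes in under a second. The transactions and previous hash are constructed; the block #497542 hash is the one quoted above (a SHA-256 hash is 256 bits, written as 64 hex digits, and this one has 18 leading zeros).

```python
import hashlib
import json

# Real Bitcoin block hash quoted in the article (block #497542):
# 64 hex digits (256 bits) with 18 leading zero hex digits.
BLOCK_497542_HASH = "00000000000000000088cece59872a04457d0b613fe1d119d9467062e57987f1"

# Constructed sample transactions carrying the four fields the article lists.
# Signatures are placeholder strings; cryptographic signature checks are out of scope.
TRANSACTIONS = [
    {"source": "alice", "destination": "bob", "amount": 0.5, "signature": "sig-alice-01"},
    {"source": "carol", "destination": "dave", "amount": 2.0, "signature": "sig-carol-07"},
    {"source": "erin", "destination": "frank", "amount": -1.0, "signature": "sig-erin-02"},
]


def valid_transactions(txs):
    """Step 1: keep only well-formed transactions (all four fields, positive amount)."""
    required = {"source", "destination", "amount", "signature"}
    return [tx for tx in txs if required <= tx.keys() and tx["amount"] > 0]


def target_from_leading_zeros(hex_zeros):
    """Target as an integer: a hash is under the target exactly when it has at
    least hex_zeros leading zero hex digits, i.e. it is below 16 ** (64 - hex_zeros)."""
    return 16 ** (64 - hex_zeros)


def block_hash(block_number, transactions, prev_hash, nonce):
    """Step 2-3 combined: hash the bundled block plus the previous block's hash and a nonce.
    The JSON header is a simplified stand-in for Bitcoin's binary header (which is
    hashed with double SHA-256); the principle is the same."""
    header = json.dumps(
        {"block": block_number, "tx": transactions, "prev": prev_hash, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(header.encode("utf-8")).hexdigest()


def meets_target(block_hash_hex, target):
    """The Proof-of-Work test: the hash read as a 256-bit integer is below the target."""
    return int(block_hash_hex, 16) < target


def mine(block_number, transactions, prev_hash, hex_zeros, max_nonce=1 << 32):
    """Step 4: try nonces 0, 1, 2, ... until the hash is under the target.
    Returns (nonce, hash). hex_zeros=4 needs ~65k tries on average."""
    target = target_from_leading_zeros(hex_zeros)
    for nonce in range(max_nonce):
        h = block_hash(block_number, transactions, prev_hash, nonce)
        if meets_target(h, target):
            return nonce, h
    raise RuntimeError("no nonce under target within max_nonce")


def verify_block(block_number, transactions, prev_hash, nonce, hex_zeros):
    """What the other nodes do before approving a block: recompute the hash from
    the claimed inputs and check it against the target. Cheap, unlike mining."""
    return meets_target(
        block_hash(block_number, transactions, prev_hash, nonce),
        target_from_leading_zeros(hex_zeros),
    )


def expected_attempts(hex_zeros):
    """Average nonces tried before success (each try succeeds with probability 16**-hex_zeros).
    The network adjusts the target so this takes about ten minutes at the current hash rate."""
    return 16 ** hex_zeros


if __name__ == "__main__":
    txs = valid_transactions(TRANSACTIONS)        # steps 1-2
    prev = "0" * 64                                # step 3 (constructed previous hash)
    nonce, h = mine(1, txs, prev, hex_zeros=4)     # step 4
    print(f"nonce={nonce} hash={h}")
    print("verified by a node:", verify_block(1, txs, prev, nonce, 4))
    print("block 497542 under the 18-zero target:",
          meets_target(BLOCK_497542_HASH, target_from_leading_zeros(18)))
    print("expected tries at 18 zeros:", expected_attempts(18))
```

Changing any transaction, the previous hash, or the nonce changes the header and therefore the hash, which is why a block, once mined, cannot be altered without redoing the work.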


How is Monero different?

Browser mining and other methods of using your system’s resources for other people’s gain are usually done with cryptocurrencies other than Bitcoin, and Monero is the most common one. In essence, Monero mining is not all that different from Bitcoin. It also uses the Proof-of-Work method. Yet, Monero is a popular cryptocurrency to those that mine behind the scenes, and we’ll explain why.


The most notable difference between Bitcoin and Monero mining is anonymity. While you will hear people say that Bitcoins are anonymous, you should realize that this is not by design. If you look at a site like BlockExplorer, you can search for every block, transaction, and address. So if you have sent or received Bitcoin to or from an address, you can look at every transaction ever made to and from that address.

Therefore we call Bitcoin “pseudonymous.” This means you may or may not know the name of that person, but you can track every payment to and from his address if you want. There are ways to obfuscate your traffic, but they are difficult, costly, and time-consuming.

Monero, however, has always-on privacy features applied to its transactions. When someone sends you Monero, you can’t tell who sent it to you. And when you send Monero to someone else, the recipient won’t know it was you unless you tell them. And because you don’t know their wallet address and you can’t backtrack their transactions, you can’t find out how “rich” they are.

[Image: list of transactions] Transactions inside a Bitcoin block are an open book.


Monero mining does not depend on heavily specialized, application-specific integrated circuits (ASICs), but can be done with any CPU or GPU. Without ASICs, it is almost pointless for an ordinary computer to participate in the mining process for Bitcoin. The Monero mining algorithm does not favor ASICs, because it was designed to attract more “little” nodes rather than rely on a few farms and mining pools.

There are more differences that lend themselves to Monero’s popularity among behind-the-scenes miners, like the adaptable block size, which means your transactions do not have to wait until they fit into a later block. The Bitcoin mainstream blockchain has a 1 MB block cap, whereas Monero blocks do not have a size limit. So Bitcoin transactions will sometimes have to wait longer, especially when the transaction fees are low.

The advantages of Monero over Bitcoin for threat actors or website owners are mainly that:

  • It’s untraceable.
  • It can make faster transactions (especially when they are small).
  • It can use “normal” computers effectively for mining.


For those of you looking for more information on the technical aspects of this subject, we recommend:

  • Bitcoin block hashing algorithm
  • The Blockchain Informer
  • Blockchain Info
  • How Bitcoin mining works
  • How does Monero privacy work

The post How cryptocurrency mining works: Bitcoin vs. Monero appeared first on Malwarebytes Labs.

Powered by WPeMatico

Dec 8, 2017

Napoleon: a new version of Blind ransomware

The ransomware previously known as Blind has been spotted recently with a .napoleon extension and some additional changes. In this post, we’ll analyze the sample for its structure, behavior, and distribution method.

Analyzed samples

31126f48c7e8700a5d60c5222c8fd0c7 – Blind ransomware (the first variant), with .blind extension

9eb7b2140b21ddeddcbf4cdc9671dca1 – Variant with .kill extension

235b4fa8b8525f0a09e0c815dfc617d3 – Variant with .napoleon extension (main focus of this analysis)

//special thanks to @demonslay335 for sharing the older samples

Distribution method

So far, we are not 100 percent sure about the distribution method of this new variant. However, looking at the features of the malware and judging from information from the victims, we suspect that the attackers spread it manually by dropping and deploying it on hacked machines (probably via IIS). This method of distribution is not popular or efficient; however, we’ve encountered similar cases in the past, such as DMALocker or LeChiffre ransomware. Also, a few months ago, hacked IIS servers were used as a vector to plant Monero miners. The common feature of samples dropped in this way is that they are not protected by any cryptor (because it’s not necessary for this distribution method).

Behavioral analysis

After the ransomware is deployed, it encrypts files one-by-one, adding its extension in the format [email].napoleon.

Looking at the content of the encrypted test files, we can see that the same plaintext gave different ciphertext. This always indicates that a different key or initialization vector was used for each file. (After examining the code, it turned out that the difference was in the initialization vector.)

Visualizing the encrypted content helps us guess the algorithm with which the files were encrypted. In this case, we see no visible patterns, which leads us to suspect an algorithm with some method of chaining cipher blocks. (The most commonly used is AES in CBC mode, or possibly in CFB mode.) Below, you can see the visualization made with the help of the file2png script: on the left is a BMP file before encryption, and on the right, after encryption by Napoleon:


At the end of each file, we found a unique 384-character-long block of alphanumeric characters. They represent 192 bytes written in hexadecimal. Most probably, this block is the encrypted initialization vector for the particular file:
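The three observations above (patternless ciphertext, one hex trailer per file, the [email].napoleon naming) turned into triage code, as an added example that is not part of the original analysis. The sample "encrypted" file is constructed from random bytes, the exact punctuation around the email address in the extension is an assumption, and the repeated-block count is the numeric equivalent of the file2png visualization.

```python
"""Triage helpers for files touched by Napoleon, based on the observations
above: ciphertext with no repeating pattern and a 384-character hex trailer
(192 bytes) at the end of each file. Added example, not the ransomware's
code; the "encrypted" sample below is constructed from random bytes."""
import collections
import math
import os
import re

TRAILER_HEX_LEN = 384                     # 192 bytes written in hexadecimal
# The page gives the extension format as [email].napoleon; the brackets are
# treated as optional here since their exact form is not shown.
NAPOLEON_NAME = re.compile(r"\.\[?[^\[\]\s]+@[^\[\]\s]+\]?\.napoleon$", re.I)

def is_napoleon_name(filename):
    return bool(NAPOLEON_NAME.search(filename))

def split_trailer(data):
    """Separate the ciphertext body from the appended hex block.
    Returns (body, decoded_trailer); raises ValueError if it is not hex."""
    if len(data) < TRAILER_HEX_LEN:
        raise ValueError("file shorter than the expected trailer")
    body, trailer = data[:-TRAILER_HEX_LEN], data[-TRAILER_HEX_LEN:]
    return body, bytes.fromhex(trailer.decode("ascii"))

def entropy_bits_per_byte(data):
    """Shannon entropy; output of a chaining cipher mode sits close to 8.0."""
    counts, total = collections.Counter(data), len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def repeated_blocks(data, size=16):
    """How many 16-byte blocks occur more than once. A BMP of identical pixels
    encrypted in ECB mode scores high; CBC/CFB output (Napoleon's) scores 0.
    This is the signal the file2png visualization makes visible."""
    blocks = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return sum(c - 1 for c in collections.Counter(blocks).values() if c > 1)

def make_constructed_sample():
    """Stand-in for an encrypted file: random body (no cipher is run here)
    followed by a 192-byte random blob written as lowercase hex."""
    return os.urandom(65536) + os.urandom(192).hex().encode("ascii")

def triage(filename, data):
    """Summarize one file the way an analyst would before deeper work."""
    body, blob = split_trailer(data)
    return {
        "name_matches": is_napoleon_name(filename),
        "trailer_bytes": len(blob),
        "entropy": round(entropy_bits_per_byte(body), 3),
        "repeated_blocks": repeated_blocks(body),
    }
```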

The ransom note is in HTA format and looks like this:

It also contains a hexadecimal block, which is probably the victim’s key, encrypted with the attackers’ public key.

The GUI of Napoleon looks simplified in comparison to the Blind ransomware. However, the building blocks are the same:

It is common among ransomware authors to prepare a Tor-based website that allows automatic processing of payments and better organizes communication with the victim. In this case, the attackers decided to use just an email—probably because they planned for the campaign to be small.

Among the files created by the Napoleon ransomware, we will no longer find the cache file (netcache64.sys) that in the previous editions allowed the key to be recovered without paying the ransom.

Below is the cache file dropped by the Blind ransomware (the predecessor of Napoleon):

Inside the code

The malware is written in C++. It is not packed by any cryptor.

The execution starts in the function WinMain:

The flow is pretty simple. First, the ransomware checks the privileges with which it runs. If it has sufficient privileges, it deletes shadow copies. Then, it closes processes related to databases—Oracle and SQL Server—so that they will not block access to the database files it wants to encrypt. Next, it goes through the disks and encrypts the files it finds. At the end, it pops up the dropped ransom note in HTA format.

Comparing the code of Napoleon with the code of Blind, we see that not just the extension of encrypted files has changed, but also many functions inside have been refactored.

Below is a fragment of the view from BinDiff: Napoleon vs Blind:

What is attacked?

First, the ransomware enumerates all the logical drives in the system and adds them to a target list. It attacks both fixed and remote drives (type 3 -> DRIVE_FIXED and 4 -> DRIVE_REMOTE):

This ransomware does not have any list of attacked extensions. It attacks all the files it can reach. It skips only the files that already have the extension indicating they are encrypted by Napoleon:

The email used in the extension is hardcoded in the ransomware’s code.

Encryption implementation

Just like the previous version, the cryptographic functions of Napoleon are implemented with the help of the statically-linked library Crypto++ (source).

Referenced strings pointing to Crypto++:

Inside, we found a hardcoded blob—the RSA public key of the attackers:

After conversion to a standardized format, such as PEM, we were able to read its parameters using openssl, confirming that it is a valid 2048-bit-long RSA key:

Public-Key: (2048 bit)
Exponent: 17 (0x11)
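How an analyst gets from a carved key blob to the two lines above without leaving Python, as an added example (not the Napoleon or Crypto++ code, and not the page's own tooling). It assumes the blob is a PKCS#1 RSAPublicKey in DER, which the page does not state; the sample blob is constructed with a dummy modulus so that it parses as 2048-bit with exponent 17 but is not a real key.

```python
"""Reading the parameters of an RSA public key blob carved out of a sample,
matching the two openssl '-text' lines quoted above. Added example, not the
Napoleon or Crypto++ code. It assumes the blob is a PKCS#1 RSAPublicKey
(SEQUENCE { INTEGER n, INTEGER e }) in DER; the sample key is constructed
with a dummy modulus and is not a real RSA key."""
import base64

def _tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_public_key_params(der):
    """Return (modulus_bits, exponent); raise if the layout is not PKCS#1."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    t_n, n_raw, pos = _tlv(body, 0)
    t_e, e_raw, _ = _tlv(body, pos)
    if (t_n, t_e) != (0x02, 0x02):
        raise ValueError("expected two INTEGERs (modulus, exponent)")
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    return n.bit_length(), e

def describe(der):
    """Same two lines openssl printed above, plus a note on odd exponents."""
    bits, e = rsa_public_key_params(der)
    note = "" if e == 65537 else "  (unusual; the common choice is 65537)"
    return f"Public-Key: ({bits} bit)\nExponent: {e} (0x{e:x}){note}"

def to_pem(der):
    """PEM wrapper readable by: openssl rsa -RSAPublicKey_in -in k.pem -text -noout"""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PUBLIC KEY-----\n{body}\n-----END RSA PUBLIC KEY-----\n"

# --- tiny DER encoder, only used to build the constructed sample blob ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    return b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def _der_int(v):
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")   # keeps the sign bit clear
    return b"\x02" + _der_len(len(raw)) + raw

def constructed_key_blob(modulus_bits=2048, exponent=17):
    n = (1 << (modulus_bits - 1)) | 1       # dummy modulus, not a product of primes
    content = _der_int(n) + _der_int(exponent)
    return b"\x30" + _der_len(len(content)) + content
```

A blob that starts with a SEQUENCE containing an OBJECT IDENTIFIER instead of an INTEGER is a SubjectPublicKeyInfo, which this reader rejects; openssl's -pubin handles that form.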

This attacker’s public key is later used to encrypt the random key generated for the particular victim. The random key is the one used to encrypt files; after it is used and destroyed, its encrypted version is stored in the victim’s ID displayed in the ransom note. Only the attackers, having the private RSA key, are capable of recovering it.

The random AES key (32 bit) is generated by the function provided by Crypto++ library:

Underneath, it uses the secure random generator CryptGenRandom:

All the files are encrypted with the same key; however, the initialization vector is different for each.

Encrypting a single file:

Inside the function denoted as encrypt_file, the crypto is initialized with a new initialization vector:

The fragment of code responsible for setting the IV:

Setting initialization vector:

Encrypting file content:

The same buffer after encryption:


Napoleon ransomware will probably not become a widespread threat. The authors prepared it for small campaigns—a lot of data, like the email address, is hardcoded. It does not come with any external configuration like Cerber that would allow for fast customization.

So far, it seems that the authors fixed the previous Blind bug of dropping the cache file. That means the ransomware is not decryptable without having the original key. All we can recommend is prevention.

This ransomware family is detected by Malwarebytes as Ransom.Blind.


Read about how to decrypt the previous Blind variant here.



The post Napoleon: a new version of Blind ransomware appeared first on Malwarebytes Labs.


Dec 8, 2017

Interesting disguise employed by new Mac malware HiddenLotus

On November 30, Apple silently added a signature to the macOS XProtect anti-malware system for something called OSX.HiddenLotus.A. It was a mystery what HiddenLotus was until, later that same day, Arnaud Abbati found the sample and shared it with other security researchers on Twitter.

The HiddenLotus “dropper” is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document—in this case, an Adobe Acrobat file.

This is the same scheme that inspired the file quarantine feature in Mac OS X. Introduced in Leopard (Mac OS X 10.5), this feature tagged files downloaded from the Internet with a special piece of metadata to indicate that the file had been “quarantined.” Later, when the user tried to open the file, if it was an executable file of any kind, such as an application, the system would display a warning to the user.

The intent behind this feature was to ensure that the user knew that the file they were opening was an application, rather than a document. Even back in 2009, malicious apps were masquerading as documents. File quarantine was meant to combat this problem.

Malware authors have been using this trick ever since, despite file quarantine. Even earlier this year, repeated outbreaks of the Dok malware were distributed in the form of applications disguised as Microsoft Word documents.

So HiddenLotus didn’t seem all that interesting at first, other than as a new variant of the OceanLotus backdoor first seen being used to attack numerous facets of Chinese infrastructure. OceanLotus was last seen earlier this summer, disguised as a Microsoft Word document and targeting victims in Vietnam.

But there was something strange about HiddenLotus. Unlike past malware, this one didn’t have a hidden .app extension to indicate that it was an application. Instead, it actually had a .pdf extension. Yet the Finder somehow identified it as an application anyway.

This was quite puzzling. Further investigation did not turn up a hidden extension. There was also no sign of a trick like the one used by Janicab in 2013.

Janicab used the old fake document technique, being distributed as a file named (apparently) “RecentNews.ppa.pdf.” However, the use of an RLO (right-to-left override) character caused characters following it to be displayed as if they were part of a language meant to be read right-to-left, instead of left-to-right as in English.

In other words, Janicab’s real filename was actually “,” but the presence of the RLO character after the first period in the name caused everything following to be displayed in reverse in the Finder.

However, this deception was not used in HiddenLotus. Instead, it turned out that the ‘d’ in the .pdf extension was not actually a ‘d.’ Instead, it was the Roman numeral ‘D’ in lowercase, representing the number 500.

It was at this point that Abbati’s tweet referring to “its very nice small Roman Unicode” began to make sense. However, it was still unclear exactly what was going on, and how this special character allowed the malware to be treated as an application.

After further consultation with Abbati, it turned out that there’s something rather surprising about macOS: An application does not need to have a .app extension to be treated like an application.

An application on macOS is actually a folder with a special internal structure called a bundle. A folder with the right structure is still only a folder, but if you give it an .app extension, it instantly becomes an application. The Finder treats it as if it were a single file instead of a folder, and a double-click launches the application rather than opening the folder.

When double-clicking a file (or folder), LaunchServices will consider the extension first. If the extension is known, the item will be opened according to that extension. Thus, a file with a .txt extension will, by default, be opened with TextEdit. Some folders may be treated as documents, as in the case of the .aplibrary extension used for an Aperture library “file.” A folder with the .app extension will, assuming it has the right internal structure, be launched as an application.

A file with an unfamiliar extension is handled by asking the user what they want to do. Options are given to choose an application to open the file or to search the Mac App Store.

However, something strange happens when double-clicking a folder with an unknown extension. In this case, LaunchServices falls back on looking at the folder’s bundle structure (if any).

So what does this mean? The HiddenLotus dropper is a folder with the proper internal bundle structure to be an application, and it uses an extension of .pdf, where the ‘d’ is a Roman numeral, not a letter. Although this extension looks exactly the same as the one used for Adobe Acrobat files, it’s completely different, and there are no applications registered to handle that extension. Thus, the system will fall back on the bundle structure, treating the folder as an application, even though it does not have a telltale .app extension.

There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well:

Of course, the example shown above wouldn’t fool anyone; it’s merely illustrative of the issue.

This means that there is an enormously large list of possible extensions, especially when Unicode characters are included. It is easily possible to construct extensions from Unicode characters that look exactly like other, normal extensions, yet are not the same. This means the same trick could be used to mimic a Word document (.doc), an Excel file (.xls), a Pages document (.pages), a Numbers document (.numbers), and so on.
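The two filename tricks above (a look-alike extension and, from Janicab, the right-to-left override) and the bundle-structure fallback, expressed as a defender's scan, as an added example that is not part of the Malwarebytes analysis. It assumes Unicode NFKC folding as the look-alike test (U+217E folds to 'd'), a minimal bundle layout of Contents/Info.plist plus Contents/MacOS, and builds a HiddenLotus-shaped sample folder in a temporary directory.

```python
"""Checks for the filename tricks described above: an extension built from
Unicode look-alikes (HiddenLotus: U+217E in place of 'd'), the right-to-left
override used by Janicab, and the bundle layout that lets such a folder launch
as an app. Added example, not part of the Malwarebytes analysis; the sample
folder is constructed in a temporary directory with an empty Info.plist."""
import os
import tempfile
import unicodedata

DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "pages", "numbers"}
RLO = "\u202e"                     # RIGHT-TO-LEFT OVERRIDE

def extension_of(name):
    return name.rsplit(".", 1)[1] if "." in name else ""

def spoofed_document_extension(name):
    """True when the extension is not a real document extension but folds
    (NFKC) to one: 'ⅾ' (U+217E) normalizes to 'd', so 'x.pⅾf' reads as
    'x.pdf' to a human while being unknown to LaunchServices."""
    ext = extension_of(name)
    folded = unicodedata.normalize("NFKC", ext).lower()
    return ext.lower() not in DOCUMENT_EXTENSIONS and folded in DOCUMENT_EXTENSIONS

def has_rlo(name):
    return RLO in name

def looks_like_app_bundle(path):
    """Minimal bundle layout LaunchServices can fall back on: Contents/Info.plist
    plus a Contents/MacOS directory for the executable."""
    contents = os.path.join(path, "Contents")
    return (os.path.isfile(os.path.join(contents, "Info.plist"))
            and os.path.isdir(os.path.join(contents, "MacOS")))

def findings_for(path):
    """Reasons a directory entry deserves a second look, as a list of strings."""
    name = os.path.basename(path)
    reasons = []
    if spoofed_document_extension(name):
        reasons.append("extension is a Unicode look-alike of a document extension")
    if has_rlo(name):
        reasons.append("name contains a right-to-left override (U+202E)")
    if os.path.isdir(path) and looks_like_app_bundle(path) and not name.endswith(".app"):
        reasons.append("app bundle layout without a .app extension")
    return reasons

def constructed_demo():
    """Build a HiddenLotus-shaped folder (the name uses U+217E) and scan it."""
    root = tempfile.mkdtemp()
    dropper = os.path.join(root, "L\u00ea Thu H\u00e0 (HAEDC).p\u217ef")
    os.makedirs(os.path.join(dropper, "Contents", "MacOS"))
    open(os.path.join(dropper, "Contents", "Info.plist"), "w").close()
    return findings_for(dropper)
```

The NFKC test catches compatibility look-alikes such as the Roman numerals; visually similar letters from other scripts (Cyrillic for example) do not fold and would need a confusables table on top.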

This is a neat trick, but it’s still not going to get past file quarantine. The system will alert you that what you’re trying to open is an application. Unless, of course, what you are opening was downloaded via an application that does not use the APIs that properly set the quarantine flag on the file, as is the case for some torrent apps.

Ultimately, it’s very unlikely that this trick is going to have any kind of significant impact on the Mac threat landscape. It’s probable that we will see it used again in the future, but the risk to the average user is not significantly higher than in the case of any other fake document malware.

More than anything else, this trick opens our eyes to an interesting aspect of how macOS identifies and launches applications.

If you think you may have encountered this malware, Malwarebytes for Mac will protect against it, and will scan for and remove it, if present, for free.

The post Interesting disguise employed by new Mac malware HiddenLotus appeared first on Malwarebytes Labs.
