February 23, 2017, 9:23 am
in Anti-Malware Research , by Bogdan Botezatu

Ever since the emergence in 2007 of the APT28 group, Bitdefender has become familiar with the backdoors used to compromise Windows and Linux targets, such as Coreshell, Jhuhugit and Azzy for the former OS or Fysbis for the latter.


Comments Off on Dissecting the APT28 Mac OS X Payload whitepaper available
February 14, 2017, 1:22 pm
in Anti-Malware Research , by Bogdan Botezatu

APT28 operators have upped their game – the Xagent payload now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.


12 Comments
November 2, 2016, 11:00 am
in Anti-Malware Research , by Alexandra GHEORGHE

A new smart network camera can be hijacked and turned into a full-fledged spying tool, Bitdefender IoT & malware researchers have discovered.

As part of their ongoing effort to raise awareness on the serious consequences of security-neglected IoT devices, Bitdefender researchers are constantly analyzing the security posture of various gadgets which may pose privacy and security risks to home users and their networks.

Device and setup

The analyzed network camera is a feature-rich monitoring device for homes and small businesses. It includes a motion & sound detection system, two-way audio, built-in microphone and speaker, built-in selectable lullabies to put children to sleep, temperature & humidity sensors and a microSD/SDHC card slot.

It’s commonly used as a home surveillance system as well as a baby monitor and communication medium between parents and children.

The device follows the standard setup routine: during configuration it creates its own wireless hotspot. The mobile application looks for that hotspot and, once it detects it, connects to it automatically. The app then asks the user to enter the credentials of the home network and transmits them to the camera. The camera joins the local network and the setup process is complete.


Fig 1. Mobile application screenshot

Vulnerabilities

While scrutinizing the device in a controlled testing environment, Bitdefender researchers observed the following security oversights:

The hotspot is open; no password is required.

Data sent between application, device and server is simply encoded, not encrypted.

Network credentials are sent in plain text from mobile app to device.


Fig 2. Local network credentials sent in plain-text during configuration

Possible Attacks

When the mobile app connects to the device remotely, from outside the local network, it authenticates with HTTP Basic Access Authentication. By today's standards this is an insecure method of authentication unless it runs over an encrypted transport such as TLS (SSL): the username and password travel over the wire unencrypted, merely Base64-encoded.

“Base64 is an encoding scheme, meaning it’s reversible and virtually useless for providing data security”, says Radu Basaraba, malware researcher at Bitdefender.

Secondly, although the device’s communication with the push servers is protected by HTTPS, the device authenticates to those servers solely by its MAC address.

Every time it starts, and at regular intervals afterwards, the device sends a UDP message to the authentication server containing device data, an ID number derived from the MAC address and a 36-character code. However, the cloud server does not verify the code; it trusts the MAC address alone to authenticate the device.

Consequently, an attacker can register a different device, with the same MAC address, to impersonate the genuine one. The server will communicate with the device that registered last, even if it’s rogue. So will the mobile app. This way, attackers can capture the webcam’s new password, if the user changes the default one.

To speed up the process and obtain the password sooner, an attacker can take advantage of the camera’s push notification feature. Users can opt to receive notifications on their smartphone, specifically video alerts, whenever the camera detects suspicious sound or movement in their home. When the user opens the app to view the alert, the app authenticates to the device with Basic Access Authentication and thereby sends the new password, unencrypted, to the attacker-controlled device.

Finally, attackers can enter the username, password and ID to get full control of the user’s webcam, through the mobile app.
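The registration and credential-capture chain described above, modelled end to end as an added Python example (this is not Bitdefender's code and not the camera's real protocol; the UDP message layout, the MAC, the 36-character code, the endpoints, the password and every class and function name are assumptions). It contrasts a registry that behaves as the page describes with one that binds each MAC to the code it first enrolled with, and shows what a rogue endpoint recovers from the app's Basic Access Authentication request:

```python
import base64
import hmac

# Constructed sample values: the page gives neither the message format nor
# real identifiers, so everything below is a placeholder.
GENUINE_MAC = "00:11:22:33:44:55"
GENUINE_CODE = "5f3a1c2e-7b4d-4e8f-9a0b-1c2d3e4f5a6b"   # 36 characters
ROGUE_CODE = "00000000-0000-0000-0000-000000000000"     # attacker does not know the real one
GENUINE_ENDPOINT = "203.0.113.10:8080"
ROGUE_ENDPOINT = "198.51.100.7:8080"


class VulnerableRegistry:
    """Behaviour the page describes: the server keys on the MAC, never checks
    the 36-character code, and whichever device registered last wins."""

    def __init__(self):
        self.endpoints = {}

    def register(self, mac, code, endpoint):
        self.endpoints[mac] = endpoint      # 'code' is ignored entirely
        return True

    def endpoint_for(self, mac):
        return self.endpoints.get(mac)


class HardenedRegistry:
    """Assumed fix: bind the MAC to the code seen at first enrollment and
    reject any later registration that presents a different code."""

    def __init__(self):
        self.endpoints = {}
        self.codes = {}

    def register(self, mac, code, endpoint):
        known = self.codes.get(mac)
        if known is None:
            self.codes[mac] = code
        elif not hmac.compare_digest(known, code):
            return False
        self.endpoints[mac] = endpoint
        return True

    def endpoint_for(self, mac):
        return self.endpoints.get(mac)


def basic_auth_value(username, password):
    """Authorization header value the app sends: Base64 of 'user:pass'."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def credentials_from_request(raw):
    """What whoever receives the plaintext HTTP request can read off it."""
    for line in raw.decode("utf-8", "replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, pw = base64.b64decode(token).decode().partition(":")
                return user, pw
    return None


def impersonation_attack(registry, new_password="N3w-Cam-Pass!"):
    """Returns (rogue registration accepted?, credentials the attacker captured)."""
    registry.register(GENUINE_MAC, GENUINE_CODE, GENUINE_ENDPOINT)
    accepted = registry.register(GENUINE_MAC, ROGUE_CODE, ROGUE_ENDPOINT)
    # After a push notification the app opens whatever endpoint the server
    # holds for this MAC and authenticates with Basic auth over plain HTTP.
    request = (
        b"GET /video HTTP/1.1\r\nHost: camera\r\n"
        + b"Authorization: " + basic_auth_value("admin", new_password).encode()
        + b"\r\n\r\n"
    )
    if registry.endpoint_for(GENUINE_MAC) == ROGUE_ENDPOINT:
        return accepted, credentials_from_request(request)
    return accepted, None


if __name__ == "__main__":
    print(impersonation_attack(VulnerableRegistry()))
    print(impersonation_attack(HardenedRegistry()))
```

Run as a script it prints (True, ('admin', 'N3w-Cam-Pass!')) for the vulnerable registry and (False, None) for the hardened one. The hardened registry's trust-on-first-use is only the minimal change that defeats the impersonation described; it does nothing about the open hotspot or the plaintext Wi-Fi credentials, and a real design would provision a per-device secret at manufacture and have the app authenticate to the camera over TLS rather than over plain HTTP.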


Fig 3. Push notification message as seen by the user


Fig 4. Push notification commands


Fig 5. Adding stolen user credentials

“Anyone can use the app, just as the user would”, George Cabau, antimalware researcher says. “This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.”

Advice for users

This research shows how exploiting vulnerable IoT devices may have serious consequences for users. Bitdefender advises home users to:

Perform a thorough research before buying an IoT device for their homes. Online reviews may reveal privacy issues other users have encountered.

Test the gadget to understand how it works (if possible). How does it connect to the Internet, what data can it access, where is that data stored and under what circumstances? Proper research into the new device will help users weigh the risks and benefits – can this device turn into a privacy hazard? Using data collected from it, could someone infiltrate the home Wi-Fi network to snoop on private conversations and steal other personal information?

Read the privacy statement before activating the device and connecting it to the web.

Install a home cyber-security solution designed for IoTs. It will scan the whole network to provide anti-phishing protection, malicious-website alerts, detection and quarantining of any malware or rogue users.

Responsible disclosure and status

Bitdefender practised responsible disclosure with the vendor of the IoT equipment described above: the vulnerabilities were reported in accordance with Bitdefender’s vulnerability disclosure policy. Under this policy, vendors are officially informed of the findings and encouraged to fix the flaws in their products; 30 days after the initial report, the findings are published.

The problems persist on the latest firmware version (2.02), however the vendor is currently working on a fix.

Technical analysis performed by Bitdefender researchers Dragos GAVRILUT, Radu BASARABA and George CABAU.

Comments Off on Smart Webcam Can Go Rogue to Spy on Kids, Bitdefender Finds
August 18, 2016, 2:17 pm
in Anti-Malware Research , by Alexandra GHEORGHE

Users might be risking their privacy, and even physical security, when using smart plugs to manage appliances in homes, office buildings and other spaces. A popular electrical socket is vulnerable to malicious firmware upgrades and can be controlled remotely to expose users to both physical and online security risks, Bitdefender IoT researchers found.

As part of Bitdefender’s continuous efforts to raise awareness on the security hazards posed by Internet of Things technologies, researchers have performed a new analysis on IoT gadgets and are ready to reveal the findings.

The vulnerable device is a smart electrical switch that plugs into any wall socket and lets users switch a connected appliance on and off, on a schedule, from their smartphone. It can power any gadget: thermostats, smart TVs, coffee makers, security cameras, garage doors, medical devices and so on.

Configuring the device

edimax

To set up the device, the user plugs it into a regular electrical socket and then downloads the corresponding mobile app from Google Play or the Apple App Store. At the time of writing, the Android app alone has been downloaded by over 10k users.

In the mobile application, the user selects the option to install a new plug and chooses the home Wi-Fi network from the list. The mobile application looks for the device’s hotspot and, once it detects it, connects automatically. The user is asked to enter the credentials of the home network, which the app transmits to the device. The smart plug connects to the local network and the setup process is complete.

Next, the device registers with the vendor’s servers through UDP messages containing the model, the device name and the MAC address. The same data, plus the firmware version, port and local IP address, is sent in reply to the app.


Figure 2. Information sent to application

Vulnerability insights

Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ‘Edit’ on the name of the smart plug from the main screen and choosing a new name and a new password.

Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi credentials in clear text over the network. Also, the device-to-application communication that passes through the manufacturer’s servers is only encoded, not encrypted. Encoding can be reversed by anyone, since the scheme is public, whereas encryption keeps the data secret from anyone who does not hold the key.


Figure  3. Device name and password sent unsecured over the network

Lastly, a product feature allows the device to be configured to send the user an email notification every time it switches from one state to another. This functionality, however, requires the device to store the user’s email account credentials.


Figure 4. Email notification service

Possible attacks

In light of the above information, there are two types of cyber-attacks that can be performed. To test the applicability of the attacks, Bitdefender researchers created a test environment – a local network replicating, as accurately as possible, the real conditions in which sensitive data is being communicated.

Password remote control

If an attacker knows the MAC address of the device and the default password, he can gain remote control of the device to re-schedule it, or access all the information the device uses, including the user’s email address and password, if the email notification feature is enabled. This can lead to the full compromise of the linked email account, unless two-factor authentication is enabled.

Firmware upgrade through command injection

The device hashes its own credentials with the MD5 algorithm, which maps any input to a fixed-length 128-bit digest, conventionally written as 32 hexadecimal characters. The device computes it by invoking the md5sum command, passing the joined username and password to it as a parameter.

This method is prone to command injection because the password is not sanitized before it is placed on the command line. Sanitization would reject or escape characters that have no business in a credential handed to a shell, such as semicolons, pipes, backticks and other shell metacharacters.

The password, for instance, can contain the “;” character, which the shell interprets as the end of a command. The md5sum command therefore ends at the “;”, and whatever the attacker placed after it in the new password is executed as a separate command.


Figure 5. Hashing credentials through md5sum command

When an attacker exploits this flaw, the commands smuggled in through the new password can overwrite the root password and start the embedded Telnet service. Over Telnet, an attacker anywhere on the Internet can send commands to stop, start or schedule the device, and execute arbitrary commands, including flashing malicious firmware to achieve persistence or using the device to attack other computers and devices on the local network.
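The injection described in the paragraphs above, as an added Python example (this is not the device's firmware and not Bitdefender's code; the exact command line the device runs is not on the page, so the printf ... | md5sum shape, the payload x; echo INJECTED # and all function names are assumptions). It shows how the shell splits the interpolated command line at the attacker's ";", and the in-process alternative that never hands a password to a shell:

```python
import hashlib
import re
import shlex
import subprocess

# Characters the shell treats specially; a credential containing any of
# these must never reach a shell command line unquoted.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n#]")


def build_vulnerable_command(username, password):
    """Assumed shape of the device's call: the joined credentials are
    interpolated straight into a shell command line that feeds md5sum."""
    return f"printf '%s' {username}{password} | md5sum"


def shell_statements(cmdline):
    """Split a command line roughly the way /bin/sh would: honouring quotes,
    treating an unquoted ';' as a statement separator and '#' as a comment."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    statements, current = [], []
    for tok in lex:
        if tok == ";":
            statements.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        statements.append(current)
    return statements


def run_vulnerable(username, password):
    """Really executes the interpolated line (needs sh and md5sum on PATH).
    With the injection payload the output is the echoed marker, not a digest."""
    return subprocess.run(build_vulnerable_command(username, password),
                          shell=True, capture_output=True, text=True).stdout


def has_shell_metachars(value):
    """Input check a firmware could apply before touching a shell at all."""
    return bool(SHELL_METACHARS.search(value))


def hardened_digest(username, password):
    """No shell involved: hash in-process. If an external md5sum were truly
    required, call subprocess.run(["md5sum"], input=data, capture_output=True)
    with a list argument so nothing is parsed by a shell."""
    return hashlib.md5(f"{username}{password}".encode()).hexdigest()


if __name__ == "__main__":
    payload = "x; echo INJECTED #"
    print(build_vulnerable_command("admin", payload))
    print(shell_statements(build_vulnerable_command("admin", payload)))
    print(run_vulnerable("admin", payload))
    print(hardened_digest("admin", payload))
```

For the password x; echo INJECTED # the interpolated line becomes printf '%s' adminx; echo INJECTED # | md5sum, which the shell runs as two statements, the second being the attacker's; the trailing # comments out the rest of the original line, so run_vulnerable() prints adminxINJECTED instead of a digest. Injection aside, unsalted MD5 is a poor way to store credentials in the first place.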

“This type of attack enables a malicious party to leverage the vulnerability from anywhere in the world”, says Alexandru Balan, Chief Security Researcher at Bitdefender. “Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the Internet and bypass the limitations of the network address translation. This is a serious vulnerability, we could see botnets made up of these power outlets.”


Figure 6. Connecting to Telnet to access the compromised device remotely

“One of the most destructive actions an attacker can take is to rip off the existing software and plant malicious software in its place,” says George Cabau, antimalware researcher at Bitdefender. “For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents.”

Advice for users

This research reminds users to take into account the security imperfections of Internet of Things devices, because exploiting them may result in serious consequences to their online privacy and even physical security. Bitdefender advises users to:

Perform a thorough research before buying an IoT device for their homes. Online reviews may reveal privacy issues other users have encountered.

Test the gadget to understand how it works (if possible). How does it connect to the Internet, what data can it access, where is that data stored and under what circumstances?

Proper research into the new device will help users weigh the risks and benefits – can this device turn into a privacy hazard? Using data collected from it, could someone infiltrate the home Wi-Fi network to snoop on private conversations and steal other personal information?

Read the privacy statement before activating the device and connecting it to the web.

Install a home cyber-security solution designed for IoTs. It will scan the whole network to provide anti-phishing protection, malicious-website alerts, detection and quarantining of any malware or rogue users.

Bitdefender has been at the forefront of the home integrated cyber-security industry since designing Bitdefender BOX, the first home security solution for connected devices. The BOX solves one of the biggest challenges derived from the IoT market’s complexity and fragmentation: security for “non-classical” devices. This was made possible by shifting from device-oriented security to a solution able to intercept attacks at their core: the home network.

Thus, Bitdefender BOX provides advanced malware protection for all connected devices – smartphones, PCs, Macs, home appliances, wearables and others. The product has been recently upgraded with a Vulnerability Assessment feature, which scans devices to pinpoint their security weaknesses, and Active Threat Control, which stops even never-before-seen malware.

Responsible disclosure and status

Bitdefender practised responsible disclosure with the vendor of the IoT equipment described above: the vulnerabilities were reported in accordance with Bitdefender’s vulnerability disclosure policy. Under this policy, vendors are officially informed of the findings and encouraged to fix the flaws in their products; 30 days after the initial report, the findings are published.

The vendor is working on a fix to be released in Q3 of 2016.

The technical analysis has been performed by Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau.

8 Comments
July 5, 2016, 2:34 pm
in Anti-Malware Research , by Alexandra GHEORGHE

A new piece of malware, dubbed Backdoor.MAC.Eleanor by Bitdefender researchers, exposes Apple systems to cyber-espionage and full, clandestine control by malicious third parties.

4 Comments
July 1, 2016, 1:32 pm
in Anti-Malware Research , by Razvan Stoica

Bitdefender researchers Marius Tivadar, Cristian Istrate, Iulian Muntean and Andrei Ardelean dissected some malware samples which had been used in the Pacifier APT spear phishing campaign over the past two years. These samples show clear evolution over time, both in terms of functionality and of stealth, proof of active development efforts.

The results of their work, IoCs included, can be found here. The APT is still under analysis, so expect updates in the following days/weeks.

Comments Off on Pacifier APT – two years and counting
June 8, 2016, 4:13 pm
in Anti-Malware Research , by Alexandra GHEORGHE

Bitdefender detects and blocks a new type of ransomware that replicates itself on removable and network drives. The sample analyzed by our researchers has worm-like capabilities: it spreads via autorun.inf files on USB drives. When an infected USB drive is plugged into a system that still honours AutoRun for removable media, ZCrypt automatically launches a file called invoice.exe, which infects the system with the ransomware (Windows 7 and later no longer run autorun.inf from removable drives, so there the victim has to open invoice.exe themselves).

ZCrypt first corrupts the files and then encrypts them to limit the ability of victims to use disk recovery tools. User files with the following extensions are affected:

.zip .7z .mp4 .avi .mkv .wmv .swf .pdf .sql .txt .jpeg .jpg .png .bmp .psd .doc .docx .rtf .xls .xlsx .odt .ppt .pptx .ai .xml .c .cpp .asm .js .php .cs .aspx .html .conf .sln .mdb .asp .3fr .accdb .arw .bay .cdr .cer .cr2 .crt .crw .dbf .dcr .der .dng .dwg .dxf .dxg .eps .erf .indd .kdc .mdf .mef .mrw .nef .nrw .odb .odp .ods .orf .p12 .p7b .p7c .pdd .pef .pem .pfx .pst .ptx .r3d .raf .raw .rw2 .rwl .srf .srw .wb2 .wpd .jnt .pub .trc .gz .tar .jsp .pl .py .rb .mpeg .msg .log .vob .max .3ds .3dm .db .cgi .jar .class .java .bak .pdb .apk .sav .cbr .pkg .tar.gz .fla .h .sh .vb .vcxproj .XCODEPROJ .eml .emlx .mbx .vcf

The original file will be deleted and the encrypted files will have the .zcrypt extension. A ransom note will be created with the following name “How to decrypt files.html”


To ensure persistence, the malware creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt, which points to its own executable, and also a shortcut named “zcrypt.lnk” in the Startup folder.
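As an added example (this is not Bitdefender's code), a small Python triage routine that checks a removable-drive listing and a snapshot of the persistence locations named above against the indicators in this post. The autorun.inf content, file names, Run-key values, paths and function names are constructed for the demo; only the .zcrypt extension, the ransom note name, the Run value name, the shortcut name and the sample MD5 come from the write-up:

```python
import configparser

# Indicators taken from the write-up above.
ZCRYPT_EXT = ".zcrypt"
RANSOM_NOTE = "How to decrypt files.html"
RUN_VALUE_NAME = "zcrypt"          # under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
STARTUP_SHORTCUT = "zcrypt.lnk"
SAMPLE_MD5 = "62bf8f83071452af96a37e0ed0159731"


def autorun_target(autorun_inf_text):
    """Return the program an autorun.inf would launch via open= or
    shellexecute=, or None. Section and key names are matched
    case-insensitively, as Windows does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(autorun_inf_text)
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):      # optionxform lowercases keys
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
    return None


def removable_drive_findings(file_names, autorun_inf_text=None):
    """Indicator matches over a directory listing of a removable drive."""
    findings = []
    if autorun_inf_text is not None:
        target = autorun_target(autorun_inf_text)
        if target:
            findings.append(f"autorun.inf launches {target}")
    for name in file_names:
        low = name.lower()
        if low.endswith(ZCRYPT_EXT):
            findings.append(f"encrypted file: {name}")
        elif low == RANSOM_NOTE.lower():
            findings.append(f"ransom note: {name}")
    return findings


def persistence_findings(run_values, startup_entries, file_hashes):
    """run_values: {value name: command} snapshot of the HKCU Run key;
    startup_entries: names in the Startup folder; file_hashes: {path: md5}.
    In the demo all three are constructed, not read from a live system."""
    findings = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value {name} -> {command}")
    for entry in startup_entries:
        if entry.lower() == STARTUP_SHORTCUT:
            findings.append(f"startup shortcut {entry}")
    for path, digest in file_hashes.items():
        if digest.lower() == SAMPLE_MD5:
            findings.append(f"known ZCrypt sample at {path}")
    return findings


if __name__ == "__main__":
    # Constructed sample artefacts (an infected USB drive and a host snapshot).
    autorun_inf = "[autorun]\nopen=invoice.exe\naction=Open folder to view files\nicon=invoice.exe\n"
    usb_listing = ["autorun.inf", "invoice.exe", "report.docx.zcrypt",
                   "How to decrypt files.html", "holiday.jpg"]
    run_key = {"OneDrive": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
               "zcrypt": "C:\\Users\\u\\AppData\\Roaming\\zcrypt.exe"}
    startup = ["desktop.ini", "zcrypt.lnk"]
    hashes = {"E:\\invoice.exe": SAMPLE_MD5}
    for line in removable_drive_findings(usb_listing, autorun_inf):
        print(line)
    for line in persistence_findings(run_key, startup, hashes):
        print(line)
```

The autorun.inf parser is the part worth keeping: any open= or shellexecute= entry on a removable drive deserves a look, whatever it points at, and checking the Run key and Startup folder by value name is how this particular sample's persistence would be spotted on a host.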

Interestingly, ZCrypt uses an old yet effective technique. Introduced with Windows 95 to ease software installation from CD-ROM media for non-technical users, the AutoRun feature quickly became an infection vector of choice for cyber-criminals. For years, AutoRun-based malware sat at the top of the worldwide e-threat landscape, with notorious representatives such as Trojan.AutorunInf, the Conficker worm (Win32.Worm.Downadup) and Worm.Autorun.VHD.

Bitdefender has a solution – the USB Immunizer disables autorun-related threats before they access the computer. Once installed, it constantly watches for newly inserted USB storage devices and immunizes them on the fly. If you accidentally plug in an infected USB drive that has not been immunized, the computer will not auto-execute the piece of malware located on the USB storage device.

Read more and download Bitdefender’s USB Immunizer here.

Bitdefender detects this threat as Gen:Variant.ZCrypt.1.

MD5: 62bf8f83071452af96a37e0ed0159731

2 Comments
May 26, 2016, 3:17 pm
in Uncategorized , by Liviu Arsene

Bitdefender vulnerability researcher Radu Caragea presented today at the Hack In The Box Amsterdam conference a novel way to extract TLS keys from virtual machines, using an out-of-guest approach. The new technique works to detect the creation of TLS session keys in memory as the virtual machine is running.

Comments Off on TeLeScope unveiled at Hack In the Box
May 16, 2016, 9:03 am
in Anti-Malware Research , by Alexandra GHEORGHE

Online advertising is a multi-billion dollar business mostly run by Google, Yahoo or Bing via AdSense-like programs. The current generation of clickbots, such as the Redirector.Paco Trojan, have taken abuse to a whole new level, burning through companies’ advertising budgets at an unprecedented pace.


4 Comments
April 26, 2016, 11:12 am
in Uncategorized , by Alexandra GHEORGHE

A Facebook vulnerability undermines the convenience of social login authentication. Insufficient security validation allows attackers to impersonate Internet users and gain password-less access to any of their online accounts.

1 Comment