SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

securityreport


Leave a comment

The December 2016 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • Power and cybercrime – massive quantities of user data stolen in two recent hacks
  • When supposed security add-ons actually spy on your browsing habits
  • Mirai part II – botnet knocks out 900,000 Telekom routers
  • It’s not all bad news – Avalanche botnet taken down

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

Sicherheit_Icon_cert_verteidigung


An attachment that wasn’t there

By Slavo Greminger and Oli Schacher

On a daily basis we collect tons of Spam emails, which we analyze for malicious content. Of course, this is not done manually by our thousands of minions, but automated using some Python-fu. Python is a programming language that comes with many libraries, making it easy for us to quickly perform such tasks.

Python’s email library deals with, well, emails. And it does it well. But on October 3rd, we encountered an attachment that wasn’t there – at least according to Python’s email library.

Mal-formatted email

Left: Outlook Web does not show the attachment          Right: Thunderbird does show the attachment

Now how could that happen?

Emails do have a certain structure, which is described nicely in RFC #822, RFC #2822, RFC #5322, RFC #2045, RFC #2046, RFC #2047, RFC #2049, RFC #2231, RFC #4288 and RFC #4289. Even though these RFC’s are clear in their own way, an illustration might help (we focus on multipart emails only) to understand why Python’s email library got fooled.

Continue reading

securityreport


New SWITCH Security Report available

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are

  • ICSI’s Haystack looking for Android needles – and beta testers for its field study
  • Staging a comeback with a blackout – macro-Trojans return and apparently cause Christmas power cut in western Ukraine 
  • Is it really smart? Many smart home solutions have security holes as big as a garage door
  • From Mad Men to Bad Boys – malware becoming harder to monitor due to malvertising

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Sicherheit_Icon_virus_echt


2 Comments

Attack of the killer Ads

By Daniel Stirnimann and Serge Droz

Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do in the Internet.”  So what is true, what is false? Rather than speculate about obscure statistics I’d like to illustrate one of the big problems we face in .ch today, namely using ads as a back door to reach victims through reputable sites.

Ads: enter through the hallway

Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed – and still is – through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful, that drive-by is very scarce in Switzerland, hence the statement that ” … .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked, but in most cases they are not very popular websites, since popular websites are typically well protected. Many of the later ones offer a backdoor tough: ads! News sites in particular make most of their revenue by selling on line ads, which explains the “ad-war” arms race between ad-blockers an news agencies (see our Security Report on anti-anti-ad features). A very common way is malvertising, a term coined by William Salusky. Salusky found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario it has the same effect on the end user.

Most people would think that visiting a website just serves you content from that site but this is not true for most of the large sites, in particular news sites. They import contents such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site, and often import content themselves from yet another site. Thus, a well maintained site with high security standards will often import stuff from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.

The image below shows all the external sites involved whenever you visit three popular news sites.

 

Ohne Addon

The above example shows what happens when you visit three popular Swiss newspapers. Triangles denote third-party sites from which content is imported when you visit the respective news site. The visualisation was done using the Mozilla addon LightBeam

Continue reading

Safer-Internet-Home


Fixing hundreds of websites in one day

Remedying Angler infections in Switzerland

In recent weeks the Angler exploit kit has become the dominating tool for DriveBy attacks. Cleaning Angler compromised web servers is a challenge which has been well mastered in Switzerland, thanks to the close collaboration of Swiss hosters and SWITCH.

The culprit

On Sunday July 5 an the Italian ‘offensive security’ firm HACKING TEAM got hacked and all its files were made public. This included a couple of zero day exploits. Only two days later one of these was already used in the wild by the notorious Angler exploit kit. This is not surprising: Angler today is the most sophisticated exploit kit. Since its inception in 2013 it sported several new innovations which are today uses by others. According to a Sophos blog Angler’s “market share” rose from about 22% last fall to more than 80% this spring.

The payload

Angler used to distribute a variety of different malwares, from ransom-ware to banking trojans. However it seems with the rapid growth of the kit it also focused on distributing mostly Cryptowall 3.0. This malware encrypts all the files on an infected system and demands a hefty ransom of several hundreds of Euros to unlock them. Many people claim to not have “anything important” on their PCs to then discover that all their family pictures of the past ten years are gone. An it’s not looking better for businesses that lose all their data, including their backups on USB disks.

Cleaning Infections in Switzerland

SWITCH has been cleaning up misused domains since several years now through its Safer Internet campaign. We have processed thousands of domains and thus protected visitors of Swiss websites from the evil of exploit kits, such as Angler. Infection rates of Swiss websites have indeed gone down over the past month, or so we believed. On the 22. July 2015 however,  the good folks from the National Cyber Security Centre Finland (NCSC-FI) and abuse.ch have managed to make a small dent into Angles infrastructure. A total of over 200’000 compromised URLs worldwide were reported that are misused by Angular.

Angler Distribution

Distribution of web servers, which are misused by the Angler exploit-kit.

Of these 166 where in the .ch and .li top level domain and thus could be entered into our program. We reported these URLs to the respective domain owners as well as the hoster we have contacts to. Checking on the 23. July over 90% of these domains have been cleaned up and a handful have been added. As of the 24. July 2015 only a few sites remain infected.

This means that Swiss hosters are doing an excellent job. Cleaning a web page is not simple. It’s not enough to just remove the the offending code from that page itself. It’s known that the Angler crew installs several back doors, all of which have to be found and removed. These back doors often are webshells, which give full control over the entire web space of the server. The respective php files are obfuscated and not easily recognizable.

The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.

The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.

Some of the hoster report information back to us for which we are very grateful. This information can then be used to make the analysis better and discover new attack patterns quickly.

Conclusion

The close collaboration and exchange of information between all the stakeholders allows for a very rapid reaction to threats. Cleaning these web pages needs substantial resources by the hosters and also SWITCH. But it’s well invested: Taking down these pages quickly protects visitors from being infected by Cryptowall and saves their valuable data, be this treasured personal files or critical business information.

Safer-Internet-Home


Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading

News


IT-Security-Links #66

German: