SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Leave a comment

Why the most successful Retefe spam campaign never paid off

Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At that time, it changed the local DNS resolver on the computer (See also blog post “Retefe Bankentrojaner” in German only). Almost a year went by until they changed to the still current approach of setting a proxy auto-config (PAC) URL (See also blog post “The Retefe banking Trojan has targeted Switzerland“). To understand the story of this blog post, it helps to understand the modus operandi of the Retefe malware. We recommend you read up on it on our blog links posted above if you are not familiar with it.

While the Retefe actors are constantly changing tactics, for example their newest campaigns also target Mac OS X users, their malware still works the same. One of notable changes was the introduction of Tor in 2016. At first, they started using Tor gateway domain names such as onion.to, onion.link within the proxy auto-config URLs, later on they switched to Tor completely. The advantage of using Tor is of course, anonymity and the difficulty to block or take down the infrastructure.

Onion domain names don’t use DNS or do they?
The Tor network can use .onion domain names but these names are not resolved over DNS but instead work only in the Tor network. RFC 7686 (The “.onion” Special-Use Domain Name) goes into more details on the special case of .onion domain names. However, the fact is that .onion domain names do leak into the DNS system. For potential reasons and more information on this subject we recommend the paper by Versign Labs “Measuring the Leakage of Onion at the Root” (PDF).
Continue reading

Mobile Malware


Leave a comment

Adups — The Spy in your Pocket

Smartphones have become inseparable companions of our everyday life. They are so cheap nowadays, you can buy commodity devices running Android OS for less than a hundred Swiss francs. Smartphones aren’t mere wireless telephony devices. They are modern computer systems equipped with a variety of sensors: cameras, microphone, GPS receiver, gyroscopes and accelerometers, etc. They also feature multiple wireless communication interfaces such as multi-generation mobile networking, 2.4 and 5 GHz Wi-Fi, Bluetooth, NFC, etc, which make them a polyvalent communication platform with a quasi permanent Internet connection. Another way of looking at it: using all the components typical smartphones are equipped with, they can be fitted as perfect bugging devices.

On November 15th 2016, Kryptowire published a blog post revealing that „several models of Android mobile devices contained a firmware that collected sensitive personal data about their users and transmitted the data to third-party servers without disclosure or the users’ consent“. The sensitive data includes unique device and user identifiers, but also contact lists, call history, installed applications, and under circumstances text messages as well as fine grained location data. The said firmware originates from Adups, a Shanghai-based company specialized in mobile and IoT technologies. It is part of their FOTA product, a commercial replacement of Google’s Over-The-Air upgrade system, which is used to deploy firmware upgrades to the devices (hence the acronym: Firmware Over The Air). The FOTA component is pre-installed on various brands and models of Android devices manufactured in China. Being installed as a system APK, the software has unrestricted access to all data on the device and cannot be uninstalled.

 

HTTP request originating from a device affected by the Adups backdoor

HTTP request originating from a device affected by the Adups backdoor

Continue reading


6 Comments

Usage of .ch domain names for spamming malware Tofsee stopped

It is rare that a malware family uses .ch or .li domain names in their domain name generation algorithm (DGA). The last time I remember, that we had to take action against a malware using .ch or .li domain names was about 8 years ago. It was Conficker that infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as a command and control server. By then SWITCH joined the conficker working group to prevent the use of domain names by this malware.

Since then we have been watching the use of .ch and .li domain names in malware DGAs and prepared for this by making an agreement with the Registrar of Last Resort (RoLR) to prevent the registration of domain names used in DGA algorithms of malware.

This week the Swiss Govermental Computer Emergency Response Team (GovCERT) informed us about the malware Tofsee using .ch as one of the TLDs in its DGA. Continue reading


A file that wasn’t there

One of our minions (he was introduced in this blog entry a while ago) recently came to us asking for advice: he was about to automate yet another task, by using his Python-fu, and realized that he misses entries in the file system as well as in the registry.

Notably, he only sees this behaviour on 64bit-versions of the Windows operating system:

Windows Explorer (64bit) vs Python application (32bit)

Left: Windows Explorer (64bit) lists several folders and files.   Right: Python application (32bit) only lists the folder Microsoft.

The left image shows the folder C:\Windows\System32\Tasks as seen in the Windows Explorer, the right image as seen in a simple 32bit-python application. Only the subfolder Microsoft is listed there. Something is amiss.

 

Below is the code to produce the right image, when executed in a 32bit-version of Python:

import glob, os
for pathfilename in glob.glob(r"C:\Windows\System32\Tasks\*"):
    print pathfilename

Continue reading


An attachment that wasn’t there

By Slavo Greminger and Oli Schacher

On a daily basis we collect tons of Spam emails, which we analyze for malicious content. Of course, this is not done manually by our thousands of minions, but automated using some Python-fu. Python is a programming language that comes with many libraries, making it easy for us to quickly perform such tasks.

Python’s email library deals with, well, emails. And it does it well. But on October 3rd, we encountered an attachment that wasn’t there – at least according to Python’s email library.

Mal-formatted email

Left: Outlook Web does not show the attachment          Right: Thunderbird does show the attachment

Now how could that happen?

Emails do have a certain structure, which is described nicely in RFC #822, RFC #2822, RFC #5322, RFC #2045, RFC #2046, RFC #2047, RFC #2049, RFC #2231, RFC #4288 and RFC #4289. Even though these RFC’s are clear in their own way, an illustration might help (we focus on multipart emails only) to understand why Python’s email library got fooled.

Continue reading


New SWITCH Security Report available

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are

  • ICSI’s Haystack looking for Android needles – and beta testers for its field study
  • Staging a comeback with a blackout – macro-Trojans return and apparently cause Christmas power cut in western Ukraine 
  • Is it really smart? Many smart home solutions have security holes as big as a garage door
  • From Mad Men to Bad Boys – malware becoming harder to monitor due to malvertising

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.


2 Comments

Attack of the killer Ads

By Daniel Stirnimann and Serge Droz

Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do in the Internet.”  So what is true, what is false? Rather than speculate about obscure statistics I’d like to illustrate one of the big problems we face in .ch today, namely using ads as a back door to reach victims through reputable sites.

Ads: enter through the hallway

Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed – and still is – through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful, that drive-by is very scarce in Switzerland, hence the statement that ” … .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked, but in most cases they are not very popular websites, since popular websites are typically well protected. Many of the later ones offer a backdoor tough: ads! News sites in particular make most of their revenue by selling on line ads, which explains the “ad-war” arms race between ad-blockers an news agencies (see our Security Report on anti-anti-ad features). A very common way is malvertising, a term coined by William Salusky. Salusky found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario it has the same effect on the end user.

Most people would think that visiting a website just serves you content from that site but this is not true for most of the large sites, in particular news sites. They import contents such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site, and often import content themselves from yet another site. Thus, a well maintained site with high security standards will often import stuff from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.

The image below shows all the external sites involved whenever you visit three popular news sites.

 

Ohne Addon

The above example shows what happens when you visit three popular Swiss newspapers. Triangles denote third-party sites from which content is imported when you visit the respective news site. The visualisation was done using the Mozilla addon LightBeam

Continue reading