WRDW Science/Technology Headlines

SC suing Department of Energy over MOX suspension

Updated: 03/18/2014 - It could be a major economic blow for our area. Just weeks ago, the president's budget suspended a huge Savannah River Site project. But now, the State of South Carolina is fighting back. State leaders are suing the federal government to save the thousands of jobs the MOX project will create.

Gov. Haley addresses suspension of MOX, possible lay-offs

Updated: 03/05/2014 - We're continuing to learn more about what President Obama's budget could mean for our area. In particular, we're learning how it could even terminate a crucial project at Savannah River Site. News 12's Chad Mills talked to the governor to find out more.

Pres. Obama's budget suspends MOX project

Updated: 03/04/2014 - It's potentially bad news for Savannah River Site. On Tuesday, President Barack Obama released his budget. The budget calls for placing the Mixed Oxide (MOX) Fuel Fabrication Facility at SRS on "cold stand-by."

Virus Alerts from Viruslist.com

  • Chthonic: a New Modification of ZeuS

    In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:

    • First, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.
    • Second, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the majority of its potential targets.

    Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.

    The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

    Infection

    We have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:

    • sending emails containing exploits;
    • downloading the malware to victim machines using the Andromeda bot (Backdoor.Win32.Androm in Kaspersky Lab classification).

    When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.

    Sample message with CVE-2014-1761 exploit

    In the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim computer. In the example above, the file is downloaded from a compromised site – hxxp://valtex-guma.com.ua/docs/tasklost.exe.

    The Andromeda bot downloaded the downloader from hxxp://globalblinds.org/BATH/lider.exe.

    Downloading the Trojan

    Once downloaded, the downloader injects its code into the msiexec.exe process. It seems that the downloader is based on the Andromeda bot's source code, although the two use different communication protocols.

    Example of common functionality of Andromeda and Chthonic downloaders

    Differences in communication protocols used by Andromeda and Chthonic C&C

    The Chthonic downloader contains an encrypted configuration file (similar encryption using a virtual machine was used in KINS and ZeusVM). The main data contained in the configuration file includes: a list of C&C servers, a 16-byte key for RC4 encryption, UserAgent, botnet id.

    The main procedure of calling virtual machine functions

    After decrypting the configuration file, its individual parts are saved in a heap - in the following format:

    [screenshot Chthonic_5 not reproduced]

    This is done without passing pointers. The bot finds the necessary values by examining each heap element using the RtlWalkHeap function and matching its initial 4 bytes to the relevant MAGIC VALUE.

    The downloader puts together a system data package typical of ZeuS Trojans (local_ip, bot_id, botnet_id, os_info, lang_info, bot_uptime and some others) and encrypts it first using XorWithNextByte and then using RC4. Next, the package is sent to one of the C&C addresses specified in the configuration file.
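The two encryption layers described above, as an added example (not Kaspersky's analysis code and not taken from the Trojan): a keyless byte-chaining XOR followed by RC4 under the 16-byte key from the configuration file. The chaining direction and the key=value serialisation are assumptions (modelled on the leaked ZeuS visualEncrypt routine); the field names, sample values and key are constructed, and decode_package shows what an analyst with the recovered RC4 key can do with a captured check-in.

```python
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_chain_encrypt(data: bytes) -> bytes:
    """Keyless byte chaining: each byte is XORed with the already-encoded
    byte before it (assumption: same as the leaked ZeuS visualEncrypt).
    It adds no secrecy, only obscures the plaintext structure."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def xor_chain_decrypt(data: bytes) -> bytes:
    """Inverse: walk backwards so every byte still sees the encoded
    neighbour it was chained with."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


# Constructed sample: the field names the post lists, an arbitrary 16-byte key.
SAMPLE_FIELDS = {
    "local_ip": "192.0.2.10",
    "bot_id": "WORKSTATION_1A2B3C",
    "botnet_id": "test1",
    "os_info": "6.1.7601",
    "lang_info": "0409",
    "bot_uptime": "3600",
}
SAMPLE_KEY = bytes(range(0x10, 0x20))


def encode_package(fields: dict[str, str], key: bytes) -> bytes:
    """Serialise (assumed key=value&... layout), XOR-chain, then RC4."""
    plain = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    return rc4(key, xor_chain_encrypt(plain))


def decode_package(blob: bytes, key: bytes) -> dict[str, str]:
    """Undo both layers of a captured check-in: RC4 first, then the chain."""
    plain = xor_chain_decrypt(rc4(key, blob))
    return dict(item.split("=", 1) for item in plain.decode().split("&"))


if __name__ == "__main__":
    wire = encode_package(SAMPLE_FIELDS, SAMPLE_KEY)
    print("on the wire:", wire.hex())
    print("decoded:", decode_package(wire, SAMPLE_KEY))
```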

    In response, the malware receives an extended loader – a module in a format typical of ZeuS, i.e., not a standard PE file but a set of sections that are mapped to memory by the loader itself: executable code, relocation table, point of entry, exported functions, import table.

    Code with section IDs matching the module structures

    It should be noted that the imports section includes only API function hashes. The import table is set up using the Stolen Bytes method, using a disassembler included in the loader for this purpose. Earlier, we saw a similar import setup in Andromeda.

    Fragment of the import setup function in Andromeda and Chthonic

    Header of a structure with module

    The extended loader also contains a configuration file encrypted using the virtual machine. It loads the Trojan's main module, which in turn downloads all the other modules. However, the extended loader itself uses AES for encryption, and some sections are packed using UCL. The main module loads additional modules and sets up import tables in very much the same way as the original Chthonic downloader, i.e. this ZeuS variant has absorbed part of the Andromeda functionality.

    The entire sequence in which the malware loads, including the modules that are described below, is as follows:

    [screenshot Chthonic_9 not reproduced]

    Modules

    Trojan-Banker.Win32.Chthonic has a modular structure. To date, we have discovered the following modules:

    Name          Description                              Has a 64-bit version
    main          Main module (v4.6.15.0 - v4.7.0.0)       Yes
    info          Collects system information              Yes
    pony          Module that steals saved passwords       No
    klog          Keylogger                                Yes
    http          Web injection and formgrabber module     Yes
    vnc           Remote access                            Yes
    socks         Proxy server                             Yes
    cam_recorder  Recording video from the web camera      Yes

    The impressive set of functions enables the malware to steal online banking credentials using a variety of techniques. In addition, VNC and cam recorder modules enable attackers to connect to the infected computer remotely and use it to carry out transactions, as well as recording video and sound if the computer has a webcam and microphone.

    Injections

    Web injections are Chthonic's main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim.

    For example, for one of the Japanese banks the Trojan hides the bank's warnings and injects a script that enables the attackers to carry out various transactions using the victim's account:

    Online banking page screenshots before and after the injection

    Interesting functions in injected script

    The script can also display various fake windows in order to obtain the information needed by the attackers. Below is an example of a window which displays a warning about non-existent identification problems and prompts the user to enter a TAN:

    Fake TAN entry window

    Our analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When an online banking web page is opened in the browser, the entire contents of the page are spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe containing a phishing copy of the website that has the same size as the original window.

    Below is a fragment of injected code, which replaces everything between title and body closing tags with the following text:

    [screenshot Chthonic_13 not reproduced]

    And here is the script itself:

    [screenshot Chthonic_14 not reproduced]

    Additionally, the bot receives a command to establish a backconnect connection if the injection is successful:

    [screenshot Chthonic_15 not reproduced]

    Coverage

    There are several botnets with different configuration files. Overall, the botnets we are aware of target online banking systems of over 150 different banks and 20 payment systems in 15 countries. The cybercriminals seem most interested in banks in the UK, Spain, the US, Russia, Japan and Italy.

    Chthonic target distribution by country

    It is worth noting that, in spite of the large number of targets on the list, many code fragments used by the Trojan to perform web injections can no longer be used, because banks have changed the structure of their pages and, in some cases, the domains as well. It should also be noted that we saw some of these fragments in other bots' config files (e.g., Zeus V2) a few years back.

    Conclusion

    We can see that the ZeuS Trojan is still actively evolving and its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the ZeuS source code having been leaked. As a result, it has become a kind of framework for malware writers, which can be used by anyone and can easily be adapted to cybercriminals' new needs. The new Trojan – Chthonic – is the next stage in the evolution of ZeuS: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader.

    What all of this means is that we will undoubtedly see new variants of ZeuS in the future.

    A few md5:

  • A Nightmare on Malware Street

    Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith.

    CoinVault

    Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in 'IL Spy', we find that the program starts by using a string key which is passed to a decryption method, which will ultimately get the executable code.

    A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code.

    Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods taken from the source code and set a breakpoint to check what the decryption method is doing. A '77', '90' in decimal tells us we are on the right track, since converting these numbers to hexadecimal gives '4D', '5A', the magic number for DOS executable files identified by the ASCII string 'MZ'. We dump all the bytes to an executable file on disk for further analysis.
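The '77', '90' check done programmatically, as an added example that is not part of the original post: besides the MZ bytes it follows e_lfanew (offset 0x3C of the DOS header) to the 'PE\0\0' signature, so a stray "MZ" inside data is not mistaken for an executable, and carves each real hit to disk. The sample buffer is constructed here; the helper names are hypothetical.

```python
from __future__ import annotations

import struct
import tempfile
from pathlib import Path

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def is_pe_at(blob: bytes, off: int) -> bool:
    """True if blob[off:] starts with a DOS header whose e_lfanew lands on 'PE\\0\\0'."""
    if blob[off:off + 2] != MZ or off + 0x40 > len(blob):
        return False                      # too short to even hold e_lfanew
    (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
    pe = off + e_lfanew
    return blob[pe:pe + 4] == PE_SIG


def find_embedded_pes(blob: bytes) -> list[int]:
    """Offsets of every PE image inside a decrypted byte array."""
    hits, pos = [], 0
    while (pos := blob.find(MZ, pos)) != -1:
        if is_pe_at(blob, pos):
            hits.append(pos)
        pos += 1
    return hits


def decimal_dump_to_bytes(values: list[int]) -> bytes:
    """Turn a debugger watch such as [77, 90, 144, 0, ...] into raw bytes."""
    return bytes(values)


def carve(blob: bytes, out_dir: Path) -> list[Path]:
    """Write each embedded image (from its MZ to the end of the buffer) to disk."""
    paths = []
    for n, off in enumerate(find_embedded_pes(blob)):
        path = out_dir / f"carved_{n}_{off:08x}.bin"
        path.write_bytes(blob[off:])
        paths.append(path)
    return paths


def build_sample() -> bytes:
    """Constructed test input: 5 junk bytes holding a bare 'MZ' decoy, then a
    minimal header whose e_lfanew (0x80) points at the PE signature."""
    decoy = b"\x00MZ\x00\x00"
    header = bytearray(0x84)
    header[0:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = PE_SIG
    return decoy + bytes(header)


if __name__ == "__main__":
    blob = build_sample()
    print("PE images at offsets:", find_embedded_pes(blob))
    with tempfile.TemporaryDirectory() as tmp:
        print("carved:", [p.name for p in carve(blob, Path(tmp))])
```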

    We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer.

    Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'.

    In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible.

    Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go.

    But wait… there's more! The detection of the virtualized environment will cause the execution to stop and the malicious payload to remain hidden.

    Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process.

    We can fix this easily from VMware's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running our PowerShell checks again, we witness the good news and are ready to go even further.

    Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection.

    The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner.

    However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point it seems he's welcome as suggested by the phrase, 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 1.9.0.0.

    Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code.

    We can now see, amongst the many (many) methods and delegates inside the assembly, some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' class is used (amongst others), revealing symmetric encryption functionality.

    We can even get a glance at how the PRNG was implemented and some internal details of the malicious application.

    When we are finally shown the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline and this hampers the 'Locker' functionality, since upon traffic analysis inspection we were able to see that a hardware ID is sent to the C&C in order to use a dynamic file encryption password. I guess now we can understand why the malware is checking for Wireshark in the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done.

    At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.

    Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be.

    Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.

  • Brazilian Trojan Bankers – now on your Android Play Store!

    It took some time but they're finally here – Brazilian cybercriminals have started to target their attacks towards mobile banking users. This week we spotted the first Trojan banker targeting Brazilian users of Android devices. Two malicious applications meant to pass for apps from local Banks were hosted on Google Play.

    According to FEBRABAN (the local Federation of Banks), more than 6 million Brazilians are using mobile banking regularly, so it's not surprising to find malware targeting mobile users. In fact, Brazil was crowned the country most attacked by banking malware in our Q3 threat evolution report:

    This move by Brazilian bad guys was predictable and expected as a natural development in the local malware scene. In 2012, we witnessed attacks using phishing pages in mobile format, and now a bad guy using the name "Governo Federal" (Federal Government) was able to publish 2 malicious apps in the Play store:

    Both apps used the names of two very popular public Brazilian Banks – the first app was published on October 31st and registered 80 installations. The second was published on November 10th and had only 1 installation.

    To create the malicious app, the (lazy) bad guy decided to use "App Inventor": a free platform that allows anyone to create their own mobile Android application, no technical knowledge required. The result is an app big in size and full of useless code. But both apps had the function to load the logos of the targeted Banks and open a frame – the phishing page programmed to capture the user's credentials. Simple, but effective, as mobile banking users in Brazil still use single authentication, without tokens or OTPs, where only the account number and password are required.

    The phishing pages of the targeted Banks were hosted on a hacked website. A good soul removed them and inserted an alert to the visitors stating: "Este é um aplicativo Falso, denuncie este app", meaning "This is a fake app, please report it". As a result, when the user downloads, installs and opens the fake banking app, this message is displayed inside, instead of the original phishing page:

    We reported both apps to Google, and they promptly removed them from the Play Store. We detect both apps as Trojan-Banker.AndroidOS.Binv.a (MD5s: 00C79B15E024D1B32075E0114475F1E2 and A18AC7C62C5EFD161039DB29BFDAA8EF) and we're quite sure that these are only the first crude attempts of many more to come.

    Thanks to my colleague Roman Unuchek for the valuable help in this case.

  • Android NFC hack allows users to have free rides in public transportation

    "Tarjeta BIP!" is the electronic payment system used in Chile to pay for public transportation via NFC incorporated in the user's smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have been already executed worldwide. This is a trend. It means that criminal minds should be interested in it. Moreover, they are.

    More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reversed the "Tarjeta BIP!" cards and found a means to re-charge them for free. So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum equal to approximately $17 USD.

    MD5 (PuntoBIP.apk) = 06a676fd9b104fd12a25ee5bd1874176

    Immediately after it appeared on the Internet, many users downloaded it and confirmed they were able to recharge their travel cards. All they had to do was install the app on an NFC-capable Android device, hold the travel card against the phone and push the button "Cargar 10k", which means "Refill the card with 10,000" Chilean pesos.

    According to the metadata of the .dex file package, it was compiled on October 16, 2014 and is 884.5 kB (884491 bytes) in size. The feature it incorporates interacts directly with the NFC port: android.hardware.nfc

    The app has four main features: "número BIP" - to get the number of the card, "saldo BIP" - to get the available balance, "Data carga" - to refill available balance and finally, maybe the most interesting is "cambiar número BIP" - allowing the user to change the card number altogether. Why would we say this last feature is the most interesting? Well, a source suggested the authorities were going to block fraudulently refilled BIP cards. However, as we can see, the app is able to change the BIP number.

    Since the original links to download the app were taken down, new links appeared, now pointing to new servers and actually hosting a new app:

    MD5 (PuntoBIP-Reloaded.apk) = 2c20d1823699ae9600dad9cd59e03021

    This is a modified version of the previous app, compiled on the next business day, Oct 17, 2014, and a lot bigger at 2.7 MB (2711229 bytes). It includes an advertisement module which shows ads via the DoubleClick network.

    Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a.

    Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.

    At the same time, it is important to mention that mobile payments are getting more and more popular. NFC is one of the most promising ports in this field. This is a good example of how fresh new payment schemes often present the same old problems.

    Thanks to Roman Unuchek for his analytical insights.

    You may follow me on twitter: @dimitribest

  • Android Backdoor disguised as a Kaspersky mobile security app

    This week, our virus lab handled a case where a customer received a phishing email with an Android Backdoor archive masquerading as a Kaspersky mobile security app (we are aware that those who created this app are also disguising it as apps from other major AV brands).

    It prompts recipients to install the fake Kaspersky Android app to protect their mobile security. From the context we can presume the intended targets are users in Poland.

    Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think this is a new trend in spreading viruses. Mobile security is closely related to user privacy. For many users, a mobile device is more important than a PC: it contains their contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.

    In this case, the Android apk in the phishing email is a powerful and aggressive backdoor which is detected as Backdoor.AndroidOS.Zerat.a. The backdoor is full of malicious functions, but the GUI is a little simple and crude.

    Maybe it only wants you to install it and click the button. Once run, it connects to hxxp://winrar.nstrefa.pl/path/DeviceManager.php to register the victim's device info.

    Then it visits hxxp://winrar.nstrefa.pl/path/Linker.php to get commands.
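The two-step check-in just described (registration via DeviceManager.php, then tasking via Linker.php) turned into detection logic, as an added example that is not from the original post: it runs over constructed proxy log lines and flags clients that show both steps. The only indicators used are the host and the two paths named above; the Squid-like log layout (timestamp, client, method, URL) is an assumption.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators taken from the post (hxxp:// defanged in the text, plain http in logs).
C2_HOST = "winrar.nstrefa.pl"
C2_PATHS = {
    "/path/DeviceManager.php": "registration",   # victim device info is sent here
    "/path/Linker.php": "tasking",               # commands are fetched from here
}

# Assumed log layout: <timestamp> <client> <method> <url> ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample log: one clean request, one full check-in sequence from
# 10.0.0.7, and an unrelated fetch from the same host by another client.
SAMPLE_LOG = """\
1415000001.123 10.0.0.7 GET http://example.org/index.html
1415000002.456 10.0.0.7 POST http://winrar.nstrefa.pl/path/DeviceManager.php
1415000003.789 10.0.0.9 GET http://winrar.nstrefa.pl/images/logo.png
1415000004.000 10.0.0.7 GET http://winrar.nstrefa.pl/path/Linker.php?id=1
"""


def classify(url: str) -> str | None:
    """Label a URL by the role it plays in the backdoor's protocol, or None."""
    parsed = urlparse(url)
    if parsed.hostname != C2_HOST:
        return None
    return C2_PATHS.get(parsed.path, "other-on-c2-host")


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, role, url) for every request touching the C&C host."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                       # unparsable line, skip it
        role = classify(match["url"])
        if role:
            hits.append((match["client"], role, match["url"]))
    return hits


def suspected_infections(hits: list[tuple[str, str, str]]) -> set[str]:
    """Clients that performed both registration and tasking: high confidence."""
    roles_by_client: dict[str, set[str]] = {}
    for client, role, _ in hits:
        roles_by_client.setdefault(client, set()).add(role)
    return {c for c, roles in roles_by_client.items()
            if {"registration", "tasking"} <= roles}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, role, url in found:
        print(f"{client:10} {role:18} {url}")
    print("likely infected:", suspected_infections(found))
```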

    Depending on the commands received, it performs a wide range of malicious activities.

    Some of the commands are shown below:

    • Getting location
    • Recording
    • Intercepting text messages
    • Browsing history
    • Recording call
    • Store and upload

    This is a new type of mobile security threat that works just like a phishing site or phishing SMS. With the phishing email, the backdoor will spread more easily. There is reason to believe that more, and increasingly complex, mobile attacks will follow. Composite attacks on mobile platforms are simply a matter of time.

    In this day and age it is very important to protect our privacy and device security. It's recommended to follow these tips:

    • Download a mobile security app from the official Kaspersky website.
    • Don't trust strange emails.
    • Don't just open and execute files in email attachments.
Copyright © 2002-2014 - Designed by Gray Digital Media - Powered by Clickability
Gray Television, Inc.