(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Free, unfiltered Web browsing—without a data plan. (credit: Jacob Ajit)

Jacob Ajit, a 17-year-old student at the Thomas Jefferson High School for Science and Technology in Fairfax, Virginia, was bored and screwing around with a smartphone that had service and a SIM for T-Mobile's prepaid phone service. He soon discovered it was possible to still gain access to the Internet without paying for an account; all he had to do was route everything through a proxy application running on a server with "/speedtest" in its Web address.

The T-Mobile prepaid SIM makes it possible to pay for new service from the phone itself. This requires the phone to be able to connect to T-Mobile's network to do so, so a captive portal blocks access to the rest of the Internet until the account is activated. But Ajit found that the Speedtest mobile app worked even when the phone's data plan hadn't been activated—likely as a marketing tool to demonstrate the speed of T-Mobile's 4G network.

By capturing some of the data sent to Speedtest when connected to a shared network connection through his Mac (he used mitmproxy to do so), Ajit discovered the graphics used in the Speedtest app to measure download speed were hosted on a number of different sites. The only similarity in them was their Web addresses all included "/speedtest" in the URL. He manually entered the URLs into a browser on the phone and was able to reach them despite the T-Mobile block.


 


Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to tamper with the contents of encrypted messages sent by Android users. The update is available in this GitHub submission, but isn't yet available in the Google Play market for Android apps.

The message authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised a Signal server, or who were otherwise able to monitor data passing between Signal users, to replace the contents of a valid attachment with fraudulent data. A second bug possibly would have allowed attackers to remotely execute malicious code, but a third bug limited exploits to a simple remote crash.

"The results are not catastrophic, but show that, like any piece of software, Signal is not perfect," Aumasson wrote in an e-mail. "Signal drew the attention of many security researchers, and it's impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we'll keep trusting it."


 
ESA-2016-094: RSA BSAFE® Micro Edition Suite Multiple Vulnerabilities
 

(credit: Social media, via China Daily)

China's Mid-Autumn Festival started today, as much of the world now knows due to a runaway inflatable moon incident reported yesterday (as seen below). Celebrated on the 15th day of the eighth month in the Han calendar—corresponding to the full moon closest to the Autumnal Equinox—the holiday is commemorated in Chinese culture through the exchange and sharing of moon cakes.

That escaped moon, blown loose by typhoon winds in Fuzhou.

The cakes are round pastries filled with lotus seed paste or red bean paste and occasionally the salted yolk of a duck egg surrounded by a thin crust. They are traditionally given as presents by businesses and are in huge demand in much of China and in Chinese communities around the world leading up to the festival. And that's likely what drove four employees of the Chinese e-commerce site Alibaba to exploit a weakness in an internal company website offering discounted mooncakes to company staff.

Alibaba offered its employees one free mooncake each—complete with a plush Alibaba mascot hidden inside, rather than the traditional duck yolk. Additional cakes were sold at cost to employees for friends and family through an internal e-commerce page. But as China Daily reports, the four employees—software engineers at the company—were able to surreptitiously insert additional software into the website, directing extra mooncakes to themselves. Alibaba's internal security team detected the hack and found that the four were "cheating using technology" to amass 124 boxes of the cakes (with four cakes per box). All four employees were dismissed.


 

One of my morning rituals is to take the last few malware samples I received in any of my inboxes and run them in a virtual machine to see if there is anything new. To be honest: there isn't much new that we haven't already written about. The sample is usually a zipped VBScript file that will download and run ransomware. But that isn't the only constant. The other constant is the inability of anti-malware to protect your system from these consistent attacks.

The virtual machine runs a fully patched Windows 10 install, and home-user grade anti-malware. I would consider it a well configured average home user system.

This morning, for example, I tried these three samples:

924936fb9f562dc08556bf0677a5d15c813eebde SCAN_20160915_241418570.zip
c29dd0d1fe36b3891d685171683635c442d84c8d SCAN_20160915_3640961765775.zip
6213e371567b4620064933efa43e5ffdba455c65 SCAN_20160915_894622558880029.zip

They all arrived in similar e-mails with a subject of "SCAN".

If you are paying attention to malware, you have probably seen e-mails like this for years with various attachments.

Two of these samples were nicely detected by my anti-malware solution, and I wasn't even able to copy them to my virtual machine. But the third one, which isn't substantially different, made it past whatever signature was used to detect these generic JavaScript downloaders.

VirusTotal shows that some name-brand anti-malware solutions do not detect this particular sample:

https://www.virustotal.com/en/file/8acb71453b9759a64eea060949ad87bae3d6f070b04daf2f70ed124b1a905399/analysis/
https://www.virustotal.com/en/file/f732887b200563bfdd89f516fc30139ea21e8adbd3280df3436c289bc154383a/analysis/
https://www.virustotal.com/en/file/a9b4a38e515ee10e1dc8eda13ac9abd8c11c0eece4ac1cb1c746015d17ff5a0c/analysis/

It also shows that all of these samples were rather fresh: VirusTotal had received them about 30 minutes earlier, so around the time I had received them.

Even if your anti-malware solution doesn't detect the downloader, there is still a chance that it will detect the malware that is downloaded by the JavaScript. This often leads to a false sense of security: you will see, often multiple times, popups saying that your anti-malware solution removed malicious code from your system. But these downloaders can be rather persistent. One sample I looked at yesterday took about 15 minutes, and about a dozen "malware found" popups, until it finally downloaded a version of Locky that was not detected, and I ended up with another encrypted system.

So what can you do?

  • The less malware reaches the user, the better. Filter as much on mail servers and proxies as you can using generic filters (zipped VBScripts and the like; we talked about this before).
  • Once you notice a possible infection, NEVER trust anti-malware to clean your system. It is probably best to shut down the system as soon as you notice "malware found" popups. This way, you MAY prevent the final successful install, and you may be able to save some of your files from being encrypted.
  • Just like you should not rely on anti-malware: blocklists of bad URLs and the like are just as bad (ours included). They will help you in hindsight to figure out who got infected yesterday (or an hour ago if they are good), but they will not consistently prevent exploitation.

For example, here are the URLs that I think were used in the undetected sample (I didn't do a full analysis):

(spaces added to protect readers.)

bigfishcasting .com/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO
delicefilm .com /afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO (this one has some reasonable recognition as a bad URL)
keratin .sk/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO

The issue with anti-malware missing the downloader, and then hoping that the downloaded malware will be detected, isn't new. It goes back at least to the famous WMF incident more than 10 years ago, when anti-virus was suggested as a mitigation for the vulnerability, even though it didn't detect actual exploitation of the vulnerability but only the additional malware downloaded via the exploit. 10+ years later... not much has changed. We are still making it too easy for the bad guys.
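The first recommendation above, filtering zipped script downloaders generically at the mail gateway rather than waiting for a signature, is simple to act on because it keys on attachment structure, not on the sample's hash. The following is an added example, not code from the diary or from SANS: it opens a zip attachment in memory, without executing anything, and quarantines it when a member carries a Windows Script Host or executable extension, a decoy double extension such as `invoice.pdf.js`, or an implausible compression ratio, and records the archive's SHA-1 so that a hit can later be matched against sources such as the VirusTotal reports linked above. The extension lists and the two sample archives are constructed for the example and are assumptions about what a typical office gateway should reject, not a list from the diary.

```python
"""Generic mail-gateway filter for zipped script downloaders (added example).

Flags zip attachments that carry script files or decoy double extensions
without running anything inside them. Sample archives are constructed inline.
"""
import hashlib
import io
import zipfile

# Extensions Windows hands to the Windows Script Host or the shell.
# Assumption: an office mail gateway has no reason to accept these in archives.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".bat", ".cmd", ".scr", ".exe"}

# Decoy extensions seen in double-extension names such as "invoice.pdf.js".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}


def classify_member(name):
    """Return the reasons a zip member name looks like a dropper ([] if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script-extension:" + ext)
        # A document-looking name in front of the script extension is a decoy.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append("double-extension:" + parts[-2] + ext)
    return reasons


def inspect_zip(data):
    """Inspect raw zip bytes and return a report with sha1, members, reasons, verdict."""
    report = {"sha1": hashlib.sha1(data).hexdigest(), "members": [],
              "reasons": [], "verdict": "allow"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                report["members"].append(info.filename)
                for reason in classify_member(info.filename):
                    report["reasons"].append(info.filename + ": " + reason)
                # A tiny member expanding enormously is a zip-bomb hint.
                if info.compress_size and info.file_size / info.compress_size > 1000:
                    report["reasons"].append(info.filename + ": suspicious compression ratio")
    except zipfile.BadZipFile:
        # Malformed archives are a classic way to slip past lazy scanners.
        report["reasons"].append("not a valid zip archive")
    if report["reasons"]:
        report["verdict"] = "quarantine"
    return report


def build_sample(members):
    """Construct an in-memory zip from {name: bytes} (sample input, constructed here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a downloader-style archive (placeholder body, not real
# malware) and a benign one. Member names are made up for the example.
MALICIOUS_SAMPLE = build_sample({"SCAN_invoice.pdf.js": b"// placeholder script body\n"})
BENIGN_SAMPLE = build_sample({"scan.pdf": b"%PDF-1.4 placeholder\n"})

if __name__ == "__main__":
    for label, sample in (("downloader-style", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        rep = inspect_zip(sample)
        print(label, rep["sha1"], rep["verdict"], rep["reasons"])
```

Run as a script it prints one verdict line per constructed archive. At a real gateway the same `inspect_zip` call would sit in a milter or content-filter hook, and the SHA-1 it records is what you would carry into a blocklist or VirusTotal lookup afterwards; as the diary notes, that lookup tells you who got hit, while the structural check is what keeps the attachment from reaching the user in the first place.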

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
Oracle Java SE and JRockit CVE-2016-3508 Remote Security Vulnerability
 
Cisco EPC 3925 Multiple Vulnerabilities
 
Insecure transmission of data in Android applications developed with Adobe AIR [CVE-2016-6936]
 