Windows

Travnet Botnet Steals Huge Amount of Sensitive Data

May 19th, 2013

The Travnet bot not only steals sensitive information from a victim’s machine; it also steals document files. Generally speaking, we store most of our sensitive information in Office files, PDFs, and similar documents. Using data compression and data-encoding methods allows Travnet to steal huge amounts of data, including large files.

The bot first gathers sensitive information about the victim’s machine, then searches for document files (doc, docx, xls, xlsx, txt, rtf, pdf).

The information gathered by the preceding code includes the computer name, IP address, username, operating system, list of running processes, ipconfig details, and information about the accounts present on the system. The malware creates the file system_t.dll to store this information in plain text. It also creates the file travelbackinfo-(System Time).dll, which will be used in an HTTP GET request.

The data stored in the file can be huge, depending on the running processes and ipconfig details. The bot uses data compression and encoding to send the sensitive data to a remote server.

The bot sends the stolen data in the parameter “&filetext,” whose value starts with “begin::.” Because the compressed file can be too big to send in a single HTTP request, the bot sends it in chunks of 1,024 bytes and tracks its position with the parameter “&filestart.” The bot appends the string “:: end” to signal the end of the file.

Data compression and encoding techniques

The bot processes the original data in two passes:

In the first pass, it compresses the original data with a method similar to LZSS (Lempel–Ziv–Storer–Szymanski).

In the second pass, it encodes the compressed data using a custom Base64.

First pass data compression

The bot’s compression maintains a dictionary (a sliding window) of previously seen data, as LZSS does.

The bot uses a similar method with a large sliding window (to achieve a high compression ratio), but it outputs variable-length “Length–Offset” pairs, each written in only the number of bits required to represent the value. We have not yet seen any reference or implementation that outputs variable-length lengths and offsets, so for now we will call this method a variant of the LZSS data compression algorithm.

The bot starts compression by reading the original data in chunks of 65,536 bytes (so it has to maintain a sliding window of this size). The compressed output consists of chunks in the following format:

Original Length (2 bytes) + Compressed Length (2 bytes) + Compressed Data

This method achieves a high compression ratio and greatly reduces the size of the original data, allowing the bot to upload large files to the remote server. The decompressor is very easy to write because it does not need to search for the longest match; it only has to handle the variable-length values.

Second pass custom Base64 encoding

The Travnet bot uses a custom Base64 encoding to encode the compressed binary data. The character set used by standard Base64 is “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/” with “=” used for padding; the set used by the bot is “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/” with “*” used for padding.
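Putting the upload framing, the chunk header format and the custom Base64 alphabet described above together, here is a small added Python helper; it is not the tool from the original post and not the bot’s own code. It strips the begin::/:: end markers from a captured &filetext value, maps the bot’s alphabet back onto standard Base64, and walks the Original Length / Compressed Length chunk headers; the little-endian header byte order and the sample request are assumptions, and the bit layout of the LZSS variant is not modelled because the post does not describe it.

```python
import base64
import struct
from urllib.parse import parse_qs

# Travnet's alphabet differs from RFC 4648 Base64 only in '+' -> '-' and '=' -> '*'.
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
TRAVNET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*"
_TO_STANDARD = str.maketrans(TRAVNET, STANDARD)
_TO_TRAVNET = str.maketrans(STANDARD, TRAVNET)

def travnet_b64_decode(text: str) -> bytes:
    """Map the bot's alphabet back onto standard Base64, then decode."""
    return base64.b64decode(text.translate(_TO_STANDARD), validate=True)

def travnet_b64_encode(raw: bytes) -> str:
    """Inverse mapping; used only to build the constructed sample below."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_TRAVNET)

def extract_upload(query: str):
    """Return (filestart, decoded bytes) from one upload's query string: &filetext holds
    the payload between "begin::" and ":: end"; &filestart tracks the 1,024-byte slice."""
    params = parse_qs(query)
    text = params["filetext"][0]
    if not (text.startswith("begin::") and text.endswith(":: end")):
        raise ValueError("filetext lacks the begin::/:: end markers")
    body = text[len("begin::"):-len(":: end")]
    return int(params["filestart"][0]), travnet_b64_decode(body)

def parse_chunks(blob: bytes):
    """Split the first-pass output into (original length, compressed bytes)
    records: 2-byte original length, 2-byte compressed length, then the data.
    Little-endian headers are an assumption; the write-up does not say."""
    records, pos = [], 0
    while pos + 4 <= len(blob):
        orig_len, comp_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if pos + comp_len > len(blob):
            raise ValueError("truncated chunk at offset %d" % (pos - 4))
        records.append((orig_len, blob[pos:pos + comp_len]))
        pos += comp_len
    if pos != len(blob):
        raise ValueError("trailing bytes after the last chunk")
    return records

def build_sample_query() -> str:
    """Constructed request: two chunks with made-up compressed bytes, since
    the bit layout of the LZSS variant itself is not described."""
    chunks = struct.pack("<HH", 5000, 3) + b"\x01\x02\x03"
    chunks += struct.pack("<HH", 12, 4) + b"\xaa" * 4
    return "filestart=0&filetext=begin::" + travnet_b64_encode(chunks) + ":: end"
```

Swapping '+' for '-' also keeps the payload intact under form decoding, which turns a literal '+' into a space; the helper therefore feeds the value through parse_qs before mapping the alphabet back.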

Small tool to decompress the data stolen by Travnet.

As we look at the output, we see that the size of the decompressed file (the original data) is much larger than that of the compressed file. Let’s now look at the decompressed data:

The preceding is the original data stolen from the victim’s machine. Interestingly, the unreadable characters in the decompressed file are Chinese: while writing the sensitive information to the DLL file, the bot writes some hardcoded strings that are in Chinese. If we convert those strings to English:

Stealing files

The bot doesn’t stop; it steals more data. Next we see the functions called by the bot:

The bot will send the following:

A file containing lists of all filenames on the system drives

All files that have doc, docx, xls, xlsx, txt, rtf, and pdf extensions

All files from the victim’s desktop

Once it sends all the files to the remote server, the bot will go into sleep mode and wait for further commands.

Server commands

UNINSTALL

UPDATE

RESET

UPLOAD

Next we see a command from the server telling the bot to upload more data:

Although the botnet uses a simple mechanism to infect and steal information, a few elements make the Travnet botnet unique:

Using lossless data compression to steal large data files

Stealing document files with the extensions doc, docx, xls, xlsx, txt, rtf, and pdf

Stealing all files on the system drives

These unique features and the presence of Chinese strings lead us to conclude that the Travnet botnet may be a targeted attack for stealing sensitive data. We suspect the attackers use the initial data (computer information, IP addresses) to steal sensitive data from a particular group or identity. We also believe that the data uploaded to the malicious servers is actively monitored by the attackers. We have found new domains registered to carry out the attack. We believe that huge amounts of data have been stolen from victims whose machines were infected with Travnet.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


USB Autorun Attack

May 17th, 2013

New malware emerged recently attacking Android and Windows platforms.
Main capabilities: Steals information and downloads files
File size: 330,984 bytes
File type: APK

This malware poses as a system utility that claims to speed up the device. After installation it displays a launcher icon; once the malicious application is launched, the user sees its home screen. The application offers a number of “clean options” for the user to select, but they do practically nothing other than display a progress bar.

At the same time, the malware starts a malicious service in the background.
It registers a location listener to collect location details and upload them via HTTP to a server.
It also receives instructions from a C&C server.
The protocol the malware uses to communicate with the C&C server is a custom one.

The malware implements a number of functions, for instance:
• Send and delete SMS messages
• Steal contact information
• Track location via GPS
• Make phone calls
• Execute commands

What makes this malware special is the usb-autorun-attack command. On receiving this command, the malware downloads a few files from its server and saves them to the SD card. Among the saved files is a traditional Windows autorun malware, so when the user selects USB mode on the mobile device and connects it to a Windows machine, the autorun malware runs automatically. This autorun component is designed to record voice and report to the server. The application is a major threat to the security of the data stored on the computer on which it runs.


Microsoft Holds Off Installing Update

April 23rd, 2013

Microsoft is urging users who haven’t installed it yet to hold off on MS13-036, a security update that the company released earlier this week to fix a dangerous security bug in its Windows operating system. The advice comes in response to a spike in complaints from Windows users who found their machines unbootable after applying the update.

The MS13-036 update, first released on Tuesday, fixes four vulnerabilities in the Windows kernel-mode driver. In an advisory released April 9, the company said it had removed the download links to the patch while it investigates the source of the problem:

“Microsoft is investigating behavior wherein systems may fail to recover from a reboot or applications fail to load after security update 2823324 is applied. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2823324 update while we investigate.”

The problems with the patch appear to be centered around Windows 7 and certain applications on Windows 7, such as Kaspersky Anti-Virus. Microsoft has issued instructions on how to uninstall this update in the “resolution” section of this advisory.

Update, Apr. 23: Microsoft has re-released the problematic security update to address the problems that some Windows users were experiencing with the MS13-036 patch. The new update, KB62840149, replaces the faulty one, which was KB2823324.


Zero-Day Flaws in Adobe Reader, Acrobat

February 3rd, 2013

Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products.

The company issued an advisory about the threat on Wednesday, which confirms many of the details first disclosed by security firm FireEye earlier this week. FireEye has since posted a follow-up blog entry that sheds some additional light on how this attack works.

According to Adobe, there are two vulnerabilities in play here, and they exist in the latest versions of its software, including Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 for Linux.

Adobe says it is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message. The software maker added that it is in the process of working on a fix for these issues.

In the meantime, Windows users of Adobe Reader XI and Acrobat XI can protect themselves from the exploit by turning on Protected View: choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu.

For those spooked enough to avoid Adobe until a fix is available, there are several other free PDF reader programs available. I have been using Sumatra PDF for some time, and prefer it because it seems very lightweight and fast. Foxit Reader is another popular alternative.
