Archive

Archive for the ‘social engineering’ Category

Malicious macro using a sneaky new trick

May 18th, 2016 No comments

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

However, there was no immediate, obvious sign that this file was actually malicious. It's a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons


The VBA modules look like legitimate SQL-driven macro code, and no malicious code was found in them. However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough – there's something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the default autoopen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field


The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.
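One way to catch the pattern described above, where the module code itself looks clean and the payload hides in a form control's Caption, is to triage the decompressed VBA source together with the extracted control captions. The following is an added example, not code from the original post or from Microsoft's tooling; the VBA source and the captions are constructed to mirror the behaviour described (an auto-run macro calling a routine that reads CommandButton3.Caption), and the decoding routine is deliberately left out.

```python
import math
import re

# Constructed sample of decompressed VBA source, modelled on the Module2 behaviour
# described above; the decoding loop itself is deliberately omitted.
VBA_SAMPLE = """
Sub autoopen()
    UsariosConectados
End Sub

Sub UsariosConectados()
    Dim s As String
    s = UserForm1.CommandButton3.Caption
    ' ... decoding of s omitted in this constructed sample ...
End Sub
"""

# Constructed sample of form-control captions as an analyst would extract them
# from the user form; CommandButton3 carries an opaque, high-entropy value.
CAPTIONS = {
    "CommandButton1": "Conectar",
    "CommandButton2": "Cancelar",
    "CommandButton3": "7gTq2ZkPx9mLw4RvH1bNs8Yd3Je6Uc0Fa5Xo",
}

# Procedure names Office runs automatically when a document opens (real Office behaviour).
AUTO_EXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b", re.I)

# Any <control>.Caption read in the code; the group captures the control name.
CAPTION_REF = re.compile(r"\b(\w+)\.Caption\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: about 3 for ordinary words, above 4.5 for encoded blobs."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(caption: str, min_len: int = 16, min_entropy: float = 4.0) -> bool:
    """Heuristic: a button label this long and this random is unlikely to be UI text."""
    return len(caption) >= min_len and shannon_entropy(caption) >= min_entropy


def triage_vba(source: str, captions: dict) -> dict:
    """Flag the pattern: auto-run macro plus code reading a Caption that looks encoded."""
    auto_exec = [m.group(1) for m in AUTO_EXEC.finditer(source)]
    caption_refs = sorted(set(CAPTION_REF.findall(source)))
    encoded = sorted(c for c, text in captions.items() if looks_encoded(text))
    # Suspicious only when the signals line up; each alone is common in benign documents.
    suspicious = bool(auto_exec) and any(c in encoded for c in caption_refs)
    return {
        "auto_exec": auto_exec,
        "caption_refs": caption_refs,
        "encoded_captions": encoded,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(triage_vba(VBA_SAMPLE, CAPTIONS))
```

The entropy threshold is a triage aid, not a signature: short captions and localized UI text stay below it, while a base64- or custom-encoded URL of any useful length will not. The check is meant to direct an analyst to the user form, which is exactly where the module-only review above initially missed the payload.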

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015 No comments

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Increasing trend of macro downloaders from April 2014 to 2015

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen the majority of the macro-malware attacks in the United States and United Kingdom.

Macro downloaders’ prevalence in affected countries

Figure 2: Macro downloaders’ prevalence in affected countries


Macro malware distribution heat map

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and delivers its payload.

Macro downloader infection chain

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, including but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payloads, including but not limited to:

We have also observed the following binary downloaders to be related to these macros, including but not limited to:

Once the macro malware has completed its download, its job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, including but not limited to:


Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful when enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all, of the macro malware we receive is in the binary .doc file format (an OLE compound file, whose first bytes are D0 CF), the format used by Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured to block files from older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block.

Trust Center file block settings

Doing so blocks files from older Office versions from opening.
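The file-format point above (legacy binary Office files start with the bytes D0 CF) and the File Block recommendation translate naturally into a mail-gateway or sandbox triage check. The following is an added example, not code from the original post or from Microsoft; the sample attachments are constructed in memory, while the header signatures and the OOXML content-type strings are the real ones.

```python
import io
import zipfile

# Header signatures (real values): the OLE compound file used by legacy .doc/.xls/.ppt,
# and the ZIP container used by OOXML documents (.docx/.docm).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_office_attachment(data: bytes) -> dict:
    """Report which container an attachment uses and, for OOXML, whether it carries VBA."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: a VBA project would live inside the OLE storage, and
        # telling a macro .doc from a macro-free one needs an OLE parser, so report unknown.
        return {"container": "ole", "has_vba_project": None}
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Macro-enabled OOXML stores the VBA project as a binary part, and its
            # [Content_Types].xml declares a macroEnabled main document part.
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                has_vba = has_vba or b"macroEnabled" in z.read("[Content_Types].xml")
            return {"container": "ooxml", "has_vba_project": has_vba}
    return {"container": "other", "has_vba_project": None}


def should_quarantine(info: dict, block_legacy: bool = True) -> bool:
    """Gateway policy mirroring File Block: hold legacy OLE files and any OOXML with VBA."""
    if info["container"] == "ole":
        return block_legacy
    return bool(info["has_vba_project"])


# Constructed samples (not real malware): a legacy .doc header stub, a macro-free .docx
# and a macro-enabled .docm, all built in memory.
def _ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


LEGACY_DOC = OLE_MAGIC + b"\x00" * 504  # one 512-byte header sector, rest zeroed
DOCX = _ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" ContentType='
                           b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
DOCM = _ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" ContentType='
                           b'"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 504,  # the VBA project part is itself an OLE file
})

if __name__ == "__main__":
    for label, blob in (("legacy .doc", LEGACY_DOC), (".docx", DOCX), (".docm", DOCM)):
        info = classify_office_attachment(blob)
        print(label, info, "quarantine" if should_quarantine(info) else "allow")
```

The policy is deliberately coarse: it blocks on container type rather than on macro content, which is what the File Block setting does on the client side, and it flags a .docm even when the VBA project turns out to be benign. Whether to hold all legacy OLE documents (block_legacy) is the same trade-off an administrator makes when choosing which Word versions to block in the Trust Center.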

You can check whether the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Congratulations! You’ve won $800,000!!

September 2nd, 2014 No comments

Well, maybe not.

But that’s just one of the many ploys that scammers send in their relentless efforts to part people from their money or sensitive personal information like passwords and account numbers.

Microsoft is asking people to take a survey of their experience with online fraud—what kinds of scams they’ve encountered (including those on mobile devices and Facebook), how concerned they are about online or phone fraud, and what steps they take to protect themselves.

In 2012, Microsoft fielded its first such study, interviewing 1,000 US residents to understand their exposure to, and perception of, online fraud and scams.

Respondents reported having encountered roughly eight different scams on average, with these as the top four:

  • Scams that promise free things or coupons (44 percent)
  • Fake antivirus alerts that imitate real programs offering virus repair but that download malware instead (40 percent)
  • Phishing scams using fake messages that mimic those of trusted businesses to trick people into revealing personal information (39 percent)
  • Fraud that features a request for bank information or money upfront from someone (such as a “foreign prince”) who needs help transferring large sums of money for a cut of the total (39 percent)

In the new survey, we’re interested in how scams and responses to scams might have changed since 2012. Are there different scams? What are the most common? Where are they most often occurring—on mobile devices? On Facebook?

Results of our last survey showed that nearly everyone (97 percent) took steps to safeguard their computers, but more than half (52 percent) did nothing at all to protect their mobile devices. So we’re particularly interested to see if these numbers have changed.

You can help us fight online scams and fraud by taking our survey.

We will release the results of the survey during National Cyber Security Awareness Month this October. Follow the hashtag #NCSAM to read the story.

Do you know your kids’ passwords?

August 27th, 2014 No comments

This is the second of two blog posts on password protection. Read Part 1: Create strong passwords and protect them.

Whether or not you should know all of your kids’ passwords depends on their age, how responsible they are, and your parenting values.

However, kids of any age and responsibility level need to know how to create strong passwords and how to protect those passwords.

Sharing is great, but not with passwords

Your kids should never give their friends their passwords or let them log on to their accounts. Also, be careful sharing your passwords with your kids.

3 strategies for strong passwords

  • Length. Make your passwords at least eight (8) characters long.

  • Complexity. Include a combination of at least three (3) uppercase and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.

  • Variety. Don’t use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

For more information, see Help kids create and protect their passwords.

Why do I have to update my email account information?

August 21st, 2014 No comments

We’ve noticed comments from many of you asking why we want you to verify your Microsoft security information. We’d like to explain why verifying this information is important. To help protect your email account and your personal data, we ask everyone who has a Microsoft account to make sure that the security information associated with their account is correct and up to date. When your security information (like an alternate email address or phone number) is current, we can use it to verify your identity.

For example, if you forget your password or if someone else tries to take over your account, Microsoft uses your security details to help you get back into your account.

If you see a message asking you to update or verify your Microsoft account security information, you have seven days to do it. If you no longer have access to your security information, you will have to fill out a support request.

Get a quick overview of how to add security info to your account

When should kids be allowed online?

August 9th, 2013 No comments

As a parent or caregiver, you probably needed only one trip to the playground to realize that children can have radically different styles of play. Just as there's no "one size fits all" approach to helping children navigate the jungle gym, the way you talk about online safety with kids will depend on the child, their maturity level, and your family's values.

But what is your parenting style when it comes to introducing your children to new devices and online technology?

Take a brief survey and get tailored tips to help you have conversations with young Internet users about staying safer on the ever-changing digital playground.

7 ways to avoid TMI

July 23rd, 2013 No comments

Technology can make everything in our lives easier—including sharing too much information (TMI). Just because you can take a picture of your new credit card and post it on Instagram doesn’t mean that you should. In fact, you shouldn’t.

Sharing too much information can lead to identity theft. It can also damage your online reputation, which could prevent you from getting into college, getting a job, or even getting health insurance.

Here are ways to avoid sharing TMI:

  1. Never share your address, phone number, Social Security number, or other personal information through online interactions.
  2. Use and manage your privacy settings. Limit who can see details of your online profiles.
  3. Never shop, bank, or enter passwords or credit card numbers over public Wi-Fi.
  4. Ask questions. Sometimes we do need to share personal information, but before doing so, ask why the information is necessary and beware of imposters.
  5. Use sites that you can trust. Learn what to look for.
  6. Stop and think before you post an image, blog, tweet, or comment. What does it say about you and how you want to be viewed online?
  7. Take charge of your online reputation: Discover, evaluate, protect, cultivate, and restore as needed.

For more tips on avoiding TMI, check out the hashtag #IsThisTMI on our Twitter channel.


Catfishing: Are you falling for it?

June 20th, 2013 No comments

The news is filled with stories about people, famous and otherwise, getting caught in online dating scams. The phenomenon is so common that it now has a name: Catfishing. The term catfishing comes from the 2010 movie Catfish about a man who was lured into a relationship by a scammer who was using a fake social networking profile.

Catfishing is a kind of social engineering. It’s similar to messages that claim that your computer has a virus, that you’ve won a lottery, or that you can earn money for little or no effort on your part. All of these scams are designed to “hook” you with fear, vanity, and too-good-to-be-true offers. The cybercriminal in a catfishing scam might post fake pictures or send encouraging messages to entice you into a relationship, but the goal is the same as in other scams: The scammer wants to steal your personal information, your money, or both.

3 ways to help avoid catfishing

  • Always remember that people on the other end of online conversations might not be who they say they are. Treat all emails and social networking messages with caution when they come from someone you don’t know.
  • Never share your passwords, even with someone you trust. If you think your accounts have been compromised, change your passwords as soon as possible.
  • If you suspect that someone is catfishing you, report them.

For more general tips and advice on how to avoid scams, download our free 12-page booklet, Online Fraud: Your Guide to Prevention, Detection, and Recovery (PDF file, 2.33 MB), and browse our other resources on how to protect yourself online.

There is no Hotmail Maintenance Department

June 13th, 2013 No comments

Cassie writes:

I received an email from the Hotmail Maintenance Department requesting personal information verification. The message included a PDF file. Is this a scam?

Yes. This is one of many types of email cybercrime, also called phishing. Cybercriminals often use the Microsoft name to try to get you to share your personal information so that they can use it for identity theft. Delete the message—do not open it, and do not click any links or open any attachments.

The Hotmail Maintenance Department doesn’t exist—and if it did, the department wouldn’t send unsolicited email messages with attachments that asked for your personal information. Be suspicious of any email messages that appear to come from the Hotmail team; even though your email address still says “Hotmail,” the service is now called Outlook.com.

For more tips on spotting scam email messages, see How to recognize phishing email messages, links, or phone calls.

If you opened the PDF file, your computer might already be infected with malware that can be used to steal your personal information. Scan your computer with the Microsoft Safety Scanner to find out. The scanner will also help you remove any malicious software it finds.

Watch out for prize scams

January 16th, 2013 No comments

We’ve seen an increase in scam email messages that promise recipients they have won some kind of prize or a lottery. These unsolicited messages will often claim that the prize is sponsored by Microsoft or another well-known company. They request personal information that cybercriminals can use for identity theft.

Do not respond to these fraudulent messages with personal information. There is no Microsoft Lottery.

For more information, see:

Top 10 security stories of 2012

December 27th, 2012 No comments

From the latest scams and fraud to how, when, and why to update your computer, here are the stories that you viewed and clicked on the most this year.

Download security update for Internet Explorer. In September, Microsoft released a security update for Internet Explorer. To help protect your computer, visit Windows Update to download and install the update and ensure that you have automatic updating turned on.

Update your browser. In February, if you had automatic updating turned on, Windows Update automatically upgraded you to Internet Explorer 9. Now you can get Internet Explorer 10.

Is my computer up to date? In March, you clicked on this blog entry to learn how to turn on automatic updating and to make sure that your computer had all of the latest updates.

Beware of ransomware. Nearly a year ago, a lot of you stopped by to learn about the resurgence of this scam. It launches a pop-up window warning that illegal material has been found on your computer and then locks you out of your computer unless you pay a fee. It’s still around, and we recently offered new guidance to help you deal with it.

Protect yourself from online tracking. Earlier this year we reported on Tracking Protection, which was a new feature in Internet Explorer 9. Read more about how user privacy protection has evolved and why it is turned on by default in Internet Explorer 10.

Here are five more stories that were popular with you this year:

For more information on the top online safety stories of this year, visit the Trustworthy Computing blog.

Shop online with care this holiday season

November 27th, 2012 No comments

Holiday shopping is in full swing and so are the scams. The following tips can help you stay safe when you shop online.

Use a modern browser. Internet Explorer 9 and Internet Explorer 10 (available with Windows 8) include the SmartScreen filter. SmartScreen helps protect you from fraudulent shopping websites that seek to acquire personal information such as user names and passwords. Learn more about SmartScreen.

Use strong passwords for online retail sites and keep your passwords secret. Make your passwords eight or more characters. Use a combination of numbers, symbols, and uppercase and lowercase letters (the greater the variety of characters, the stronger the password). Also, make sure you don’t use the same password for all the sites you use. Check the strength of your password.

Be careful when you shop online using a public Wi-Fi connection. If possible, save your financial transactions for a secured home connection. Passwords, credit card numbers, or other financial information are less secure on a public network. If you have to make a purchase, choose the most secure connection—even if that means you have to pay for access. Learn more about Wi-Fi safety.

Get more advice for safer online shopping

An analysis of Dorkbot’s infection vectors (part 2)

November 21st, 2012 No comments

In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we’ll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files.

Spreading vectors not requiring user interaction: Drive-by downloads and Autorun files

Dorkbot can also spread automatically, without user interaction. We recently encountered a malicious Java applet that exploits the vulnerability described in CVE-2012-4681 to distribute the Dorkbot worm. We detect the applet as Exploit:Java/CVE-2012-4681.HD. Let’s take a closer look at how this exploit works.

Java applets that are not digitally signed are considered untrusted. They are executed with limited permissions by the Java Runtime Environment. Before it can download and execute arbitrary files, Exploit:Java/CVE-2012-4681.HD has to disable the security manager, which defines the security policy of the applet. The security manager can be disabled with a call to System.setSecurityManager(null), but applets are restricted from calling this method directly.

The exploit relies on vulnerabilities in the implementation of the following two methods:

  • Method com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)
  • Method com.sun.beans.finder.MethodFinder.findAccessibleMethod(Class,String,Class[])

We decompiled the method ClassFinder.findClass to determine why it was vulnerable. As shown in Figure 8, ClassFinder.findClass calls the method Class.forName in its internal implementation. The method Class.forName in turn only looks at the immediate caller to perform security checks. As you can see, the vulnerability lies in the way Class.forName is used, and not in the method Class.forName itself.

The fix was to perform an additional package access check at the beginning of method ClassFinder.findClass, a check that fails if an applet attempts to access a restricted Java class (Figure 8).

Figure 8: The vulnerability in com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)

Another issue, this time in the implementation of the method sun.awt.SunToolkit.getField(Class,String), allows one to access private members of Java classes. The method SunToolkit.getField would not be accessible by default to user code, but the exploit calls it with the help of a java.beans.Expression object. java.beans.Expression.execute() is also vulnerable because it relies on the two vulnerable methods described above.

Exploit:Java/CVE-2012-4681.HD calls SunToolkit.getField to modify a private member of a java.beans.Statement object and set the access control context to “all permissions”. The class Statement can be used to invoke methods from arbitrary classes with a modified access control context. The exploit relies on a Statement object with such a modified access control context to invoke the privileged method System.setSecurityManager. After this, it has the permission to download additional malware (Figure 9).

Figure 9: Execution flow of Exploit:Java/CVE-2012-4681.HD

As is typical for Java exploits nowadays, the code of Exploit:Java/CVE-2012-4681.HD is heavily obfuscated to try to bypass AV detection. Figure 10 shows how the exploit retrieves the private field “acc” of the java.beans.Statement class, a field that defines the access control context.

Figure 10: Obfuscated code in Exploit:Java/CVE-2012-4681.HD
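As an added triage example (not code from the post or the MMPC), the script below parses a Java class file's constant pool and reports which of the class and method names the exploit chains together (SunToolkit.getField, java.beans.Expression/Statement, ClassFinder, setSecurityManager) appear in it. The INDICATORS list and the constructed test class files are assumptions for this example; obfuscation of the kind shown in Figure 10 assembles these names at run time, so this catches only samples that keep them in the pool.

```python
from __future__ import annotations
import struct

# Names named in the post, in JVM internal form (slashes) as they appear in constant pools.
# "getField" alone is common (e.g. java.lang.Class.getField); weight it only next to SunToolkit.
INDICATORS = (
    "sun/awt/SunToolkit",
    "getField",
    "java/beans/Expression",
    "java/beans/Statement",
    "com/sun/beans/finder/ClassFinder",
    "setSecurityManager",
)

# Byte width of the body of each fixed-size constant pool tag (JVM spec, section 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_utf8(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry of a .class file's constant pool, in order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count follows magic+version
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified UTF-8 bytes
            length = struct.unpack_from(">H", data, pos)[0]
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1  # CONSTANT_Long/Double occupy two slots
    return out


def suspicious_indicators(data: bytes) -> list[str]:
    """Indicators from INDICATORS that occur inside any constant pool string."""
    strings = constant_pool_utf8(data)
    return [ind for ind in INDICATORS if any(ind in s for s in strings)]


def build_class(utf8: list[str]) -> bytes:
    """Constructed test input: a minimal class file whose pool holds only Utf8 entries."""
    pool = b"".join(struct.pack(">BH", 1, len(s.encode())) + s.encode() for s in utf8)
    # minor 0, major 50 (Java 6), count = entries + 1, then an empty class body (7 x u2)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(utf8) + 1) + pool + b"\x00" * 14
```

For a real applet, run the check over every class extracted from the JAR; a hit on "getField" by itself is normal, while SunToolkit together with Statement/Expression and setSecurityManager is the combination worth escalating.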

Exploits for CVE-2012-4681 are guaranteed to work if the Java Runtime Environment is vulnerable (unlike exploits for memory-corruption bugs, for instance). They are also platform independent (so they can also infect *nix and Mac users) and target a huge base of Java installations.

Unsurprisingly, as shown in Figure 11, our telemetry indicates that exploits for CVE-2012-4681 have been widely used to distribute malware since the vulnerability was first made public in late August 2012. A security update to resolve it was released around the same time.

Figure 11: Infection attempts with CVE-2012-4681 Java exploits reported from September 15th to October 17th, 2012

To avoid getting infected through drive-by downloads, make sure your software is up to date – for Java specifically, we talked about that in a previous post.

Worm:Win32/Dorkbot can also infect removable drives, by creating an autorun.inf file that points to a copy of the worm. If you have Autorun enabled on your computer, Dorkbot automatically runs whenever the removable drive is accessed. Fortunately, this distribution method is not very effective anymore, as explained in a previous blog post. Please keep your Windows up-to-date to deal with this infection vector.

Conclusion

As we previously mentioned, malware these days uses a variety of ways to infect computers, and Dorkbot is no exception. And its access to a C&C server allows for a certain level of dynamic behavior. Because of this, we advise users to be more vigilant against all the different channels that Dorkbot uses.

And finally, always make sure your definitions are up-to-date for your antivirus solution. If you don’t have one and you’re running Windows XP, Vista, or 7, you can download and install Microsoft Security Essentials for free. If you’re using Windows 8, make sure your antivirus program is enabled and running properly.

The following are the SHA1s of the samples that we’ve analyzed for this blog post:

  • Exploit:Java/CVE-2012-4681.HD – f624121d44b87369ba9ffa975db64fbb7bc395b3
  • Worm:Win32/Dorkbot spreading component – 11a2ddb73af46060802537dec0f8799e2a0dc13f
  • Worm:Win32/Dorkbot.A – 4176f4193b1ef64569bf0ab220113cce6074df4e
  • Worm:Win32/Dorkbot.I – 37c09e044ebe57eb66aa6c72cb039140b3b985f1

Horea Coroiu, MMPC Munich

Beware of deceptive downloads

October 18th, 2012 No comments

The Microsoft Security Intelligence Report (SIR) analyzes online threats using data from Internet services and over 600 million computers worldwide. Volume 13 of the SIR is now available and focuses on vulnerability disclosures from the first and second quarters of 2012.

A featured article, Deceptive Downloads: Software, Music, and Movies, highlights a growing trend of malware infection associated with unsecure supply chains, including legitimate sites that make shareware and music available for public downloads.

Download the latest report