Category Archives: Security

Gone Phishin’

No, not the band. And yes, I did spell it right. I’m talking about phishing emails. I’m sure everyone’s come across at least one. Phishing emails are the type use social engineering to try and get users to reveal personal information, such as usernames, passwords, credit card numbers, social security numbers, and other information. Releasing this information allows the bad guy to use that information against you, by means of logging into your accounts, using your credit card information to make transactions, or maybe even stealing your identity.

Identifying Phishing Emails

There are numerous factors that can help identify phishing emails; a sense of urgency, a suspicious link, poor branding, unknown senders, and also generalized referencing to the intended recipient(s). Lets look at the sample below

PhishingEmail

1. Unknown Sender: Lets first look at the “From” message header. It looks like this email is from Fidelity, but the email address associated with does not associate at all with the company it is supposedly being sent from. Nonetheless, the email address in general is someone who is unknown. This causes suspicion.

*Occasionally, phishing emails with be “spoofed” This means that it looks like it was sent from a sender whom you know, although it was actually sent from the bad guy to trick you into trusting the email if it is sent from someone you know

2. Sense of Urgency: Did you see the subject? “Alert! Urgent Action Required” Phishing emails want you to feel like you have to respond right now, and that it is a higher priority. Many times, phishing sites will only be up for a day, maybe even a few hours. By making the user feel like it’s important, the user is more likely to comply sooner rather than later.

3. Generalization: Normally, legitimate emails sent to a user will include the recipients name, whether it’s in the form of “Hey Corrie!” from a friend, or even “Dear Corrie” (or something along those lines).  Phishing emails are usually sent to numerous people all at once, making it difficult to personalize the email. Be suspicious of emails that are not addressed to you personally, but addressed to a general customer, user, or group of people.

4. The Link: At first glance, the link looks legitimate, right? Look closer. Fidelity is spelt with an e instead of an i after the F. Fidelity.com would be the legitimate site, but the link to fedelity.com is definitely suspicious. In this circumstance, the link is clearly presented within the email, making it easier for the user to know where they are heading when they click the link. Although, many phishing emails will have hyperlinks saying “CLICK HERE”  in blue, underlined font, for example, and when the user clicks the button they are led to a site. Hovering your mouse over that hyperlink will display a pop-up revealing where the hyperlink is actually going, as opposed to where it looks like it might lead.

5. Poor Branding: Phishing emails pretending to be sent form a company, or other entity often have poor branding. Legitimate emails may have logos, contact information, or other unique identifiers to validate their emails. Phishing emails often times won’t contain that type of branding.

Another thing to note — phishing emails may also contain attachments asking you to reply to the email with your contact information because you suddenly inherited $1,000,000 from a far distant relative in Nigeria. If a suspicious email has any attachments, don’t open them

Stay tuned for how to deal with phishing emails

Mandiant’s APT1 Report – Real or Fake?

Anyone in the malware/forensic/security industry has probably heard about the report released by Mandiant titled  APT1: Exposing One of China’s Cyber Espionage Units. This paper (which is incredible by the way) outlines several years of research on APT1, including their attack methods, targets, and general goals. It was only a matter of time before Mandiant’s report was a target for a new attack.

Now, we are seeing spear phishing emails taking advantage of the widespread, highly intriguing news. What a better way to attack those who are interested in the topic, right? The emails identified appear to be someone (particularly from the media) recommending the report to the user, and even attaching the document for their convenience (file names such as Mandiant.pdf and Mandiant_APT1_Report.pdf). Unfortunately, the report attached is not the actual report (gotcha!) but is a malicious pdf. When a user opens this pdf, the malicious code embedded exploits the recent Adobe vulnerability (CVE-2013-0641) in order for malicious actors to execute remote code on a system. In the end, the PDF drops malware. The type of malware installed depends on the version of the malicious PDF, and is classified differently by each security vendor, but either way it’s not good.

Moral of the Story

1. Do not open email attachments titled Mandiant.pdf or Mandiant_APT1_Report.pdf, or any other variation

2. Do not trust email attachments, period. Always verify the attachment is legitimate, even from a trusted sender (emails can easily be spoofed, and the amount of phishing emails these days can lead to many compromised IDs)

3. Update your Adobe software ASAP. CVE-2013-0641 is now patched with their most recent update.

4. Always keep your Anti-Virus updated (even you Mac users!). I’ve been working with SUPERAntiSpyware lately, and it’s done a wonderful job at detecting most of these recent infections.

5. Always hover. If there’s a link within the email, hover your mouse over the link before clicking it. The email may show that the link goes to www.goodsite.com, but hovering your mouse may reveal that it actually leads to www.badsite.com.

6. If you want to read the real report from Mandiant, I have linked the report within my paragraph above. If you do download any reports, check the MD5 hashes that Mandiant provided for it:

Mandiant_APT1_Report.pdf

MD5: 936FEB234F60CFBF6916BA61FBAB2781

SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84

Mandiant_APT1_Report_Appendix.zip

MD5: FD103F16BBBB28162C23BE3A47371AA9

SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154

References: Symantec’s Blog Post

Google Antivirus?

VirusTotal just announced today that they have been bought out by Google. HIP HIP HOORAY!

I personally am super excited to see what comes from the service from here on out. For those of you who might not know, virustotal.com is a wonderful site to start out analyzing malware. You can upload a malicious file or URL and it will do a quick analysis of the content, providing information on the hash values, exports and imports, metadata and more, while scanning it against 42 of the leading security vendors to determine what it gets detected as, if anything. Now that it is owned by Google, I see so much more potential for the service. Funding is everything now-a-days, and we all know Google basically owns everyone and everything. More funding can bring more (and better quality) services, better tools and more reliable data now that they have Google’s resources at hand.

What I told a coworker today was that VirusTotal is like my shy best friend I go to for advice before I take action. Google is like that friend I can’t get rid of, so I use them for what they can give me. Now that these two have meshed, my friend group just became stronger.

This is so exciting and I’m anxious to see what becomes of Virus Total in the future. Who knows…maybe Google will be coming out with their own AntiVirus one day in the near future.

Check out the blog post by VirusTotal to see what they have planned:
http://blog.virustotal.com/2012/09/an-update-from-virustotal.html

Malicious PDF Triage

Today was the first time I was able to analyze malicious PDFs. I previously knew nothing about how to treat these potential infections, but learned the tactics through research.

Malicious PDFs usually spread through spam emails, depending on uneducated users to open the PDF attachment. The PDFs will generally execute malicious code when opened, exploiting a vulnerability in an outdated version of Adobe Reader or Java to open a backdoor into the system. From there, the infection will call home every so often, waiting for instructions by an attacker.

Therefore, handling these files are a bit different than playing around with a malicious executable or dll. Standard static analysis tools (like PE Explorer, PEiD) do not support PDF files. Uploading the file to VirusTotal also showed no results. Everything I previously had known about static analysis did not apply in this case. Fortunately, there are a series of free tools out there that will help identify what kind of PDF you’re looking at. Disclaimer: Tools used by Didier Stevens can be found here

I started off by using a tool called PDFiD by Didier Stevens. This tool is really helpful in determining the strings within a PDF. It’s a python script, so it has to be run in command line (Python also needs to be installed). In command prompt, navigating to the directory where the script is stored, running “pdfid.py filename.pdf” will give you the output (for Mac python is pre-installed, so the command would be “python pdfid.py filename.pdf“)

The output will look similar to what you see above — the object string on the left and the number of instances it’s found on the right. The objects/strings to pay attention to are boxed in red. The /Page string tells you how many pages the PDF is. *Most malicious PDFs are only one page in length* The /JS and /JavaScript strings will tell you if there’s JavaScript embedded. *In this case, it’s 0, but if there is an instance of JavaScript, this is a red flag and requires further investigation* The /AA and /OpenAction functions are equally as important, because an instance of this would allow the JavaScript within the PDF to execute without user interaction.

Now, lets say there was an instance of JavaScript embedded with the PDF. How do we pull this out? Fortunately, Didier Stevens also has another python tool called PDF-Parser, which will pull apart the objects that make up a PDF file and display them (I would suggest having the output save to a text file for easier viewing. The results can be a bit overwhelming, but if you know what you’re looking for, a simple Control+F in the text file for /JavaScript will make life easier) Running the command “pdf-parser.py filename.pdf > filename.txt” will do this for you. You will then be able to determine what the JavaScript does, and how that relates to the opening of the PDF file.

A tool I found later down the road called PDFScope will combine the functionalities of pdfid and pdf-parser into one GUI that separates results by tabbed functions. It’s pretty nifty and easy to use to quickly get everything you want to know into one place.
Another interesting tool is part of the PDF Toolkit (Pdftk). Using the switch data_dump with the tool will pull all the metadata for the file.

 

The timestamps are represented as yyyymmddhhmmss (so in this case, the file was created on 7/24/2012 at 00:28:27 [12:28:27am]) The PDFID’s are MD5 hash values for the information within the metadata to help identify the data. Also, in this case the Title is different than the Filename — something to keep in mind.

In the case I dealt with today, there was no fun JavaScript or other red flags of a malicious document. The only off-setting qualities was that it was one page in length, and was discovered in a series of spam emails. In this case, this was just a phishing email. It basically said that so-and-so’s email was pulled in an international drawing, the ONLY won $2,000,000, and to claim the prize you needed to send all this information (including copies of passport and license) to a guy in Belgium (he clearly stated he’s in Belgium…email actually came from the Netherlands).

Even though the file was “boring”..it was still a great day learning about all this!