
Changing characters: something exotic in place of regular Latin script

Spammers use all types of tricks to bypass spam filters: adding ‘noise’ to texts, inserting redirects to advertised sites, replacing text with pictures - anything to stop the automatic filter from reading the keywords and blocking the message. Recently, we’ve been seeing a trend to replace Latin characters with similar-looking symbols from other alphabets. This “font kink” is especially typical of phishing messages written in Italian.

Non-Latin characters are inserted in place of similar-looking Latin characters both in the “Subject” field and in the body of the message. Here is an example of what headers obscured with ‘foreign’ symbols look like:
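Two checks a mail filter can apply to the trick described above, as an added example (not code from the original post): flag words whose letters come from more than one Unicode script, and fold a small hand-picked table of Cyrillic/Greek look-alikes back to Latin so that keyword rules still see "conferma" when the spammer wrote it with Cyrillic vowels. The confusables table, the keyword list and the sample subject lines are all assumptions constructed for the example.

```python
import unicodedata

# Hand-picked confusables: Cyrillic and Greek letters that render like Latin ones.
# Assumption: a small illustrative table, not the full Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X", "\u03bf": "o",
}

# Constructed sample subject lines (not taken from the original post); the second
# and third mix Cyrillic/Greek look-alikes into Italian phishing-style text.
SAMPLE_SUBJECTS = [
    "Conferma del tuo conto",
    "C\u043enf\u0435rma d\u0435l tu\u043e c\u043ent\u043e",
    "\u0391ggiornamento urgente",
    "Riunione 2014-04-24",
]

# Keywords a filter would normally match on (assumption for the example).
KEYWORDS = {"conferma", "conto", "aggiornamento"}


def script_of(ch):
    """Script name ('LATIN', 'CYRILLIC', 'GREEK', ...) of a letter, or None for non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split(" ", 1)[0]
    except ValueError:
        return "UNKNOWN"


def mixed_script_words(text):
    """Words whose letters come from more than one script, with the scripts seen."""
    flagged = []
    for word in text.split():
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            flagged.append((word, sorted(scripts)))
    return flagged


def fold_confusables(text):
    """Map known look-alikes back to Latin so keyword filters see the intended word."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyse_subject(subject, keywords=KEYWORDS):
    """Combine both checks: mixed-script words, and keywords that only appear after folding."""
    folded = fold_confusables(subject).lower()
    hidden = sorted(k for k in keywords if k in folded and k not in subject.lower())
    mixed = mixed_script_words(subject)
    return {
        "subject": subject,
        "mixed_script_words": mixed,
        "hidden_keywords": hidden,
        "suspicious": bool(mixed or hidden),
    }


if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(analyse_subject(s))
```

The mixed-script check alone misses a word where every letter has been swapped (it is then consistently Cyrillic), which is why the fold-and-match step is kept as a second signal.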

Posted: 24 Apr 2014 | 3:00 am

Bank of England seeks 'HACKERS' to defend vaults against e-thieves

Report: 20 major cash-holders to be probed by white hats

The Bank of England is planning to hire ethical hackers to conduct penetration tests on 20 "major" banks and other financial institutions, it has been reported…

Posted: 24 Apr 2014 | 2:37 am

NGOs: Fighting Human Rights Violations and, Now, Cyber Threat Groups

With so many non-government organizations (NGOs) in operation today around the world, we asked ourselves a question here at FireEye Labs. Who would think about targeting NGOs?  Steal from a nonprofit? It would seem unthinkable to most people. But, as we can see from a few recent examples below, this is a clear reality.

As more NGOs reach out to us, it is clear that the situation for them is not a pretty one. Based on the breaches we have observed in this space, it appears there are more than 15 distinct advanced threat groups active in NGO networks. The sheer volume and variety of threat groups active in NGO environments struck us as unusually high for a single industry and indicates the incredibly difficult threat landscape NGOs face.

Hamstrung by limited budgets to establish strong network defenses and few personnel who understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property. Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim for maliciously motivated threat actors.

Cyber Operations at NGOs: An Intelligence Collection Pursuit?

NGOs — particularly those based in the U.S. — have long been perceived as instruments of U.S. government policy. Regimes with a less-than-favorable view of the U.S. frequently consider NGOs’ work as a rallying point for domestic unrest and political opposition. Three nations that fit this description — China, Russia and Iran — are all rumored or known to have existing and growing cyber operations to support their governments’ political agendas. Data acquired from NGOs via network compromises has the potential to grant these nation-states valuable, predictive insights on key policy topics and NGO programming, as well as intelligence on personnel and their contacts.

Over the last few years, we have observed China-based advanced persistent threat (APT) groups frequently target U.S.-based NGOs. Unsurprisingly, they were organizations with programs that touched on Chinese human rights, democratic reforms, and social issues.  In these instances, data theft was not just limited to documents about NGO programming, but also included documents on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ operations, issues, and personnel. Not only were the threat actors better positioned to understand the NGOs’ values and plans, but, more importantly, they could potentially identify in-country contacts for the NGOs. These domestic contacts could face repercussions for their collaboration with the NGO.


Figure 1: A sample breakout of the types of documents stolen from an NGO

Sought-After Financial Data Goldmine

Because NGOs are often dependent on donations from large donors and dedicated supporters, they maintain or process financial data of potentially great value to cybercriminals who seek to steal PII. This financial information could be used to perpetrate identity theft and other types of criminal exploitation, including the theft of credit card numbers, bank account information, and other PII of wealthy individuals. There are numerous cases of non-profits that were either breached via network compromise or even experienced the physical theft of devices that gave perpetrators access to databases filled with valuable information such as names, addresses and social security numbers. In one instance, a simple website misconfiguration exposed one nonprofit’s database of donors and their personal information.

The acknowledged wealth of many NGO donors likely contributes to the motivations financial threat groups would have in targeting NGOs. FireEye tracks a number of criminal threat groups who conduct network intrusions to obtain data similar to the kind NGOs manage in large quantities. These threat actors may seek financial gain from cyber operations through direct theft of funds or the resale of data they have stolen. Because NGOs maintain valuable financial data, and perhaps other data they perceive to be valuable, criminal threat actors may target these networks with the intent to profit.

Perception of Weak Defenses

When criminals are looking for an easy target, NGOs’ networks may be perceived to be easy pickings. Just as the common thief would rather steal items of value from a house without an alarm than one with, the same is true with advanced threat actors and cybercriminals. NGOs possess information of value that a variety of threat actors desire, and their networks can sometimes be far easier targets than government institutions or large commercial organizations, due to their typically limited resources when it comes to network security and defense.

Although NGOs face a unique landscape when it comes to advanced threats in terms of the sheer number of threat groups targeting them and the widely varying possible impacts of a breach, their operations and needs share many similarities with those of our small- and medium-sized business (SMB) customers. To that end, FireEye Labs recommends reviewing our latest SMB-focused white paper for more insight into what the broader threat landscape looks like for NGO-like organizations. A copy of the paper can be found here: http://www2.fireeye.com/smb_five_reasons_wp.html.

Posted: 24 Apr 2014 | 1:00 am

Tokyo airport employee loses handwritten passcodes ahead of Obama visit

An employee of Skymark Airlines at Tokyo's Haneda International Airport mislaid a printout containing key passcodes on Sunday, just days before President Obama's scheduled visit.

Posted: 23 Apr 2014 | 2:45 pm

Cybercriminals Take Advantage Of Heartbleed With Spam

Since news about Heartbleed broke earlier this month, the Internet has been full of updates, opinions and details about the vulnerability, with personalities ranging from security experts to celebrities talking about it. Being as opportunistic as they are, cybercriminals have taken notice of this and turned the furor surrounding Heartbleed into a lure for a spam attack.

Figure 1. Heartbleed spam

The spammed mail is a simple-looking one, as far as spam goes. The body is plain text, notifying the user about the ‘big security concern on the internet’ that is Heartbleed, and gives advice as well as a link to an alleged CNN report about the matter. The spam purports to be from an individual named ‘Dexter’ who appears to reside in Riyadh, Saudi Arabia.

The link doesn’t lead to the CNN website at all, or any website in its domain. As with all spammed links, it leads to a different URL that, as of this moment, seems to have been taken down or rendered inaccessible. Of course, it’s a good bet that it was malicious in the first place.

Cybercriminals are ready and willing to use all newsworthy topics for their social engineering schemes, including big security incidents and advisories. With the Heartbleed Bug being about as big and as serious as a security issue can get – not only does it affect some of the most popular websites on the Web today, but it can also strike from mobile apps – users need to anticipate that threats may strike in a way they never really expect.

Always be vigilant, alert and skeptical – especially when it comes to what you get in your e-mail. It may be a spammed mail you’re looking at. Clicking links in email is generally not a good idea; it’s more secure to go directly to the relevant site instead.

Trend Micro customers are of course defended against this particular attack, with the spammed mail and the URL blocked.

As for Heartbleed itself, we’ve released some tools you can use to protect yourself against this threat – namely our Trend Micro Heartbleed Detector App for Android (which notifies you of vulnerable apps and uninstalls them for you) and our Trend Micro OpenSSL Heartbleed Scanner App for Chrome (which checks specific sites for Heartbleed vulnerability). We’ve also got our Trend Micro Heartbleed Detector Website if you wish to use that instead.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Posted: 23 Apr 2014 | 9:49 am

F-Secure and David Hasselhoff

We first blogged about David Hasselhoff in 2011 (see: Don't hassle the Hoff on F-Secure's watch).

The case from 2011 involved a remote access trojan which had a feature called "David Hasselhoff Atach".


And now, in 2014, David Hasselhoff is becoming the Freedome Ambassador for F-Secure.


We will be launching our Digital Freedom Manifesto at the re:publica conference in Berlin together with David. For real.

For more information, see our Digital Freedom site.

On 22/04/14 At 02:04 PM

Posted: 22 Apr 2014 | 4:09 am

8×8 Script Leads to Infinity Drive-By

The “8×8” script I’m referring to includes a link that looks like this:
hxxp://www.example .com/JB3xd6iX.php?id=87342871

It can be detected using a regular expression that looks something like this:
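The regular expression itself did not survive extraction, so here is an added example (my own code, not the author's) that implements the pattern the post describes: an eight-character filename ending in `.php` followed by `?id=` and an eight-digit value. The regex, the defanged `hxxp` handling and the proxy log lines are assumptions constructed for the example.

```python
import re

# Matches the "8x8" link shape described in the post: eight alphanumerics before
# ".php", then "?id=" and exactly eight digits. Also accepts the defanged "hxxp"
# spelling used in write-ups. Assumption: my regex, not the author's.
EIGHT_BY_EIGHT = re.compile(
    r"\bh(?:tt|xx)ps?://(?P<host>[^/\s\"']+)/(?P<name>[A-Za-z0-9]{8})\.php\?id=(?P<id>\d{8})(?!\d)"
)

# Constructed proxy log lines (not from the original post). Only lines 1 and 4
# carry the 8x8 shape; the others are near misses (wrong name length, 7 or 9 digits,
# extra path component).
SAMPLE_LOG = """\
2014-04-20T10:01:02Z 10.0.0.5 GET http://www.example.com/JB3xd6iX.php?id=87342871 200
2014-04-20T10:01:03Z 10.0.0.5 GET http://www.example.com/index.php?id=12345678 200
2014-04-20T10:01:04Z 10.0.0.7 GET http://cdn.example.org/a1B2c3D4.php?id=0000001 200
2014-04-20T10:01:05Z 10.0.0.9 GET http://static.example.net/Zz9Yy8Xx.php?id=55667788 302
2014-04-20T10:01:06Z 10.0.0.9 GET http://static.example.net/images/Zz9Yy8Xx.php?id=556677889 404
"""


def find_8x8(text):
    """Return (host, script name, id) for every 8x8-shaped URL in text."""
    return [(m.group("host"), m.group("name"), m.group("id"))
            for m in EIGHT_BY_EIGHT.finditer(text)]


def scan_log(log):
    """Run the pattern over each log line and report hits with their line numbers."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for host, name, ident in find_8x8(line):
            hits.append({"line": lineno, "host": host, "script": name, "id": ident})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The pattern is deliberately strict on lengths (`{8}` and `\d{8}` with a negative lookahead), because the only thing that distinguishes these links from ordinary `page.php?id=` requests is that exact shape; loosening it would make the rule fire on normal CMS traffic.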

One set of links redirects users to social engineering scams (e.g. a fake Adobe Flash Player update) that I wrote about earlier. Another set redirects users to Infinity EK (aka “RedKit”, “GoonEK”).

First, let’s see what this drive-by looks like from the user’s perspective.

The user visits a website that’s been compromised. On one of the webpages, there’s a script whose filename contains eight random characters, followed by an ID value of eight digits (i.e. the “8×8” script).


The user is then redirected to another legitimate website that’s been previously compromised. This site serves up a script that leads to another site.


This site is also legitimate and compromised. It houses the Infinity Exploit Pack script which tries to exploit the user’s browser.


This is what the deobfuscated version of the landing page looks like. If the exploit is successful, there’s a request for the malicious payload file back to the same site.


Infinity has an arsenal that includes two Java, two MSIE, Flash, and Silverlight exploits. The author(s) have been adding updates to their arsenal as well as modifying the links and infrastructure since the last time I analyzed it as RedKit v2.0.

Now let’s look at what’s happening behind the scenes. A webmaster provided me with suspicious files from his compromised website after I informed him his site was redirecting users to a drive-by. (I promised I would not reveal his site name so I redacted and/or modified the following screens.)

Turns out his site was compromised two different times. The first time, the attacker modified at least one HTML page and inserted the following script tags:


Sometime later, the/another attacker modified the index.php file and inserted a PHP script that would download content from another website.


Running this script makes a request to a backend server and produces a seemingly endless number of new links:


I was very fortunate that the compromised website had both the infected index.php file and the 8×8 script on his server. The link above leads to a PHP script on another site but I’m pretty certain it’s the same as the one below (which is also the same as the one I wrote about earlier).


Deobfuscating the script is no longer a chore so I can extract the contents of the encrypted config string.


Running it produces the TDS IP, key, and other information:


So this is what’s going on…


Here’s a series of packets showing this:


The scripts are all the same and therefore appear to be the work of the same gang behind RedKit v2, Box Fraud, Goon EK, and Infinity.

Posted: 6 Apr 2014 | 10:40 pm

Botnet bruteforcing Point Of Sale terminals via Remote Desktop

Every single day our automated systems analyze hundreds of thousands of malicious samples. Yesterday one of the samples caught my attention because the malware started performing brute-force attacks against Remote Desktop using certain usernames and passwords.

MD5: c1fab4a0b7f4404baf8eab4d58b1f821

Other similar samples:

Once started, the malware copies itself to \Documents and Settings\Administrator\Application Data\lsacs.exe and starts communicating with the C&C, sending data about the status of the bot (number of hosts brute-forced, packets per second, number of threads, version, etc.).

The server replies with a configuration block containing:

- Login/Password list to use during bruteforcing

- Timestamp

- List of IP Addresses to attack

- Number of threads to use

- Interval 

As you can see, some of the usernames/passwords they are using (pos, pos1, pos01, shop, station, hotel, atm, atm1, micros, microssvc) are the defaults commonly used in Point of Sale terminals by retailers and businesses all around the world.

The control panel of the botnet is also hosted in the same server:

This is not new; we know cybercriminals have been using this technique to compromise Point of Sale systems for years. Once they gain access to the terminal using one of the default credentials, they upload a second-stage payload commonly known as a memory scraper, a piece of malware that searches for credit card data in memory before it has been encrypted. Some examples are:

- BlackPOS


- VSkimmer

- Alina

- RetalixScrapper

- Dexter

These pieces of malware are able to extract the credit card data from the terminal and exfiltrate the data to the attackers that will then sell the information in the black market.

When it comes to detecting an infected system in your network, this is how our AlienVault Unified Security Management (USM) detects a compromised asset:


USM is able to detect both the communication with the C&C server and the network activity that is generated when the malware performs brute-force attacks against devices on the Internet. It is worth mentioning that the C&C server IP address was already in our Open Threat Exchange database, and the correlation engine used that information to generate an alarm about a system compromise.
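The two signals described above (a known C&C address in a threat-intel list, and one internal host fanning out over RDP to many destinations in a short window) are easy to reproduce from connection records. The following is an added example written for this page, not AlienVault's or USM's code. The flow records, the threshold, the window and the C&C address are constructed assumptions (documentation-range IPs, not the real C&C from the post); the list of default POS account names is the one quoted in the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389
FANOUT_THRESHOLD = 20          # distinct RDP targets from one host inside WINDOW (assumption)
WINDOW = timedelta(minutes=5)
FMT = "%Y-%m-%d %H:%M:%S"

# Placeholder threat-intel entry (documentation address, not the real C&C IP from the post).
KNOWN_C2 = {"203.0.113.10"}

# Default POS account names quoted in the post.
DEFAULT_POS_ACCOUNTS = {"pos", "pos1", "pos01", "shop", "station", "hotel",
                        "atm", "atm1", "micros", "microssvc"}


def build_sample_flows():
    """Constructed connection records (timestamp, src, dst, dport): one infected host
    that checks in with the C&C and then fans out over RDP to 25 external hosts,
    plus one admin workstation with ordinary RDP use to three internal servers."""
    base = datetime(2014, 3, 10, 9, 0, 0)
    flows = [(base.strftime(FMT), "10.0.0.23", "203.0.113.10", 8080)]
    for i in range(1, 26):
        ts = base + timedelta(seconds=5 * i)
        flows.append((ts.strftime(FMT), "10.0.0.23", f"198.51.100.{i}", RDP_PORT))
    for i, server in enumerate(("10.0.0.100", "10.0.0.101", "10.0.0.102")):
        ts = base + timedelta(minutes=5 + i)
        flows.append((ts.strftime(FMT), "10.0.0.40", server, RDP_PORT))
    return flows


def detect_c2_contacts(flows, c2=KNOWN_C2):
    """Any (src, dst) pair where the destination is on the threat-intel list."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in c2})


def detect_rdp_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Sliding window per source: alert when one host reaches >= threshold distinct
    RDP destinations within the window (the brute-force scanning behaviour)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == RDP_PORT:
            by_src[src].append((datetime.strptime(ts, FMT), dst))
    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            alerts.append({"src": src, "distinct_rdp_targets": best})
    return alerts


def is_default_pos_account(username):
    """True if a login attempt uses one of the default POS account names from the post."""
    return username.strip().lower() in DEFAULT_POS_ACCOUNTS


if __name__ == "__main__":
    flows = build_sample_flows()
    print("C&C contacts:", detect_c2_contacts(flows))
    print("RDP fan-out:", detect_rdp_fanout(flows))
    print("default account?", is_default_pos_account("POS01"))
```

Counting distinct destinations rather than raw connection attempts is what keeps the admin workstation (three servers, many sessions) below the threshold while the bot, which touches a new address every few seconds, crosses it quickly; in a real deployment the threshold and window would be tuned against the site's own RDP baseline.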



If you want to try it yourself, you can download our open-source SIEM, OSSIM, or the free 30-day trial of AlienVault Unified Security Management (USM).

We have shown how these threats can impact companies using Point Of Sale terminals, especially those retailers and small and medium businesses that don't have visibility into the systems that are part of their networks and handle credit card information.

Some recommendations to protect against these kinds of attacks are:

- Change default credentials of POS systems

- Configure an access control list

- Keep your software up-to-date

- Install an antivirus solution

- Centralize and monitor the logs from your POS systems to detect potential security breaches


Posted: 11 Mar 2014 | 2:34 am

16,800 clean and 11,960 malicious files for signature testing and research.

Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have.

Clean documents are collected from various open sources. All copyright rights belong to the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.

Download all

All files use the same password (scheme). Email me if you need the password.

  1. EXE
  2. XLS(X), DOC(X), RTF
  3. ZIP, 7Z, RAR
  4. JAR
  5. PDF
    PDF - 9000_files   and  PDF -100+with embed_3d_video_swf_ js
  6. MACH-O

  1. PDF
    MALWARE PDF NEW -170 FILES MALWARE PDF PRE_04-2011_10982_files

  2. RTF, XLS
    MALWARE RTF_CVE-2010-3333_RTF_92files
  3. MACH-O
  4. ELF
  5. JAR


Windows executables. I am not posting any because you can quickly generate your own from any VM.
See exe collect utility by Stephan Chenette. https://github.com/IOActive/SearchAndCollect

RTF - 200_files
XLSX -100_files

7z, ZIP, RAR
Encrypted and not.


P.S. - please remove _185-1 (86).rar from RAR_OFFICE+PDF_500_files_pass_1234!@#$ as it is not clean; it sneaked in accidentally. It has already been removed from the current set.


PDF - 9000_files
PDF -100+__embed_3d_video_swf_ js - clean pdf documents with special features - embedded javascript, 3d objects, flash, video, etc.



These 4 files were removed as questionable (perl2elf utility with obfuscated perl code)



PDF-XDP _3files
MALWARE_PDF_PRE_04-2011_10982_files - files from web exploit packs - older than April 2011.

MALWARE RTF_CVE-2010-3333_RTF_92files
MALWARE_ENCRYPTED_XLS_16files  - CVE-2012-0158




Posted: 4 Feb 2014 | 6:48 pm

Cyber Engineering Services Announces the Cyber Red List

Cyber Engineering Services Announces the Cyber Red List, Industries That Have Been Cyber Walloped Since 2010

List Highlights Smaller Defense Supply Chain Partners, Legal Counsel and Public Relations/Advertising as Major Targets for Cyber Attacks

COLUMBIA, MD – May 7, 2013 – Based on its observation of thousands of cyber attacks over the 30 months since its founding, Cyber Engineering Services today announced the launch of the Cyber Red List. Developed using the company’s proprietary technology that enables Cyber Engineering Services to identify cyber attacks in progress, the Cyber Red List details the industries that have been hardest hit by cyber attacks since November 2010, and identifies accompanying environmental indicators that place organizations at a higher level of risk.

“Size doesn’t matter when you’re looking at cyber attack victim commonalities; the kind of data you have does,” commented Joseph Drissel, CEO of Cyber Engineering Services and former acting chief of the Department of Defense Computer Forensics Lab cyber intrusions section. “Based on what we’ve read in the news lately, it would be easy for companies with revenues of $1 billion and under to get the false impression that only the big contractors, the news organizations, and companies that are involved in Chinese diplomacy are targets. The Cyber Red List shows that what motivates the adversary is the kind of information you deal in and have access to – weapons, communications, energy, policy, and research – and often the smaller companies don’t have the resources in place to effectively seal their networks. We help them get the same level of data protection as the big guys.”

Cyber Engineering Services is an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT). Its proprietary technology, called Legal Non-Invasive Malware Exploitation technique (LNIME), provides the company substantial insight into the malicious activities of cyber adversaries. Cyber Engineering Services works on behalf of its clients to:
• Identify, in real time, when a cyber attack is happening,
• Stop an attack before critical data is lost,
• See live command-and-control keystrokes of the adversary, and
• Engage with the adversary to regain control of networks.
“A huge volume of our country’s intellectual property is owned by companies that supply or collaborate with large contractors or government agencies, yet what is most alarming is that many of these companies don’t have the cyber security infrastructure that their larger, better-funded counterparts do,” Drissel went on to say. “The smaller players not only have the most to lose in terms of IP and valuation, but the potential implications for national and international safety, security, health and well-being are vast. All it takes is one hole in the network to result in a massive data loss. We identify and then plug those holes to keep the bad guys out and seal data in.”
For media inquiries, contact: Media@CyberEngineeringServices.com.

The Cyber Red List

Cyber Engineering Services has observed cyber attacks in thousands of networks since the company’s inception in November 2010, many of which resulted in significant data losses for the compromised companies. The following is a snapshot of industries that were most targeted based on the data gathered through Cyber Engineering Services Legal Non-Invasive Malware Exploitation (LNIME) technique. The vast majority of compromises took place in organizations with revenues of less than $1 billion USD annually.

1. Defense, Homeland Security, International Security including unmanned aerial vehicles (UAV), satellite communications, aerospace and military communications, rocket and propulsion systems, and radar systems.

2. Critical infrastructure including energy, oil, gas, transportation, banking, and telecommunications.

3. Sensitive data exchange environments including law firms, public relations and advertising agencies whose clients do business in energy, oil, transportation, communications, and defense.

4. Long-term policy information including from lawmakers, think tanks, diplomatic and policy organizations.

5. Research and Development-focused industries including laboratories, pharmaceutical and medical facilities.

Additionally, the following environmental indicators were present in cyber attacks among the targeted industries:

1. Where data is shared electronically via email, the internet, on a smartphone or other handheld device;
2. Where the Advanced Persistent Threat or competitor could degrade or otherwise manipulate data to source, duplicate, transport, purchase, sell, manufacture or supply a product or service through alternate means;
3. Where there is a global nexus.

Due to the highly sensitive nature of the data that was breached in these attacks – inclusive of data protected under the International Traffic in Arms Regulations (ITAR) – Cyber Engineering Services does not disclose the names of the victims or the technical information that was stolen. Cyber Engineering Services has reported these incidents directly to the victims, as well as followed established protocols to report to the government agencies that oversee these functions.

Cyber Engineering Services, an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT), compiled the Cyber Red List to raise awareness among victim organizations – especially smaller organizations, often with fewer cyber security resources – of the need to protect mission- and operation-critical data assets from cyber attacks. Cyber Engineering Services’ team of experts works with clients to control their networks and protect their most valued data assets using unrivaled technical skills, investigative curiosity and tenacity to prevail. For more information, contact Media@CyberEngineeringServices.com.

# # #

Posted: 6 May 2013 | 8:21 pm