GameOver Zeus

This week, a ring of cybercriminals responsible for the GameOver Zeus botnet was shut down following an international police effort. Behind this malware was an organized group responsible for stealing data and money from millions of users.

This malware has been around for several years and is known and blocked by Avira. The latest version has been somewhat harder to detect because of its encryption, and since March it has been bundled with the Necurs rootkit.

 

How it works

Victims are often infected via their mailbox: they receive spam (for instance a fake invoice, a voice message notification, or a job offer) with an attached file. If the file, which looks like a regular document, is opened, the machine gets infected with the GameOver Zeus malware.

GameOver Zeus is a P2P (peer-to-peer) variant of the Zbot (Zeus) family, which steals online banking credentials. It is also used for other malicious activities such as spamming, spreading other malware or launching distributed denial of service (DDoS) attacks. GameOver Zeus is estimated to have infected 1 million users around the world and has induced over tin losses.

One illustration of the malware it spreads is Cryptolocker, a piece of ransomware. Unlike common ransomware, which usually locks the PC and asks for money to unlock it, this malware encrypts the files on the hard drive (e.g., photos or documents). Access to these files is blocked until the user pays a ransom to unlock them. An estimated 250,000 computers have been infected and over 25 million dollars were paid in ransom to get rid of Cryptolocker.

[Image: cryptolocker]

Technical background

Here are some of the decrypted strings from GameOver Zbot related to data theft:

0x51: "inject"
0x53: "bitcoin-qt.exe"
0x54: "bitcoind.exe"
0x55: "wallet.dat"
0x56: "bitcoin\wallet.txt"
0x57: "bitcoin\wallet.dat"
0x58: "MY"
0x59: "pass"
0x5C: "Grabbed"
0x60: "ftp"
0x61: "ftps"
0x62: "pop3"
0x63: "pop3s"
0x64: "anonymous"
0x65: "Google Talk"
0x66: "message"
0x67: "from"
0x68: "to"
0x69: "body"
0x6A: "From: %s – To: %s"

0x83: "Macromedia\Flash Player"
0x86: "Windows Address Book"
0x89: "Windows Contacts"
0x8C: "EmailAddressCollection/EmailAddress[%u]/Address"
0x8D: "Windows Mail Recipients"
0x8E: "Outlook Express Recipients"
0x90: "account{*}.oeaccount"
0x92: "Software\Microsoft\Windows Live Mail"
0x94: "Salt"
0x96: "Windows Mail"
0x97: "Windows Live Mail"
0x98: "MessageAccount"
0x99: "Account_Name"
0x9A: "SMTP_Email_Address"
0x9B: "%sAccount name: %s
E-mail: %s"
0x9C: "%s: Server: %s:%u%s – Username: %s – Password: %s"
0x9D: "%s_Server"
0x9E: "%s_User_Name"
0x9F: "%s_Password2"
0xA0: "%s_Port"
0xA1: "%s_Secure_Connection"
0xA2: "SMTP"
0xA3: "POP3"
0xA4: "IMAP"
0xA5: " (SSL)"
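The strings above are what an analyst would expect to find in the memory of an infected process, so a natural detection check is to search a memory dump for them. The following scanner is an added example and is not code from the Avira post: the indicator strings are taken from the list above, while the split into strong and weak indicators, the scoring rule, the function names and the two sample dumps are constructed for this example.

```python
# Added example, not from the Avira post: scan a memory dump for the decrypted
# GameOver Zbot data-theft strings listed above and decide whether it deserves
# analyst attention. The indicator strings come from the post; the scoring rule,
# function names and the two sample dumps are constructed for this example.

# Distinctive strings: unlikely to occur together outside this malware family.
STRONG_INDICATORS = [
    b"bitcoin-qt.exe",
    b"bitcoind.exe",
    b"bitcoin\\wallet.dat",
    b"bitcoin\\wallet.txt",
    b"account{*}.oeaccount",
    b"Software\\Microsoft\\Windows Live Mail",
    b"EmailAddressCollection/EmailAddress[%u]/Address",
    b"%s_Password2",
    b"%s_Secure_Connection",
    b"SMTP_Email_Address",
]
# Generic strings: present in many legitimate processes, so they only count as
# supporting evidence next to at least one strong hit.
WEAK_INDICATORS = [
    b"inject", b"wallet.dat", b"Grabbed", b"ftp", b"ftps", b"pop3", b"pop3s",
    b"Google Talk", b"Windows Address Book", b"Windows Contacts",
    b"Windows Mail Recipients", b"Outlook Express Recipients",
    b"SMTP", b"POP3", b"IMAP",
]


def find_indicators(dump: bytes):
    """Return the strong and weak indicator strings present in the dump."""
    strong = [s.decode() for s in STRONG_INDICATORS if s in dump]
    weak = [s.decode() for s in WEAK_INDICATORS if s in dump]
    return strong, weak


def scan_dump(dump: bytes) -> dict:
    """Score a dump. Rule (constructed for this example): two or more strong
    hits, or one strong hit backed by three or more weak ones, flags the dump;
    weak hits alone never do, which keeps mail clients and FTP tools out."""
    strong, weak = find_indicators(dump)
    flagged = len(strong) >= 2 or (len(strong) == 1 and len(weak) >= 3)
    return {"strong": strong, "weak": weak, "flagged": flagged}


# Constructed sample dumps: a fragment resembling an infected process's memory
# and a fragment from an ordinary mail client.
INFECTED_DUMP = (
    b"MZ\x90\x00" + b"kernel32.dll\x00"
    + b"bitcoin\\wallet.dat\x00%s_Password2\x00%s_Port\x00"
    + b"Windows Live Mail\x00pop3s\x00ftp\x00" + b"\xff" * 32
)
MAIL_CLIENT_DUMP = b"Windows Contacts\x00SMTP\x00IMAP\x00to\x00from\x00"

if __name__ == "__main__":
    for name, dump in (("infected", INFECTED_DUMP), ("mail client", MAIL_CLIENT_DUMP)):
        result = scan_dump(dump)
        print(f"{name}: flagged={result['flagged']} "
              f"strong={result['strong']} weak={result['weak']}")
```

The weak list deliberately carries no weight on its own: "from", "to", "SMTP" or "IMAP" sit in the memory of every mail client, and a rule that fired on them would drown the analyst in false positives. Running the scanner over a real dump means reading it in binary mode and passing the bytes to scan_dump().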

 

How can you protect yourself?

  • Keep the OS and all applications updated: updates are vital for patching vulnerabilities and other known issues in the OS or application.
  • Change passwords regularly.
  • Stay safe online with antivirus software: http://www.avira.com/en/avira-free-antivirus
  • Keep Avira Antivirus updated with the latest signatures and run periodic scans.

 

What to do in case of infection?

We strongly recommend running a system scan using the Avira Rescue System which blocks malware from affecting scan results.

Here are some additional steps you can take in case your computer has a malware infection.

The most important thing: Never, ever pay the ransom!

Unfortunately, you cannot decrypt the files the malware encrypted on your own: because it uses asymmetric cryptography, the key needed for decryption is never stored on the infected machine, which makes this task practically impossible. The only way to get your files back is to restore them from a backup.

 

References

http://www.us-cert.gov/ncas/alerts/TA14-150A

Mikel Echevarria Lizarraga

Oscar Anduiza

How to check if you were affected by the eBay data breach

The eBay security breach announced by the company today is potentially the biggest security breach of all time. Yet again, sloppy security standards on the part of a major consumer internet company have allowed cybercriminals to gain access to up to 233 million eBay user credentials, including emails and passwords, and personal details including dates of birth, addresses and phone numbers. In November 2013 another consumer internet company, Adobe, announced that 160 million user details had been exposed in similar fashion.

Even more troubling is that the eBay breach happened over 3 months ago, but was only discovered in the last 2 weeks. And only announced today!

eBay Inc. said that beginning later today it will be “asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. [...] The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.”

While eBay-owned PayPal is said by the company to be unaffected by the breach, there remains the risk that many eBay users use the same credentials for both their eBay and PayPal accounts.

eBay’s advice is for all users to change their passwords as soon as possible, and this is certainly the best thing to do. But do not stop there! Once cybercriminals have your email and password for one service, they will try the same details against your bank, social networks or email accounts, looking for any way to steal your money or access your personal details. If you think your eBay details may have been compromised, you should change your password on every service where you may have used the same one. Choose a strong password with a mixture of upper case, lower case and numbers, and avoid dictionary words or anything built from your personal details!

Identity theft is big business and is the fastest growing area for cybercriminals in 2014. At Avira, we are working hard to develop new ways to combat the threat. Our free Identity Safeguard feature, available on both iOS and Android, lets users stay alerted to the latest security breaches and check whether their email address has been breached and publicly posted on the internet.

To get Identity Safeguard on your mobile device, install Avira Mobile Security for iOS (via iTunes) or Android (via Google Play).

Leon Crutchley

Avira Mobile Security

Improve your browser’s security and privacy in 5 steps

No matter which source of statistics you take, all agree that the most used browsers are Chrome, Firefox and Internet Explorer.


There have been many studies and tests done to find out which is the most secure of them.

However, such tests can only show how well each browser matches a fixed set of checks, usually called a “security baseline”, and that baseline changes radically every month.

No browser is 100% bulletproof, even if some browsers fix the security vulnerabilities faster than others.

Here is how you can make your browsing experience better. “Better” in this context means more secure, more private and maybe even a bit faster (indirectly).

 

1.  Keep the browser up to date

This is the first step in hardening the browser because a vulnerable browser can be exploited by just visiting certain websites without you knowing anything.

Always allow automatic updates and install them as soon as they are available. If you are unsure, install a free tool that monitors your software for vulnerabilities. Read more about this here.

 

2. Increase the built-in security of the browser

This is the second step in hardening the browser and can mean a lot of things:

- configure the browser to reject third-party cookies

- deactivate the plugins that you usually don’t need, such as ActiveX, Java, Flash and so on

- enable the built-in anti-phishing and anti-malware protection

- configure the browser to send a “Do Not Track” request with your browsing traffic

- whenever possible, deactivate active scripting; be aware though that some websites will simply not function without scripting (especially JavaScript)

In Internet Explorer many of these settings can be applied by changing the “Security” and “Privacy” levels to High in the settings.

- turn on the built-in pop-up blocker

- disable any old-school toolbars that don’t bring you any kind of benefit (do you really need to see the weather or have a translator at hand all the time?)

 

3. Choose carefully what plugins you install

Plugins or add-ons are a very powerful mechanism for easily extending the functionality of the browser. But so much power has its other side of the coin as well. There are many plugins, even in the official browser stores, that are either malicious or have very serious security and privacy issues. The worst part is that for the normal user these issues are not visible until it is too late. Always keep in mind that a plugin has full access to everything you click and see in the browser. Yes, including everything that you browse over encrypted connections. The plugin resides in the browser and has access to what the user sees, so the content is already decrypted and there is absolutely nothing that can prevent a malicious plugin from sending everything (bank information, personal data, etc.) to some internet address.

Always have a look at the ratings given by other users before you install an add-on, and keep an eye on the permissions it requests as well. For example, if an instant messaging add-on requires access to all the URLs you visit, this might be suspicious.

 

4. Install security and privacy plugins

There are add-ons that improve your security by filtering the URLs you visit or even dynamically analyzing the content of the web pages. One example is Avira Browser Safety.

If you prefer to choose the extensions by yourself, here is a longer list to prevent tracking and here to prevent advertising.

You should also give Web of Trust (also known as WOT) a try as it is based on crowdsourcing and promises an independent view on the status of the URLs.

 

5. Force the usage of SSL whenever possible

Add-ons such as HTTPS Everywhere choose the HTTPS connection over the HTTP one whenever it is available.

 

Sorin Mustaca

IT Security Expert

 

Link shortening service Bitly hacked, users asked to reset credentials

Link shortening service Bitly late Thursday announced it has suffered a data breach, and urged all users to reset their credentials. 

Bitly’s CEO wrote in the blog post that they have “reasons to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens”.

This is really bad because resetting the password alone is not enough. Each user also has to update every application that was using the service through those OAuth tokens.


Even though the company assures users that it has no indication at this time that any accounts have been accessed without permission, this is no guarantee. And indeed, Bitly has reset all Twitter and Facebook connections. Fortunately, they can be restored with just one click.

Following are step-by-step instructions to reset your API key and OAuth token:

1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.

2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’

3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.

4) Go to the ‘Profile’ tab and reset your password.

5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’

 

 

Sorin Mustaca

IT Security Expert

One month beyond the end of support of Windows XP

It is now a month since Microsoft’s official support for Windows XP ended. Read here about strategies to move away from it.

In the meanwhile, all XP users are getting this message:

[Image: xp-eol]

If you click on the link in the above picture, you get to this page, where you are kindly asked to move away from Windows XP and take Windows 8:

[Image: xp-eos]

 

What happened in a month?

Not much… except for one security update for Windows XP and a lot of companies (especially banks) and governments (Google search link) that paid for special support for Windows XP.

Yes, despite the fact that support has officially ended, Microsoft was forced to release an out-of-band patch for Internet Explorer 6 to 8 on Windows XP.

[Image: xp-updated]

 

 

What’s next ?

The honest answer is, we don’t know. But the events of the past years have shown us that there will be many more zero-day exploits. It remains to be seen whether Microsoft will choose to fix them for XP as well.

 

If you don’t want to be nervous while Microsoft decides whether or not to patch Windows XP, read this article and act accordingly.

 

Sorin Mustaca

IT Security Expert

 

Microsoft fixes the Zero-Day exploit for IE 6 to 11, also on Windows XP

We wrote about the new zero-day vulnerability in Internet Explorer that affects all IE versions from 6 to 11 and is being exploited in limited and targeted attacks. This vulnerability, identified as CVE-2014-1776, could allow remote code execution even if the user doesn’t click on anything.

Microsoft kept its promise and fixed the problem only 5 days after informing the public.

Most of the customers have automatic updates enabled and will not need to take any action, but if you want to manually trigger an update, just visit Windows Update.


What comes as a surprise is that Microsoft also issued the update for Windows XP, which is already beyond end of life. Microsoft writes in a blog post:

“We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

If you want to get the latest version of Internet Explorer, visit the dedicated page here.


Note that on Windows XP you can only install IE up to version 8. IE 9 to 11 do not run on Windows XP.

 

Sorin Mustaca

IT Security Expert

How to protect yourself against the zero-day exploit for Internet Explorer 6 to 11

A new zero-day vulnerability in Internet Explorer affects all IE versions from 6 to 11 and is being exploited in limited and targeted attacks. This vulnerability, identified as CVE-2014-1776, could allow remote code execution even if the user doesn’t click on anything. Remote code execution means that attackers could distribute malware via a drive-by installation.
The bad news is that there is still no patch at the time of writing this article.
The good news is that the attacks seen in the wild so far seem to have relied on hitting IE 9, 10 and 11, using Adobe Flash as a lever. This doesn’t mean that the older versions are not being hit; it may simply be that the cybercriminals are focusing their efforts on the masses who run IE 9 and newer.

 

How can you protect yourself

The current exploit can be mitigated by disabling Adobe Flash Player, which is the vehicle used in exploiting the IE flaw. Note that the bug isn’t in Flash, so this is not something Adobe can fix, nor is it Adobe’s fault (as unbelievable as it may seem). Specially crafted Flash files help attackers arrange the contents of your computer’s memory in a way that makes a successful attack possible.

Additionally, you should configure IE to ask you whenever a page requires Active Scripting. Ideally you would disable active scripting altogether, but many websites will simply not function without it. To change the setting, go to IE’s settings, click on Security, then Custom Level, and scroll down to the Scripting area.

[Image: activescripting]

Probably the better option is to deploy the latest version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). The utility contains security mitigation technologies that can protect the software running on your computer against attacks, even on Windows XP systems.

[Image: emet]

Just installing the application with default settings will give you some peace of mind.
Once Microsoft fixes the problem, you will have to update your Windows.

Of course, the last solution is to stop using Internet Explorer (you can’t uninstall it) and use an alternative browser. There are plenty out there, but start your search with Google Chrome, Mozilla Firefox and Opera.

 

What about Windows XP?

Well, XP is also vulnerable and, unfortunately, will remain so: Microsoft will not push the updates to this operating system once they are available.

However, by using the mitigation techniques presented above, you can still secure IE running on Windows XP as well.

Read more about Windows XP in this article.

 

 

Sorin Mustaca

IT Security Expert

What you need to know about the OpenSSL vulnerability “heartbleed”

At the beginning of this week a new vulnerability in OpenSSL called Heartbleed was made public.

OpenSSL is the library used by most computers to encrypt data sent across the Internet, and not only there. OpenSSL is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions (see below).

The vulnerability now has a dedicated ID, CVE-2014-0160 (see references): essentially it lets an attacker pull the keys used to encrypt your data directly from the memory of a vulnerable web server, thereby letting him read any traffic sent from that server, including usernames, passwords, financial information and more.

[Image: heartbleed]

Some technical details

The vulnerability lies in the way OpenSSL handles the heartbeat extension of the TLS protocol. In reply to a heartbeat request, OpenSSL returns the requested amount, up to 64 kB, of whatever happens to be in its memory. Sensitive data such as message contents, user credentials, session keys and server private keys have been observed in the reply contents. More memory contents can be acquired by sending more requests. The attacks have not been observed to leave traces in application logs.

To be clear, this vulnerability does not hack the server and it does not extract usernames and passwords from the server’s database. It “only” reads 64 KB chunks of the server’s RAM and sends them to the attacker. If, at the very moment the attacker reads the memory, confidential data happens to be in transit through that memory, then that data potentially reaches the attacker. Once the attacker obtains the secret key, it also allows him to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

What can you do?

Administrators

The worst part is that there is no way to tell if you have been exploited. There is no log, no error message, nothing.

Website administrators should check whether the OpenSSL in use is vulnerable. OpenSSL versions from 1.0.1 to 1.0.1f are vulnerable.

Vulnerable Linux distributions include:

  • Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
  • Debian Wheezy (before OpenSSL 1.0.1e-2+deb7u5)
  • Ubuntu 12.04 LTS, 13.04, 13.10

If it is vulnerable, the most prudent thing to do now is to update OpenSSL to v1.0.1g, then revoke the server certificate used to encrypt the traffic and get a new one. This sometimes comes for free, but most of the time it costs money if you want an official certificate instead of a self-generated one.
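The two administrator checks above, the version range and the heartbeat handling, can both be expressed in a few lines. The following script is an added example and is not code from the Avira post or from OpenSSL: is_vulnerable_version() applies the version range stated in the post, debian_wheezy_vulnerable() handles the post's own Debian example (a backported fix that keeps the upstream number 1.0.1e), and parse_heartbeat() shows the bounds check on the heartbeat payload_length field that the affected versions were missing. The function names, the simplified Debian version comparison and the sample records are this example's assumptions; the message layout follows RFC 6520.

```python
# Added example, not from the Avira post: two offline checks for administrators.
# is_vulnerable_version() applies the version range stated in the post (OpenSSL
# 1.0.1 through 1.0.1f affected, 1.0.1g fixed); parse_heartbeat() shows the
# bounds check whose absence was the bug: the payload_length field of a TLS
# heartbeat message (RFC 6520) must be checked against the bytes actually
# received before anything is copied back. Function names, the Debian helper
# and the sample records are constructed for this example.
import re
import struct

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def is_vulnerable_version(version: str) -> bool:
    """True for upstream OpenSSL 1.0.1 up to and including 1.0.1f."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, fix) != (1, 0, 1):
        return False      # other branches are outside the range the post gives
    return letter <= "f"  # "" (plain 1.0.1) through "f" vulnerable, "g" fixed


def debian_wheezy_vulnerable(pkgver: str) -> bool:
    """Distributions backport fixes without bumping the upstream number: the
    post's Debian example says Wheezy is fixed from 1.0.1e-2+deb7u5 although
    the upstream part still reads 1.0.1e, so the upstream check alone gives a
    false positive there. Simplified comparison for exactly that package
    version format; anything else is passed to the upstream check."""
    m = re.match(r"^1\.0\.1e-2\+deb7u(\d+)$", pkgver)
    if not m:
        return is_vulnerable_version(pkgver)
    return int(m[1]) < 5


HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(msg_type: int, payload: bytes, claimed_length=None) -> bytes:
    """Serialise a heartbeat message. claimed_length exists only to produce a
    malformed record for testing the validator below; a well-formed message
    always states the true payload length."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([msg_type]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat(record: bytes):
    """Return (type, payload) for a well-formed message, or None when it must
    be silently discarded (RFC 6520, section 4). The length comparison is the
    check the affected versions lacked: they copied payload_length bytes into
    the response regardless of how many had actually arrived."""
    if len(record) < 3 + MIN_PADDING:
        return None
    msg_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if 3 + payload_length + MIN_PADDING > len(record):
        return None  # claimed length exceeds the received bytes: discard
    return msg_type, record[3:3 + payload_length]


if __name__ == "__main__":
    for v in ("1.0.1e", "1.0.1g", "1.0.0", "1.0.1e-2+deb7u5"):
        status = "vulnerable" if debian_wheezy_vulnerable(v) else "not in the affected range"
        print(v, status)
    print(parse_heartbeat(build_heartbeat(HEARTBEAT_REQUEST, b"ping")))
    print(parse_heartbeat(build_heartbeat(HEARTBEAT_REQUEST, b"ping", claimed_length=0x4000)))
```

The Debian helper is the caveat that matters in practice: a scanner that only reads the upstream version string will keep reporting a patched Wheezy host as vulnerable, so always compare the package release, not just the number openssl version prints. The parser side is the reason the post says there is no log entry to look for: a message whose claimed length exceeds the received bytes is simply discarded, and the fixed versions do exactly that, while the affected ones answered it.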

 

Clients

As a client of an affected web server, you can’t do much. After the administrator has fixed the problem, you should change your password.

Because this bug is already two years old, pretty much anything can have happened, so you may want to think harder about what you put online in the future.

If you are curious if your favorite website is or was affected, you can check it here:

https://lastpass.com/heartbleed

 

HINT:

Don’t change all your passwords right now. Some websites will need a while until they are able to make the changes mentioned above.

 

 

References

Sorin Mustaca
IT Security Expert

New case of identity theft – BSI in possession of 18 Million new accounts

The Federal Office for Information Security (BSI) has informed the press (in German) about a new case of identity theft. This time, too, a lot of German users are affected: according to the source, more than 3 million email addresses. BSI is working with big telecom providers such as Telekom, Freenet, GMX, Kabel Deutschland, Vodafone and Web.de in order to inform their affected customers.

For those who don’t want to wait for the official email from the above-mentioned providers, BSI continues to run the website https://www.sicherheitstest.bsi.de, where any user can check whether his email address is affected by this incident.

The accounts were discovered as part of a police investigation, and BSI assumes that the cybercriminals used various sources to get hold of the login data: infected computers that transmit the data to servers around the world.

There are, however, other possible sources like phishing websites and social engineering schemes.

If you are one of the affected users, please take the following actions to make sure that you are no longer affected:

- Clean up your computer using Avira’s PC Cleaner.

More details about the PC Cleaner can be found in this TechBlog article: http://techblog.avira.com/2014/01/09/avira-pc-cleaner-a-second-opinion-scanner/en/

- Change all your passwords, especially those that were using the affected email address.

First, make sure you are still in possession of that email address. Try to log in via webmail and change the password used to access the emails. If you can do this, you still own the account. If not, try to recover the password and change the passwords as part of this process.

If you have used the email address to log in to a website (e.g. Facebook, Twitter, Amazon, etc.), you must change those passwords as well, and make sure you are not using the same password that you use to access the email account. Here are good tips for creating a good password.

- Use antivirus software like Avira Free Antivirus and keep it up to date.

- Keep your system up to date, because many viruses make use of vulnerabilities in unpatched software.

- Print these security tips and keep them within reach.

 

Avira has recently released its iOS security application, which contains the feature Identity Safeguard. Avira is the only security vendor to offer iOS users such a feature, which ensures an individual’s personal email is not one of the 160 million that have been caught in security breaches in the last 6 months alone. Users can see if their personal identity details have been leaked in any security breaches, and an on-demand scanner allows the user to scan their entire address book to detect any compromised contacts. If any contacts have been compromised, users can email the breached contacts directly to alert them about the danger. On average, between 5% and 10% of a typical user’s address book contains email addresses that have been compromised.

 

Sorin Mustaca

IT Security expert

 

New features in the Avira products for mobiles: Identity Safeguard, Browser Safety and more

Because of the growth of mobile commerce and the need to keep users safe as they increasingly use mobile devices, we are proud to announce today that we have significantly upgraded our mobile solutions for iOS and Android.

 

Avira Mobile Security for iOS

The free app gets two new features:

  • Identity Safeguard

Avira is the only security vendor to offer iOS users a feature called Identity Safeguard, which ensures an individual’s personal email is not one of the 160 million that have been caught in security breaches in the last 6 months alone. Users can see if their personal identity details have been leaked in any security breaches, and an on-demand scanner allows the user to scan their entire address book to detect any compromised contacts. If any contacts have been compromised, users can email the breached contacts directly to alert them about the danger. On average, between 5% and 10% of a typical user’s address book contains email addresses that have been compromised.

 

  • Locate Device (up to five iOS and/or Android devices)

iOS users get a new feature called Locate Device, which monitors and keeps track of up to five devices. Users can see at any time on a map where a specific iPhone, iPad, Android phone or tablet is, and those devices can be made to ring to help locate them. The app can be used on any iPhone or iPad to manage all the devices.

Cost and Availability

Avira Mobile Security for iOS v.1.4 is and remains free.

It is available for devices running iOS 7.0 and above and is optimized for iPhone 5. It is currently available for German and English language devices but other languages will be added as quickly as possible.

Click here to download it directly from the AppStore.

 

Avira Antivirus Security Pro for Android

Android gets a new premium app, now available to every Android smartphone and tablet owner. These are the premium features:

  • Browser Safety

Infectious websites are blocked using powerful real time URL monitoring technology so users will not be duped by fraudsters or phishing attacks.

  • Hourly Updates

Mobile devices are always at risk from the most recent malware attacks, so Avira keeps the device safe with frequent updates, giving users confidence that they are always protected.

  • Quick Support Access

If a user has a problem, Avira experts are just a call or a click away.

Click here to download it directly from the Google Play Store.

 

Cost and Availability

Avira Antivirus for Android is and remains free.

Avira Antivirus Security Pro upgrade costs $9.99 (€7.95). Both apps are available directly from Avira’s website http://www.avira.com/en/free-antivirus-android. The product is available for Android 2.2 and up and is currently localized for German, English, Italian, French, Spanish, Japanese, and Korean.

 

Links

  • Download Avira Antivirus Security Pro for Android here.
  • Download Avira Mobile Security for iOS here.
  • For more information on Avira’s new Avira Mobile Security for iOS v.1.4, please visit this site.
  • For more information about all the features included for Android users of Avira Antivirus Security Pro, please visit this site.
  • Join the Avira community on Facebook:  www.facebook.com/avira

 

 

Sorin Mustaca

IT security expert