PC PORTAL

Experienced. Trusted. Solutions.

Malware

By

Bad Apps: Protect Your Smartphone from Mobile Malware

Reading Time: ~2 min.

Smartphone apps make life easier, more productive, and more entertaining. But can you trust every app you come across? Malicious mobile apps create easy access to your devices for Android and iOS malware to wreak havoc. And there are many untrusted and potentially dangerous apps lurking around in app stores determined to outsmart your smartphone. With the average user having 35 apps installed on their phone, according to Google, it’s easy to see why smartphones can be such a easy target.

But my iPhone is safe, right?

Both Apple iOS and Android devices are targeted by hackers, and while the latter is a more popular target,  both platforms are both susceptible to various types of cyberattacks. After all, Apple’s latest version of iOS 11 was cracked just one day after its release via vulnerabilities in the Safari web browser, according to ZDNet.

Protect yourself from bad apps:

All of this means that unprotected smartphones are soft targets for cybercriminals, with weaknesses that hackers can ultimately exploit to generate revenue. The first defense is knowing that you can’t trust all apps. These tips will also help you stay protected as you search for the good ones:

  1. Download apps from reputable stores. The major, reliable providers are Galaxy Apps (Samsung), the App Store (iOS), Amazon App Store, and Google Play (Android).
    Google Play, for example, scans 50 billion apps daily to detect malware before publishing new ones.
  2. Disable “Unknown Sources” for Android devices, which prevents installing apps from sources other than the Google Play Store. So, if you use Amazon App Store, you’ll need to enable “Unknown Sources”. In that case, be mindful before allowing any other app or website to install something on your phone. It should also be noted that changes to this functionality are coming with the latest update to Android’s Oreo operating system.
  3. Keep Android USB debugging off. It can prevent outside malware from accessing your phone through corded connections, such as from a public charging station.
  4. Don’t jailbreak your iPhone. Allowing access and changes to your phone’s software can allows outsider apps that may not be trustworthy.
  5. Beware of any website, text, email, or anything asking you to install an app. Search for your own apps at the store and research all apps before installing.
  6. Beware of granting excessive permissions. Apps that perform basic functions, such as a flashlight, don’t need to access your personal information, for example.
  7. Read app reviews before installing, and review and report sinister apps. Users working together as a community can help alert unsuspecting victims to phony apps.
  8. Be cautious about providing your credit card or banking information. Avoid making transactions over apps that are not well known to you or the user community and be careful about hidden charges such as microtransactions.
  9. Install OS and other software updates. It always recommended to keep your OS and apps updated with the latest patches. It’s also smart to consider phones from vendors that release prompt security patches. Many software updates are designed to defend against malware and other emergent threats.
  10. Use trusted internet security software. No matter how careful you are, it is wise to employ a reputable layer of online security.

Prevention, prevention, prevention.

Sometimes free mobile apps, including free security software apps from unknown providers, are suspect. The convenience of a quick download and excessive trust are not worth saving a few seconds or cents. Do your research, follow these 10 tips, and protect your well-being on any mobile device.

 

The post Bad Apps: Protect Your Smartphone from Mobile Malware appeared first on Webroot Blog.

By

After the Hack: Tips for Damage Control

Reading Time: ~4 min.

According to the Identity Theft Research Center, in 2017 alone, nearly 158 million social security numbers were stolen as a result of 1579 data breaches. Once a cybercriminal has access to your personal info, they can open credit cards, take out loans that quickly ruin your credit, or leave you with a giant bill. But that’s not all. Many people don’t realize that, depending on how much information a hacker gets and what their intentions are, you could lose a lot more than money. From sending malware to your contacts from your account to spamming your coworkers with phishing attacks to compromise your employer’s network, the damage a hacker can wreak on your personal and professional life can extend far beyond the monetary bounds.

Additionally, according to Dave Dufour, VP of Engineering and Cybersecurity at Webroot, we’re seeing more evolution in cybercriminal tactics that take advantage of internet users and their trust:

“What’s happening lately is that people are hacking social media accounts. Why would anyone want your social media information? One reason is that, if I have access to one of your social media accounts, I can spread malware to all your followers who trust you. Pretending to be you, I can send out a link, your followers click it, and my malware is now on all of their devices.”

So, what do you do if you’ve been hit with malware, ransomware, phishing, or a social media attack? First, don’t panic. Second, follow these steps to deal with the fallout.

You’ve been hacked. Now what?

Change your passwords
The first step is one you’ve probably already heard: change all your passwords. Yes, all of them. Don’t forget make them strong by using at least 12 characters, changing out at least two or three of the characters to uppercase, using numbers or symbols (e.g., replacing an A with a @ or an S with a 5), avoid using places you’ve lived, acquaintances names, your pets, birthdays, or addresses—and don’t even think about using ABC or 123. If you have trouble keeping track of your passwords, we recommend you use to a secure password manager application that saves your credentials in an encrypted database and automatically fills them in when you log into a site.

Turn on two-factor authentication
Most accounts that house your personal information, such as email or banking, offer two-factor authentication. This provides an additional layer of security that goes beyond your username and password by asking you to confirm your login with an extra step, such as a short-term security code sent via text message or phone call. You can turn on two-factor authentication from the login screen of the account.

Check for updates
One of the best ways to keep your devices protected is to update your operating system regularly and ensure that any applications you use are patched and up to date. If you have questions, you can always call your device provider’s helpline. To make things even easier, most systems and software allow you to set up Automatic Updates, so you don’t have to worry about remembering to check for them manually.

Install antivirus protection and run a scan
Antivirus software is an extremely beneficial tool that doesn’t just help detect and remove malicious software that could be lurking on your computer, it can also stop threats before they infect your device in the first place. But be careful: avoid the temptation to download a free antivirus program, as these often come bundled with malware or potentially unwanted applications. Instead, invest in a reputable option. Once installed, be sure to run a scan and turn on automatic scans and updates.

Delete sensitive data from the compromised account
As soon as you realize you’ve been hacked, go to the compromised account and delete any sensitive data you can. For example, if you know you’ve stored your credit card information, bank statements, social security number etc. in your email or on any retail site, immediately delete them from those locations. This also goes for any personal photos or information you wouldn’t want released. And don’t forget to clear out your folders on any cloud services, such as Dropbox, Google Drive™ or iCloud®.

Monitor bank statements and account activity
One of the top motivations of a cyberattack is to steal your money or identity to go on a shopping spree or use your financial accounts in some way. Be vigilant about monitoring your accounts for recent activity and check to make sure no new shipping addresses, payment methods, or accounts have been added. Also, call your bank and let them know about the incident so they can have their fraud department monitor your accounts.=

Deauthorize apps on Facebook, Twitter, Google, etc.
To protect your accounts and remove malicious individuals, check which apps are connected to your social media accounts and deactivate all of them. Did you sign into a site using your Facebook so you could see which historical figure you look like? That’s an example of something you should deactivate. You can find directions on how to do this for each account in its help or settings section or by contacting the associated customer service line.

Tell friends you’ve been hacked, so they don’t become victims, too
Another important step to take after you’ve been hacked is to alert your contacts. Many social media and email attackers will send messages from your account that contain malicious links, attachments, or urgent requests for money. Letting contacts know right away that your account has been compromised, and what to watch out for, can save them from the same fate.

Because technology continues to advance and the number of connected devices is growing exponentially, being the target of a cyberattack or identity theft is becoming more commonplace. But we’re here to help. Learn more about protecting yourself and your family online, and what you can do to stay safe from modern cybercrime.

The post After the Hack: Tips for Damage Control appeared first on Webroot Blog.

By

TrickBot Banking Trojan Adapts with New Module

Since inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders. While TrickBot has not always been the stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development of new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time.

It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.

You can teach an old bot older tricks

Analyzed samples

  • 0058430e00d2ea329b98cbe208bc1dad – main sample (packed)
    • 0069430e00d2ea329b99cbe209bc1dad – bot 32 bit

Downloaded Modules

  • 711287e1bd88deacda048424128bdfaf – systeminfo32.dll
  • 58615f97d28c0848c140d5e78ffb2add – injectDll32.dll
  • 30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll
  • 5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll
  • 88384ba81a89f8000a124189ed69af5c – importDll32.dll
  • 3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll
  • 311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll

Behavioral Analysis

Upon execution, this iteration of TrickBot will install itself into the %APPDATA%\TeamViewer\ directory. If the bot has not been executed from its installation directory, it will restart itself from this directory and continue operation. Once running from its installation directory, TrickBot will write to the usual group_tag and client_id files along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration files for the bot.

Image 1: TrickBot’s plug and play modules used to extend the bots functionality

 

Many of the modules shown above have been previously documented. The systeminfo and injectDll module have been coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the worm module was discovered in late July 2017. The module of interest here is tabDll32 as this module has been previously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to the other TrickBot modules.

Image 2a: Peering inside tabDll.dll

Image 2b: Abnormally large .rdata section

 

The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll. Each module will be described in more detail in its respective section below.

 

Spreader_x86.dll

When loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol filename.

Image 3: Debug symbol filename of the downloaded module tabDll.dll

 

This gives us a preview of how the TrickBot developers structure new modules that are currently under development. When digging deeper into the module, it becomes evident that this module is used to spread laterally through an infected network making use of MS17-010.

Image 4: String references to EternalRomance exploit used for lateral movement

 

This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the modules reflective dll injection mechanism are stolen from GitHub.

Image 5: Copied code from ImprovedReflectiveDLLInjection

Image 6: Printf statements from the copied project on GitHub

 

SsExecutor_x86.exe 

The second phase of the new module comes in the form of an executable meant to run after post exploitation. Again, it was very nice of the TrickBot authors to give us a look at the debug symbols file path.

Image 7: Debug symbol filename of the embedded PE file.

 

When run, this executable will iterate over the use profiles in registry and goes to each profile to add a link to the copied binary to the start up path. This occurs after lateral movement takes place.

Image 8: Iterate over user profiles and create

Image 9: Execution of the copied binary

 

ScreenLocker_x86.dll

Similarly, to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victims machine.

Image 10: Peering inside screenLocker_x86.dll

 

This Module exports two functions, “MyFunction” and a reflective DLL loading function. “MyFunction” appears to be the work in progress:

Image 11: Peering inside “MyFunction”

Image 12: Creation of the Locker Window

 

If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model. Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.

It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines. 

Conclusion

The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims. The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead.

 

The post TrickBot Banking Trojan Adapts with New Module appeared first on Webroot Threat Blog.

By

10 Cybersecurity Predictions for 2018

It has been a turbulent year of devastating ransomware attacks (e.g. NotPetya) and gut-wrenching breaches (e.g. Equifax). Undoubtedly, the question on everyone’s mind is, “what’s in store for us in the New Year?” Webroot’s top 10 cybersecurity predictions for 2018 covers everything from ransomware and breaches to mobile, cryptocurrency, and government.We’ve grouped our predictions to help you navigate this glimpse into one possible cybersecurity future.

Malware will get smarter and threats more serious.

Malware campaigns will use AI to make secondary infection decisions based on what they’ve learned from previous campaigns. – Gary Hayslip, chief information security officer

We will see the first health-related ransomware targeting devices like pacemakers. – Eric Klonowski, sr. advanced threat research analyst

We haven’t seen the last of breaches.

I predict a minimum of 3 separate breaches of at least 100 million accounts each. I’d be willing to bet the data has already been compromised, but the affected organizations won’t learn of the breach until next year. – Tyler Moffitt, sr. advanced threat research analyst

Not even biometric security will be safe from malicious actors.

We will see the first biometric-access-based exploits using facial recognition or fingerprint access. – Eric Klonowski, sr. advanced threat research analyst

Consumers will want more from governments to keep them safe.

Consumers fighting back: 2018 will see major a major backlash from consumers (perhaps in the form of class action lawsuits), necessitating more regulations around data protection, particularly in the U.S. – David Kennerley, director of threat research

Infosec will become a C-level priority.

The CISO role will be mandatory for all organizations who do business with the Federal Government. – Gary Hayslip, CISO

Being a mobile-first society will come with greater costs.

We will see the first widespread worming mobile phone ransomware, perhaps spread by SMS or MMS. – Eric Klonowski, sr. advanced threat research analyst

Cryptocurrency will continue to rise and impending legislature is inevitable.

Malware distribution will rise and fall in conjunction with Bitcoin value. – Christopher Cain, associate malware removal engineer

GDPR will set a tone, for better or worse, and businesses should prepare on all sides.

Companies who trade with the European Union will suddenly panic over GDPR requirements and just encrypt everything in a knee-jerk response. – Jonathan Giffard, sr. product manager

The boom in the IoT space will bring stricter oversight to device manufacturers.

Data collected from IoT devices will be aggregated and used to develop an even larger, more involved picture of customers’ habits, constituting a major breach of privacy without consent. – Gary Hayslip, CISO

Do you have any cybersecurity predictions for 2018? Share your thoughts with us on Twitter with the tag #CyberIn2018.

The post 10 Cybersecurity Predictions for 2018 appeared first on Webroot Threat Blog.

By

Ransomware Spares No One: How to Avoid the Next Big Attack

With global ransomware attacks, such as WannaCry and not-Petya, making big headlines this year, it seems the unwelcomed scourge of ransomware isn’t going away any time soon. While large-scale attacks like these are most known for their ability to devastate companies and even whole countries, the often under-reported victim is the average home user.

We sat down with Tyler Moffit, senior threat research analyst at Webroot, to talk ransomware in plain terms to help you better understand how to stop modern cybercriminals from hijacking your most valuable data.

Webroot: For starters, how do you describe ransomware? What exactly is being ransomed?

Tyler Moffit: To put it simply, your files are stolen. Basically, any files that you would need on the computer, whether those are pictures, office documents, movies, even save files for video games, will be encrypted with a password that you need to get them back. If you pay the ransom, you get the password (at least, in theory. There’s no guarantee.)

How does the average home user get infected with ransomware?

Malspam” campaigns are definitely the most popular. You get an email that looks like it’s from the local post office, saying you missed a package and need to open the attachment for tracking. This attachment contains malware that delivers the ransomware, infecting your computer. It is also possible to become infected with ransomware without clicking anything when you visit malicious websites. Advertisements on legitimate websites are the biggest target. Remote desktop protocol (RDP) is another huge attack vector that is gaining traction as well. While controlling desktops remotely is very convenient, it’s important to make sure your passwords are secure.

How is the data ? Is the ransomed data actually taken or transmitted?

When you mistakenly download and execute the ransomware, it encrypts your files with a password, then sends that password securely back to the attacker’s server. You will then receive a ransom demand telling you how to pay to get the password to unlock your files. This is a really efficient way to prevent you from accessing your files without having to send gigabytes of information back to their servers. In very simple terms, the files are scrambled using a complex algorithm so that they are unreadable by any human or computer unless the encryption key is provided.

 

What types of files do ransomware attacks usually target?

Most ransomware is specifically engineered to go after any type of file that is valuable or useful to people. Around 200 file extensions have been known to be targeted. Essentially, any file that you’ve saved or open regularly would be at risk.

How does the attacker release the encrypted files?

The attacker provides a decryption utility via the webpage where you make the payment. Once you receive the decryption key, all you have to do is input that key into the tool and it will decrypt and release the files allowing you to access them again. Keep in mind, however, that the criminal who encrypted your files is under no obligation to give them back to you. Even if you pay up, you may not get your files back.

Tips for protecting your devices:
  • Use reliable antivirus software.
  • Keep all your computers up-to-date. Having antivirus on your computer is a great step towards staying safe online; however, it doesn’t stop there. Keeping your Windows PCs and/or Mac operating systems up-to-date is equally important.
  • Backup your data. Being proactive with your backup can help save your favorite vacation photos, videos of your kid’s first piano recital, not to mention sensitive information that could cost you thousands by itself.

 

Remember, being an informed and aware internet user is one of the best defenses against cyberattacks. Stay tuned in to the Webroot blog and follow us on your favorite social media sites to stay in-the-know on all things cybersecurity.

The post Ransomware Spares No One: How to Avoid the Next Big Attack appeared first on Webroot Threat Blog.