Steps to Keep Your Site Clean: Updates

Steps to Keep Your Site Clean: UpdatesThis is the second post of a series about Steps to Keep Your Site Clean. In the first post, we talked about Access Points; here we are going to offer more insight on Updates.

Updates

Repeatedly we see websites being infected or reinfected when important security updates are not taken seriously. Most software updates are created due to a security breach that has been fixed. Updating to the new version keeps your site safe from vulnerabilities that are very likely to affect your site.

Continue reading Steps to Keep Your Site Clean: Updates at Sucuri Blog.

Source: Scuri check

NoSolicitado False Positives

Blacklists operate using DNS system where a blacklist publishes a set of IP addresses that are blacklisted. We query these lists in real-time to give you a consolidated report of the blacklist reputation of and IP address. Sometimes a DNS server at a blacklist operator may get out of sync with the entire pool or the pool may get out of sync with the database. Regardless of the root cause, we always display what we receive when we query the blacklist providers’ DNS servers.

Currently, we are noticing some issues where the Blacklist NoSolicitado is showing some IP addresses blacklisted and then quickly delisting them. These bounces are affecting customers with blacklist monitors and those searching IP addresses. We will update when there is more information.

Source: MXtoolbox

From Baidu to Google’s Open Redirects

From Baidu to Google’s Open RedirectsLast week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages.

It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple of day later they began using Google’s goo.gl URL shortening service.

This is a snippet from their decoded script:

The Redirect Chain

If you check Google’s own information about that shortened URL, it shows that the URL redirects to another Google owned URL maps.app.goo.gl which looks quite benign.

Continue reading From Baidu to Google’s Open Redirects at Sucuri Blog.

Source: Scuri check

Malicious Activities with Google Tag Manager

Malicious Activities with Google Tag ManagerIf I were to ask if you could trust a script from Google that is loading on your website, the majority of users would say “yes” or even “absolutely”. But when malicious behavior ensues, everything should be double-checked and suspected, even assets that come from “trusted sources” like Google, Facebook, and Youtube.

In the past, we saw how adsense was abused with a malvertising campaign. Even more recently, we saw how attackers injected malware that called Google AdSense ads to generate revenue for the attackers, however, there’s an even more troublesome part of the toolkit that Google offers to webmasters – Google Tag Manager.

Continue reading Malicious Activities with Google Tag Manager at Sucuri Blog.

Source: Scuri check

Multisandbox project welcomes Cyber adAPT ApkRecon

Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.


These are some example reports displaying the data contributed by Cyber adAPT:

It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:

Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:

These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.
Source: VirusTotal

Content Security Policy

Content Security PolicyAs a website owner, it’s a good idea to be aware of the security issues that might affect your site. For example, Cross-site Scripting (XSS) attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

You probably know too that client-side scripts can be programmed to do pretty much anything. They can be as simple as showing an alert message in your website, to animating images, mining cryptocurrencies or showing pop-ups that contain NSFW pharma products.

Continue reading Content Security Policy at Sucuri Blog.

Source: Scuri check

Unwanted Ads via Baidu Links

Unwanted Ads via Baidu LinksThe malware attack that began as an installation of malicious Injectbody/Injectscr WordPress plugins back in February has evolved since then.

Some of the changes were documented asUpdates at the bottom of the original blog post, however, every week we see minor modifications in the way they obfuscate the scripts or the files they inject them into.

Encrypted WordPress JavaScript Files

At this moment, the most common injection targets are core WordPress JavaScript files:

wp-includes/js/jquery/jquery-migrate.min.js
wp-includes/js/jquery/jquery.js
wp-includes/js/wp-embed.min.js

Hackers add the malicious code and then obfuscate the entire file contents along with the original legitimate code so that the only way to clean the files without breaking the site functionality is to replace them with their original clean copies.

Continue reading Unwanted Ads via Baidu Links at Sucuri Blog.

Source: Scuri check

Hacked Website Trend Report – 2017

Hacked Website Trend Report – 2017We are proud to be releasing our latest Hacked Website Trend Report for 2017.

This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT).

The data presented stems from the analysis of 34,371 infected websites summarizing the latest trends by bad actors. In this report, we build from data points seen in the 2016/Q3 report to identify the latest tactics, techniques, and procedures (TTPs) detected by the Remediation Group.

Continue reading Hacked Website Trend Report – 2017 at Sucuri Blog.

Source: Scuri check

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.
This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 
You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):
Don’t forget to also check the detailed report:
This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:
The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.
To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:
At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.
Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.
Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.  



Source: VirusTotal

Obfuscation Through Legitimate Appearances

Obfuscation Through Legitimate AppearancesRecently, I analyzed a malware sample provided by our analyst Edward C. Woelke and noticed that it had been placed in a core WordPress folder. This seemed suspicious, since no such core WP file like it exists: ./wp-includes/init.php

Deceiving Appearances

I started with a standard analysis and my first thought was, this has to be a legitimate file! Nicely structured, with very legit-looking function names. It even used Object Oriented PHP, which doesn’t happen very often in the case of malware.

Continue reading Obfuscation Through Legitimate Appearances at Sucuri Blog.

Source: Scuri check

Meet FORTUNE COOKIE

VirusTotal is always working to improve our users’ experience and our partner ecosystem. We have a robust community of security professionals who research, study, and collaborate through VirusTotal’s diverse tools and capabilities.

In our labs, our top engineers are working hard to develop new ways of understanding how samples relate to each other, to campaigns, and to the users who ultimately fall victim to them.

We’re thrilled to share with you the brand new VirusTotal Free Object Randomized Tester Utilizing Nil Evaluative Code with Object Oriented K-means Inference Engine, or FORTUNE COOKIE for short.

FORTUNE COOKIE is a bleeding edge system that brings about a highly accurate randomized verdict for your entertainment and enjoyment. It knows very little about malware, reverse engineering, or file analysis, but could theoretically be capable of leveraging machine learning, blockchain, and/or random numbers to bring about an entirely new class of verdicts.

An example of its detection capabilities can be found here:
https://www.virustotal.com/#/file/95fdc4563751b74260f9c75c1ed1e66c3449c1d368fb6f2c09a2ac7e162f8a9d/detection
We think FORTUNE COOKIE will change the way you use VirusTotal, and due to the incredibly amazing power it offers, it will only be available for a short time.

Enjoy!
Source: VirusTotal

What is Virtual Hardening?

What is Virtual Hardening?If you want to make your website security more robust, you need to think about hardening. To harden your website means to add different layers of protection to reduce the potential attack surface. Hardening often involves manual measures of adding code or making changes to the configuration. To virtually harden your site involves allowing a Web Application Firewall (WAF) or security plugin to automatically harden your website.

The concept of hardening is part of a defense-in-depth strategy that protects your web server and database from vulnerability exploitation.

Continue reading What is Virtual Hardening? at Sucuri Blog.

Source: Scuri check

GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card Stealers

GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card StealersA few days ago, we reported that hacked Magento sites had been pushing infostealing malware under the disguise of Flash player updates.

In this post, we’ll reveal how this recent attack is related to an extremely hot topic – cryptocurrencies and cryptomining.

Infostealer Analysis

The malware binary files we found were packed with Themida, so the file analyses didn’t provide much useful information (which explains all of the generic detections on VirusTotal we saw previously).

Continue reading GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card Stealers at Sucuri Blog.

Source: Scuri check

GitHub Hosts Infostealer

GitHub Hosts InfostealerA few months ago, we reported on how cybercriminals were using GitHub to load a variety of cryptominers on hacked websites. We have now discovered that this same approach is being used to push binary “info stealing” malware to Windows computers.

Infected Magento Sites

Recently, we identified hundreds of infected Magento sites with the following injected script:

https://strongbit.wo[.]tc/js/lib/js.js/strong

The contents of the js.js file included:

This code creates a hidden div and after a short delay displays a fake Flash Player update banner above the normal site content.

Continue reading GitHub Hosts Infostealer at Sucuri Blog.

Source: Scuri check

Steps to Keep Your Site Clean: Access Points

Steps to Keep Your Site Clean: Access PointsUnfortunately, most website owners know what it’s like to have a site hacked – the panic, the rush to find anyone out there that can help, and the worry it causes. Maybe you were able to get your site back on track or had a company clean the site for you, but the important thing is that your site is finally safe, or so you thought.

Avoid Website Reinfections

There are many ways in which a site can become reinfected after a cleanup.

Continue reading Steps to Keep Your Site Clean: Access Points at Sucuri Blog.

Source: Scuri check

Summary Emails Hiccup

On March 11th, we had a small issue with the creation of weekly summary emails.  This may cause your email to look like a login page.  If so, this is simply a bug on our end and not some attempt at phishing by a 3rd party.  We have fixed the bug so next week’s summary emails will be fine.  We apologize for the inconvenience.

Source: MXtoolbox