Jul 23 14

Indexeus, the search engine that menaced the hacking community

by paganinip

Indexeus is a new search engine that indexes user account information acquired from data breaches, including hackers’ accounts stolen in the underground.

A new search engine for the hacking underground, dubbed Indexeus, has been launched. It retrieves all the available information on user accounts taken from hundreds of recent data breaches. The data include information on malicious hackers exposed in recent hacks, including the Adobe and Yahoo! breaches.

The Indexeus search engine was developed by Jason Relinquo, a 23-year-old Portuguese hacker who has built a searchable archive containing “over 200 million entries”. Relinquo has collected a huge amount of data related to accounts used by hackers, including IP addresses, email addresses, usernames, passwords, physical addresses, birthdays and much other personal information.
“This is a service which provides easy access to hundreds of databases, which is very useful if you don’t want to bring your databases around or if you just don’t have any,” reads the Indexeus website. “The goal is to make people realize that using the same information all over is stupid and will lead to you getting your information stolen, but also showing you how badly administrators keep your private data stored.”
Almost all the information the young hacker offers on malicious hackers comes from data breaches and hacks of popular hacking forums; it is arguably the largest database of hackers’ personal information publicly available today.
The Indexeus search engine also includes data belonging to members of hackforums[dot]net, the hacking forum frequented by script kiddies who offer and buy various hacking services.

Recently another search engine captured the attention of the security community: Grams, a Darknet market search engine specialized in searches across underground markets, including BlackBank, C9, Evolution, Mr. Nice Guy, Pandora, The Pirate Market and SilkRoad2.


Relinquo’s initial idea was that any hacker who wanted to remove his credentials and data from the archive, or to blacklist himself from the search engine, had to pay $1 per record, a demand that those wishing to operate in the shadows would not accept willingly. Of course, this is not legal and clashes with principles like the EU’s “right to be forgotten”. After the popular blog KrebsOnSecurity exposed the search engine, Relinquo changed the terms of service so that users no longer have to pay to be removed or completely blacklisted from Indexeus.

“We’re going through some reforms (free blacklisting, plus subscription based searches), due to some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate,” states the new TOS.

The Indexeus website also seeks to raise its members’ awareness of security issues and of how their data are managed by the administrators of the various web services they use.

“The purpose of Indexeus is not to provide private informations about someone [sic], but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service,” states the disclaimer on the search engine website.

In any case, the Indexeus website was quickly targeted by other hackers: a few days ago the search engine was defaced by the hacker group Pernicious Developers, which also deployed a backdoor shell on the website.

“This is the Original Pernicious Developers, we’re still here. Even if you don’t know which version of the group who did this.” states the defacement left by the hackers.

At the time of writing the site is down.


It’s my opinion that privacy in today’s society is a utopia; search engines like Indexeus demonstrate how easy it is to collect information even on individuals with considerable skill. Data breaches are an amazing source of data that can easily be obtained and analyzed with mining tools to discover hidden links between accounts and individuals in cyberspace.

What do you think about online privacy?

Pierluigi Paganini

Security Affairs – (Indexeus, hacking)

Jul 22 14

Gyges, the mixing of commercial malware with cyber weapon code

by paganinip

Sentinel Labs has discovered a sophisticated malware dubbed Gyges that mixes commercial malicious code with code from an alleged cyber weapon.

Experts at the security firm Sentinel Labs discovered the Gyges malware in the wild in March 2014. The malicious code appeared so sophisticated to the researchers that they attributed it to a state-sponsored project. The level of complexity of Gyges is very high, and the experts found similarities with malware allegedly used by the Russian Government as a cyber weapon; the most concerning aspect of the story is that the malware is targeting the commercial sector.

It is not clear how the experts associated the Gyges code with a state-sponsored operation; the report doesn’t provide many details on this aspect, it just highlights that the code had been detected in previous targeted attacks and that no known commercial malware reaches this level of complexity.

As explained in the official report issued by Sentinel Labs, Gyges seems to be the result of the “contamination” of a very complex carrier, used to avoid detection, by a quicker and dirtier executable that delivers the payload.

The most complex part of Gyges is its evasion techniques: the malware is able to avoid controlled execution in a sandbox or a virtual environment, the technique security analysts use to qualify a threat. The author also designed a set of features to make reverse engineering and debugging of the malicious code harder.

“This specific Gyges variant was detected by our on-device heuristic agents and caught our attention due to its sophisticated anti-tampering and anti-detection techniques. It uses less well-known injection techniques and waits for user inactivity, (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution,” states the report. “Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions).”

As explained in the report, Gyges also includes sophisticated components for data exfiltration, keylogging and eavesdropping on targeted networks. The dirtier components added to the code by the criminal gangs behind the campaign include ransomware capabilities and a banking data stealer, revealing the financial motivations of the bad actors.

The circumstance that source code developed by a government is in the hands of cyber criminals is worrying and in line with the predictions of security experts. F-Secure’s Chief Research Officer Mikko Hyppönen explained at TrustyCon the risk that government-built malware and cyber weapons will run out of control.

“Governments writing viruses: today we sort of take that for granted but 10 years ago that would have been science fiction,” he said during his speech. “If someone had come to me ten years ago and told me that by 2014 it will be commonplace for democratic Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that’s exactly where we are today.”

Uncontrolled diffusion could happen in various ways, such as a data breach or the outsourcing of part of the development of the malicious code to malware authors.

“It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands,” wrote Sentinel Labs research head Udi Shamir. “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.”

Although Russia is considered one of the most advanced cyber powers, it’s hard to link a component of malicious code discovered in the wild to its cyber units; today there is little knowledge of the Russian cyber arsenal and its real capabilities, which evolve rapidly. Recently BAE Systems Applied Intelligence disclosed a Russian cyber espionage campaign codenamed SNAKE that targeted government and military networks.

The attackers behind the SNAKE operation penetrated highly secured systems all around the world, but the most interesting revelation is that the Uroburos rootkit recently discovered by the German security firm G Data Software was just one component of the overall SNAKE campaign.

Another interesting discovery was made early this month by experts at F-Secure, who detected another strain of malware called Cosmu, which they suggested could be a Russian cyber weapon.

“The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code. The fact that “carrier” code can be “bolted on” to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats.” concludes the report.

The mixing of commercial malware with highly sophisticated components derived from cyber weapons could generate new, powerful cyber threats that are hard to detect and dangerous for every entity in cyberspace.

Pierluigi Paganini

Security Affairs – (Gyges, malware)

Jul 22 14

Hidden services in iOS devices could allow surveillance of users

by paganinip

Apple has worked hard to make iOS devices reasonably secure, but hidden services could be exploited to steal all of a user’s data in a stealthy way.

Have you ever tried to enumerate the functionalities and services in Apple iOS?

You’d be surprised to find that numerous hidden features and services are undocumented; some of them could be abused to bypass security functionalities like backup encryption on iOS devices.

These functionalities could represent a serious threat to users’ privacy and could be exploited by attackers to access large amounts of personal data. The researcher Jonathan Zdziarski has conducted several studies on the architecture of iOS, finding that various services are unnecessary for users and could be used to bypass security defenses. Zdziarski is a prolific expert: he designed many of the initial methods for acquiring forensic data from Apple iOS mobile devices.

Zdziarski presented his findings in a talk at the HOPE X conference, highlighting the presence on iOS of the file_relay service (com.apple.mobile.file_relay), which can be accessed remotely or via USB to bypass backup encryption. By exploiting it, an attacker can access all of the data encrypted by data protection, provided the device has not been rebooted since the last time the user entered the PIN.


The file_relay tool can be used to steal user information from an iOS device, including email, location, social media accounts, the address book and the user cache folder; below is the description provided in the presentation:

  • Accounts: a list of email, Twitter, iCloud, Facebook etc. accounts configured on the device.
  • AddressBook: a copy of the user’s address book SQLite database; deleted records recoverable.
  • Caches: the user cache folder: suspend screenshots (the last thing you were looking at), shared images, offline content, clipboard/pasteboard, map tile images, keyboard typing cache, other personal data.

“Between this tool and other services, you can get almost the same information you could get from a complete backup,” Zdziarski said in an interview. “What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.”

Zdziarski explained that the hidden services that bypass encrypted backup protection don’t require developer mode to be enabled; he also confirmed the presence on iOS of a packet capture tool that can be used to dump all inbound and outbound network traffic and that runs stealthily.

The expert also mentioned a component of the file_relay service called HFSMeta, introduced in iOS 7, that can create a complete metadata image of the device’s file system, including metadata on all files and all installed apps.

“Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski explained. “There’s not even an engineering use for that.”


The fact that Apple iOS includes such functionalities is not surprising: one of the documents leaked by Edward Snowden describes DROPOUTJEEP, a spyware developed by the NSA’s ANT (Advanced or Access Network Technology) division that is used to gain backdoor access to the mobile device.

Zdziarski clarified that the purpose of his study is not to demonstrate that the above features were designed for surveillance, but he believes that intelligence agencies are exploiting them.

“I’m not saying at all that Apple is working with the NSA,” he said. “But at the very least, there’s a very strong case to say that the NSA knows about and exploits these capabilities.”

Give a look at the slides of the presentation; they are a mine of interesting information.

Pierluigi Paganini

Security Affairs – (iOS, hidden services)

Jul 21 14

BigBoss, the biggest Cydia repository, hacked

by paganinip

The BigBoss app repository, the default package store for the Cydia application, has been hacked by a group of hackers calling itself “Kim Jong-Cracks”.

The BigBoss repository, one of the biggest and most popular repositories for jailbreak tweaks in Cydia, has suffered a major data breach. Cydia is a very popular application within the community of iOS users: it is the jailbreaker’s alternative to the App Store. The unofficial store contains thousands of apps, themes and many other downloads. Using Cydia, iOS users can find and install applications on their jailbroken devices; the majority of the software in the store is available for free.
The BigBoss repository is the default repository for iOS devices jailbroken with Cydia, which makes it a privileged target for cybercriminals.
A group of hackers calling itself “Kim Jong-Cracks” gained access to all the packages present in the BigBoss repository and made them available through their own repository. As proof of the hack, the group made the deb index and the BigBoss database available for download, including a log file listing the packages and their MD5 sums.
“The other post more than likely broke rule 1 because it linked the site directly. To anyone that didn’t see the post the BigBoss repo was (supposedly) hacked by either an individual or group of people and they have a repo out there with all of BigBoss’s packages (paid and free). Their proof.log shows that they have the original MD5 sums,” reads the Reddit post through which the news of the hack spread.
The hackers have made all the applications available on a website dubbed ripBigBoss; the site seems to include the entire collection of apps, nearly 13,954, available as BigBoss packages, all for free.
I’m not linking to the ripBigBoss website to avoid spreading malware that its operators could serve through the site. At the time of writing, BitDefender AV flags it as an infected website.

“The website and companion repo are using Saurik’s recent “Competition vs Community” as a motivation for their acts,” iDownloadBlog reports, but security experts are skeptical. I strongly suggest you avoid the ripBigBoss repo, even though Kim Jong-Cracks announced that the apps published are not infected. I remind you that it is quite easy for hackers to trojanize legitimate applications originally present in the BigBoss store.

To discourage Cydia users from using the BigBoss repository, Kim Jong-Cracks claims to have injected the free packages there with malware. Jay Freeman, also known as Saurik, the creator of Cydia, believes the group’s threats are not true. Saurik backed his thesis by saying that, from an analysis of the index of all historical changes to the repository, he has verified that the content on BigBoss did not change.
“This article mentions malware being potentially injected into the BigBoss repository; we do not believe this to be the case,” Saurik said in a statement to iDB. “Packages in Cydia repositories are cryptographically verified from the repository package index. I have an index of all historic changes to the package indices for default repositories, and have verified that the content on BigBoss did not change in ways that the repository administrators did not expect.”
In any case, I strongly suggest you avoid installing or updating any jailbreak tweak from the BigBoss repository in this phase, and from the ripBigBoss repository as well.
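The verification Saurik refers to can be reproduced outside Cydia, because Cydia repositories use the APT format: the Packages index lists, for every .deb, its Size and its MD5sum/SHA1/SHA256 digests, and the client refuses a download whose bytes do not match. The following is an added example written for this page, not Cydia’s or BigBoss’s code; the package name, file name and .deb bytes are constructed stand-ins. It parses an index stanza, checks a package against it, and shows why a proof.log of original MD5 sums is not by itself a guarantee that a re-hosted package is clean: the same index also carries stronger digests, and an index that offers MD5 only is refused.

```python
import hashlib
from typing import Dict, List


def parse_packages_index(text: str) -> List[Dict[str, str]]:
    """Parse an APT/Cydia 'Packages' index into one dict per package stanza.

    Stanzas are separated by blank lines and hold 'Key: value' fields;
    a line starting with whitespace continues the previous field.
    """
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + raw.strip()
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def publish_stanza(name: str, version: str, filename: str, deb: bytes,
                   legacy_only: bool = False) -> str:
    """Repository side: the stanza a maintainer publishes for one .deb.

    legacy_only=True emits an MD5sum field only, the way an old or lazy
    index might; verify_deb() below refuses such an index.
    """
    fields = [
        f"Package: {name}",
        f"Version: {version}",
        "Architecture: iphoneos-arm",
        f"Filename: {filename}",
        f"Size: {len(deb)}",
        f"MD5sum: {hashlib.md5(deb).hexdigest()}",
    ]
    if not legacy_only:
        fields.append(f"SHA1: {hashlib.sha1(deb).hexdigest()}")
        fields.append(f"SHA256: {hashlib.sha256(deb).hexdigest()}")
    return "\n".join(fields) + "\n"


DIGESTS = {"MD5sum": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def verify_deb(stanza: Dict[str, str], deb: bytes) -> bool:
    """Client side: accept a downloaded .deb only if its size and every digest
    the index lists match, and the index lists at least SHA256.

    Checking every listed digest means a mirror that re-serves a package
    cannot swap in a trojanized build without also rewriting the index.
    """
    if int(stanza.get("Size", "-1")) != len(deb):
        return False
    if "SHA256" not in stanza:
        return False  # an MD5-only index gives no collision resistance
    for field, algo in DIGESTS.items():
        expected = stanza.get(field)
        if expected is not None and algo(deb).hexdigest() != expected.lower():
            return False
    return True


def check_package(index_text: str, package_name: str, deb: bytes) -> bool:
    """Look up package_name in the index and verify the .deb bytes against it."""
    for stanza in parse_packages_index(index_text):
        if stanza.get("Package") == package_name:
            return verify_deb(stanza, deb)
    return False  # not in the index at all: nothing to verify against


# Constructed stand-ins for a tweak's .deb bytes and a same-length tampered copy
# (not real BigBoss packages; the package name is hypothetical).
ORIGINAL_DEB = b"!<arch>\ndebian-binary 2.0\nconstructed tweak payload\n"
TAMPERED_DEB = ORIGINAL_DEB.replace(b"tweak", b"tw3ak")  # same size, different bytes

PACKAGES_INDEX = publish_stanza("com.example.tweak", "1.0.3",
                                "debs/com.example.tweak_1.0.3_iphoneos-arm.deb",
                                ORIGINAL_DEB)
LEGACY_INDEX = publish_stanza("com.example.tweak", "1.0.3",
                              "debs/com.example.tweak_1.0.3_iphoneos-arm.deb",
                              ORIGINAL_DEB, legacy_only=True)

if __name__ == "__main__":
    print("original vs index:", check_package(PACKAGES_INDEX, "com.example.tweak", ORIGINAL_DEB))
    print("tampered vs index:", check_package(PACKAGES_INDEX, "com.example.tweak", TAMPERED_DEB))
    print("original vs MD5-only index:", check_package(LEGACY_INDEX, "com.example.tweak", ORIGINAL_DEB))
```

The check only means something if the index itself is trusted: in APT the Packages file is in turn covered by a signed Release file, so a mirror such as ripBigBoss that rewrites both the packages and the index it serves would still pass this test against its own index. Verify against the original repository’s signed index, never against the mirror’s.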

Pierluigi Paganini

Security Affairs – (Cydia, BigBoss)

Jul 21 14

Siemens industrial products affected by OpenSSL vulnerabilities

by paganinip

ICS-CERT has issued a security advisory on OpenSSL vulnerabilities affecting several Siemens industrial products.

Several Siemens industrial products are affected by four vulnerabilities in their OpenSSL implementation which could be remotely exploited to run a man-in-the-middle (MitM) attack or to crash the products’ web servers.

Critical infrastructure is under unceasing attack; the security of internal systems is a crucial issue, and bad actors are very active in exploiting known flaws in SCADA/ICS components.



The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) last week issued a security advisory (ICSA-14-198-03) which warns that exploits targeting these OpenSSL vulnerabilities are publicly available on the Internet.

“Siemens has identified four vulnerabilities in its OpenSSL cryptographic software library affecting several Siemens industrial products. Updates are available for APE 2.0.2 and WinCC OA (PVSS). The ROX 1, ROX 2, S7-1500, and CP1543-1 products do not have a patch at this time; however, Siemens has made mitigation recommendations. Siemens is continuing to work on patching these vulnerabilities.” states the advisory.

“The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems,” ICS-CERT added. “The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices.”

The following six products are affected by the OpenSSL vulnerabilities, but as explained by ICS-CERT, patches are available only for two of them. Siemens has promptly released a list of recommendations to mitigate the risk of attacks exploiting the OpenSSL vulnerabilities.

  • APE versions prior to Version 2.0.2 (only affected if SSL/TLS component or Crossbow is used),
  • CP1543-1: all versions,
  • ROX 1: all versions (only affected if Crossbow is installed),
  • ROX 2: all versions (only affected if eLAN or Crossbow is installed),
  • S7-1500: all versions, and
  • WinCC OA (PVSS): Version 3.8 – 3.12

Security updates patching the holes are available only for APE 2.0.2 and WinCC OA (PVSS).

The man-in-the-middle attack could allow a bad actor to hijack a session between an authorized user and the device; the flaws are considered serious also because of their impact on the availability of the industrial components, since they can crash the product’s web server.

“Impact to individual organizations depends on many factors that are unique to each organization,” states the advisory. “An attacker with a moderate skill would be able to exploit these vulnerabilities.”

The advisory provides further guidance on how to protect industrial systems, for example warning of spear-phishing attacks and suggesting that the systems be deployed behind firewalls and isolated from the business network.

Pierluigi Paganini

Security Affairs – (OpenSSL vulnerabilities, SCADA)

Jul 21 14

Cybercrime exploits the crash of Malaysia Airlines Flight MH17

by paganinip

Security experts at Trend Micro have detected a spam campaign on Twitter which exploits the Malaysia Airlines Flight MH17 crash.

Unfortunately, tragedies like the one that struck Malaysia Airlines Flight MH17, or the recent escalation in Gaza, are excellent occasions for cyber criminals who try to exploit public attention to carry out illegal activities.

Cyber criminals arrange spam campaigns and phishing attacks to collect victims’ personal information and serve malware.

Security experts have observed cyber attacks which explicitly use news on the Malaysia Airlines Flight MH17 crash to deceive Internet users. Media agencies report that the Boeing 777 operating Malaysia Airlines Flight MH17, carrying 298 people (passengers and crew), was struck by a missile launched from a mobile ground station.

The Russian and Ukrainian governments are exchanging mutual accusations over the attack; public opinion is blaming pro-Russian separatist rebels, maintaining that the Kremlin is helping them to destroy the evidence.

Social media are flooded with news and images of the crash of Malaysia Airlines Flight MH17, and cyber criminals are using social engineering techniques to spread malware, tricking victims into visiting compromised websites.

Experts at the security firm Trend Micro have detected tweets written in Indonesian which spread news related to the crash of Malaysia Airlines Flight MH17; the tweets include the hashtag #MH17 to lure victims searching for information on the incident.

The cyber criminals behind this malicious campaign started their operations just after the crash on July 17th; one of the tweets states:

“Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace.”

The message was retweeted by hundreds of users who, unwittingly, were helping the scammers by spreading the malicious links.


The experts at Trend Micro discovered that the URLs used by the criminals resolve to the following IPs:

  • 72[dot]8[dot]190[dot]126
  • 72[dot]8[dot]190[dot]39

The analysis revealed that the IPs belong to a shared hosting service in the US; many other domains are mapped to these addresses, some of them legitimate. The experts discovered that the primary purpose of the MH17 spam campaign is to increase hits/page views on sites or ads managed by the cyber criminals.

The malicious domains were mainly used to spread a ZeuS variant and the SALITY malware.

“ZeuS/ZBOT are known information stealers while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security,” reports the blog post from Trend Micro.
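The shared-hosting detail matters for anyone turning this report into a detection rule: blocking or alerting on the two IP addresses alone would also flag the legitimate domains that live on the same host. The example below is added for this page and is not Trend Micro’s tooling; the tweets, domains and resolution table are constructed (the article gives only the two IPs and the text of one tweet), and the .example domains are hypothetical. It extracts link hosts from tweets, shows that an IP-only rule over-flags, and applies a two-tier rule that reserves “malicious” for confirmed domains and sends IP-only matches to review.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# The two addresses from the Trend Micro analysis, kept defanged as the article prints them.
CAMPAIGN_IPS_DEFANGED = ["72[dot]8[dot]190[dot]126", "72[dot]8[dot]190[dot]39"]

# Constructed tweets: the first reuses the wording quoted in the article; the URLs
# and domains are hypothetical (.example is reserved and never resolves).
SAMPLE_TWEETS = [
    {"id": 1, "text": "Malaysia Airlines has lost contact of MH17 from Amsterdam. "
                      "#MH17 http://mh17-berita.example/video"},
    {"id": 2, "text": "Foto #MH17 http://mh17-foto.example/?ref=tw"},
    {"id": 3, "text": "Official statement on #MH17: https://legit-news.example/mh17"},
    {"id": 4, "text": "Nice weather today, no links here"},
]

# Constructed passive-DNS style table: the legitimate site shares the host with the
# campaign, the shared-hosting situation the article describes.
RESOLUTIONS = {
    "mh17-berita.example": "72.8.190.126",
    "mh17-foto.example": "72.8.190.39",
    "legit-news.example": "72.8.190.126",
}

# Domains confirmed malicious by analysis (constructed for the example).
CONFIRMED_BAD_DOMAINS = {"mh17-berita.example", "mh17-foto.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(ioc: str) -> str:
    """Restore a defanged indicator so it can be compared with live data."""
    return ioc.replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(text: str) -> List[str]:
    """Lower-cased hostnames of every URL found in a tweet's text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def ip_only_hits(tweets, resolutions, campaign_ips_defanged) -> Set[int]:
    """Naive rule: flag any tweet whose link resolves to a campaign IP.

    On shared hosting this also catches unrelated legitimate sites.
    """
    campaign_ips = {refang(ip) for ip in campaign_ips_defanged}
    return {t["id"] for t in tweets
            if any(resolutions.get(h) in campaign_ips for h in extract_hosts(t["text"]))}


def triage_tweets(tweets, resolutions, campaign_ips_defanged,
                  confirmed_bad_domains) -> Dict[int, str]:
    """Two-tier rule: confirmed domain -> 'malicious'; campaign IP only -> 'review'; else 'clean'."""
    campaign_ips = {refang(ip) for ip in campaign_ips_defanged}
    verdicts = {}
    for tweet in tweets:
        verdict = "clean"
        for host in extract_hosts(tweet["text"]):
            if host in confirmed_bad_domains:
                verdict = "malicious"
                break
            if resolutions.get(host) in campaign_ips:
                verdict = "review"  # same shared host, but not a confirmed campaign domain
        verdicts[tweet["id"]] = verdict
    return verdicts


if __name__ == "__main__":
    print("ip-only rule flags:", sorted(ip_only_hits(SAMPLE_TWEETS, RESOLUTIONS, CAMPAIGN_IPS_DEFANGED)))
    print("two-tier verdicts:", triage_tweets(SAMPLE_TWEETS, RESOLUTIONS,
                                              CAMPAIGN_IPS_DEFANGED, CONFIRMED_BAD_DOMAINS))
```

In practice the resolution table would come from passive DNS or a resolver log rather than a dict, and the “review” bucket is where an analyst confirms or clears a domain before it is promoted to the confirmed list.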

Cybercriminals always exploit news of tragic events; in the past security experts have seen several scams and threats that leveraged news like the Boston Marathon bombing and the 2011 tsunami/earthquake in Japan. Be aware that they will continue to do this, and the crash of Malaysia Airlines Flight MH17 is still excellent news to ride.

Pierluigi Paganini

Security Affairs – (MH17, cybercrime)

Jul 20 14

WhatsApp profile picture: a risky feature? In the mind of a hacker

by paganinip

In this post I’ll show you how an apparently insignificant piece of information on WhatsApp could be used by attackers in a far more dangerous targeted attack.

When you add a random phone number to your contact list, WhatsApp will show you the profile picture of that user. Given the fact that you don’t know that person, there shouldn’t be any inherent risk with that feature. Am I right?

If you think that I am, please read the following story.

Selling a used television

Imagine that you are browsing a classified ads site and you come across an ad in which someone called Bob is selling a nice 52″ smart TV, barely used and ready for a new owner for just $1,000. The ad includes a phone number that can be used to contact Bob for further information or to close the deal.

At this point we already have very interesting information about our victim: his name is Bob, we know his phone number and where he is based, and we know he’ll be expecting people to contact him about his used TV.

Right, this has just started.

Facebook time

It’s time to know who Bob is.

The first step is to add his phone number to our contact list: this way, his nice picture will pop up. Now, with the name, the picture and the city where he lives, we can quickly find his Facebook profile with a couple of searches, going through the results.

Yes, we found him.

The public profile doesn’t say much about him, but it adds one additional detail: where he studied. That is more than enough to get access to his private profile. We create a fake profile appearing to be someone who studied at the same college within the same time period. Wouldn’t you accept a friend request from someone who might be an old mate?

Bob does.


Getting into the circle of trust

Now we have access to Bob’s friends list, which means that we can have a pretty good understanding of his social and professional environment.

We quickly discover that he works for a consumer business corporation as Assistant Manager in the Accounting department. Sounds interesting, but let’s leave it there for now.

Please notice that, beyond professional details, his circle of trust also becomes readily available to us. This circle might include best friends, relatives, professional colleagues, and perhaps some old friends with whom he hasn’t been in contact for a long time.

We are interested in the latter group. How can we find that particular profile? Easy task. Just browse Bob’s news feed and see who hasn’t been really active with regards to his posts in the last few months. Or perhaps find that guy who just replies from time to time with messages promising to meet at the earliest opportunity.

Yeah, this guy will be very helpful.

Guess why?

Yes, you are right, that old friend will not be friendly anymore.

Impersonating an old friend

As you might have guessed, it’s time to impersonate John, the one who fits our target profile. We just have to pick up some random details about his relationship with Bob, in order to build a credible message when we impersonate him.

What are our weapons? References to past events, other friends, news that might be relevant to Bob, topics he is interested in, products or brands Bob likes, and the like.

We notice that Bob loves roller-coasters. That sounds like a plan: we’ll send him a link to a news article describing an accident that occurred on one of the most popular roller-coasters in the US.

But the goal is to build a message that Bob will believe to be coming from John. Obviously, it will be coming from us instead. How can we manage to do that then?

Ok, here is the thing: John has changed his phone number since the last time he met Bob. However, Bob will trust that he is talking to John for three reasons: we know things that only someone in his circle of trust could know (what he likes), we have his telephone number (from the ad) and, more importantly, Bob will see John’s profile picture when he reads our WhatsApp message.

Where did we get that profile picture from? Yeah, you are right: we downloaded it from Bob’s Facebook friends list.

The final stage

Bob will receive a WhatsApp message containing a link referencing relevant news for him from a trusted source.

What would you do if you were Bob? I would bet that you’d check it out. The malicious link will trigger a drive-by download that will infect his mobile phone. The malware will be unique, designed for this particular attack, so it will go unnoticed by antivirus.

We got it. Now we have access to his e-mails, files and contacts, rendering his private information readily available to us. And what value has that information? Bob is just someone selling a used TV.

But Bob is more than that. He is an Assistant Manager in the Accounting department of a corporation, so getting access to his mobile phone gives us access to confidential data that he exchanges with dozens of colleagues every day.

What’s next?

What would you do now? Search his e-mails? Download attachments? Try to browse corporate websites?

I’ll tell you what I would do.

I would send a message from his account to his most frequent contacts. The message would include a malicious link. And most of the recipients would click on it.

Guess why? Yeah, you are right. You have now become Bob.

And the game starts again.

Lessons learned

Bob’s adventure is becoming a frequent story as advanced attacks become more targeted, persistent and sophisticated.

The following lessons can be learnt from it:

  • Cyber attacks are no longer a one-shot task. Cybercriminals take time to accomplish the mission for a given target, splitting the attack into a series of tasks that, seen alone, don’t seem to constitute a significant risk, or even a risk at all.
  • Cyber attacks mimic methods used in the past, but are becoming advanced and sophisticated by combining these methods with new techniques, as well as arranging full-featured campaigns involving multiple actors, increasing chances for success.
  • Mobile is a key threat vector. The popularity of smartphones and social media services, including instant messaging, make it easier for cybercriminals to achieve their goals in a shorter time and in a stealthy manner.

Rafael San Miguel
Senior Manager – Strategic Alliances – EMEA

Rafael San Miguel is an experienced Information Security professional with 10+ years of Information Security background.
He has worked for international companies such as Deloitte (consulting), Santander (financial) and Telefónica (telecom), always in positions requiring strong management and engineering skills.
Rafael has taken a leading role in fields such as service delivery, business operations, alliances management, business development and project management. He has also performed field work in areas such as penetration testing and security systems integration.
Rafael currently works for FireEye as Strategic Alliances Manager in Southern Europe, helping first-class Consulting Firms to become successful cybersecurity partners for their clients.

Pierluigi Paganini

Security Affairs – (WhatsApp, FireEye)

Jul 20 14

New Havex variant discovered which hits SCADA via OPC

by paganinip

Researchers at FireEye have detected a new variant of the Havex RAT which scans SCADA networks via OLE for Process Control (OPC).

Security experts at F-Secure and Symantec have recently reported a surge of malicious campaigns based on the “Havex” malware against critical infrastructure. The bad actors behind the Havex campaign mainly targeted companies in the energy industry, with the intent of conducting industrial espionage against several American and European companies.
It has been estimated that the number of compromised energy companies in the US and Europe is nearly 1,000, an impressive number that gives an idea of the impact of the Havex operation.
Experts at FireEye have recently detected a new variant of the Havex RAT that implements a function to scan for OPC (OLE for Process Control) servers. The new variant is able to collect system information and data directly from targeted machines through the OPC standard. In industrial settings, ICS or SCADA systems include an OPC client component that exchanges data with an OPC server, which in turn communicates with a PLC (Programmable Logic Controller) to control industrial hardware.
“The OPC is a software interface standard that allows Windows programs to communicate with industrial hardware devices.” states the OPC datahub
The bad actors behind the new Havex campaign, implementing an OPC scan feature, could gather any data stored on the machines in the targeted networks and also details about the connected devices, the information collected are then send back to the command-and-control server.
The malware actively searches for servers ordinarily used for controlling SCADA (Supervisory Control and Data Acquisition) systems in critical infrastructure, as explained by FireEye.

“Threat actors have leveraged Havex in attacks across the energy sector for over a year, but the full extent of industries and ICS systems affected by Havex is unknown,” “We decided to examine the OPC scanning component of Havex more closely, to better understand what happens when it’s executed and the possible implications,” wrote Kyle Wilhoit, threat intelligence researcher at FireEye, in a blog post.

Researchers at FireEye prepared a test lab to analyze the Havex malware while it targeted a typical OPC server; they noticed that once the targeted network was infected, the RAT downloader invokes the runDll export function and then starts scanning for OPC servers.
“The scanning process starts when the Havex downloader calls the runDll export function. The OPC scanner module identifies potential OPC servers by using the Windows networking (WNet) functions. Through recursive calls to WNetOpenEnum and WNetEnumResources, the scanner builds a list of all servers that are globally accessible through Windows networking. The list of servers is then checked to determine if any of them host an interface to the Component Object Models (COM) listed below:” “This is the first “in the wild” sample using OPC scanning. It is possible that these attackers could have used this malware as a testing ground for future utilization, however,” added the FireEye expert in the post.
Security experts believe that the new variant of the Havex trojan is an excellent tool for intelligence gathering; the variant analyzed didn’t present any component used for sabotage. At the moment there is no information on the motivation of the attack (e.g. sabotage, industrial cyber espionage) nor on the nature of the actors behind it (e.g. cybercrime, state-sponsored hacking); for this reason the investigation of the malware is still ongoing.
Stay tuned for updates.

Pierluigi Paganini

Security Affairs – (Havex, SCADA)

Jul 19 14

A new PushDo botnet variant infected 11,000 machines in 24 hours

by paganinip

Security experts at Bitdefender report that a new PushDo variant has emerged from the underground, compromising 11,000 machines in 24 hours.

Security experts at Bitdefender have recently detected a surge in the number of Pushdo trojan infections by analyzing data from the sinkholing of C&C domains used by the malware. The experts discovered that the new Pushdo campaign is linked to a significant, globally distributed botnet, with the majority of victims located in Asia.

Pushdo is a multi-purpose malware Trojan that has been on the world stage for many years: it was detected for the first time in 2007 and is primarily known for delivering financial malware such as ZeuS and SpyEye.
“We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet,” “The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days.” states Catalin Cosoi, chief security strategist at Bitdefender.

Pushdo is considered one of the oldest active malware families; it was also popular in the cybercrime ecosystem for delivering spam campaigns through the Cutwail botnet, one of the largest malicious architectures in terms of the number of infected hosts (in 2009 the botnet was composed of 1.5 – 2 million computers with a capability of sending 74 billion spam messages a day). Although Pushdo is well known, it is far from being eradicated: the malware has in fact recently infected more than 11,000 computers in just 24 hours. The Romanian firm reckons 77 machines have been infected in the UK via the botnet in the past 24 hours, and it has been estimated that more than 11,000 machines were compromised worldwide in the same period.

“After sinkholing one of them, we managed to receive 8840 requests from 2336 unique IP addresses in less than 3 hours,” reports Bitdefender.

What’s new in the new variant?

The new Pushdo variant implements a new domain-generation algorithm (DGA) as a fallback mechanism to its normal command-and-control (C&C) communication methods.

“Instead of relying upon a static list of preconfigured domain names that corresponded to the location of the bad guys’ C&C servers, it used an algorithm to calculate candidate domain names – and then tried reaching out to a handful of the candidates in a vain attempt to locate an active C&C server,” explained Gunter Ollmann, VP Research at Damballa.

A DGA is an algorithm used to generate a large list of candidate domain names, of which only one (or a few) is registered and live at any given time; by implementing the technique, cybercriminals can overcome domain blacklisting and hamper the dynamic analysis and extraction of C&C domain names. The DGA implementation isn’t the only improvement to the Pushdo botnet: the malware authors have also changed the pair of encryption keys used to protect malicious traffic to and from the C&C servers, and they have added an “encrypted overlay” to the Pushdo binaries so that the malware executes only under the specific conditions specified in the overlay.
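Added example, not code from the article, Bitdefender or Damballa: a defender-side check for the DGA fallback behaviour described above. A bot that computes candidate domains and tries "a handful" of them leaves a burst of failed lookups of random-looking names in resolver logs; the block flags clients showing that pattern over a constructed sample log. The log column layout, the thresholds and the naive second-level-label extraction (no public-suffix handling) are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real Pushdo telemetry):
# "<epoch> <client_ip> <qname> <rcode>", one query per line.
SAMPLE_LOG = """\
1405699200 10.0.0.5 www.example.com NOERROR
1405699202 10.0.0.9 xk3qv9zt7plm.com NXDOMAIN
1405699203 10.0.0.9 qzr8wlp2kd.net NXDOMAIN
1405699204 10.0.0.9 mvt4b7yw0s.org NXDOMAIN
1405699205 10.0.0.9 pjk29xztw.com NXDOMAIN
1405699206 10.0.0.9 ab7lm4d9qx.com NXDOMAIN
1405699207 10.0.0.9 hh2v8kz3wq.net NXDOMAIN
1405699209 10.0.0.7 cdn.example.net NOERROR
1405699210 10.0.0.7 typo-exmaple.com NXDOMAIN
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a single DNS label; 0.0 for a one-symbol string."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def sld(qname: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com' (naive, no PSL)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_dga_suspects(log_text, window=60, min_nx=5, min_entropy=3.0):
    """Map client IP -> the burst of NXDOMAIN names that tripped the rule.
    A DGA fallback fails many lookups of random-looking names, so a client
    failing >= min_nx high-entropy lookups within `window` seconds stands
    out; entropy alone is weak (a typo can score high), hence the burst."""
    nx_by_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and shannon_entropy(sld(qname)) >= min_entropy:
            nx_by_client[client].append((int(ts), qname))
    suspects = {}
    for client, events in nx_by_client.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= min_nx:
                suspects[client] = [q for _, q in events[lo:hi + 1]]
                break
    return suspects
```

Only 10.0.0.9 is flagged: the single high-entropy typo from 10.0.0.7 never reaches the burst threshold, which is the point of combining the two signals.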

“The public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remained the same,” “To harden the analysis, the symmetric key used to protect the communication between the C&C and its bots is encrypted with RSA. The PushDO bot contains its private key and the server’s public key hardcoded into its binaries. The public key is used to encrypt the data sent to the server, and the private key is used to decrypt the response received from the server.” states Bitdefender in a blog post.

As visible in the following map, Vietnam, India and Indonesia are the most targeted countries; many infections have also been observed in the US, Turkey and Iran.
  • Vietnam – 1319
  • India – 1297
  • Indonesia – 610
  • United States – 559
  • Turkey – 507
  • Iran, Islamic Republic of – 402
  • Thailand – 345
  • Argentina – 315
  • Italy – 302
  • Mexico – 274

This last wave of attacks demonstrates the intense activity of cybercrime, which is able to revive and improve even older cyber threats such as the Pushdo trojan, making life harder for law enforcement agencies.

Pierluigi Paganini

Security Affairs – (cybercrime, Pushdo)

Jul 19 14

Critroni, a sophisticated ransomware which uses Tor Network as C&C

by paganinip

A security researcher has detailed Critroni, a new sophisticated ransomware which is being sold in different underground forums.

In 2013 ransomware was among the menaces that monopolized the threat landscape; malware such as CryptoLocker infected hundreds of thousands of machines worldwide.

Critroni (aka CTB-Locker) is the name of the latest ransomware to capture the attention of security experts: the malware has been sold in different underground forums in recent weeks and has recently been included in the Angler exploit kit.

A detailed analysis of the ransomware was posted on “” by the French security researcher Kafeine.

Critroni implements many functionalities that make it a ransomware out of the ordinary; for example, it uses the Tor network to host its command and control.

“Placing a server in onion-domain (TOR), close to domain abuse can not be practically impossible to trace the owner and shut down the server. Connection to the server only after encryption of all files. Early Detection is not possible on the traffic, it is impossible to block the work of the locker. Blocking TOR prevents only payment the user, not the program. Analogs are connected to the server until the crypt and can block,” states the advertisement for the malware.

The diffusion of ransomware like Critroni was favored by the takedown of the GameOver Zeus botnet by law enforcement in a multinational effort; that botnet was in fact used by cybercriminals to serve the CryptoLocker ransomware.

Around the same time, in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums, where the malware is offered for around $3,000. Critroni was initially spread exclusively in Russia, but its infections have since been observed in other countries. Several criminal gangs are using Critroni, in many cases served through the Angler exploit kit, which drops a spambot on victims’ machines. The spambot module is used by the malware authors to drop a couple of other payloads, one of them being Critroni.

Like many other ransomware families, Critroni encrypts a variety of files on the victim’s PC and then displays a dialogue box that demands a payment in Bitcoins in order to decrypt the files.

“Persistent cryptography based on elliptic curves. Decrypt files without payment impossible. Equivalent resistance RSA-3072, exceeding all analogs. At the same encryption speed is much higher.”


Victims have to pay the ransom within 72 hours; if they don’t have any Bitcoins, the ransomware provides detailed instructions on how to acquire them.

Other security firms have also detected the malware: Kaspersky Lab researchers are working on this ransomware, which they identified as Onion ransomware, and the results of their investigation will be released next week.

Pierluigi Paganini

Security Affairs – (Critroni, ransomware)