Monthly Archives: May 2017

Remove Malcious Apps From Your Android Device

Here’s a list of malicious apps developed by Kiniwini and if you have any of these installed on your device, remove it immediately:

  • Fashion Judy: Snow Queen style
  • Animal Judy: Persian cat care
  • Fashion Judy: Pretty rapper
  • Fashion Judy: Teacher style
  • Animal Judy: Dragon care
  • Chef Judy: Halloween Cookies
  • Fashion Judy: Wedding Party
  • Animal Judy: Teddy Bear care
  • Fashion Judy: Bunny Girl Style
  • Fashion Judy: Frozen Princess
  • Chef Judy: Triangular Kimbap
  • Chef Judy: Udong Maker – Cook
  • Fashion Judy: Uniform style
  • Animal Judy: Rabbit care
  • Fashion Judy: Vampire style
  • Animal Judy: Nine-Tailed Fox
  • Chef Judy: Jelly Maker – Cook
  • Chef Judy: Chicken Maker
  • Animal Judy: Sea otter care
  • Animal Judy: Elephant care
  • Judy’s Happy House
  • Chef Judy: Hotdog Maker – Cook
  • Chef Judy: Birthday Food Maker
  • Fashion Judy: Wedding day
  • Fashion Judy: Waitress style
  • Chef Judy: Character Lunch
  • Chef Judy: Picnic Lunch Maker
  • Animal Judy: Rudolph care
  • Judy’s Hospital: Pediatrics
  • Fashion Judy: Country style
  • Animal Judy: Feral Cat care
  • Fashion Judy: Twice Style
  • Fashion Judy: Myth Style
  • Animal Judy: Fennec Fox care
  • Animal Judy: Dog care
  • Fashion Judy: Couple Style
  • Animal Judy: Cat care
  • Fashion Judy: Halloween style
  • Fashion Judy: EXO Style
  • Chef Judy: Dalgona Maker
  • Chef Judy: ServiceStation Food
  • Judy’s Spa Salon

Android Malware ‘Judy’ Hits as Many as 36.5 Million Phones

Up to 36.5 million Android devices may have been infected by malware that produced fake ad clicks and lined the pockets of its developers.

As outlined by security firm Check Point, 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp., “infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.”

It’s “possibly the largest malware campaign found on Google Play,” according to Check Point.

Google “swiftly” removed the apps from Google Play after being alerted to their existence, Check Point says, but not before they “reached an astonishing spread between 4.5 million and 18.5 million downloads.” Some were available on the store for several years and all were recently updated.

“It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown,” Check Point says, but those download numbers mean “the total spread of the malware may have reached between 8.5 and 36.5 million users.”

Judy Malware

The malware was dubbed Judy by Check Point after the title character in Kiniwini’s apps. Chef Judy: Picnic Lunch Maker, for example, encourages players to “create delicious food with Judy.” But Judy-themed games ran the gamut, from “Animal Judy” and “Fashion Judy.”

How does Judy infect your device? Hackers create an innocuous app that can get around Google’s Bouncer security screening and is added to an app store.

“Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server,” Check Point says. “The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.”

Check Point likens Judy to two previous exploits: FalseGuide and Skinner. And like another bug, DressCode, Judy hid behind good reviews. “Hackers can hide their apps’ real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly. Users cannot rely on the official app stores for their safety, and should implement advanced security protections capable of detecting and blocking zero-day mobile malware,” Check Point says.

Kiniwini develops apps for iOS and Android, Check Point says, but it did not mention any problems with the iOS apps. As of Sunday afternoon, 45 ENISTUDIO Corp. Judy apps are available in the App Store, most of which appear to have last been updated on March 31.

Crysis ransomware master keys released to the public – Download From Here

The world has been rocked by WannaCry causing disruption and upheaval across core services and businesses alike over the past week, but there is good news for victims of Crysis with the release of 200 master keys to the public.

Posted at the BleepingComputer forum, the keys can be used by victims of the ransomware as well as security firms in the creation of decryption tools.

The keys, uploaded to Pastebin, have been confirmed as valid by security researchers. Users of the keys have also confirmed that they have regained access to the files.

Ransomware is a particularly nasty form of malware which, once executed on a vulnerable PC, encrypts files and locks users out of their system.

 

In return for a ransom demand in the virtual currency Bitcoin which can reach thousands of dollars, the victims are told that they will be granted a key to decrypt their files and restore access.

However, there is no guarantee that such keys will work, and to pay up only fuels this expanding criminal industry.

Recently, one strain of the malware dubbed WannaCry caused widespread disruption. The ransomware targets elderly Windows operating system builds — Windows 10 has been protected with an automatic patch — and enjoyed a successful campaign which is still causing damage and disruption to date.

The ransomware hit the headline after taking down numerous UK National Health Service (NHS) hospital and trust systems, and since then, has spread worldwide.

In total, 386 samples of malware utilizing WannaCry have been detected in the wild, but if you have accepted automatic updates and keep your system up-to-date, there shouldn’t be any need to worry about becoming infected.

 

This is not the first time master keys for Crysis have been released; in fact, this is the third time. However, what sets this release apart is that the keys can also be used to decrypt files which have been encrypted with .wallet and .onion extensions.

“This has become a habit of the Crysis operators lately — with this being the third time keys were released in this manner,” ESET researchers say. “Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.”

Why the keys have been released remains a mystery — it may be that all who were likely to pay up have done so, and so there is no harm in releasing the keys, or perhaps after enjoying some time in the spotlight the campaign’s operators are happy to get out of the game.

If you have been affected by this strain of ransomware, you can download a decryption tool provided by security firm ESET here.

WannaCry: Ransom note analysis throws up new clues

As the world works towards identifying the perpetrators of the WannaCry ransomware campaign, one group of cybersecurity researchers says they’ve likely determined the native language of the writer of the ransom note, another potential step towards attributing the attack.

A number of cybersecurity firms have tentatively linked the attack to North Korea, but now analysis of WannaCry ransom notes in 28 languages by researchers at Flashpoint has led them to the conclusion that those behind the ransomware text are likely Chinese speaking.

Analysis of the ransom notes found that only the Chinese versions, both simplified and traditional, and the English versions, are likely to have been composed by a someone who spoke those languages.

Researchers suggest that minor errors in the Chinese ransom note mean it was typed using a Chinese-language input system.

Meanwhile, while the English language note is said to have been written with someone with a “strong command” of English, a grammatical error in the note suggests the author is not a native English speaker.

The other 25 ransom notes – in languages including Russian, Spanish, Turkish and Korean – have all been translated using Google Translate, with the English language version of the ransom demand used as the source text for machine translation.

However, when researchers tested the text with Chinese-English and English-Chinese translations, the results were inaccurate, further suggesting that the Chinese note wasn’t developed by using machine translation from English.

Other signs also point to a Chinese author; for example, one term for “week” is more common in South China, Hong Kong and Taiwan, while the term used for anti-virus is more common the Chinese mainland.

In addition to all of this, researchers note that the Chinese ransom demand is longer than those of other languages, with additional content and a differing format, again suggesting that it is written by someone who could speak the language.

Overall, linguistic analysis of the notes lead Flashpoint to conclude “with moderate confidence” that the Chinese ransom note was written by a fluent Chinese speaker and served as the original source for the English version, which was then used as the basis of machine translation for other notes.

Researchers therefore suggest that it’s highly possible that Chinese is the authors’ native tongue. However, they also suggest that it isn’t possible to rule out misdirection on behalf of the attackers, who might have used the machine translation to hide their native language.

Some security firms have linked the cyberattack to the Lazarus group, a hacking operation connected to a number of high-profile cyberattacks in recent years including the $80m Bangladeshi cyber bank heist, as well as attacks against financial institutions, banks, casinos, and systems used by software developers for investment companies around the world.

Researchers at Symantec say there are similarities between code linked to these Lazarus campaigns and the code behind the WannaCry ransomware outbreak, which they suggest means the two campaigns could be linked to the same author.

While some say the Lazarus hacking group works on behalf of North Korea, the group is actually believed to operate out of China, something which would lend weight to Flashpoint’s conclusions that the authors are fluent in Chinese.

However, there’s also the possibility that a group which just happen to have members who are fluent in Chinese are writing notes in the language to throw authorities off the scent.

The WannaCry ransomware epidemic hit over 300,000 PCs around the globe, using worm-like capabilities to spread and infect Microsoft Windows machines, particularly those using older operating systems.

While most of the affected organisations have now returned to normal, some are still recovering almost two weeks on from the outbreak.

Beware Of “EternalRocks” More Dangerous Than WannaCry

SAN FRANCISCO: After a host of different ransomware attacks that hit enterprises across the globe, security researchers have now identified a new strain of malware “EternalRocks” that is more dangerous than WannaCry and is potentially tougher to fight.

According to the researchers, “EternalRocks” exploits the same vulnerability in Windows that helped WannaCry spread to computers. It also uses a NSA tool known as “EternalBlue” for proliferation, Fortune reported on Sunday.

 
“…it also uses six other NSA tools, with names like EternalChampion, EternalRomance, and DoublePulsar (which is also part of WannaCry),” the report said.

In its current form, “EternalRocks” does not have any malicious elements — it does not lock or corrupt files, or use compromised machines to build a botnet — but leaves infected computers vulnerable to remote commands that could ‘weaponise’ the infection at any time.

“EternalRocks” is stronger that WannaCry because it does not have any weaknesses, including the kill switch that a researcher used to help contain the ransomware.

EternalBlue also uses a 24-hour activation delay to try to frustrate efforts to study it, the report noted.

The last 10 days have seen a wave of cyberattacks that have rendered companies helpless around the globe.
First it was WannaCrypt or WannaCry that spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March. It encrypted files on infected machines and demanded payment for unlocking them.
WannaCry had some loopholes that made it easier to slow and circumvent.
After facing a massive “WannaCrypt” ransomware attack, another type of malware quietly started generating digital cash from machines it infected.
Tens of thousands of computers were affected globally by the “Adylkuzz attack” that targeted machines, let them operate and only slowed them down to generate digital cash or “Monero” cryptocurrency in the background.

“Monero” — being popularised by North Korea-linked hackers — is an open-source cryptocurrency created in April 2014 that focuses on privacy, decentralisation and scalability.

WannaKey: A new tool to tackle the WannaCry for free – Save 300$ From Hacker

The WannaCry or WannaCrypt malware has become the biggest global sensation after its mass-infection of Windows running computers around the world in the past one week.
The biggest problem with this malware is that it encrypts the entire data in the computer to make everything unreadable and demands a $300 ransom in Bitcoin from the user to set things right.
However, there’s finally a bit of good news for harassed users. A security researcher has reportedly claimed to have developed a new tool for restoring WannCry-infected PCs for free.
Dubbed WannaKey, the tool recovers the prime numbers of the RSA private keys used by WannaCry. Once it succeeds to recover the numbers, it can restore all the encrypted files back to their original state.
For the uninitiated, the encryption and decryption processes usually involve a key or a combination of numbers and letters, which get implied on the existing text with a formula. Once the key is added to the file text, the result becomes cryptic and unreadable even to the computer until one decrypts the text again using the same key.
This tool, however, doesn’t work with computers running on Windows 10, Windows 8 or Windows 7 as the key doesn’t work in these operating systems. This is because once the ‘CryptReleaseContext’ is triggered, the associated prime numbers in the key are erased.

Wannakey

WARNING

This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected.

Please also note that you need some luck for this to work (see below), and so it might not work in every case!

Updates

v0.2

  • The generated private RSA key had invalid computed fields, which made the key not importable with CryptImportKey under Windows XP (fixed). wanafork and/or wanadecrypt can now be used directly from XP.
  • Updated the binary with this fix and a static build (no need for the MSVC runtime anymore)

 

v0.1

  • Original version

 

Introduction

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.”. So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.

If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.

That’s what this software tries to achieve.

Usage

You can use the binary in the bin/ folder. You first need to find the PID of the wcry.exe process using the Task Manager, and locate the 00000000.pky file.

Once you’ve got this, launch using cmd.exe:

> search_primes.exe PID path\to\00000000.pky

If a valid prime is found in memory, the priv.key file will be generated in the current directory.

You can then use https://github.com/odzhan/wanafork/ or https://github.com/gentilkiwi/wanadecrypt to decrypt your files! (working on XP!)

Compile from source

You can use Visual Studio 2015 express to compile the associated project. Be sure to select the compatible Windows XP toolchain in the project properties!

Credits

  • @wiskitki who spotted the CryptReleaseContext issue with Windows 10 (which actually wipe the primes in memory).
  • @hackerfantastic for releasing the sample I used
  • Miasm (https://github.com/cea-sec/miasm) for its help extracting the DLL and reversing the whole thing
  • Wine sources for the Windows RSA private key format.

Ransomware attack: The clean-up continues after WannaCry chaos

While the WannaCry ransomware infections now seem to be declining, the chaos following the global attack is far from over.

The WannaCry ransomware spread rapidly last week, infecting more than 300,000 PCs, encrypting data unless users pay a ransom.

Hospitals across the UK seemed particularly badly hit — possibly because of a reliance on older version of Windows — and many are still dealing with the aftermath.

The country’s biggest hospital trust, Barts Health in London, said it was no longer diverting ambulances from any of its hospitals, but that it continues to “experience IT disruption”. This is causing delays and cancellations of appointments, and has reduced the volume of planned operations and clinics on Thursday to make sure it can run all services safely.

Others said that services were returning to normal, but the patients should expect some delays.

Southport and Ormskirk Hospital said services are returning to normal and patients with appointments should now attend as usual, although there may be some delays in clinics. East Lancashire Hopital Trust said all major clinical information systems are working as normal and that “as a priority, IT staff are working to repair/replace infected PCs and laptops”.

A note on the Barking, Havering and Redbridge University Hospital Trust website said it was “still dealing with some final issues caused by the cyber attack” but the majority of its services are now returning to normal. And Cheshire and Wirral NHS Trust’s website said it was still experiencing “significant IT disruptions” and that its business continuity plans are being implemented as it works to get its systems back up and running.

East and North Hertfordshire Trust said on its website: “Our IT team have been able to restore much of the Trust’s IT service over the past few days and most of these are now working.” It added that the trust is now running a “near normal” service.

Colchester Hospital University Trust said: “We are aware that our voicemail and answerphone system is not fully functioning and are working on a solution to this. Our Switchboard equipment was compromised in the cyber attack. We apologise to people trying to call our hospitals and ask you to bear with us.”

While organisations still struggle to reinstate normal service, there are fears that the vast spread of the ransomware will inspire more versions — and that many systems remain unpatched.

Raj Samani, chief scientist at security company MacAfee, said that when any new major piece of malware arrives, it tends to be followed by copycat versions that make small tweaks to the original code. He explained that some had been spotted already. “The reality is there are vulnerable systems out there,” he said.

Despite the 300,000 infections from the recent WannaCry attack, less than 300 victims have apparently paid the ransom so far. That’s less than 0.1 percent of those infected, raising a paltry $80,000 for its developers. In comparison the crooks behind the CryptoWall 3 ransomware could have made as much as $325m from their malware a couple of years back.

The search now is for patient zero — the first PC infected — which may provide clues to the identity of the developers of the malware.

​Google Play Protect wants to stop your Android apps from going rogue

Google has unveiled its latest attempt at improving the security of Android apps, Google Play Protect.

Android has had a bigger malware problem than iOS, and some of that malware had managed to get into Google’s own Play store. And while Google does a lot to to keep malicious Android apps outside of the Google Play store sometimes it misses them until notified by third-party malware researchers. Even though relatively few users are actually affected by Android malware, each bad app that sneaks into the Play Store creates an impression that Google isn’t doing enough.

Meanwhile, users don’t see that it actually has anti-malware features buried in the background, such as Verify apps, a part of Google Play Services that can scan installed apps for dangerous behavior, prevent users installing known harmful apps, and even remove malicious apps without require user action.

Google’s Play Protect aims to tackle this. It is part of the Google Play app and is designed to give users greater visibility into their device security. The feature appears to a rebranding of Verify Apps but now more prominently placed in the Google Play app.

Play Protect is aided by Google’s machine learning, which is trained to look for harmful apps based on scans of 50 billion apps each day. Apps are analysed before appearing on the Play Store, then Play Protect monitors apps for misbehavior once installed on the device, running automatically in the background.

Google is also making Find My Device part of Google Play Protect. This used to be called Android Device Manager and is still available as a standalone app under the new name. The app still helps users find and track a lost device, but as noted by Android Police, it got a much needed redesign, including a new icon, a friendlier interface, a new battery and Wi-Fi status indicator, and details about the last known location of the device.

The more prominent security feature coincides with a larger project at Google to fix Android’s nagging version fragmentation problem. Google now counts two billion active Android devices, but just 7.1 percent run Android 7.0 Nougat some 10 months after its release. Non-Google phones usually take months or more to get the latest version of Android.

And while carriers and handset makers are often blamed, a key link in the chain to delivering these updates are chipmakers like Qualcomm, which need to customize parts of Android to support their processors.

 

Under Treble, Google is by carving out the code that chipmakers customize to help reduce friction as Android moves between players in the ecosystem.

The project aims to cut down the months it takes to get new versions of Android on to existing phones. For example, T-Mobile only today released Nougat for the Galaxy S6 edge+.

Treble won’t completely solve the problem, as carriers and handset makers still need to deliver updates, but it still could result in a faster rollout for Android O.

Google to Tighten OAuth Rules to Block Phishing Attempts After Fake Docs Attack

Last week, people were receiving emails containing a fake Google Docs link that appeared to come from someone they knew. Upon tapping the link, the user was taken to a page where they were asked to give permissions go Google Docs. This, however, wasn’t the actual Google Docs coming from the Mountain View company, but a fake tool that sought to get account permissions.

Google dealt with the problem within an hour of getting the first reports, but by then plenty of people had tapped the link. Thankfully, removing permissions for the app was quite simple.

The bogus app used Google’s very own OAuth implementation to request access to the Gmail accounts of those targeted. Once the permission was granted, it sent the same phishing email to the victim’s contacts.

This is not a new technique used by the hackers. In fact, even Fancy Bear hackers who are responsible for the US and French election hacks, used the same technique.

More work to be done

Despite some of these incidents falling through the cracks, Google does have some mechanism to combat this type of phishing attack, such as machine-learning spam detection, the Safe Browsing system, as well as anti-virus scans on attachments. The company, however, will now also update its policies and enforcement on OAuth apps.

“We’re taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users,” said Mark Risher, director of Google’s Counter Abuse Technology.

According to Risher, fewer than 0.1% of users were affected by this attack.