Rules on deepfakes take hold in the US

For years, an annual, must-pass federal spending bill has served as a vehicle for minor or contentious provisions that might otherwise falter in standalone legislation, such as the prohibition of new service member uniforms, or the indefinite detainment of individuals without trial.

In 2019, that federal spending bill, called the National Defense Authorization Act (NDAA), once again included provisions separate from the predictable allocation of Department of Defense funds. This time, the NDAA included language on deepfakes, the machine-learning technology that, with some human effort, has created fraudulent videos of UK political opponents Boris Johnson and Jeremy Corbyn endorsing one another for Prime Minister.

Matthew F. Ferraro, a senior associate at the law firm WilmerHale who advises clients on national security, cyber security, and crisis management, called the deepfakes provisions a “first.”

“This is the first federal legislation on deepfakes in the history of the world,” Ferraro said about the NDAA, which was signed by the President into law on December 20, 2019.

But rather than creating new policies or crimes regarding deepfakes—like making it illegal to develop or distribute them—the NDAA asks for a better understanding of the burgeoning technology. It asks for reports and notifications to Congress.

Per the NDAA’s new rules, the US Director of National Intelligence must, within 180 days, submit a report to Congress that provides information on the potential national security threat that deepfakes pose, along with the capabilities of foreign governments to use deepfakes in US-targeted disinformation campaigns, and what countermeasures the US currently has or plans to develop.

Further, the Director of National Intelligence must notify Congress each time a foreign government has launched, is launching, or plans to launch a disinformation campaign using deepfakes or “machine-generated text,” like that produced by online bots that impersonate humans.

Lee Tien, senior staff attorney for Electronic Frontier Foundation, said that, with any luck, the DNI report could help craft future, informed policy. Whether Congress will actually write any legislation based on the DNI report’s information, however, is a separate matter.

“You can lead a horse to water,” Tien said, “but you can’t necessarily make them drink.”

With the NDAA’s passage, Malwarebytes is starting a two-part blog on deepfake legislation in the United States. Next week we will explore several Congressional and stateside bills in further depth.

The National Defense Authorization Act

The National Defense Authorization Act of 2020 is a sprawling, 1,000-plus page bill that includes just two sections on deepfakes. The sections set up reports, notifications, and a deepfakes “prize” for research in the field.

According to the first section, the country’s Director of National Intelligence must submit an unclassified report to Congress within 180 days that covers the “potential national security impacts of machine manipulated media (commonly known as “deepfakes”); and the actual or potential use of machine-manipulated media by foreign governments to spread disinformation or engage in other malign activities.”

The report must include the following seven items:

  • An assessment of the technology capabilities of foreign governments concerning deepfakes and machine-generated text
  • An assessment of how foreign governments could use or are using deepfakes and machine-generated text to “harm the national security interests of the United States”
  • An updated identification of countermeasure technologies that are available, or could be made available, to the US
  • An updated identification of the offices inside the US government’s intelligence community that have, or should have, responsibility on deepfakes
  • A description of any research and development efforts carried out by the intelligence community
  • Recommendations about whether the intelligence community needs tools, including legal authorities and budget, to combat deepfakes and machine-generated text
  • Any additional info that the DNI finds appropriate

The report must be submitted in an unclassified format. However, an annex to the report that specifically addresses the technological capabilities of the People’s Republic of China and the Russian Federation may be classified.

The NDAA also requires that the DNI notify the Congressional intelligence committees each time there is “credible information” that an identifiable, foreign entity has used, will use, or is currently using deepfakes or machine-generated text to influence a US election or domestic political processes.

Finally, the NDAA also requires that the DNI set up what it calls a “deepfakes prize competition,” in which a program will be established “to award prizes competitively to stimulate the research, development, or commercialization of technologies to automatically detect machine-manipulated media.” The prize amount cannot exceed $5 million per year.

As the first, approved federal language on deepfakes, the NDAA is rather non-controversial, Tien said.

“Politically, there’s nothing particularly significant about the fact that this is the first thing that we’ve seen the government enact in any sort of way about [deepfakes and machine-generated text],” Tien said, emphasizing that the NDAA has been used as a vehicle for other report-making provisions for years. “It’s also not surprising that it’s just reports.”

But while the NDAA focuses only on research, other pieces of legislation—including some that have become laws in a couple of states—directly confront the assumed threat of deepfakes to both privacy and trust.

Pushing back against pornographic and political deception

Though today feared as a democracy destabilizer, deepfakes began not with political subterfuge or international espionage, but with porn.

In 2017, a Reddit user named “deepfakes” began posting short clips of nonconsensual pornography that mapped the digital likenesses of famous actresses and celebrities onto the bodies of pornographic performers. This proved wildly popular.

In little time, a dedicated “subreddit”—a smaller, devoted forum—was created, and increasingly more deepfake pornography was developed and posted online. Two offshoot subreddits were created, too—one for deepfake “requests,” and another for fulfilling those requests. (Ugh.)

While the majority of deepfake videos feature famous actresses and musicians, it is easy to imagine an abusive individual making and sharing a deepfake of an ex-partner to harm and embarrass them.  

In 2018, Reddit banned the deepfake subreddits, but the creation of deepfake material surged, and in the same year, a new potential threat emerged.

Working with producers at Buzzfeed, comedian and writer Jordan Peele helped showcase the potential danger of deepfake technology when he lent his voice to a manipulated video of President Barack Obama.

“We’re entering an era in which our enemies can make anyone say anything at any point in time, even if they would never say those things,” Peele said, posing as President Obama.

This year, that warning gained some legitimacy, when a video of Speaker of the House of Representatives Nancy Pelosi was slowed down to fool viewers into thinking that the California policymaker was either drunk or impaired. Though the video was not a deepfake because it did not rely on machine-learning technology, its impact was clear: It was viewed by more than 2 million people on Facebook and shared on Twitter by the US President’s personal lawyer, Rudy Giuliani.

These threats spurred lawmakers in several states to introduce legislation to prohibit anyone from developing or sharing deepfakes with the intent to harm or deceive.

On July 1, a Virginia law took effect that makes the distribution of nonconsensual pornographic videos, real or faked, a Class 1 misdemeanor. On September 1, a Texas law took effect that prohibits making and sharing deepfake videos with the intent to harm a political candidate running for office. In October, California Governor Gavin Newsom signed Assembly Bills 602 and 730, which, respectively, make it illegal to create and share nonconsensual deepfake pornography and to try to influence a political candidate’s run for office with a deepfake released within 60 days of an election.

Along the way, Congressional lawmakers in Washington, DC, have matched the efforts of their stateside counterparts, with one deepfake bill clearing the House of Representatives and another deepfake bill clearing the Senate.

The newfound interest from lawmakers is a good thing, Ferraro said.

“People talk a lot about how legislatures are slow, and how Congress is captured by interests, or it’s suffering ossification, but I look at what’s going on with manipulated media, and I’m filled with some sense of hope and satisfaction,” Ferraro said. “Both houses have reacted quickly, and I think that should be a moment of pride.”

But the new legislative proposals are not universally approved. Upon the initial passage of California’s AB 730, the American Civil Liberties Union urged Gov. Newsom to veto the bill.

“Despite the author’s good intentions, this bill will not solve the problem of deceptive political videos; it will only result in voter confusion, malicious litigation, and repression of free speech,” said Kevin Baker, ACLU legislative director.

Another organization that opposes dramatic, quick regulation on deepfakes is EFF, which wrote earlier in the summer that “Congress should not rush to regulate deepfakes.”

Why then, does EFF’s Tien welcome the NDAA?

Because, he said, the NDAA does not introduce substantial policy changes, but rather proposes a first step in creating informed policy in the future.

“From an EFF standpoint, we do want to encourage folks to actually synthesize the existing knowledge and to get to some sort of common ground on which people can then make policy choices,” Tien said. “We hope the [DNI report] will be mostly available to the public, because, if the DNI actually does what they say they’re going to do, we will learn more about what folks outside the US are doing [on deepfakes], and both inside the US, like efforts funded by the Department of Defense or by the intelligence community.”

Tien continued: “To me, that’s all good.”

Wait and see

The Director of National Intelligence has until June to submit their report on deepfakes and machine-generated text. But until then, more states, such as New York and Massachusetts, may forward deepfake bills that were already introduced last year.

Further, as deepfakes continue to be shared online, more companies may have to grapple with how to treat them. Just last week, Facebook announced a new political deepfake policy that many argue does little to stop the wide array of disinformation posted on the platform.

Join us next week, when we take a deeper look at current Federal and statewide deepfake legislation and at the tangential problem of fraudulent, low-tech videos now referred to as “cheapfakes.”

The post Rules on deepfakes take hold in the US appeared first on Malwarebytes Labs.

How to prevent a rootkit attack

If you’re ever at the receiving end of a rootkit attack, then you’ll understand why they are considered one of the most dangerous cyberthreats today.

Rootkits are a type of malware designed to stay undetected on your computer. Cybercriminals use rootkits to remotely access and control your machine, burrowing deep into the system like a latched-on tick. Rootkits typically infect computers via phishing email, fooling users with a legitimate-looking email that actually contains malware, but sometimes they can be delivered through exploit kits.

This article provides an overview of the different types of rootkits and explains how you can prevent them from infecting your computer.

What is a rootkit?

Originally, a rootkit was a collection of tools that enabled administrative access to a computer or network. Today, rootkits are associated with a malicious type of software that provides root-level, privileged access to a computer while hiding its existence and actions. Hackers use rootkits to conceal themselves until they decide to execute their payload.

In addition, rootkits can deactivate anti-malware and antivirus software and tamper with user-mode applications. Attackers also use rootkits to spy on user behavior, launch DDoS attacks, escalate privileges, and steal sensitive data.

Possible outcomes of a rootkit attack

Today, malware authors can easily purchase rootkits on the dark web and use them in their attacks. The list below explores some of the possible consequences of a rootkit attack.

Sensitive data stolen

Rootkits enable hackers to install additional malicious software that steals sensitive information, like credit card numbers, social security numbers, and user passwords, without being detected.

Malware infection

Attackers use rootkits to install malware on computers and systems without being detected. Rootkits conceal the malicious software from any existing anti-malware or antivirus, often de-activating security software without user knowledge. As a result of deactivated anti-malware and antivirus software, rootkits enable attackers to execute harmful files on infected computers.

File removal

Rootkits grant access to all operating system files and commands. Attackers using rootkits can easily delete Linux or Windows directories, registry keys, and files.


Eavesdropping

Cybercriminals leverage rootkits to exploit unsecured networks and intercept personal user information and communications, such as emails and messages exchanged via chat.

Remote control 

Hackers use rootkits to remotely access and change system configurations. Then hackers can change the open TCP ports inside firewalls or change system startup scripts. 

Types of rootkit attacks

Attackers can install different rootkit types on any system. Below, you’ll find a review of the most common rootkit attacks.

Application rootkits

Application rootkits replace legitimate program files on your computer with trojanized copies. These rootkits infect standard programs like Microsoft Office, Notepad, or Paint, so attackers regain access to your computer every time you run those programs. Antivirus programs can usually detect them, since both the rootkit and the antivirus operate at the application layer.
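Because an application rootkit works by swapping a trusted program for a modified one, the classic check is a file integrity baseline: hash every file once from a known-good state, keep the baseline somewhere the attacker cannot edit, and diff against a fresh scan later. The example below is added here and is not code from the original post; the install directory, file names and contents in `demo()` are constructed to show a replaced program and a dropped companion DLL.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under `root` (path relative to root) to its hash, size and permission bits.
    Symlinks are recorded by target rather than followed, so a rootkit cannot satisfy the check
    by pointing a trusted name at a clean file somewhere else."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                baseline[rel] = {"symlink": os.readlink(path)}
                continue
            st = os.stat(path)
            baseline[rel] = {"sha256": hash_file(path), "size": st.st_size, "mode": oct(st.st_mode)}
    return baseline


def compare(baseline, current):
    """Diff two baselines. A replaced program shows up as modified even if the attacker faked
    its size and timestamps, because the hash of its contents changed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a fake install directory, then 'infect' it the way an
    application rootkit would (overwrite one program, drop a new DLL) and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "notepad.exe"), "wb") as fh:
            fh.write(b"MZ clean notepad")
        with open(os.path.join(root, "bin", "mspaint.exe"), "wb") as fh:
            fh.write(b"MZ clean paint")
        # In practice the baseline is written to read-only or off-host storage; JSON keeps it portable.
        saved = json.dumps(build_baseline(root))

        with open(os.path.join(root, "bin", "notepad.exe"), "wb") as fh:
            fh.write(b"MZ trojanized notepad")  # same name, different contents
        with open(os.path.join(root, "bin", "hook.dll"), "wb") as fh:
            fh.write(b"MZ injected hook")       # dropped next to the program it hooks

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat a practitioner should keep in mind: a kernel-level rootkit can lie to this scanner about file contents, so the baseline is only as trustworthy as the system it was taken on, and the comparison scan is best run from clean rescue media against the unmounted disk.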

Kernel rootkits

Attackers use these rootkits to change the functionality of the operating system itself by loading malicious code into the kernel, typically as a driver or loadable kernel module. From there the rootkit can hook system calls to hide its files, processes, and network connections from every program running on the machine, including security software, which makes stealing personal information easy.

Bootloader rootkits

The bootloader is responsible for loading the operating system on a computer. These rootkits replace the original bootloader with an infected one. This means that bootloader rootkits are active before the operating system, and any security software it runs, is loaded. (Secure Boot, which verifies the bootloader’s signature before running it, exists to block exactly this.)

Hardware and firmware rootkits

This kind of rootkit installs itself in firmware: the BIOS or UEFI, hard drive or SSD firmware, routers, or network cards. Because firmware runs before the operating system and is not touched by a disk wipe, a firmware rootkit survives reinstalling the OS.

Virtualized rootkits

Virtualized rootkits take advantage of virtual machines in order to control operating systems. They were developed by security researchers in 2006 as a proof of concept.

These rootkits load a thin hypervisor before the operating system starts and then run the original OS as a guest inside a virtual machine. Because the rootkit sits beneath the operating system at a higher privilege level, nothing running inside the OS can see it directly, which makes virtualized rootkits very hard to detect.

How to prevent a rootkit attack

Rootkit attacks are dangerous and harmful, but they need a foothold first: a user launching the malicious software that carries the rootkit, or an exploit doing it for them. The tips below outline the basic steps you should follow to prevent rootkit infection.

Scan your systems

Rootkit scanners are programs that examine a system for signs of an active rootkit and remove what they find.

Rootkit scanners are usually effective in detecting and removing application rootkits. However, they are much weaker against kernel, bootloader, or firmware rootkits, because a rootkit that controls the kernel can hide from any scanner running on the same compromised OS. The reliable way to scan for one is while the rootkit is inactive: boot from trusted rescue media (or, at minimum, safe mode) and scan the disk offline.

Because of these limitations, security experts warn that a single scanner cannot guarantee the complete security of a system, and many advise using multiple scanners and rootkit removers. For a rootkit at the bootloader level, back up your data and reinstall the entire operating system from trusted media. A firmware rootkit survives a reinstall, so the firmware itself must be reflashed from a vendor image, or the hardware replaced.
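One way to catch a kernel rootkit from inside the running system, short of an offline scan, is a cross-view comparison: list processes the way ps does (through /proc, which a hooked kernel can filter) and then ask the kernel directly about every possible PID, which it answers honestly unless the rootkit also hooks that path. The example below is added here and is not code from the original post; it assumes a Linux system with /proc mounted. Collecting thread IDs as well as process IDs is deliberate: kill(tid, 0) succeeds for threads too, and without that step every multithreaded program would be reported as hidden.

```python
import os


def listed_ids():
    """Process and thread IDs as the kernel reports them through /proc. This is the view that
    ps, top and most scanners rely on, and the one a kernel rootkit typically filters."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            # Threads answer kill(tid, 0) as well, so collect them or they would look hidden.
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # process exited while we were walking /proc
    return ids


def probed_ids(max_id, start=1):
    """Brute-force view: kill(id, 0) delivers no signal but reports whether the ID exists.
    ESRCH means 'no such process'; EPERM means it exists but belongs to another user."""
    found = set()
    for pid in range(start, max_id + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_ids(listed, probed):
    """IDs the kernel admits exist when asked directly but does not show in /proc."""
    return sorted(probed - listed)


def scan(max_id=None):
    """Cross-view comparison. /proc is listed both before and after the probe so that processes
    born or exited during the probe are not reported as hidden."""
    if max_id is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_id = int(fh.read())
    before = listed_ids()
    probed = probed_ids(max_id)
    after = listed_ids()
    return hidden_ids(before | after, probed)


def self_check():
    """True when this process appears in both views; None if there is no /proc to look at."""
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    return me in listed_ids() and me in probed_ids(me, start=me)


if __name__ == "__main__":
    print("possibly hidden:", scan())
```

An empty result is not proof of a clean system, since a rootkit can hook the signal path as well as the /proc listing; a non-empty result, after re-running to rule out a race, is strong evidence that something is hiding and warrants the offline scan described above.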

Avoid phishing attempts

Phishing is a type of social engineering attack in which hackers use email to deceive users into clicking on a malicious link or downloading an infected attachment.

The fraudulent email can be anything, from Nigerian prince scams asking to reclaim gold to fake messages from Facebook requesting that you update your login credentials. The infected attachments can be Excel or Word documents, a regular executable program, or an infected image.

Update your software

Many software programs contain vulnerabilities and bugs that allow cybercriminals to exploit them—especially older, legacy software. Usually, companies release regular updates to fix these bugs and vulnerabilities. But not all vulnerabilities are made public. And once software has reached a certain age, companies stop supporting them with updates.

Ongoing software updates are essential for staying safe and preventing hackers from infecting you with malware. Keep all programs and your operating system up-to-date, and you can avoid rootkit attacks that take advantage of vulnerabilities.

Use next-gen antivirus

Malware authors always try to stay one step ahead of the cybersecurity industry. To counter their progress, you should use antivirus programs that leverage modern security techniques, like machine learning-based anomaly detection and behavioral heuristics. This type of antivirus can flag a rootkit from how it behaves rather than from a known signature, detect the malware, and block it from infecting your system.

Monitor network traffic

Network traffic monitoring techniques analyze network packets in order to identify potentially malicious network traffic. Network analytics can also mitigate threats more quickly while isolating the network segments that are under attack to prevent the attack from spreading.

Rootkit prevention beats clean-up

A rootkit is one of the most difficult types of malware to find and remove. Attackers frequently use them to remotely control your computer, eavesdrop on your network communication, or execute botnet attacks.

This is a nasty type of malware that can seriously affect your computer’s performance and lead to personal data theft. Since it’s difficult to detect a rootkit attack, prevention is often the best defense. Use the tips offered in this article as a starting point for your defense strategy. To ensure continual protection, continue learning. Attacks always change, and it’s important to keep up.


A week in security (January 6 – 12)

Last week on Malwarebytes Labs, we told readers how to check the safety of websites and their related files, explored the shady behavior taking place within the billion-dollar search industry, broke down the top six ways that hackers target retail businesses, and put a spotlight on the ransomware family Phobos.

We also broke a major new story when we discovered that a government-subsidized mobile phone is being shipped with pre-installed, unremovable malware.  

Other cybersecurity news

Stay safe, everyone!


Threat spotlight: Phobos ransomware lives up to its name

Ransomware has hit organizations hard since it became a mainstream tool in cybercriminals’ belts years ago. From massive WannaCry outbreaks in 2017 to industry-focused attacks by Ryuk in 2019, ransomware’s got its hooks in global businesses and shows no signs of stopping. That includes a malware family known as Phobos ransomware, named after the Greek god of fear.

Phobos is another one of those ransomware families that primarily targets organizations by employing tried-and-tested tactics to infiltrate systems. Sometimes called Phobos NextGen and Phobos NotDharma, many consider this ransomware an off-shoot or variant—if not a rip-off—of the Dharma ransomware family, which is also called CrySis. This is attributed to Phobos’ operational and technical likeness to recent Dharma strains.

Phobos ransomware, like Sodinokibi, is sold in the underground in ransomware-as-a-service (RaaS) packages. This means that criminals with little to no technical know-how can create their own ransomware strain with the help of a kit, and organize a campaign against their desired targets.

However, Coveware researchers have noted that, compared to their peers, Phobos operators are “less organized and professional,” which has led to extended ransom negotiations and more complications for Phobos victims retrieving files and systems during the decryption process.

Phobos ransomware infection vectors

Phobos can arrive on systems in several ways: through open or insecure remote desktop protocol (RDP) connections on TCP port 3389, brute-forced RDP credentials, stolen or purchased RDP credentials, and old-fashioned phishing. Phobos operators also use malicious attachments and downloads and exploit unpatched software vulnerabilities to gain access to an organization’s endpoints and network.

Phobos ransomware primarily targets businesses; however, there have been several reports of consumers finding themselves face-to-face with this adversary, too.

Symptoms of Phobos ransomware infection

Systems affected by variants of the Phobos ransomware display the following symptoms:

Presence of ransom notes. Upon infection, Phobos drops two ransom notes, one in plain text (.TXT) and one as an HTML Application (.HTA), a format that Windows runs with mshta.exe. The latter opens automatically after Phobos finishes encrypting files.

The HTA ransom note, which was noted to be a re-branded version of Dharma’s ransom note

Here’s a snippet of the note:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email address 1]

Write this ID in the title of your message [generated ID]

If there is no response from our mail, you can install the Jabber client and write to us in support of [email address 2]

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

As you can see, Phobos operators are requiring victims to contact them in the event of their ransomware infection.

In some notes from other variants, instructions to reach threat actors via Jabber are not included.

Besides the channels through which victims can reach the threat actors, this ransom note also explains how to acquire Bitcoins and how to install the messenger client.

The TXT ransom note is notably shorter than its HTA counterpart, which means that non-tech-savvy victims have to do their own research to understand unfamiliar terms. Note that while it contains the email addresses also found in the HTA file, it doesn’t contain the generated ID.

!!! All of your files are encrypted !!!

To decrypt them send e-mail, to this address: [email address 1]

If there is no response from our mail, you can install the Jabber client and write to us in support of [email address 2]

After the HTA ransom note opens, which supposedly signals the end of Phobos’ encryption run, we have observed that this aggressive ransomware keeps running in the background and encrypts new files that match its target list as they appear. It can do this with or without an Internet connection.

Encrypted files with a long, appended string after the extension name. Phobos encrypts file contents with AES-256 and protects the AES key with RSA-1024, so files cannot be recovered without the operators’ private key. Both Phobos and Dharma implement the same RSA algorithm; however, Phobos calls it through the Windows Crypto API while Dharma uses a third-party static library. Upon encryption, Phobos appends a compound extension to the end of each encrypted file name, in this format:

.id[ID].[email address 1].[added extension]

In the formula, [ID] is the generated ID number specified in the ransom note. It is a two-part alpha-numeric string: the victim ID and the version ID, separated by a dash. [email address 1] is the email address victims are prescribed to use in reaching out to the threat actors. This is also specified in the ransom note. Lastly, [added extension] is an extension that Phobos threat actors decide to associate their ransomware with. Below are known extensions Phobos uses:

  • 1500dollars
  • actin
  • Acton
  • actor
  • Acuff
  • Acuna
  • acute
  • adage
  • Adair
  • Adame
  • banhu
  • banjo
  • Banks
  • Banta
  • Barak
  • bbc
  • blend
  • bqux
  • Caleb
  • Cales
  • Caley
  • calix
  • Calle
  • Calum
  • Calvo
  • com
  • DDoS
  • deal
  • deuce
  • Dever
  • devil
  • Devoe
  • Devon
  • Devos
  • dewar
  • eight
  • eject
  • eking
  • Elbie
  • elbow
  • elder
  • Frendi
  • help
  • karma
  • mamba
  • phobos
  • phoenix
  • PLUT
  • zax

For example, the new file name of sample.bmp after encryption is sample.bmp.id[23043C5D-2394].[email address 1].Caleb.
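Because the appended name carries the victim ID, the version ID and the contact address, a responder can pull campaign details straight out of a directory listing without touching the binary. The parser and triage helper below are added here and are not code from the original post; the file listing and the contact address `contact@example.invalid` are constructed, and the extension list is the one given above.

```python
import re

# Extensions the post lists as used by Phobos.
KNOWN_EXTENSIONS = {
    "1500dollars", "actin", "Acton", "actor", "Acuff", "Acuna", "acute", "adage", "Adair", "Adame",
    "banhu", "banjo", "Banks", "Banta", "Barak", "bbc", "blend", "bqux", "Caleb", "Cales", "Caley",
    "calix", "Calle", "Calum", "Calvo", "com", "DDoS", "deal", "deuce", "Dever", "devil", "Devoe",
    "Devon", "Devos", "dewar", "eight", "eject", "eking", "Elbie", "elbow", "elder", "Frendi",
    "help", "karma", "mamba", "phobos", "phoenix", "PLUT", "zax",
}
_KNOWN_LOWER = {e.lower() for e in KNOWN_EXTENSIONS}

# <original name>.id[<8 hex victim ID>-<4 digit version ID>].[<email>].<extension>
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<version_id>\d{4})\]"
    r"\.\[(?P<email>[^\]]*)\]\.(?P<extension>[^.\\/]+)$",
    re.IGNORECASE,
)


def parse_phobos_name(filename):
    """Return the fields of a Phobos-style encrypted file name, or None if it does not match."""
    m = PHOBOS_NAME.match(filename)
    if not m:
        return None
    fields = m.groupdict()
    fields["known_extension"] = fields["extension"].lower() in _KNOWN_LOWER
    return fields


def triage(filenames):
    """Summarise a listing: which files are encrypted and which victim/version IDs and contact
    addresses appear. A single victim ID across all files means a single infected host; an
    extension outside the known list means a variant worth a closer look."""
    hits = [p for p in (parse_phobos_name(f) for f in filenames) if p]
    return {
        "encrypted": [h["original"] for h in hits],
        "victim_ids": sorted({h["victim_id"].upper() for h in hits}),
        "version_ids": sorted({h["version_id"] for h in hits}),
        "emails": sorted({h["email"] for h in hits}),
        "unknown_extensions": sorted({h["extension"] for h in hits if not h["known_extension"]}),
    }


# Constructed directory listing after an infection (not real data).
SAMPLE_LISTING = [
    "sample.bmp.id[23043C5D-2394].[contact@example.invalid].Caleb",
    "budget 2020.xlsx.id[23043C5D-2394].[contact@example.invalid].Caleb",
    "info.hta",   # the ransom note itself is not encrypted
    "boot.ini",   # one of the OS files Phobos skips
    "archive.tar.gz.id[23043C5D-2394].[contact@example.invalid].newext",  # extension not in the list
]


def run_sample():
    return triage(SAMPLE_LISTING)


if __name__ == "__main__":
    print(run_sample())
```

Matching is case-insensitive on the `id` marker and on the extension because the extension list above mixes cases; the original name is taken greedily up to the last `.id[` so names that themselves contain dots (`archive.tar.gz`) survive intact.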

Phobos encrypts files with the following extensions:

However, it skips the following OS files, as well as everything in the C:\Windows folder:

  • boot.ini
  • bootfont.bin
  • ntldr
  • io.sys

Phobos fully encrypts files of typical size. For large files, however, it uses a different strategy and encrypts only selected portions of the file. This severely cuts down the time it takes to encrypt large files while still rendering them unusable, and it maximizes the damage to such a file if something goes wrong with its decryption.

This ransomware attacks files in all local drives as well as network shares.

Terminated processes. Phobos ransomware is known to terminate the following active processes on affected systems so that no programs can stop it from accessing files to eventually encrypt:

Deleted shadow copies and local backups. Like Sodinokibi and other ransomware families, Phobos deletes shadow copies and backup copies of files to prevent users from restoring encrypted files, thus, forcing them to do the threat actors’ bidding.

Systems not booting in recovery mode. Recovery mode is built into Windows: if a crash or corruption leaves the system unusable, users can use it to repair the OS or roll it back to its last known good state. Phobos removes this option by disabling recovery mode, so that it cannot be used to undo the damage.

Disabled firewall. Phobos turns off the Windows firewall, so traffic that the firewall would normally block can reach the affected system.

Protect your system from Phobos ransomware

Malwarebytes’ signature-less detection, coupled with real-time anti-malware and anti-ransomware technology, identifies and protects consumer and business users from Phobos ransomware in various stages of attack.

We recommend both consumers and IT administrators take the following actions to secure and mitigate against Phobos ransomware attacks:

  • Configure your RDP server, which is built into the Windows OS, to deny access from public IPs to TCP port 3389, the default port Windows Remote Desktop listens on. If you or your organization have no need for RDP, it is better to disable the service altogether. Critical systems or systems with sensitive information should not have RDP enabled.
  • Along with RDP port blocking, we also suggest blocking TCP port 445, the default port Server Message Block (SMB) uses on a Windows-based LAN, at the network perimeter. Note that you or your organization may have to do in-depth testing to see how your systems and/or programs are affected by this block. As a rule of thumb, block all unused ports.
  • Allow RDP access only from IPs that are under your or your organization’s control.
  • Enable the logging of RDP access attempts and review the logs regularly to detect potential intrusions.
  • Enforce the use of strong passwords and account lockout policies for Active Directory domains and local Windows accounts.
  • Enforce multi-factor authentication (MFA) for RDP and local account logons whenever possible.
  • Enforce the use of a virtual private network (VPN) if your organization allows employees to work remotely.
  • Come up with and implement a sound backup strategy, including offline or otherwise unreachable copies, since Phobos deletes the shadow copies and local backups it can find.
  • Maintain an inventory of running services and applications on your systems, and review it regularly. For critical systems, it’s best to have active monitoring and alerting in place.
  • Have a disaster recovery plan in place in case a breach via RDP succeeds.
  • Keep all your software, including OS and anti-malware, up-to-date.
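Logging RDP attempts only pays off if someone looks at the logs, and the pattern to look for is the one the infection-vector section describes: a burst of failed logons from one address, followed by a success. The detector below is added here and is not code from the original post; it runs over a constructed CSV export of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive), with the timestamps, accounts and addresses all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE, SUCCESS = "4625", "4624"
# Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication is on, the
# pre-session credential check fails as a type 3 (network) logon instead, so count both.
RDP_LOGON_TYPES = {"10", "3"}


def parse_events(lines):
    """Parse 'time,event_id,logon_type,account,source_ip' rows into dicts, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, source = [f.strip() for f in line.split(",")]
        events.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "account": account, "source": source})
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed RDP logons per source address. Crossing the threshold
    raises a medium alert; a successful logon from that address while the burst is still inside
    the window raises a high alert naming the account, because that is a likely compromise."""
    failures = defaultdict(deque)  # source -> times of failures still inside the window
    alerted = set()                # sources already reported for their current burst
    alerts = []
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src, recent = e["source"], failures[e["source"]]
        while recent and e["time"] - recent[0] > window:
            recent.popleft()
        if len(recent) < threshold:
            alerted.discard(src)   # burst aged out; a new one may be reported again
        if e["event_id"] == FAILURE:
            recent.append(e["time"])
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"severity": "medium", "time": e["time"], "source": src,
                               "reason": f"{len(recent)} failed RDP logons within {window}"})
        elif e["event_id"] == SUCCESS and len(recent) >= threshold:
            alerts.append({"severity": "high", "time": e["time"], "source": src,
                           "account": e["account"],
                           "reason": f"successful RDP logon after {len(recent)} failures"})
    return alerts


# Constructed Security-log export (not real data): one password-spraying source that
# eventually gets in as jsmith, one user who mistyped a password once, one local logon.
SAMPLE_LOG = """\
# time,event_id,logon_type,account,source_ip
2020-01-10T02:14:01,4625,10,administrator,203.0.113.45
2020-01-10T02:14:03,4625,10,admin,203.0.113.45
2020-01-10T02:14:05,4625,10,backup,203.0.113.45
2020-01-10T02:14:06,4625,10,scanner,203.0.113.45
2020-01-10T02:14:08,4625,10,jsmith,203.0.113.45
2020-01-10T02:14:10,4625,10,jsmith,203.0.113.45
2020-01-10T02:15:42,4624,10,jsmith,203.0.113.45
2020-01-10T08:30:00,4625,10,mlee,192.0.2.10
2020-01-10T08:30:20,4624,10,mlee,192.0.2.10
2020-01-10T09:00:00,4624,2,svc_backup,-
"""


def run_sample():
    return detect_rdp_bruteforce(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"].upper(), alert["time"], alert["source"], alert["reason"])
```

The threshold and window are deliberately loose; the point is that the high-severity case (failures then success from the same address) is the one to page on, while the medium case mostly confirms the address should already have been blocked at the perimeter.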

On a final note, if you have all your personal or organization resources properly locked down and secured, and you or your organization adhere to good cyber hygiene practices, there is little to be feared about Phobos or any ransomware in general.

Indicators of Compromise (IOCs)

  • e59ffeaf7acb0c326e452fa30bb71a36
  • eb5d46bf72a013bfc7c018169eb1739b
  • fa4c9359487bbda57e0df32a40f14bcd

Have a threat-free 2020, everyone!


United States government-funded phones come pre-installed with unremovable malware

A United States–funded mobile carrier that offers phones via the Lifeline Assistance program is selling a mobile device pre-installed with not one, but two malicious applications. Assurance Wireless by Virgin Mobile offers the UMX U686CL phone as its most budget-conscious option. At only $35 under the government-funded program, it’s an attractive offering. However, what it comes installed with is appalling.

Not just malicious, but pre-installed

In October 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious. We purchased a UMX U686CL to better assist our customers and verify their claims.

We informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware. After giving them adequate time to respond, we unfortunately never heard back. Here’s what we discovered.

The first questionable app found on the UMX U686CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device; in fact, it’s the only way to update the mobile device’s operating system (OS). But it is also capable of auto-installing apps without user consent.

Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.

From the moment you log into the mobile device, Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own. While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time. 

Not just pre-installed, but unremovable

It’s with great frustration that I must write about yet another unremovable pre-installed malicious app found on the UMX U686CL phone: the mobile device’s own Settings app functions as heavily obfuscated malware that we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.

Android/Trojan.Dropper.Agent.UMX shares characteristics with two other variants of known mobile Trojan droppers. The first characteristic is that it uses the same receiver and service names. The receiver name ends with ALReceiver and the service name ends with ALAJobService. These names alone are too generic to make a solid correlation. But coupled with the fact that the code is almost identical, we can confidently confirm a match.

The only difference between the two code bases is their variable names. The more discernible variant of this malware uses Chinese characters for variable names. Therefore, we can assume the origin of this malware is China.

Variant of malware with Chinese variable names

The second characteristic it shares is containing an encoded string within the code. Decoding this string reveals a hidden library file named

Decoded string with

Let’s take some time to look at how the code flows while decoding. It first grabs the encoded string and decodes it using Base64 decoding.

Encoded string

Base64 decoding

It then loads the decoded library into memory using DexClassLoader.

DexClassLoader loading decoded string

After the library is loaded into memory, it then drops another piece of malware known as Android/Trojan.HiddenAds.
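The decode-then-load pattern described above leaves a fingerprint that can be hunted for statically: a long Base64 string literal in the decompiled code that, once decoded, begins with the header of a DEX, JAR or ELF file. Below is an added example of such a scanner; it is not code from the post or from the UMX firmware, and the Java source it scans is a constructed sample containing a fake DEX header rather than the dropper's real strings.

```python
"""Flag Base64 string literals in decompiled Android code that decode to an
executable payload (DEX, JAR/ZIP or ELF).

Added example (not code from the Malwarebytes post or the UMX firmware);
the sample source below is constructed and contains a fake DEX header,
not the dropper's real strings.
"""
import base64
import binascii
import re

# Leading bytes of the payload formats a dropper typically hides and later
# hands to DexClassLoader (DEX, JAR) or System.load (ELF).
MAGIC = {
    b"dex\n": "DEX (loadable via DexClassLoader)",
    b"PK\x03\x04": "ZIP/JAR (loadable via DexClassLoader)",
    b"\x7fELF": "ELF native library",
}

# A Java/Smali string literal consisting only of Base64 alphabet characters
# (standard or URL-safe), at least 32 characters long; shorter literals are
# almost never a payload and would only produce noise.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=_-]{32,})"')


def classify(blob: bytes):
    """Return a label for a known executable format, or None."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return None


def decode_literal(literal: str):
    """Strictly decode a standard or URL-safe Base64 literal; None on failure."""
    try:
        return base64.b64decode(literal.replace("-", "+").replace("_", "/"),
                                validate=True)
    except (binascii.Error, ValueError):
        return None


def find_hidden_payloads(source: str):
    """Return a list of (line_no, label, decoded_length) for every literal
    that decodes to a known executable format."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for literal in B64_LITERAL.findall(line):
            blob = decode_literal(literal)
            if blob is None:
                continue
            label = classify(blob)
            if label:
                hits.append((line_no, label, len(blob)))
    return hits


# Constructed sample: a fake DEX header padded to 36 bytes next to a benign
# Base64 string (plain text) that must not be flagged.
FAKE_DEX = base64.b64encode(b"dex\n035\x00" + b"\x00" * 28).decode()
BENIGN = base64.b64encode(
    b"just a harmless configuration string, nothing here").decode()
SAMPLE_SOURCE = f'''
public class Loader {{
    private static final String A = "{FAKE_DEX}";
    private static final String B = "{BENIGN}";
    // the dropper would pass Base64.decode(A, 0) to a DexClassLoader
}}
'''

if __name__ == "__main__":
    for line_no, label, size in find_hidden_payloads(SAMPLE_SOURCE):
        print(f"line {line_no}: {size}-byte {label}")
```

Run it over the output of a decompiler (or the `strings` of the APK's classes.dex) rather than the APK itself; a hit on a Settings app, which has no business carrying a second DEX, is exactly the kind of finding this post describes.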

Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device.

The malware origin

In addition to the malware being of Chinese origin, it’s noteworthy to mention that this UMX mobile device is made by a Chinese company as well. This could simply be a coincidence rather than malicious intent—we cannot confirm if the makers of the device are aware there is Chinese malware pre-installed.

No current resolution

Although we do have a way to uninstall pre-installed apps for current Malwarebytes users, doing so on the UMX has consequences. Uninstall Wireless Update, and you could be missing out on critical updates for the OS. We think that’s worth the tradeoff, and suggest doing so. 

But uninstall the Settings app, and you just made yourself a pricey paperweight. We do offer an attempt to remediate such pre-installed malware in our blog: The new landscape of pre-installed mobile malware: malicious code within. See section: Attempting to remediate.

Pre-installed malware getting worse, as foreshadowed

As I have highlighted in this blog and blogs past, pre-installed malware continues to be a scourge for users of mobile devices. But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behavior by app development companies.

Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision at Malwarebytes.

Final words on UMX U686CL

Having an actual UMX U686CL in my hands, I can tell you it is not a bad phone. It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget. 

It’s important to realize that UMX isn’t alone. There are many reports of budget manufacturers’ devices coming pre-installed with malware, and these reports are increasing in number. Although I don’t have the answer to this widespread issue, I can say that US citizens using the Lifeline Assistance Program and many others on a tight budget deserve more. Stay safe out there.

The post United States government-funded phones come pre-installed with unremovable malware appeared first on Malwarebytes Labs.

6 ways hackers are targeting retail businesses

Retail hacking is no new phenomenon, although it has increased in frequency over the last few years. In fact, retailers experienced more breaches than any other industry in 2019, and they’ve lost over $30 billion to cybersecurity attacks.

Both brick-and-mortar and online businesses experience retail hacking. Cybercriminals must often work harder to access online stores because these companies’ reputations ride on secure transactions. However, they’re not exempt from the flood of break-ins that happen during high-volume shopping seasons, including back-to-school, Black Friday, and the winter holidays.

Last-minute shoppers become the victims of retail hackers looking for simple ways in. Many consumers rush to buy gifts before the holidays sneak up on them, meaning they’re less diligent about scams and fraudulent sites. Shoppers might be willing to visit stores and webpages they’ve never been to before in search of hard-to-find items. Threat actors know this and take advantage of it with scarily authentic scams.

Even though the holidays have passed, shoppers should remain vigilant about scams and retail attacks—especially as web skimmers up the ante with social engineering tactics and evasion methods. Businesses, too, will benefit from strengthening their security protocols and staying up-to-date on the latest hacking methods.

1. Credential stuffing

Retail hackers frequently use credential stuffing, or the use of stolen usernames and passwords, to break into systems because it’s one of the easiest ways to siphon off data. Many people use the same passwords across multiple sites, which leaves them open to invasion. Hackers collect these credentials via purchase from the dark web or databases of personally identifiable information left online after massive breaches, and use them to hack into retailers and buy products.

Chipotle experienced a breach like this earlier in 2019, where customers’ credit cards racked up hundreds of dollars in food purchases. However, many customers argued that their passwords were unique to Chipotle, which begs the question of how else cybercriminals could have accessed their accounts.
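Credential stuffing has a recognisable shape in authentication logs: one source address trying many different accounts in a short span, usually with a low success rate and the occasional hit. The following is an added example of that detection logic, not code from the post; the log format and the sample lines are constructed, so the regular expression will need adapting to a real login event source.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not code from the Malwarebytes post. The log format and the
sample lines are constructed; adapt LOG_RE to your own login event source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a legitimate user mistyping a password twice from one
# address, and one address cycling through six different accounts in under
# ten seconds, one of which succeeds (the signature of a stuffed credential).
SAMPLE_LOG = """\
2019-12-20T10:00:01Z ip=198.51.100.4 user=alice result=FAIL
2019-12-20T10:00:09Z ip=198.51.100.4 user=alice result=FAIL
2019-12-20T10:00:20Z ip=198.51.100.4 user=alice result=OK
2019-12-20T10:01:00Z ip=203.0.113.7 user=bob result=FAIL
2019-12-20T10:01:02Z ip=203.0.113.7 user=carol result=FAIL
2019-12-20T10:01:03Z ip=203.0.113.7 user=dave result=OK
2019-12-20T10:01:05Z ip=203.0.113.7 user=erin result=FAIL
2019-12-20T10:01:06Z ip=203.0.113.7 user=frank result=FAIL
2019-12-20T10:01:08Z ip=203.0.113.7 user=grace result=FAIL
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:            # tolerate unrelated lines in a mixed log
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct_users=5):
    """Flag source IPs that, within any `window`, made at least `min_attempts`
    login attempts spread over at least `min_distinct_users` accounts.

    A single user retrying their own password never trips this, however many
    failures they rack up, because the distinct-account count stays at one.
    Returns {ip: {"attempts": n, "users": [...], "successes": [...]}}.
    """
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in per_ip.items():
        recent = deque()
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:    # slide the window forward
                recent.popleft()
            if (len(recent) >= min_attempts
                    and len({e[2] for e in recent}) >= min_distinct_users):
                flagged[ip] = {
                    "attempts": len(evs),
                    "users": sorted({e[2] for e in evs}),
                    # accounts that saw an OK from this source: reset these first
                    "successes": sorted({e[2] for e in evs if e[3] == "OK"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are deliberately conservative; in production they should be tuned against a baseline, and the `successes` list is the actionable output: those are the accounts whose reused passwords are already known to the attacker and should be reset and notified.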

2. Near field communication (NFC)

Price scanners, cell phones, and card readers are notorious targets for NFC breaches. NFC technology allows customers to use their phones to purchase goods by tapping them against a reader.

Similarly, someone can scan a QR code and gain access to an exclusive app or land on a site where they can purchase items. Though NFC is convenient, retail hackers have little problem intercepting the data from its transactions and stealing information.

Even malware can pass from infected phones to retail systems. NFC technology is prevalent in face-to-face transactions, but more sites are hosting QR codes for users to scan. Hackers generally use several different ways to manipulate data transmitted over a distance:

  • Corruption: They use a third device to intercept a connection between two other electronic devices, which destroys the information being sent.
  • Eavesdropping: Cybercriminals pick up on private information by recording communications between two devices. Using this technique can give someone access to credit cards and other payment information.
  • Modification: The hacker manipulates the data before it reaches its intended source—meaning they can alter important details or inject malware or other harmful components.

3. RAM scraping

RAM scraping is a procedure hackers use to enter point-of-sale software. Every card transaction leaves data in the retailer’s terminal system. This information lasts temporarily as a part of the machine’s RAM, but threat actors can implant POS malware that reads this input before it disappears. By scraping this information, they obtain all the items stored on a card’s tracks—such as the account number, CVN, and expiration date.

The massive Target breach of 2013 is one example of RAM scraping in action. Text strings containing credit card information can remain in a retailer’s database for seconds, minutes, or hours. The longer it stays, the more chances hackers have for grabbing it before it goes.

4. Card readers

The magnetic strips on credit and debit cards make them frequent targets for cybersecurity attacks. Hackers don’t always need to force their way into online accounts—they can glean data from a single card swipe. Card data, which includes PINs and card numbers, remains encrypted until the moment of the swipe. Skilled criminals can take this opportunity to snatch the information and use it for themselves or sell it to others.

Many retailers and card companies have switched to chips instead of magnetic strips. Chips create a unique code that is only used for a single purchase. This form of EMV technology—which stands for Europay, Mastercard, and Visa—makes it harder to duplicate information and use it for subsequent transactions.

5. Web skimming

Web skimmers had quite a year in 2019, helped along by the criminal groups known collectively as Magecart, which were responsible for developing a slew of new techniques for stealing from online retailers and consumers alike.

Web skimmers sneak malware into website codes to glean personal information from customers. All e-commerce sites have a payment page for completing purchases, most of which are securely encrypted. However, those without airtight security are prime targets for web skimmers. This malware is hard to detect—especially for small businesses without advanced tech—and it can affect hundreds of customers at a time, making it a favorite among threat actors.

Skimmers enter sites through a third party, such as a plug-in or an e-commerce page. These entryways are easier to get through because they often contain weaker code structure. (First-party entry commonly happens only to those small sites without strong cybersecurity measures in place.) Once the script infects the webpage, it funnels passwords, social security numbers, and credit card numbers back to the cybercriminals’ servers.

6. Social engineering

Social engineering might sound like a term too vague to be real, but this tactic is one of the oldest in the criminal book, useful for preying on emotions. In the pre-Internet days, someone might dress up as an employee of a department store and pretend to work there to access private information. They might ask other employees for information, knowing that some harried workers will readily supply it so they can return to their tasks. Others might loiter in front of a store and scam people out of cash using the old shoeshine technique.

Online, social engineering looks a bit different for retailers and shoppers. Websites might sell counterfeit goods at too-good-to-be-true prices, then snatch the personal information of customers while they’re at it. Watering hole attack strategies target hundreds of users at a time by analyzing their Internet browsing habits then laying siege at sites known to attract particular user groups, such as mommy blogs, gamers, or foodies. Phishing emails might pose as favorite retailers asking for account updates, while delivering malware or ransomware instead.

Beating web threats

With so many ways to steal information, it’s plain to see why retail cybercriminals often see success during the holidays and otherwise. Although retail hacking runs rampant during high shopping seasons, it doesn’t have to deter shoppers from completing their last-minute purchases. The onus is on businesses to secure their data and build trust with their consumers and partners.

Though no system is entirely unhackable, businesses should follow standard cybersecurity procedures and aim for the best defenses possible. Prioritizing user safety will allow them to build trustworthy relationships with their shoppers.

The post 6 ways hackers are targeting retail businesses appeared first on Malwarebytes Labs.

Dubious downloads: How to check if a website and its files are malicious

A significant amount of malware infections and potentially unwanted program (PUP) irritants are the result of downloads from unreliable sources. There are a multitude of websites that specialize in distributing malicious payloads by offering them up as something legitimate or by bundling the desired installer with additional programs.

In November 2019, we learned that Intel removed old drivers, BIOS updates, and other legacy software from their site. While this software relates to products released in the last century and early years of the 2000s, many users still rely on old Intel products and have been left scrambling for specific downloads.

Users that follow older links to certain drivers and updates will find this instead:

Following the links to search the site or the download center only leads users around in circles—those downloads are gone. While some might argue that it is Intel’s right to remove drivers and updates after a decade, others understand that whenever legacy software is abandoned, a security nightmare ensues.

When users can no longer download files from official sources, desperate people will roam the Internet for a place where they can find the file they need. And what they usually find instead are malicious websites and downloads.

Malvertising using popular downloads

Habitually, threat actors find out which search terms are gaining in popularity as users seek out terminated software downloads and try to lure searchers to their site. They will use SEO techniques to rank high in the search results or may even spend some dollars to show up in the sponsored results for certain keywords. They can hide their malware in malvertising in the form of downloads or even drive-by-downloads, in which users needn’t install a single file, only visit the site, to be infected.

After all, a victim that is desperately looking for a file he needs to get a system up and running again is really all a malware peddler could wish for. All they have to do is make the user of the site believe they have found the file they are looking for. Once they are convinced, they will download and install the alleged driver all by themselves.

All the threat actor has to do is upload the malware under some convincing filename and attract visitors to the site. This is basically the same modus operandi that you will find in use when people go looking for cracks and keygens.

So, what can users do to avoid falling victim to such a scam? A couple of things, as it happens. We will provide you with some checks you can do before you visit the download site. And there are some checks you can perform before you run the downloaded file, too.

Checks you can perform to assess the website

When you have found a site that offers a file for download, there are a few actions you can take to check whether the site is trustworthy. They are:

  • Check for the green padlock
  • Read third-party reviews of the website
  • Use a trusted antivirus or browser extension, such as Browser Guard

Checking for the presence of the green padlock is a good start to ensure a site has purchased a security certificate, but it’s also not a guarantee that the website is safe. SSL certificates are cheap, and your neighborhood cybercriminal knows where to get them practically for free. If you click on the green padlock, you can find out who issued the certificate and for which site.

Recommended reading: Explained: security certificates

There are many websites that offer reviews of download sites and domains, and while many of these sites are reputable, they tend to fall a little bit behind in adding Internet newcomers. Our cybercriminal can afford to dump a domain like a hot potato once it has racked up too many bad reviews, then purchase a new site from which to run his scheme.

In short, you can trust reviews about sites that have been around for a while, but the lack of reviews for a site could mean they only started or they may be up to no good.

Some cybercriminals are brilliant programmers. Most are not. But all the successful ones have one skill in common: They are well-versed in tricking people. So, don’t accept a website as trustworthy just because it features logos of other trustworthy companies on its pages. Logo images are easily found in online searches, and they could be planted on the site for exactly that reason: to gain the visitors’ trust. Logos could also be stolen, unauthorized, or handed out for different reasons than you might expect.

Some browsers and some free applications warn you about shady sites—especially sites they know to be the home of malware and scammers. Malwarebytes Browser Guard, for example, can be installed on Chrome and Firefox, adding to the browsers’ own capabilities to recognize malicious domains and sites.

How do I filter possible malware from the downloaded files?

There are some methods you can use to weed out the bad boys in your download folder:

  • Compare the checksum to the original file
  • Look at the file’s digital signature
  • Run a malware scan

A checksum is a sequence of numbers and letters used to check data for errors. If you know the checksum of the original file, you can compare it to the one you have downloaded. Windows, macOS, and Linux have built-in options to calculate the checksum of a file.

The digital signature of a Windows executable file (a file with an .exe extension) can be verified after the file has been downloaded and saved. In your Downloads folder, right-click the downloaded .exe file and click Properties. Here you can click on the Digital Signatures tab to check whether the downloaded file is signed by the expected party.

Finally, use your anti-malware scanner to double-check that you are not downloading an infected file. You can also use online scanners like VirusTotal, which will also provide you with a SHA-256 hash for the file and save you the trouble of calculating a checksum.
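The checksum comparison described in the first bullet is simple enough to automate, and automating it removes the two mistakes people make by hand: comparing only the first few hex characters, and treating a file with no published checksum as "probably fine". This is an added example, not code from the post; it reads the manifest format written by `sha256sum` and `shasum -a 256` (`<hex>  <filename>`), and the file and manifest in `demo()` are constructed.

```python
"""Verify a downloaded file against a published SHA-256 checksum manifest.

Added example, not code from the Malwarebytes post. The manifest format is
the one written by `sha256sum`/`shasum -a 256` ("<hex>  <filename>"); the
sample file and manifest in demo() are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so large installers never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_manifest(text):
    """Parse '<hex>  <filename>' lines into {filename: hex}. Blank lines and
    '#' comments are skipped; a leading '*' (binary-mode marker) is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue                       # not a SHA-256 line; ignore it
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_download(path, manifest_text):
    """True only when the file's hash matches its manifest entry. A file with
    no entry fails closed: an unknown file is not a verified file."""
    expected = parse_checksum_manifest(manifest_text)
    name = Path(path).name
    if name not in expected:
        return False
    # compare_digest avoids short-circuit timing differences on mismatch
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo():
    """Constructed scenario: the genuine file verifies, then a tampered copy
    under the same name does not. Returns (genuine_ok, tampered_ok)."""
    work = Path(tempfile.mkdtemp())
    installer = work / "legacy_driver_setup.exe"
    installer.write_bytes(b"abc")   # stand-in for the real installer bytes
    manifest = (
        "# constructed manifest; the hex value is SHA-256('abc')\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        "  legacy_driver_setup.exe\n"
    )
    genuine = verify_download(installer, manifest)
    installer.write_bytes(b"abd")   # one byte changed: a swapped download
    tampered = verify_download(installer, manifest)
    return genuine, tampered


if __name__ == "__main__":
    print("genuine verifies: %s, tampered verifies: %s" % demo())
```

The manifest must come from the vendor's own site (or another channel you trust), not from the same mirror that served the file; a checksum hosted next to a malicious download proves only that the download is the one the site owner intended.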

Much ado about what?

All this may seem like a lot of work to those who habitually download files without a worry in the world. However, even the most practiced downloader eventually has their moment of truth—when that downloaded file wrecks their computer or all those bundled applications are harder to remove than expected.

People who download all the time have better instincts about which sites to trust or not, but that doesn’t mean they can’t be fooled. From experience, they know the sites that offer malware under a different filename from the sites that offer clean files. But sometimes, we reach for the shiny golden delicious and, once we take a bite, discover it has a worm.

We don’t all have the stomach or the knowledge to clean an infected computer. And some systems are not ours to put at risk.

Even if you follow all these pointers to the letter, it is still riskier to download files from unknown sites than it is to download from the company that made them. So we would like to urge companies to keep their “old files” available on their own site, even if the number of downloads has dwindled.

Stay safe, everyone!

The post Dubious downloads: How to check if a website and its files are malicious appeared first on Malwarebytes Labs.

Billion-dollar search engine industry attracts vultures, shady advertisers, and cybercriminals

Search engines make money by showing users sponsored advertisements—a lot of money. This attracts attention, competition, and plenty who want a piece of the action without doing the actual work or considering the impact to those on the other end of the search bar. Because in the search business, even the crumbs are interesting.

In this post, we look at the ways in which shady advertisers, cybercriminals, and other vultures try to siphon off profits from the search engine business using sneaky tech tactics that ultimately harm users more than the search engines themselves.

How exactly do search engines make money?

Every time someone clicks on a sponsored advertisement, the requisite search engine earns money on a pay-per-click basis. They are paid by advertisers, who shell out for beneficial placement in the search results for keyword phrases of their choice.

As a result of the popularity of these search engines—Google in particular—US companies spend an estimated $80 billion on search engine optimization (SEO) alone. And the leading search engines are owned by some of the most valuable technology companies around.

Default search engine

Knowing this may make it easier to understand why browser hijackers are so keen on changing the default search engine on your favorite browser. They get a piece of the pie for referrals, and this entices them to use several methods to have your searches run through their hands. If a hijacker manages to change your default search engine to their own, they can profit from your searches.

But there are other profitable ways to interfere with your search results:

  • Newtabs are browser hijackers that open a new tab with a site or page set by the hijacker. These pages usually contain a search bar. The goal is to get the user to enter his queries in that search form instead of searching from the address bar, which would still point to the default search engine.
  • Startpage hijackers change the startpage of the affected browser for very much the same reasons as newtabs, just on different browsers.
  • Searchpage hijackers are mostly browser extensions that can read and change the data on a number of websites. In these cases, the websites are the major search engines. Search hijackers come in a few major flavors:
    • Redirects from major search engines are forced to a site owned by the hijacker. Sometimes the results will be displayed there, but sometimes you get sent back with only a referral added to your query. The referrals are what pays the hijackers.
    • Sponsored results are added to the results retrieved by major search engines and sometimes presented as if you are using a whole new search engine. At other times the changes are so minimal you may never notice.
    • Sponsored results are added to the results of major search engines and presented as if they were the original results.
    • Redirected searches occur from a major search engine to another search engine. The hijacker feeds your query to another engine and adds its referral on the fly.

Each of the above methods is in use by major families of potentially unwanted programs (PUPs) and adware. While neither of these threat categories is considered malware, they inhibit users’ ability to view clean, original search results using the engine of their choice, ultimately interfering in their online experience.

More invasive methods of profiting from search results

Seeing the potential for profit windfall, PUPs and adware have found other, more invasive ways of making money from your searches—methods that interfere with the displayed results. These include:

  • Search result changers that give paying sites a better position without disclosing that they are paid.
  • SEO poisoning that artificially acquires a better page rank.
  • Ad fraud, which dupes advertisers into believing they have displayed their advertisement on affected machines, while the user of such machine may not have noticed anything at all.

Page rank describes how high up in the search results your entry shows up. Higher is generally better, and you certainly want to be on the first page. If people spot a search result likely to fulfill their quest for knowledge on the first page of results, they typically click on that link before even bothering to look at the other pages of results. Many are known to follow the first link beneath the sponsored results.

How do you achieve a good page rank? Search engines use many different algorithms to decide on the order in which to display results, but one of the main criteria is to have lots of incoming links to the webpage, with the understanding that links from reputable sites have heavier weight.

SEO poisoning is hard to do on the major search engines: They’ve seen every trick in the book and are vigilant about banning those tactics as fast as they can. So if you abuse the position of being marked as a reputable site, you might lose it a lot faster than you gained it. It will only render short-term effects, which works for those going for fast cash, but not for long-term business.

Fake privacy extensions

There are many ways to make changes to search engines and search results on a system affected with PUPs or adware, but the most popular method is to seduce victims into installing a browser extension that promises some kind of functionality.

It is typical to see search hijackers promising to guard your online privacy or act as an ad blocker, as both of those plugins require users to grant them permission to view or have control over a wide range of data and computer settings. Because of this, it is important users vet potential privacy extensions and ad blockers thoroughly before downloading.

Example hijackers

Let us show you some examples of the different search hijackers and the permissions they need to pull off their dirty work. I’ll use the permissions prompts for Chrome extensions only, but most of these hijackers also exist in the Firefox realm.

Example 1: Changing default search

change search settings

Your default search settings will be changed, which is a red flag. This type of extension usually promises you some functionality that explains the need for such a permission.

Example 2: Changing results

change results of major search engines

Changing your data in this case means they will alter the search results from the three major search engines: Bing, Google, and Yahoo. The fourth listing is for the origin of this extension.

Example 3: Adding a search bar on the new tab:

change the newtab to something with a search form

The page that gets displayed when you open a new tab will hold a search form that leads to the search site belonging to the extension.

Example 4: The kitchen sink

changes settings and newtab

This extension changes the newtab and the default search; a multi-vector attack so to speak. It also requires other permissions, such as reading browsing history and managing downloads, that I would shy away from for privacy reasons.

Example 5: Adding sponsored results to your Google results:

adds sponsored results to Google

This one fetches the results from Google and then adds a tiny header and a bunch of sponsored results.

Flowsurf indicator
This will be shown next to the sponsored results.
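Every one of the five examples above announces itself in the extension's manifest.json before the permission prompt is ever shown: the default-search change lives under `chrome_settings_overrides.search_provider`, the new-tab replacement under `chrome_url_overrides.newtab`, and result rewriting needs content scripts or host permissions matching the search engines' domains. The script below is an added example of auditing a manifest for those markers; it is not code from the post or from any of the extensions shown, and both manifests it checks are constructed samples.

```python
"""Audit a Chrome extension manifest for search-hijacker behaviour.

Added example, not code from the Malwarebytes post. It reads the standard
manifest.json keys (chrome_settings_overrides, chrome_url_overrides,
content_scripts, permissions/host_permissions); the two manifests below are
constructed samples, not real extensions.
"""
import json

# Hosts of the major search engines whose result pages hijackers rewrite.
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "duckduckgo.")

# Permissions that have nothing to do with "privacy" or "ad blocking" and
# expose browsing history, downloads or every open tab to the extension.
SENSITIVE_PERMISSIONS = {"history", "downloads", "tabs", "webRequest",
                         "webRequestBlocking", "management", "cookies"}

ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict):
    """Return a list of human-readable findings; an empty list means nothing
    in the manifest touches search settings, the new tab, or search pages."""
    findings = []

    overrides = manifest.get("chrome_settings_overrides", {})
    provider = overrides.get("search_provider")
    if provider:
        findings.append("changes the default search engine to %s"
                        % provider.get("search_url", "<unspecified>"))
    if "homepage" in overrides:
        findings.append("changes the home page to %s" % overrides["homepage"])
    if "startup_pages" in overrides:
        findings.append("changes the browser startup pages")

    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.append("replaces the new tab page (typical newtab hijacker)")

    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if any(h in pattern for h in SEARCH_ENGINE_HOSTS):
                findings.append("injects a script into search results: %s"
                                % pattern)

    perms = (list(manifest.get("permissions", []))
             + list(manifest.get("host_permissions", [])))
    for perm in perms:
        if perm in SENSITIVE_PERMISSIONS:
            findings.append("requests sensitive permission: %s" % perm)
        elif perm in ALL_SITES_PATTERNS:
            findings.append("can read and change your data on all websites")
        elif any(h in perm for h in SEARCH_ENGINE_HOSTS):
            findings.append("can read and change your data on a search engine: %s"
                            % perm)
    return findings


def audit_manifest_json(text: str):
    """Convenience wrapper for the raw contents of a manifest.json file."""
    return audit_manifest(json.loads(text))


# Constructed sample modelled on the "kitchen sink" example: search, newtab,
# result injection and privacy-sensitive permissions all in one extension.
HIJACKER_MANIFEST = """{
  "manifest_version": 2,
  "name": "Privacy Shield Search (constructed sample)",
  "version": "1.0",
  "permissions": ["storage", "history", "downloads", "tabs",
                  "*://*.google.com/*", "*://*.bing.com/*", "*://search.yahoo.com/*"],
  "chrome_settings_overrides": {
    "search_provider": {"name": "Shield Search", "keyword": "shield",
                        "search_url": "https://search.example.net/?q={searchTerms}",
                        "encoding": "UTF-8", "is_default": true}
  },
  "chrome_url_overrides": {"newtab": "newtab.html"},
  "content_scripts": [{"matches": ["*://www.google.com/*", "*://www.bing.com/*",
                                   "*://search.yahoo.com/*"], "js": ["inject.js"]}]
}"""

# Constructed sample of an extension that only touches one site and storage.
BENIGN_MANIFEST = """{
  "manifest_version": 3,
  "name": "Dark mode for example.com (constructed sample)",
  "version": "1.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["dark.js"]}]
}"""

if __name__ == "__main__":
    for finding in audit_manifest_json(HIJACKER_MANIFEST):
        print("-", finding)
```

The unpacked manifest of an installed extension is on disk under the browser profile's extensions directory, so this can be run over every extension a user has without trusting the store listing's description.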

Search engine thieves are hard to find

We see a lot of complaints from people wondering what caused their search experience to change and how. Most of the time, it is because of an extension like the examples shown above. Many people don’t realize the extensions are the culprit because they were installed for a different reason, sometimes even from a reputable source or as part of a bundle—sometimes pretending not to install at all. But reading between the lines of the fine print in those permission requests—or just plain reading them at all—can give you insight into how your search engine and browser experience became tangled up in PUPs and adware.

We hope that this post (and a scan from a reputable antivirus program like Malwarebytes or Browser Guard) will help solve those problems in the future.

Stay safe, everyone!

The post Billion-dollar search engine industry attracts vultures, shady advertisers, and cybercriminals appeared first on Malwarebytes Labs.

A week in security (December 30 – January 5)

Last week on Malwarebytes Labs, we took a dive into edge computing, looked at new web skimmer techniques, and rolled our eyes at silly people doing silly things.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (December 30 – January 5) appeared first on Malwarebytes Labs.

Mac threat detections on the rise in 2019

Conventional wisdom has been that, although not invulnerable to cyberthreats (as some old Apple ads would have you believe), Macs are afflicted with considerably fewer infections than Windows PCs. However, when reviewing our 2019 Mac detection telemetry, we noticed a startling upward trend. Indeed, the times, they are a-changin’.

To get a sense of how Mac malware performed against all other threats in 2019, we looked at the top detections across all platforms: Windows PCs, Macs, and Android. Of the top 25 detections, six of them were Mac threats. Overall, Mac threats accounted for more than 16 percent of total detections.

Perhaps 16 percent doesn’t sound impressive, but when you consider the number of devices on which these threats were detected, the results become extremely interesting. Although the total number of Mac threats is smaller than the total number of PC threats, so is the total number of Macs. Considering that our Mac user base is about 1/12 the size of our Windows user base, that 16 percent figure becomes more significant.

Detections per device

The most interesting statistic that emerged from our data was how many Mac detections we saw per machine in 2019. On Windows, we saw 4.2 detections per device this year. Our Mac users, on the other hand, saw 9.8 detections per device—more than double the number of detections seen by Windows users.

Of course, there are obviously biases in this data. For example, these machines are all devices with Malwarebytes installed, and many Mac users still believe antivirus software is not needed. This means the Macs represented by the data may be machines that already had some kind of suspected infection, which is why Malwarebytes was installed in the first place.

However, the same could be said for PC users, who often believe that free Windows Defender is adequate protection, but then download Malwarebytes for Windows when their computer begins demonstrating signs of infection. Still, the overall threat detection rate for all Macs (and not just those with Malwarebytes installed) is likely not as high as this data sample.

Top five global threats

For the first time ever, Mac malware broke into the top five most-detected threats in the world. In fact, Mac malware represented the second- and fifth-most detected threats.

The Malwarebytes detection ranked as the second-highest of 2019 is a Mac adware family known as NewTab, clocking in at around 4 percent of our overall detections across all platforms.

NewTab is adware that uses browser extensions to modify the content of web pages. It can be found in the form of Chrome extensions, with some older versions available as outdated Safari extensions. However, due to Apple phasing out support for these older Safari extensions in favor of extensions bundled inside apps, NewTab often poses as apps, such as flight trackers, maps/navigation, email access, or tax forms.

Recently, NewTab has proliferated and is using a variety of seemingly randomly-chosen names. Although some earlier variants tricked users into downloading an app from something like a fake flight or package tracking website, more recently these have been bundled into more widely-distributed adware bundle installers.

Samples of NewTab apps

In fifth place, at 3 percent of the total detections, we see a detection named PUP.PCVARK. These are a variety of potentially unwanted programs from a particular developer, most of them clones of Advanced MacKeeper. (This app was so notorious that its site was eventually blacklisted by Google Safe Browsing, which is not something that typically happens for PUPs.)

PUP (n): abbreviation for potentially unwanted program

PUPs are programs that are generally not installed intentionally by the user, or that may use a variety of scare tactics or other unethical techniques to trick the user into installing or purchasing.

Growing Mac threat

If we delve further into our data, we see that Mac detections primarily consist of adware and PUPs. Traditional, “full” malware does exist for the Mac, of course, but it tends to be more targeted or otherwise limited in scope. For example, the Mokes and Wirenet malware targeted Mac users through a Firefox vulnerability this year, but only users at certain cryptocurrency companies were targeted, so infections were not widespread.

We’ve known for a long time that the “Macs don’t get viruses” old wives’ tale was completely wrong. As time goes on, though, we’re seeing that Macs are increasingly popular targets, and the bad guys are ramping up their efforts to get a piece of the Mac market. If you use a Mac, stay alert, use antivirus software, and don’t allow yourself to be lulled into a false sense of security.

The post Mac threat detections on the rise in 2019 appeared first on Malwarebytes Labs.