The Pinkslipbot Is Back, Mobile App Collusion Threats On The Rise
In its latest Threats Report, McAfee Labs identifies three security threats that organizations should keep a close eye on: mobile app collusion, attacks on cryptographic hashing functions, and the reappearance of the Pinkslipbot Trojan.
In the security field, few reports are at the top of a practitioner's must-read list. One such report is Verizon's Data Breach Report (the latest edition is available here). This year's report provides an analysis and review of 2015 data breach patterns, though not without some controversy. Intel Security's Foundstone Services incident response group provided anonymized breach data that was used in Verizon's analysis. Intel Security also coauthored with Verizon a section of the report focusing on what happens to the data after it has been stolen. This post-breach fraud and its aftermath are discussed in this webcast.
Starting in 2012, McAfee Labs began issuing quarterly security threat reports, though the reports originally considered only email and web threats. In its latest report released today [PDF available here], McAfee analyzes three new security threats in considerable depth:
- Mobile App Collusion - Apps running on mobile operating systems may take advantage of multiple communication systems to communicate among themselves. Each app's separate actions appear harmless on their own and become malicious only in concert. Previously considered theoretical, app collusion has now been observed by McAfee Labs in the wild.
- Hashing Functions Under Attack - As processor and compute performance improves, hashing functions are increasingly subject to cyber attacks. Hash functions are used in signing certificates, which let the user know that a message is authentic and unmodified. What was considered secure only a few years ago no longer affords sufficient protection, and this has implications for critical infrastructure.
- W32/Pinkslipbot - This aggressive backdoor Trojan with worm capabilities was launched in 2007, but became dormant in the last few years. It has re-emerged, capable of stealing banking credentials, email passwords, and signing certificates. Not only do these new versions boast self-update and multiple binaries (more than 4200 in a few months) to evade malware checks, but the resurgent Pinkslipbot also includes anti-analysis and multi-layered encryption capabilities.
Below we'll take a look at each of these security threats in more detail, summarizing what McAfee Labs has found, as well as the recommendations for protecting against these threats.
Mobile App Collusion
Modern mobile operating systems include techniques to promote app isolation and restrict privileges, including sandboxing and granular permission control. But Android, for example, includes ways for apps to communicate across sandbox boundaries, called Intents (interprocess messages). A malware writer may seek to combine capabilities, so that an app with access to sensitive information communicates with an app that has internet access.
McAfee is conducting research into colluding apps with researchers at City University London, Swansea University, and Coventry University to automate detection of malicious activity (the project homepage is acidproject.org.uk). Both malicious apps must be present on the same device, and there are three methods used to collude maliciously:
- Split malicious and privacy-exploiting functions between two or more apps.
- Build and distribute a library used by many apps that enables those apps to communicate with one another without their developers' knowledge.
- Exploit a vulnerability in a third party app or library. More than a few known apps leak data and/or violate permissions.
Protection against colluding apps includes scanning and removing individually known harmful apps, disabling the ability to install apps from unknown sources, avoiding software with embedded advertising, avoiding unknown third party libraries, and embedded anti-collusion filters (enabled by the app vendor).
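A defender-side illustration of the permission-splitting pattern described above, added here as an example that is not from the McAfee report or the ACID project: given manifest summaries for the apps on a device (constructed, with hypothetical package names and Intent actions), it flags pairs where no single app can both read sensitive data and reach the network, but two apps together can and share an Intent action that links them.

```python
"""Flag app pairs that split sensitive data access from an exfiltration path.
Added example (not McAfee's or the ACID project's detector). Each entry is a
constructed summary of one installed app's manifest: its permissions, the
custom Intent actions it broadcasts, and the actions its exported receivers
accept. Package names and action strings are hypothetical."""
from itertools import permutations

SENSITIVE = {"READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION", "READ_CALL_LOG"}
EXFIL = {"INTERNET", "SEND_SMS"}  # permissions that let data leave the device

def reads_and_exfiltrates(app):
    """True if one app already holds both halves (caught by ordinary per-app scanning)."""
    perms = set(app["permissions"])
    return bool(perms & SENSITIVE) and bool(perms & EXFIL)

def find_collusion_pairs(apps):
    """Return (sender, receiver, action) triples where two apps together span
    sensitive read + exfil and a shared Intent action links them."""
    findings = []
    for src, dst in permutations(apps, 2):
        if reads_and_exfiltrates(src) or reads_and_exfiltrates(dst):
            continue  # not collusion: one app alone is the problem
        src_p, dst_p = set(src["permissions"]), set(dst["permissions"])
        if not (src_p & SENSITIVE) or not (dst_p & EXFIL):
            continue
        # Channel: an action src broadcasts that an exported dst receiver accepts.
        for action in sorted(set(src["sends"]) & set(dst["exported_receivers"])):
            findings.append((src["package"], dst["package"], action))
    return findings

# Constructed manifest summaries; individually each app looks harmless.
APPS = [
    {"package": "com.example.contactsviewer", "permissions": ["READ_CONTACTS"],
     "sends": ["com.example.SYNC_DATA"], "exported_receivers": []},
    {"package": "com.example.weatherwidget", "permissions": ["INTERNET"],
     "sends": [], "exported_receivers": ["com.example.SYNC_DATA"]},
    {"package": "com.example.flashlight", "permissions": ["INTERNET"],
     "sends": [], "exported_receivers": []},  # network access but no channel
    {"package": "com.example.notes", "permissions": [],
     "sends": ["com.example.NOTE_SAVED"], "exported_receivers": ["com.example.NOTE_SAVED"]},
]

if __name__ == "__main__":
    for sender, receiver, action in find_collusion_pairs(APPS):
        print(f"possible collusion: {sender} -> {receiver} via {action}")
```

Only the contacts viewer and weather widget are reported: the flashlight app has network access but no receiver for the contacts app's action, so no channel exists.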
Cryptographic Hashing Vulnerabilities
Digital authentication, non-repudiation, and integrity are typically provided by digital signatures, which authenticate the hash of the message rather than the message itself. A cryptographic hash (digest) is much shorter than the original message and, by design, should not be invertible; in other words, it should be infeasible to find any other input that produces that exact digest.
When a different file produces the same hash output as the original, we call that a collision. Because of the increase in generally available computing power, including cloud, botnets, and GPUs, the time needed to generate a collision has decreased. MD5 (from 1992) collisions can now be produced in less than a second on commodity server hardware, and SHA-1 (from 1995) collisions are estimated to take several months. Depending on the sensitivity of the material, this is a problem, and not a theoretical one.
Many certificates are based on these or other hashing algorithms. Given the broad deployment of certificates, it can take months or more to change the underlying hashing mechanism and re-issue new certificates; during this time the messaging could prove vulnerable if an attack were found in the wild. Chrome no longer trusts SHA-1 digital certificates, and Microsoft has discontinued issuing new SHA-1 certificates for code signing.
Because of these and other concerns, McAfee recommends using neither MD5 nor SHA-1. McAfee ran a query on Censys, a search engine used by computer scientists, for SHA-1-signed certificates. They located 20.7 million SHA-1-signed certificates on public websites, and over 4,000 such certificates on critical systems.
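Triage of certificate signature algorithms in the spirit of the Censys query above, added here as an example that is not McAfee's or Censys's tooling: a minimal DER walker pulls the signatureAlgorithm OID out of an X.509 certificate and flags MD5- and SHA-1-based signatures. The two sample certificates are constructed skeletons (empty tbsCertificate, dummy signature) so the script runs offline; real DER certificates parse the same way.

```python
"""Flag X.509 certificates signed with a deprecated hash (MD5 or SHA-1).
Added example, not McAfee's or Censys's tooling: a minimal DER reader walks
Certificate { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280)
to the signatureAlgorithm OID. Samples are constructed skeletons (offline)."""

SIG_ALG_HASH = {  # signature algorithm OID -> hash function it depends on
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}
WEAK_HASHES = {"MD5", "SHA-1"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets to dotted form (first octet packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Return the hash name behind a DER certificate's signatureAlgorithm."""
    _, cert, _ = read_tlv(cert_der)  # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert)       # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)  # signatureAlgorithm (AlgorithmIdentifier)
    _, oid, _ = read_tlv(alg)        # its algorithm OID
    return SIG_ALG_HASH.get(decode_oid(oid), "unknown")

def is_weakly_signed(cert_der):
    return signature_hash(cert_der) in WEAK_HASHES

def der(tag, body):  # one DER element; short-form length suffices for the samples
    return bytes([tag, len(body)]) + body

def skeleton_cert(oid_hex):  # constructed: empty tbsCertificate, OID + NULL, 1-byte sig
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))

SHA1_CERT = skeleton_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_CERT = skeleton_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Feed `signature_hash()` the DER bytes of each certificate in an inventory (PEM files need base64-decoding first) to produce the kind of SHA-1 count the report describes.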
Like Godzilla, Pinkslipbot Reawakens
Pinkslipbot steals personal and financial data, but may also completely control infected machines through a C&C (command and control) backdoor as well as a VNC backdoor. Pinkslipbot is spread via removable drives and network shares, as well as drive-by downloads from exploit kits such as RIG and Sweet Orange.
In an initial Pinkslipbot infection, the executable is encrypted to avoid detection and runs partially in memory, so a reboot is necessary to remove it. Once installed, Pinkslipbot attempts to move laterally. Because the Trojan attempts to find open network shares, a careless domain administrator could quickly let an entire organization become infected. If the share is password protected, Pinkslipbot uses a dictionary attack in an attempt to gain access.
In its new Threat Report, McAfee describes in detail Pinkslipbot's evolution, working parameters, virtual machine checks, and API hooks. The increasing sophistication of this malware family is actually quite interesting. McAfee provides a list of IOCs (indicators of compromise) to check on domain servers, and lists three steps for prevention: keeping anti-malware signatures up to date, keeping patching up to date, and creating a custom access rule to keep Pinkslipbot from communicating with its control server.
The report notes that even a weak Windows system password could be enough to let Pinkslipbot through, and once a machine is infected, all system activity is automatically logged and sent directly to the attackers.
Aside from McAfee's self-congratulatory note about predicting the rise of ransomware, this report highlights three threat vectors of high interest to most organizations. That these threats are described in such detail, the result of considerable research effort, while other threats generate the headlines is all the more reason to read and absorb the information. A full copy of McAfee's latest report can be downloaded here.
McAfee is a member of the Cyber Threat Alliance, which it co-founded along with three other security vendors, largely to promote threat information sharing. Good information sharing, even among Information Sharing and Analysis Organizations (ISAOs), is not the norm, which means McAfee's efforts should be applauded. McAfee is also leading the ISAO Standards Organization, funded by DHS, to improve ISAO functioning.