
Newest addition to a happy family: KBOT

Date of publication: 17/05/2016, mak

At the beginning of May here in Poland we have a couple of free days: 3rd May is Constitution Day, and 1st May is Labour Day. Most of us use those days to unwind after winter, but some malware authors apparently didn't: a few weeks ago our friends started a new campaign, spreading some poorly obfuscated JavaScript together with quite an interesting modification of KBOT from the Carberp leak.
Read more

GMBot: new ways of phishing data from mobile web browsers

Date of publication: 16/05/2016, Malgorzata Debska

GMBot (also known as slempo) was described on our blog in October 2015. This malicious application, which phishes the login and password of a specific electronic banking user, relies on the well-known and common technique of application overlay. It is essentially a normal phishing attack, very similar to the webinject-based malware known from Windows. As we expected, application overlay has become quite popular in Android malware. In the last six months a few new versions of GMBot (and similar applications) have appeared. In each case the overlay only targeted applications installed on the phone (banking applications, messaging, e-mail). Last week our lab received a sample which also tries to overlay the mobile web browser in order to steal authentication credentials.

Read more

SECURE 2016 – Call for Speakers

Date of publication: 26/04/2016, przemek

SECURE, held on 25th and 26th of October in Warsaw, Poland, is a conference dedicated entirely to IT security and addressed to administrators, security team members and practitioners in this field. SECURE’s unique feature is the organisers’ commitment to providing participants with reliable information about everything that is current and meaningful in IT security. A high professional level of the talks is ensured by CERT Polska during the paper selection process. Particular emphasis is on practical solutions, analysis of the current threats, latest trends in countering threats as well as important legal issues. Participants have an opportunity to gain the latest knowledge, improve their qualifications and exchange experience with experts.

Network attacks are having more and more serious consequences. Targeted, elaborate phishing schemes are appearing on a larger scale, leading to losses measured in millions of euros. Ransomware has exploded, hitting virtually everyone, including new victims such as health care institutions and law firms. We have also witnessed further attacks on industrial systems, such as those targeting the energy sector in Ukraine. The Internet of Things is finally arriving, full of "smart" but insecure devices. The attack surface is thus increasing. The challenge in combating serious attacks involves, among other things, attribution: the need to reliably assign actors to concrete actions. However, many of the mechanisms for providing accountability on the Internet encounter resistance due to the need to protect the privacy of users. Will these interests always remain in conflict?

If you want to share your experience in these topics, or if you are an expert in one of the areas below, this Call for Speakers is for you.

SECURE 2016 will be held on October 25-26, at the Airport Hotel Okęcie in Warsaw, Poland. The conference topics will be roughly grouped in the following tracks:

  • technical – practical aspects of implementation and integration of security solutions
  • organisational – new trends in attacks, threats and their mitigation
  • legal

Presentation topics

We are looking for speakers willing to deliver a talk covering one or more of the following subjects:

  • malware evolution and analysis, including viruses, worms and botnets
  • intrusion detection
  • innovatory honeypot and sandbox applications
  • Advanced Persistent Threat attacks
  • monitoring of network threats
  • security of smartphones and other mobile systems
  • security events visualisation
  • security of SCADA/ICS
  • early warning against network threats
  • incident handling
  • standards for security incident data exchange
  • DDoS attacks and their mitigation
  • efficiency of methods for mitigation of new attack vectors
  • open source security tools
  • protection of online identity
  • privacy, confidentiality and anonymity
  • steganography
  • Polish and European law in regards to computer and information security
  • law enforcement actions in regards to cybercrime mitigation
  • research projects in the area of computer and information security
  • securing the human

Important facts

  • proposals for presentations must be submitted only via EasyChair:
  • proposals should include at least a title, short abstract, name and bio of the speaker
  • any questions regarding the submission and selection process should be directed to [email protected]
  • time for presentation: 45 minutes, including Q&A
  • commercial presentations will not be accepted
  • all materials should be submitted in one of the following formats: OpenOffice, Microsoft Office, PDF
  • slides of presentations will be made available to all participants in electronic form unless strictly prohibited by the speaker
  • authors of accepted proposals will receive the full conference package (workshops not included), but they are responsible for their own travel and accommodation

Important dates

  • Proposals submission until: July 4, 2016
  • Acceptance notice by: August 2, 2016
  • Presentation submission by: October 10, 2016

Malicious iBanking application with new uninstall countermeasures

Date of publication: 16/03/2016, Malgorzata Debska

Our CERT laboratory recently received a sample of iBanking malware (along with a malicious JavaScript snippet associated with it), posing as the mobile Trusteer Rapport antimalware solution. The attack scenario isn't new and has been used many times in the past, but recently we have seen an increase in attacks on Polish electronic banking users using this method. In comparison to previous, similar programs, the analyzed application proved much more difficult to remove and its code was much better obfuscated.

Read more

MadProtect, not that mad

Date of publication: 09/03/2016, mak

Some weeks ago we stumbled on a packer that our tools could not break. Surprisingly, this is actually not that common, since most of the malware in the wild uses some sort of RunPE technique, which is relatively trivial to break using simple memory tracing.

MadProtect is no different; it looks like a "HackForums-grade" packer. Nevertheless our tools failed to handle it properly. At first we did not look at the original binary, a mistake that cost us a lot of unnecessary effort debugging our own code. In the end it turned out to be enough to look at the logs from the tracer and the binaries it produced.

The dumped binaries looked somewhat weird, with a bunch of nops and other junk code which seems to do nothing. What struck us as odd was the regularity of the nop blocks: all of them seemed to be 0x10 bytes long (yes, we know we cannot count), and we could also see a lot of 0x10-byte writes in the tracer logs. Coincidence?
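The observation above, regularly sized nop blocks in a dump lining up with a dominant write size in the tracer log, is the kind of thing worth checking mechanically before debugging a tracer. The following is an added example, not CERT Polska's tooling: it scans a constructed "dumped" binary for runs of 0x90 bytes, builds a histogram of the run lengths, parses a constructed tracer log (the `WRITE <addr> <size>` line format is an assumption, not the format of any real tracer), and reports whether the dominant nop-block length matches the dominant write size.

```python
"""Added example: correlate junk nop blocks in a dumped binary with the
write sizes recorded by a memory tracer. All input data is constructed
for illustration; the tracer log format is assumed, not a real tool's."""
from collections import Counter
import re

NOP = 0x90


def nop_runs(data: bytes, min_len: int = 4):
    """Return (offset, length) for every run of at least min_len consecutive NOPs."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        if data[i] == NOP:
            j = i
            while j < n and data[j] == NOP:
                j += 1
            if j - i >= min_len:
                runs.append((i, j - i))
            i = j
        else:
            i += 1
    return runs


def run_length_histogram(runs):
    """Count how often each nop-run length occurs."""
    return Counter(length for _, length in runs)


# Constructed tracer log: one line per memory write, "WRITE <addr> <size>" (assumed format).
TRACE_LOG = """\
WRITE 0x00401000 0x10
WRITE 0x00401010 0x10
WRITE 0x00401020 0x10
WRITE 0x00402000 0x04
WRITE 0x00401030 0x10
"""
LINE_RE = re.compile(r"^WRITE\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$")


def write_size_histogram(log: str):
    """Count write sizes in the tracer log; lines that do not match are ignored."""
    sizes = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sizes[int(m.group(2), 16)] += 1
    return sizes


def dominant_size(hist):
    """Most common size in a histogram, or None when it is empty."""
    return hist.most_common(1)[0][0] if hist else None


def build_sample_dump() -> bytes:
    """Constructed dump: short x86 prologues separated by 0x10-byte nop blocks."""
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20])  # push ebp; mov ebp,esp; sub esp,0x20
    junk = bytes([NOP]) * 0x10
    return code + junk + code + junk + bytes([0xC3]) + junk + code


def correlate(data: bytes, log: str):
    """Compare the dominant nop-block length with the dominant tracer write size."""
    runs = nop_runs(data)
    block_len = dominant_size(run_length_histogram(runs))
    write_len = dominant_size(write_size_histogram(log))
    return {
        "nop_blocks": len(runs),
        "nop_block_len": block_len,
        "write_size": write_len,
        "match": block_len is not None and block_len == write_len,
    }


if __name__ == "__main__":
    print(correlate(build_sample_dump(), TRACE_LOG))
```

On the constructed input the script finds three 0x10-byte nop blocks and a dominant 0x10-byte write size, so `match` is true; on a real case the same check tells you quickly whether the junk you see in the dump is what the tracer is recording, before you start suspecting the tracer itself.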
Read more

Dorkbot botnets disruption

Date of publication: 04/12/2015, CERT Polska

CERT Polska has partnered with Microsoft, ESET and law enforcement agencies including US-CERT/DHS, FBI, Interpol and Europol in activities aimed at disrupting the Dorkbot malware family. This disruption, which includes sinkholing of the botnet's infrastructure, took place yesterday. Dorkbot is a well-known malware family, operating somewhat under the radar since 2011. Its main objectives are to steal data (including credentials), disable security applications (such as antivirus programs) and distribute other malware. According to early estimates, Dorkbot infected at least one million Windows PCs worldwide over the last year, with an average of about 100,000 infected machines per month. Polish users were among the targets.
Read more

Talking to Dridex (part 0) – inside the dropper

Date of publication: 10/11/2015, CERT Polska

Dridex mostly comes to us as spam carrying a .doc with macros responsible for downloading a dropper. One can quickly analyze it by reading through the VBScript macro or, naturally, just run it in a sandbox and collect the dropped files.
Read more