Necurs – hybrid spam botnet

Date of publication: 02/09/2016, Adam Krasuski

Necurs is one of the biggest botnets in the world – according to MalwareTech there are a couple of million infected computers, several hundred thousand of which are online at any given time. Compromised computers send spam email to a large number of recipients – usually the messages are crafted to look like a request to check invoice details or to confirm a purchase. The attachments contain packed scripts which install malware when run. Currently, the dropped ransomware is Locky, which encrypts the hard disk and then asks for money (often in Bitcoin) in order to retrieve the original files. Necurs is an example of a hybrid network in terms of Command and Control architecture – a mixture of a centralized model (which allows the botnet to be controlled quickly) and a peer-to-peer (P2P) model, making it next to impossible to take over the whole botnet by shutting down just a single server. For those reasons, the huge success of Necurs is no surprise.
Read more

Network traffic periodicity analysis of dark address space

Date of publication: 01/08/2016, piotrb

Network traffic directed to the IPv4 dark address space can be a good source of information about the current state of the Internet. Despite the fact that no packets should be sent to such addresses, in practice various traffic types can be observed there, for example echoes of Denial of Service (DoS) attacks, automated port scanners or misconfigured client software. Often the packets are sent periodically, i.e. at regular intervals. This periodicity can be analyzed by applying the Discrete Fourier Transform (DFT) to the network traffic. Our report shows how such an analysis can be performed and presents its results. You can read the report here.

Example of a DFT plot
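As an added illustration, not code from the CERT Polska report, here is the periodicity check described above run on a constructed packet-timestamp sample: arrivals are binned into a per-second count series, a plain DFT is computed, and the fundamental period is read off the spectrum, with the harmonics that a strictly periodic source produces handled explicitly.

```python
import cmath
import math

WINDOW_SECONDS = 600   # length of the observed capture
BIN_SECONDS = 1        # width of one time bin

# Constructed sample (not real darknet data): a probe hitting the sensor every
# 30 s, mixed with eight unrelated background packets at irregular times.
PERIODIC_PACKETS = [5 + 30 * j for j in range(WINDOW_SECONDS // 30)]
BACKGROUND_PACKETS = [37, 52, 101, 116, 223, 238, 419, 434]
SAMPLE_TIMESTAMPS = sorted(PERIODIC_PACKETS + BACKGROUND_PACKETS)


def bin_timestamps(timestamps, window=WINDOW_SECONDS, bin_size=BIN_SECONDS):
    """Turn packet arrival times (seconds) into a per-bin packet-count series."""
    series = [0] * (window // bin_size)
    for t in timestamps:
        idx = int(t // bin_size)
        if 0 <= idx < len(series):
            series[idx] += 1
    return series


def dft_magnitudes(series):
    """Plain O(N^2) DFT (no numpy needed); returns |X_k| for k = 0..N-1."""
    n = len(series)
    mean = sum(series) / n
    centred = [x - mean for x in series]   # remove DC so k=0 does not dominate
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(centred)))
            for k in range(n)]


def dominant_period(series, bin_size=BIN_SECONDS, rel_threshold=0.5):
    """Return (period_seconds, peak_magnitude) of the fundamental periodicity.

    A strictly periodic source puts energy into a fundamental bin k0 and into
    all its harmonics 2*k0, 3*k0, ... with similar magnitude, so the single
    largest bin may be a harmonic.  The LOWEST bin whose magnitude reaches
    rel_threshold * max is therefore taken as the fundamental.
    """
    mags = dft_magnitudes(series)
    n = len(mags)
    positive = mags[1:n // 2 + 1]          # spectrum is symmetric; keep k=1..N/2
    peak = max(positive)
    k0 = min(k for k, m in enumerate(positive, start=1) if m >= rel_threshold * peak)
    return n * bin_size / k0, peak


if __name__ == "__main__":
    period, strength = dominant_period(bin_timestamps(SAMPLE_TIMESTAMPS))
    print(f"dominant period: {period:.1f} s (peak magnitude {strength:.1f})")
```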

Agreement on establishment of National CERT

Date of publication: 05/07/2016, alex

On 4 July, Minister Anna Streżyńska, Krzysztof Pietraszkiewicz, chairman of the Polish Bank Association, and Director of NASK Wojciech Kamieniecki signed an agreement on establishing National CERT, intended as a communications hub for government administration and business to coordinate engagement against Internet threats.

Minister Anna Streżyńska and ZBP chairman Krzysztof Pietraszkiewicz sign the agreement

National CERT is a part of the National Cybersecurity Center, a new division of NASK intended as a competence center for combating cyber threats. CERT Polska is now the analytical part of the NCC. CERT Polska activities, projects and services continue to operate without any changes.

Polish Internet Security Landscape – CERT Polska Report for 2015

Date of publication: 20/06/2016, alex

We hereby present our report on the security of the Polish Internet and on our activities in 2015.

We have split the document into the following parts: a timeline describing the crucial events, our activities, the threat landscape and extensive statistics based on our data.

We invite you to read the report and join our projects, activities and initiatives. Internet security depends on everybody.

For the report please click here

Newest addition to a happy family: KBOT

Date of publication: 17/05/2016, mak

At the beginning of May here in Poland we have a couple of free days. 3rd May is Constitution Day, and May 1st is Labour Day. Most of us use those days to unwind after winter, but some malware authors apparently didn’t: a few weeks ago, our friends started a new campaign, spreading some poorly obfuscated JavaScript and quite an interesting modification of KBOT from the Carberp leak.
Read more

GMBot: new ways of phishing data from mobile web browsers

Date of publication: 16/05/2016, Malgorzata Debska

GMBot (also known as slempo) was described on our blog in October 2015. This malicious application, which phishes the login and password of a specific electronic-banking user, uses the well-known and common technique of application overlay. It is nothing more than a normal phishing attack, very similar to the webinject-based malware known from Windows. As we expected earlier, application overlay has become quite popular in Android malware. In the last six months, a few new versions of GMBot (and similar applications) were developed. In each case the overlay only targeted applications installed on the phone (banking applications, messaging, e-mail). Last week, our lab received a sample which also tries to overlay the mobile web browser in order to steal the authentication credentials.

Read more

SECURE 2016 – Call for Speakers

Date of publication: 26/04/2016, przemek

SECURE, held on 25th and 26th of October in Warsaw, Poland, is a conference dedicated entirely to IT security and addressed to administrators, security team members and practitioners in this field. SECURE’s unique feature is the organisers’ commitment to providing participants with reliable information about everything that is current and meaningful in IT security. A high professional level of the talks is ensured by CERT Polska during the paper selection process. Particular emphasis is on practical solutions, analysis of the current threats, latest trends in countering threats as well as important legal issues. Participants have an opportunity to gain the latest knowledge, improve their qualifications and exchange experience with experts.

Network attacks are having more and more serious consequences. Targeted, elaborate phishing schemes are appearing on a larger scale, leading to losses measured in millions of euros. Ransomware has exploded, hitting virtually everyone, including new victims such as health care institutions or law firms. We have also witnessed further attacks on industrial systems, such as those targeting the energy/power sector in Ukraine. The Internet of Things is finally arriving, full of “smart” but insecure devices. The attack surface is thus increasing. The challenge in combating serious attacks involves, among other things, attribution – the need to reliably assign actors to concrete actions. However, many of the mechanisms for providing accountability on the Internet encounter resistance due to the need to protect the privacy of users. Will these interests always remain in conflict?

If you want to share your experience in these topics, or if you are an expert in one of the areas below, this Call for Speakers is for you.

SECURE 2016 will be held on October 25-26, at the Airport Hotel Okęcie in Warsaw, Poland. The conference topics will be roughly grouped in the following tracks:

  • technical – practical aspects of implementation and integration of security solutions
  • organisational – new trends in attacks, threats and their mitigation
  • legal

Presentation topics

We are looking for speakers willing to deliver a talk covering one or more of the following subjects:

  • malware evolution and analysis, including viruses, worms and botnets
  • intrusion detection
  • innovatory honeypot and sandbox applications
  • Advanced Persistent Threat attacks
  • monitoring of network threats
  • security of smartphones and other mobile systems
  • security events visualisation
  • security of SCADA/ICS
  • early warning against network threats
  • incident handling
  • standards for security incident data exchange
  • DDoS attacks and their mitigation
  • efficiency of methods for mitigation of new attack vectors
  • open source security tools
  • protection of online identity
  • privacy, confidentiality and anonymity
  • steganography
  • Polish and European law in regards to computer and information security
  • law enforcement actions in regards to cybercrime mitigation
  • research projects in the area of computer and information security
  • securing the human

Important facts

  • proposals for presentations must be submitted only via EasyChair
  • proposals should include at least a title, short abstract, name and bio of the speaker
  • any questions regarding the submission and selection process should be directed to [email protected]
  • time for presentation: 45 minutes, including Q&A
  • commercial presentations will not be accepted
  • all materials should be submitted in one of the following formats: OpenOffice, Microsoft Office, PDF
  • slides of presentations will be made available to all participants in an electronic version unless strictly prohibited by the speaker
  • authors of accepted proposals will receive the full conference package (workshops not included), but they are responsible for their travel and accommodation

Important dates

  • Proposals submission until: July 4, 2016
  • Acceptance notice by: August 2, 2016
  • Presentation submission by: October 10, 2016

Malicious iBanking application with new uninstall countermeasures

Date of publication: 16/03/2016, Malgorzata Debska

Our CERT laboratory recently received a sample of iBanking malware (along with a malicious JavaScript code snippet associated with it), posing as the mobile Trusteer Rapport antimalware solution. The attack scenario isn’t new; it has been used many times in the past, but recently we see an increase in attacks on Polish users of electronic banking using this method. In comparison to previous, similar programs, the analyzed application has proven much more difficult to remove and its code was much better obfuscated.

Read more

MadProtect, not that mad

Date of publication: 09/03/2016, mak

Some weeks ago we stumbled on a packer that our tools could not break. Surprisingly, this is actually not that common since most of the malware in the wild uses some sort of RunPE technique which is relatively trivial to break using simple memory tracing.

MadProtect is not any different: it looks like a “HackingForums-grade” packer – nevertheless our tools failed to handle it properly. At first we did not look into the original binary, which was a mistake; doing so would have saved us a lot of unnecessary effort debugging our code. Instead, it turned out to be enough to look at the logs from the tracer and the binaries it produced.

The dumped binaries looked somewhat weird, with a bunch of nops and other junk code which seems to do nothing. What struck us as odd was the regularity of the nop-blocks: all of them seemed to be 0x10 bytes long (yes, we know we cannot count), and we can see a lot of 0x10-byte writes in the tracer logs: coincidence?
Read more
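An added example, not code from the original post, of the kind of check that makes such regularity visible in a dump: it lists every run of NOP (0x90) bytes and builds a run-length histogram, so a spike at a single length such as 0x10 stands out immediately. The dump below is constructed, not a real MadProtect sample.

```python
from collections import Counter

NOP = 0x90


def nop_runs(blob, min_len=4):
    """Return (offset, length) for every run of at least min_len NOP bytes."""
    runs = []
    start = None
    for off, b in enumerate(blob):
        if b == NOP:
            if start is None:
                start = off          # a new run begins here
        elif start is not None:
            if off - start >= min_len:
                runs.append((start, off - start))
            start = None             # run ended on a non-NOP byte
    if start is not None and len(blob) - start >= min_len:
        runs.append((start, len(blob) - start))   # run reaching end of buffer
    return runs


def run_length_histogram(blob):
    """Map run length -> count; one dominant length is a packer's fingerprint."""
    return Counter(length for _, length in nop_runs(blob))


# Constructed dump: small x86 fragments separated by 16-byte NOP slabs, the
# kind of regularity the post describes, plus a short 3-byte pad that is
# too small to count as a slab.
SAMPLE_DUMP = (
    b"\x55\x89\xe5\x83\xec\x10" + b"\x90" * 0x10
    + b"\x8b\x45\x08\x31\xc0" + b"\x90" * 0x10
    + b"\xc9\xc3" + b"\x90" * 0x10
    + b"\xeb\xfe" + b"\x90" * 3
)

if __name__ == "__main__":
    for off, length in nop_runs(SAMPLE_DUMP):
        print(f"nop run at 0x{off:04x}, length 0x{length:02x}")
    print("histogram:", dict(run_length_histogram(SAMPLE_DUMP)))
```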