A week in security (December 11 – December 17)

Posted: December 18, 2017 by Malwarebytes Labs
Last updated: January 15, 2018

Last week we explained what fast flux is and how it’s being abused, we showed you all kinds of Bitcoin-related scams, presented a video recording of a tech support scammer trying to sell free software, and pointed out some free software to keep an eye on your Internet traffic. We also informed you about an ad server found predominantly on adult websites, which has taken the lead in the number of URLs blocked by our web protection module.

Other news

  • South Korea is preparing a bill that will ban minors and foreigners from trading in cryptocurrencies or opening investment accounts for them within South Korea. (Source: Techspot)
  • Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this flaw over the past few months. (Source: The Hacker News)
  • Intel will implement a hardware lock on management engine equipped chips to defend against patch rollbacks. (Source: The Register)
  • Dutch security firm Fox-IT handled a security breach in an exemplary way after a man-in-the-middle (MitM) attack. (Sources: Fox-IT and Security Affairs)
  • Lawsuit based on a surreptitiously recorded phone call claims Google doesn’t refund advertisers who spend money on fraudulent clicks. (Source: Business Insider)
  • Australian airport hack was “a near miss,” says government’s cybersecurity expert, and could easily have been prevented. (Source: Hot for Security)
  • Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers warned. (Source: ZDNet)
  • A two-decade-old security hole lets hackers unlock encrypted data and was found in the software of at least eight IT vendors and open-source projects. (Source: The Register)
  • MoneyTaker, a cybercriminal group believed to be operating out of Russian-speaking territories, has hit at least 20 banks and financial companies and stolen millions of US dollars in the process. (Source: BleepingComputer)
  • Politicians from California, Washington, and New York said they’ll use a mix of legislative action and legal moves to fight the FCC’s repeal of net neutrality regulation, shortly after the vote. (Source: Cnet)

Stay safe, everyone!

Meltdown and Spectre: what you need to know

UPDATE (as of 1/12/18): Several vendors have produced patches for Meltdown and Spectre; however, performance problems dog the fixes. Details on the patches were published here.

UPDATE (as of 1/04/18): Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.

If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. Basically, Meltdown and Spectre are the names for multiple new vulnerabilities discovered and reported for numerous processors. Meltdown is a vulnerability for Intel processors while Spectre can be used to attack nearly all processor types.

The potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can do things like reveal personally identifiable information, banking information, and of course usernames and passwords. For Meltdown, an actual malicious process needs to be running on the system to interact, while Spectre can be launched from the browser using a script.

Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from this vulnerability. Some of the updates from Microsoft may negatively interact with certain antivirus solutions. However, Malwarebytes is completely compatible with our latest database update. The best thing to do to protect yourself is to update your browsers and your operating system with these patches as soon as you see an update available.

For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.


The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—affect all modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.

The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently using these bugs, and because of the way the flaws work, it might be impossible to find out, as confirmed by the vulnerability researchers:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While there are no attacks reported in the wild as of yet, several proofs of concept have been made available, including this video that shows a memory extraction (using a non-disclosed PoC). This is particularly damaging because (1) there aren’t many options for protection currently and (2) as previously stated, even if threat actors do spring to action, it might be impossible to verify if that’s the case.


Because the Meltdown and Spectre variants are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against potential attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends users to:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers for upcoming downtimes in order to prevent situations where code from the hypervisor could be leaked from a virtual machine, for example.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

A week in security (January 1 – January 7)

Posted: January 9, 2018 by Malwarebytes Labs
Last updated: January 15, 2018

New year, new threats, as 2018 gets underway.

On our blog, we had dubious searches aplenty for those hunting for Malwarebytes information, and we also covered the huge Meltdown/Spectre bug, affecting hardware going back 10 years.

Other news

  • Coin miners are at it again, with a proof of concept for hacking public Wi-Fi and injecting cryptomining code into browsing sessions. (Source: The Register)
  • Around 240k people have been tied up in a “privacy incident” over at the DHS. (Source: DHS)
  • Browser makers are looking to mitigate risks from Meltdown and Spectre. (Source: Help Net Security)
  • 36 rogue apps wound up on the Google Play store, reminding us to be extra vigilant even when on an official site. (Source: Trend Micro)
  • Yet another cryptominer doing the rounds, this time dragging Linux machines into a cash spinning botnet. (Source: F5)
  • Face recognition: nice idea, but being fooled by photographs is a bit much. (Source: Naked Security)
  • A well put together phishing mail is causing headaches for those who may have purchased items from retailer Debenhams. (Source: South Wales Argus)
  • Unusually, you may be able to reclaim money lost to wire fraud scams, regardless of where you live. This doesn’t happen often, so check it out if you’ve been stung! (Source: Birmingham Mail)
  • Malware-laden emails laced with more malware are being used to steal data related to the Winter Olympics. (Source: BBC)

Stay safe, everyone!

Of princes and perpetrators: Beware of getting ensnared in 419 scams

We’ve mentioned before that 419 scams don’t always originate from Nigeria. It’s a very simple and popular scam that can be attempted by pretty much anyone with a flair for social engineering. Indeed, 419 scams are so associated with the region that many scammers in non-Nigerian countries know they have an additional layer of “It wasn’t me” potentially obfuscating their identity.

This may help the non-Nigeria based criminal better hide once life savings have been stolen. Law enforcement and the victims themselves are probably going to make assumptions about who’s doing the money swiping, which simply helps the actual criminal go deeper underground.

By the same token, 419 scammers seek to obfuscate their location further by making use of so-called money mules: innocent victims tangled up in scams, sending stolen money to and from a variety of bank accounts. More often than not, they’re enticed by the prospect of too-good-to-be-true job adverts posted online, typically in the field of remote work administration or “payroll management.”

A fancy-sounding title, the promise of big money for little work, and an awful lot of “we’ll explain how that thing works later,” and you have yourself a money mule.

What’s so good about having an army of disposable web flunkies at your disposal?

When the cops come calling, they make a beeline for the point of least resistance (the scammer pulling strings is supposed to be based in Nigeria, remember?) In practice, this probably means your recently retired grandfather looking for a bit of extra pocket cash, or your penniless friend at University is going to jail. If you’re a money mule, you’re engaged in illegal activity and can be prosecuted for it. “I didn’t know” won’t save you.

Take this individual, recently charged with no less than 269 counts of wire fraud and money laundering.

From the Slidell Police department Facebook page:

Reports are a little confused, as some articles claim he’s the mastermind while others (including the police statement up above) plainly state he’s the middleman. Additional details are thin on the ground, so we don’t really know at this stage if he was “merely” responsible for wiring money, or if he was physically typing out “Hello, I’m a Prince” emails to hoodwink potential victims.

Either way, he’s in a whole lot of trouble with law enforcement and though some of the pieces mention “co-conspirators in Nigeria,” it’s unlikely any of them will be caught. In effect, whether unaware of what was really going on, or an active participant (and it’s entirely possible some money mules will happily get involved for a bigger cut of the proceeds), what we have here is a fall guy within easy reach of the police.

Wait, did I just say “active participant?” I sure did. And guess what? It’s not just retirees wandering into trouble. Younger folks are also getting in on the act, often due to lack of cash and the idea that this might be a safe, fast way to make some money. Data from 2017 suggests that more than 8,500 people aged between 18 and 24 had their bank accounts used by criminals.

Given that a lot of money muling can tie directly into crimes such as drug distribution and people trafficking, those individuals will probably have a short, sharp dose of reality when the police come knocking. As Cifas, a UK fraud prevention service, points out, loans, contracts, and other financial services may be hard to come by should your bank account be closed due to laundering—and that’s before you get to the part where you could spend up to 14 years in prison for it.

All things considered, not a sensible career choice. If you’re approached by strangers offering too-good-to-be-true job opportunities—especially for remote work and handling money/sending said cash through various bank accounts—give it a wide berth. You’ll probably be very glad that you did.

Meltdown and Spectre fallout: patching problems persist

Posted: January 11, 2018 by Jérôme Boursier
Last updated: January 14, 2018

Last week, the disclosure by multiple teams from Graz and Pennsylvania University, Rambus, Data61, Cyberus Technology, and Google Project Zero of vulnerabilities under the aliases Meltdown and Spectre rocked the security world, sending vendors scurrying to create patches, if at all possible, and laying bare a design flaw in nearly all modern processors.

The fallout from these revelations continues to take shape, as new information on the vulnerabilities and the difficulties with patching them comes to light daily. In the days since Meltdown and Spectre have been made public, we’ve tracked which elements of the design flaw, known as speculative execution, are vulnerable and how different vendors are handling the patching process. By examining the applied patches’ impact against one of our own products, AdwCleaner, we found that they are, indeed, causing increases in CPU usage, which could result in higher costs for individuals billed by cloud providers accordingly.

What is speculative execution?

Speculative execution is an effective optimization technique used by most modern processors to determine where code is likely to go next. Hence, when it encounters a conditional branch instruction, the processor makes a guess for which branch might be executed based on the previous branches’ processing history. It then speculatively executes instructions until the original condition is known to be true or false. If the latter, the pending instructions are abandoned, and the processor reloads its state based on what it determines to be the correct execution path.

The issue with this behaviour and the way it’s currently implemented in numerous chips is that when the processor makes a wrong guess, it has already speculatively executed a few instructions. These are saved in cache, even if they are from the invalid branch. Spectre and Meltdown take advantage of this situation by comparing the loading time of two variables, determining if one has been loaded during the speculative execution, and deducing its value.

As explained in our post last week, the potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can do things like reveal personally identifiable information, banking information, and of course usernames and passwords. In cloud environments, these vulnerabilities allow data to be extracted from the host and other VMs.

Example of speculative execution

Using the Project Zero example below, the processor will evaluate the condition if(untrusted_offset_from_caller < arr1->length) at a later time, and start a speculative execution of both branches, leading to two different index2 values. This example corresponds to variant 1 of Spectre (CVE-2017-5753) and works on most Intel, AMD, ARM, and IBM CPUs.

    struct array {
      unsigned long length;
      unsigned char data[];
    };
    struct array *arr1 = ...; /* small array */
    struct array *arr2 = ...; /* array of size 0x400 */
    /* >0x400 (OUT OF BOUNDS!) */
    unsigned long untrusted_offset_from_caller = ...;
    if (untrusted_offset_from_caller < arr1->length) {
      unsigned char value = arr1->data[untrusted_offset_from_caller];
      unsigned long index2 = ((value&1)*0x100)+0x200;
      if (index2 < arr2->length) {
        unsigned char value2 = arr2->data[index2];
      }
    }

If the processor predicts that the condition is true, value will load:

 unsigned char value = arr1->data[untrusted_offset_from_caller]; 

Based on value, it’s possible to load index2, which can be 0x200 or 0x300 due to the bitwise operation:

 unsigned long index2 = ((value&1)*0x100)+0x200; 

The second condition is then executed and the last instruction loads value2 as arr2->data[0x200] or arr2->data[0x300].

Once the initial condition has been evaluated and the processor notices that the execution flow above is wrong, the value of value2 stays in the L1 cache. It’s then possible to compare the loading time of arr2->data[0x200] and arr2->data[0x300], and deduce which one has been evaluated during the speculative execution. From there, it’s easy to figure out related variables: here the value of arr1->data[untrusted_offset_from_caller] is a value that shouldn’t be possible to retrieve according to the expected code flow, since retrieving it leaks out-of-bounds memory.

In order to exploit this behaviour, the code pattern above has to be present on the victim’s machine. As detailed in Jann Horn’s writeup, locally installed software, a JIT (JavaScript is a particularly interesting candidate), or an interpreter (he used eBPF) meets the requirements.

Four variants

While it was initially reported that Spectre and Meltdown correspond to three vulnerabilities, four variants actually exist:

Variants 1 and 2 of Spectre impact Intel, IBM, ARM, and AMD CPUs. Meltdown appears to be exclusive to Intel CPUs, and allows attackers to read privileged memory from an unprivileged context, still using the speculative execution feature. Its variant 3a is exploitable on a few ARM CPUs only.

The fact that these vulnerabilities impact the CPUs themselves makes them difficult to patch. A software-only solution may bring important performance issues, as would a hardware-only fix. Thus, various hardware vendors have been working together on fixes in the past months. However, while major players like Amazon and Microsoft got early access to the vulnerability reports, other providers did not. They discovered the vulnerabilities at the same time as the disclosure on January 3.

Vendors band together

Those who weren’t in on the secret formed a task group with other providers in order to exchange information and to pressure hardware manufacturers. Scaleway, OVH, Linode, Packet, Digital Ocean, Vultr, Nexcess, and prgmr.com have been part of it, later joined by Amazon, Tata Communications, and also parts of the RedHat and Ubuntu teams. On January 9, some of the researchers who discovered the vulnerabilities (Moritz Lipp, Daniel Gruss, and Michael Schwarz from the Graz University of Technology) also joined in.

Some open-source developers also explained that they had not received any information prior to the public disclosure, but were actively working on providing patches.

We have received *no* non-public information. I’ve seen posts elsewhere by
other *BSD people implying that they receive little or no prior warning, so
I have no reason to believe this was specific to OpenBSD and/or our


Mitigations began to land upstream in the Linux kernel shortly after the public disclosure to address the vulnerabilities separately. Some require a hardware-vendor-issued microcode to be applied to the processor in order to make the software patch effective. Most of these patches are simply workarounds, however, to avoid making the CPU behave as explained above. We may expect some hardware change in future generations of processors at some point, but there’s no easy, quick fix for now.

Available patches for hardware and OSes

The upstream Linux patch for Meltdown (variants 3 and 3a) takes advantage of KPTI (Kernel Page Table Isolation) and has been backported to Linux 4.14, 4.9 and 4.4. It is available in most distributions’ official kernels. Debian has shipped it in most releases, as has RedHat. Ubuntu published theirs a few hours ago, although some critical issues have been discovered and quickly addressed. Tails published an update, too. The patches for ARM64 haven’t been merged yet but are expected to be merged later.

Variant 1 (Spectre) requires changes to compiler behaviour, and Intel suggests adding LFENCE (see 3.1 Bounds Check Bypass Mitigation; other vendors have other suggestions) as a barrier to stop speculation in specific places. This means that the kernel and software have to be recompiled so that the processor does not use speculative execution where it’s problematic. Again, although we may expect hardware changes in future generations of Intel chips, we can’t expect this to happen for a long time.
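The bounds-checked load from the Project Zero snippet, hardened two ways, as an added example that is not code from the original post or from Project Zero: a branchless index mask (the idea behind the Linux kernel’s array_index_nospec) and a barrier after the check as Intel suggests. The names index_mask_nospec, load_masked, load_fenced and make_array are hypothetical, and the arrays hold constructed sample data.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__SSE2__)
#include <emmintrin.h>                 /* _mm_lfence() emits LFENCE on x86 */
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Assumption: no LFENCE on this target; other vendors document their own
 * barrier, so this build falls back to a no-op. */
#define SPECULATION_BARRIER() ((void)0)
#endif

struct array {
    unsigned long length;
    unsigned char data[];
};

/* Returns all ones when index < size and zero otherwise, without a branch.
 * Requires size <= LONG_MAX. The result depends on the index as data, so a
 * mispredicted bounds check cannot change it. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    /* Keep the optimizer from turning the arithmetic back into a branch. */
    __asm__ volatile("" : "+r"(index));
#endif
    unsigned long top = ~(index | (size - 1UL - index))
                        >> (sizeof(unsigned long) * CHAR_BIT - 1);
    return 0UL - top;                  /* 1 -> 0xFF..FF, 0 -> 0 */
}

/* Hardened form 1: clamp each index with the mask before it is used. */
static int load_masked(const struct array *arr1, const struct array *arr2,
                       unsigned long untrusted_offset_from_caller)
{
    if (untrusted_offset_from_caller < arr1->length) {
        unsigned long safe = untrusted_offset_from_caller &
            index_mask_nospec(untrusted_offset_from_caller, arr1->length);
        unsigned char value = arr1->data[safe];   /* index 0 if speculated OOB */
        unsigned long index2 = ((value & 1) * 0x100) + 0x200;
        if (index2 < arr2->length) {
            index2 &= index_mask_nospec(index2, arr2->length);
            return arr2->data[index2];
        }
    }
    return -1;                         /* rejected: offset out of bounds */
}

/* Hardened form 2: a barrier right after the check, so the dependent loads
 * do not start until the comparison has actually resolved. */
static int load_fenced(const struct array *arr1, const struct array *arr2,
                       unsigned long untrusted_offset_from_caller)
{
    if (untrusted_offset_from_caller < arr1->length) {
        SPECULATION_BARRIER();
        unsigned char value = arr1->data[untrusted_offset_from_caller];
        unsigned long index2 = ((value & 1) * 0x100) + 0x200;
        if (index2 < arr2->length) {
            SPECULATION_BARRIER();
            return arr2->data[index2];
        }
    }
    return -1;
}

/* Zero-filled array of the given length (constructed sample data). */
static struct array *make_array(unsigned long length)
{
    struct array *a = calloc(1, sizeof(*a) + length);
    if (a)
        a->length = length;
    return a;
}

int main(void)
{
    struct array *arr1 = make_array(16);      /* small array */
    struct array *arr2 = make_array(0x400);   /* array of size 0x400 */
    if (!arr1 || !arr2)
        return 1;
    arr1->data[3] = 1;                        /* low bit set -> index2 = 0x300 */
    arr2->data[0x300] = 0xAA;

    printf("masked, in bounds:     %d\n", load_masked(arr1, arr2, 3));
    printf("masked, out of bounds: %d\n", load_masked(arr1, arr2, 0x500));
    printf("fenced, in bounds:     %d\n", load_fenced(arr1, arr2, 3));
    free(arr1);
    free(arr2);
    return 0;
}
```

The mask costs a few arithmetic instructions per access, while the barrier stalls the pipeline at every guarded check, which is why the choice is made per code path when software is recompiled.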

Variant 2 (also Spectre) requires both a microcode patch from CPU vendors and a patch from the kernel to leverage IBRS (Indirect Branch Speculation Feature), STIBP, and IBPB. Another suggestion called “retpoline” has been introduced by Paul Turner from Google and is also being implemented in various compilers, including GCC and LLVM, even though some questions still remain about its efficiency on certain CPU models.

Vulnerability (Linux) | Software mitigation | Hardware mitigation
Meltdown (3 & 3a)     | KPTI                | Not needed
Spectre 1             | n/a                 | n/a
Spectre 2             | IBRS / Retpoline    | Microcode

Proprietary vendors have also published several updates:

  • Apple addressed the two Meltdown variants in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Spectre is being mitigated in iOS 11.2.2 and the macOS 10.13.2 Supplemental Update, even though only recompiled software is an effective mitigation for variant 1.
  • Google has included some mitigations for the three variants in its Android Security Bulletin on January 5. Note that further mitigations are expected in next month’s updates, especially a kernel with KPTI.

Regarding Microsoft, the process has been bumpier. They’ve released various fixes for the platform, but made several requirements for the patches for Spectre and Meltdown to be effective:

  1. If an antivirus solution is registered in the Windows Security Center, it needs to set the following registry key:

 Key="HKEY_LOCAL_MACHINE"
 Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
 Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"
 Type="REG_DWORD"
 Data="0x00000000"

Only then can the January Patch Tuesday patch be applied. Note that Malwarebytes users have been able to successfully receive the patch since its publication.

  2. As pointed out by Kevin Beaumont, a specific manipulation must be done on Windows Server to apply the patch and enable it. After creating the following keys and restarting the host, the mitigation should be in place:

 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

A few moments later, users began to report computers running with AMD processors becoming unbootable after applying the patch. Microsoft has stopped delivering the patch to those configurations while working with AMD to find a solution.

Available software patches

Apart from hardware manufacturers and OS vendors, software vendors have also been quick to mitigate the exploitation of Spectre. Browser vendors and virtualization solutions are particularly exposed to these vulnerabilities and have been the fastest to respond.

  • Xen published an advisory sharing details about the vulnerabilities in its hypervisor’s scope alongside a documentation page explaining how to mitigate.
  • Mozilla released Firefox 57.0.4 soon after publishing an article explaining how they managed to exploit Spectre remotely using JavaScript and WebAssembly. This update makes time sources less precise, thus making the exploitation a lot more unreliable while more in-depth fixes are engineered.
  • Google Chrome followed shortly after with an explanatory article about how Spectre could be exploited using WebKit’s JavaScriptCore and listing the upcoming mitigations in WebKit.

Numerous proofs of concept have been published to demonstrate the exploitation of the different variants, from reconstructing an image to applying it against a specifically crafted Intel SGX enclave. It’s also possible to test if mitigations are in place: Microsoft released a solution that can be used remotely based on the new PowerShell SpeculationControl module, and several solutions are available on Linux-based OSes.
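One way to check mitigation status on a Linux host, as an added example that is not one of the tools referred to above: it assumes a kernel that reports per-issue status under /sys/devices/system/cpu/vulnerabilities/ and an x86 /proc/cpuinfo with a “flags” line. The function names and the sample text are constructed for illustration; flags are matched as whole tokens so that “invpcid” is not mistaken for “pcid”.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum state { ST_UNKNOWN, ST_NOT_AFFECTED, ST_MITIGATED, ST_VULNERABLE };

/* Constructed sample of /proc/cpuinfo text (not captured from a real host). */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "model name\t: Example CPU (constructed)\n"
    "flags\t\t: fpu vme sse2 invpcid pti\n";

/* Map the first words of a kernel status line to a state. */
static enum state classify(const char *status)
{
    if (strncmp(status, "Not affected", 12) == 0) return ST_NOT_AFFECTED;
    if (strncmp(status, "Mitigation:", 11) == 0)  return ST_MITIGATED;
    if (strncmp(status, "Vulnerable", 10) == 0)   return ST_VULNERABLE;
    return ST_UNKNOWN;               /* empty, missing or unrecognised */
}

/* Returns 1 if `flag` appears as a whole token on the first "flags" line. */
static int has_cpu_flag(const char *cpuinfo, const char *flag)
{
    size_t flen = strlen(flag);
    const char *line = cpuinfo;

    if (flen == 0)
        return 0;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 5 && strncmp(line, "flags", 5) == 0) {
            const char *end = line + len;
            const char *p = memchr(line, ':', len);
            if (!p)
                return 0;
            p++;
            while (p < end) {
                while (p < end && isspace((unsigned char)*p)) p++;
                const char *tok = p;
                while (p < end && !isspace((unsigned char)*p)) p++;
                if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
                    return 1;
            }
            return 0;                /* every CPU repeats the same line */
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Read up to cap-1 bytes of a file into buf; returns 0 if it cannot be opened. */
static int read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 1;
}

int main(void)
{
    static const char *const issues[] = { "meltdown", "spectre_v1", "spectre_v2" };
    static const char *const label[] = { "unknown", "not affected", "mitigated", "VULNERABLE" };
    char path[128], buf[8192];

    for (size_t i = 0; i < sizeof issues / sizeof issues[0]; i++) {
        snprintf(path, sizeof path,
                 "/sys/devices/system/cpu/vulnerabilities/%s", issues[i]);
        if (!read_file(path, buf, sizeof buf))
            buf[0] = '\0';           /* kernel without the sysfs report */
        printf("%-10s %s\n", issues[i], label[classify(buf)]);
    }
    /* PCID support affects how visible the KPTI overhead is. */
    if (read_file("/proc/cpuinfo", buf, sizeof buf))
        printf("%-10s %s\n", "pcid", has_cpu_flag(buf, "pcid") ? "present" : "absent");
    printf("%-10s %s (constructed sample)\n", "pcid",
           has_cpu_flag(SAMPLE_CPUINFO, "pcid") ? "present" : "absent");
    return 0;
}
```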

Patch impact on AdwCleaner’s infrastructure

Disclaimer: The following is not a benchmark, but feedback based on what we have observed in our hardware environment and software stack. The observed behaviour is highly dependent on the workload, and there may be no changes observed in yours.

As part of our security process, we’ve applied fixes as soon as they were made available by our distributions and hosting providers. We were expecting some performance impact, especially on the AdwCleaner storage backend, but it was hard to quantify.

CPU load before and after KPTI patch on AdwCleaner storage backend.

After applying the new Linux kernel with the KPTI backport, we’ve observed a 10 to 15 percent increase of CPU usage. (We applied the patch slightly before 00:00 UTC on January 6.) These servers do not take advantage of PCID, which could make the difference in performance less visible. As this usage increase appears to be the new baseline for some time, it is likely to lead, at least temporarily, to important cost increases for users of providers billing based on CPU usage, although some providers are reportedly working with severely impacted customers.

As the situation still evolves quickly every day, some updates may be added to both the original story and this blogpost.

Particularly interesting literature:

Alleged creator of Fruitfly indicted for 13 years of spying

Posted: January 12, 2018 by Malwarebytes Labs

Way back at the start of last year, we took a look at something called Fruitfly, a Mac backdoor using old code that had been around for a long time and could (deep breath) upload files to computers, record images and video, snoop around in victims’ information, take screenshots, and also log keystrokes. The malware, made up of just two files, was a mixture of “wow, that’s clever,” ancient system calls, and basic persistence techniques. Possessing the ability to download additional files from a Command and Control server, alongside a seemingly overt interest in being able to capture images, we also discovered Windows versions of the files communicating with the same C&C.

At the time, a lot of questions were raised about what it was being used for, alongside the possibility that professional hacking groups were behind its creation.

With that in mind, news has broken that a 28-year-old man, Phillip R. Durachinsky of North Royalton, Ohio, has been charged with using this piece of malware since the age of 15(!) to allegedly:

Very serious allegations. In addition to being charged with 16 counts of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft, it’s also claimed he’s the creator of Fruitfly, which would be quite the revelation. From the indictment:

The “medical records” reference leaps out. From our linked blog:

That would definitely appear to sync up with the medical record pilfering, and we’re wondering what else will come out in the wash by the time this one has passed through the courts.

According to the indictment, Durachinsky also used stolen login credentials to access and download information from third-party websites. He’s further alleged to have watched and listened to victims without their knowledge or permission, and intercepted oral communications taking place in the room where the infected computer was located. In some cases, Durachinsky’s malware alerted him if a user typed words associated with pornography. He apparently saved millions of images and often kept detailed notes of what he saw.

Reading through the charges paints more and more of a disturbing picture.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”

Getting away with more than a decade of stealing data like this on such a grand scale is quite the feat, and one hopes the victims of the most salacious offenses receive justice.

WPA3 will secure Wi-Fi connections in four significant ways in 2018

CES, the annual consumer electronics extravaganza in Las Vegas, isn’t just a showcase for virtual reality and poorly-timed power outages. It’s also an opportunity to get a peek at the future of network security.

That’s why on the first day of CES, the Wi-Fi Alliance announced the newest security protocol for Wi-Fi devices: WPA3. The new protocol is the most significant upgrade to Wi-Fi security since WPA2 was ratified in 2004.

Details are thin, but the announcement outlined four new security capabilities that will protect wireless connections in the years to come.

1. Protection against brute force “dictionary” attacks

Despite a generation of irritated admins requesting that users choose stronger passwords, the most popular passwords are still common words like “password” or “football.” That makes networks vulnerable to simple brute force attacks that systematically submit every word in the dictionary as a password. Online tutorials of this Wi-Fi hack are trivially easy to find.

WPA3 should make that issue a thing of the past by “delivering robust protections even when users choose passwords that fall short of typical complexity recommendations.” Some security experts have speculated that this refers to a type of key exchange called Dragonfly. According to the Internet Engineering Task Force (IETF), Dragonfly “employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.”

2. Easier Internet of Things (IoT) security

WPA3 promises to “simplify the process of configuring security for devices that have limited or no display interface.” That’s a nod to the growing number of devices that are enhanced by network connections, such as smart door locks, home personal assistants, and (apparently) toothbrushes. Since IoT devices rarely have a graphical interface, it’s difficult to configure them for optimal security. You can’t type a password directly on a toothbrush, after all. This can naturally lead to less secure connections and vulnerable devices. Hackers could, for example, access your smart speakers and play whatever audio they want in your living room.

The Wi-Fi Alliance hasn’t yet offered details on how WPA3 overcomes this challenge. But researchers have successfully enhanced security on IoT devices by configuring them with a smartphone.

3. Stronger encryption

WPA2 requires a 64-bit or 128-bit encryption key. But WPA3 uses a stronger standard: 192-bit encryption and alignment with the Commercial National Security Algorithm (CNSA) Suite. This promises consumers the kind of beefier security that’s currently used to protect governments and corporations.

4. Secure public Wi-Fi

Public Wi-Fi connections, like the kind you might use in a coffee shop or library, are always less secure than private ones. That’s partly due to the inherent security limitations of open wireless networks, and partly due to the fact that librarians and coffee shop owners aren’t typically network security masters. The new standards promise to “strengthen user privacy in open networks through individualized data encryption,” though the announcement doesn’t offer specifics on how that will be achieved.

Curiously, during its CES announcement, the Wi-Fi Alliance made no mention of KRACK, the vulnerability in WPA2 that impacted all Wi-Fi devices. However, Mathy Vanhoef, the researcher who discovered the vulnerability, wrote several enthusiastic tweets about WPA3.


In one, he speculates that WPA3 will include Opportunistic Wireless Encryption. This enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), thus allowing them access to a data stream. In other words, the new protocol should help prevent hackers from snooping on your web browsing while you’re at Starbucks.

Before we start to see the benefits of WPA3, the Wi-Fi Alliance has to certify hardware that uses the security protocol. So there’s no telling when people can start enjoying the enhanced security protections. But you shouldn’t be surprised if you start seeing devices that use the new protocol later this year.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

Fake Spectre and Meltdown patch pushes Smoke Loader malware

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, the same fraudulent domain has a link to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information.

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.

Indicators of compromise

Fraudulent site:


Fake patch (Smoke Loader):

sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip
CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru
localprivat-support[.]ru
service-consultingavarage[.]ru
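One way to put the indicators above to work, as an added example that is not part of the original post: the script matches resolver log entries against the listed domains (including subdomains, but not look-alike names) and compares a file's SHA-256 with the listed hash. The log format, the sample lines and the function names are constructed for illustration.

```python
import hashlib

# Indicators copied from this post. Domains are stored defanged and only
# refanged in memory for comparison.
FAKE_PATCH_SHA256 = "CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C".lower()
IOC_DOMAINS = [
    "sicherheit-informationstechnik[.]bid",
    "coolwater-ltd-supportid[.]ru",
    "localprivat-support[.]ru",
    "service-consultingavarage[.]ru",
]

# Constructed resolver log (timestamp, client, query name, type); not real traffic.
SAMPLE_DNS_LOG = """\
2018-01-12T09:14:02Z 10.0.4.17 www.example.org. A
2018-01-12T09:14:05Z 10.0.4.23 Sicherheit-Informationstechnik.bid. A
2018-01-12T09:15:40Z 10.0.4.23 cdn.localprivat-support.ru. A
2018-01-12T09:16:11Z 10.0.4.31 notlocalprivat-support.ru. A
"""

def refang(domain):
    return domain.replace("[.]", ".").lower()

def match_ioc(qname, iocs=IOC_DOMAINS):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    for ioc in map(refang, iocs):
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def scan_dns_log(text):
    """Return (timestamp, client, indicator) for every query that hits an IoC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        ioc = match_ioc(fields[2])
        if ioc:
            hits.append((fields[0], fields[1], ioc))
    return hits

def is_fake_patch(data):
    """Compare the SHA-256 of file contents (bytes) with the hash listed above."""
    return hashlib.sha256(data).hexdigest() == FAKE_PATCH_SHA256

if __name__ == "__main__":
    for ts, client, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried IoC domain {ioc.replace('.', '[.]')}")
```
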

Stripchat bot spells block

Here at Malwarebytes, we spend a lot of time and effort scouring the Internet for malicious websites that we can protect our users from. Sometimes, these websites are pushing malware or some kind of scam. Other times it comes down to bad advertising practices that are used to fool the user into clicking on something.

We used to see a lot of this kind of trick with fake download buttons that redirected users to sites for installer downloads or to surveys. More recently, we found a site using a different type of deception, and it’s shot up to our second-most common detection over the last month. The site is called creative.stripchat.com.

Stripchat.com is an online streaming video service operated by Technius LTD and offered on a number of popular websites. The streaming service targets adult audiences for the purposes of online sexual encounters. The service boasts many active subscribers and a number of channels available for use.

Stripchat has a number of valid channels, feeds, and websites, but one particular subdomain has caught the attention of Malwarebytes for implementing various deceptive tactics and misleading techniques. The website, creative.stripchat.com, is a domain used for advertising purposes. Once opened in a web browser, the website purports to engage the user via a “live” chat window and the ability to chat with a model. This, however, is not the case.

The purported live video feed is nothing more than a video retrieved from the Internet and subsequently looped, or in some cases terminated with a message indicating the model is in a private chat. These messages are deceptive: the feeds are not live as claimed, and the responses are pre-programmed, as can be seen from the JavaScript code and subsequent chat session.

Malwarebytes blocks the creative.stripchat.com sub-domain for the use of these misleading marketing tactics.

However, if you’d like to continue visiting this sub-domain, you can add an exception. Scroll down to the “How to add an exception” heading of this post on why we block CoinHive to learn how.

A week in security (January 8 – January 14)


Posted: January 15, 2018 by Malwarebytes Labs

It’s very early in the year, yet everyone has already had a complete meltdown (pun intended) over a number of serious vulnerabilities found in legacy and modern microprocessors. Last week, rightly so, vendors released patches for hardware and OSes to help mitigate these threats. However, problems in patching persisted.

As if this wasn’t challenging enough, some online criminals jumped on the bandwagon, taking advantage of the hullabaloo to push the Smoke Loader malware onto unsuspecting users’ systems.

On our blog, we also touched on WPA3, misleading marketing tactics, more 419 scams, and the indictment of the alleged Fruitfly creator, a win for the security community.

Lastly, in the realm of cryptocurrency, we saw an increase in malware payloads from the RIG exploit kit.

Other news

Stay safe, everyone!