Haxxors use Facebook to help conceal malware

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Haxxors use Facebook to help conceal malware

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Haxxors use Facebook to help conceal malware

Post by GµårÐïåñ »

Funny, as this is the same trick "trainers" like those for games that use Flash (i.e. FarmVille) will use to generate "ad revenue" to "support" their tools. Most of them were easy to defeat, just prevent internet access so they can't download the dropper code (often called WisdomEye by AV engines), but they began just launching adf.ly or bit.ly links since they clearly assume a browser is open to play the game, which can easily be broken with, say, a blocker like uBlock. As recently as a couple of weeks ago, I was impressed to find that one of them actually figured out how to embed the "ad" code inside the game's flash component which it is patching, and you can't really block it from "loading" the ads inside the game, which to most would appear to come from the game maker.

It's a game of whack-a-mole, just gotta grin and bear it and white knuckle through it. Ultimately the best defense is adopting a clear, persistent and constant discipline in using the internet and handling files, that's it. I have been using a computer since 1986 and I have NEVER, EVER had a virus, worm, trojan, or been compromised in any way, and I do some crazy ass things like analyzing live virus code right on my daily driver production machine. It's like working at the CDC, you know the f-ing ebola test tube can kill you but you go in each day, handle it, then go have lunch and go home, no biggie. Why are you OK? Because you handle it right, there are protocols; as long as people apply something similar to their activity, they will be fine. When you take the security for granted and slack, then you get nailed.

But in my case, I have a feeling that one of these days these nasty payloads might slip my grasp if I am not careful, but until then, I don't even blink. If/when it should happen, I have no one to blame but myself :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 7.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Haxxors use Facebook to help conceal malware

Post by barbaz »

GµårÐïåñ wrote:I have been using a computer since 1986 and I have NEVER, EVER had a virus, worm, trojan, or been compromised in any way, and I do some crazy ass things like analyzing live virus code right on my daily driver production machine. It's like working at the CDC, you know the f-ing ebola test tube can kill you but you go in each day, handle it, then go have lunch and go home, no biggie. Why are you OK? Because you handle it right, there are protocols; as long as people apply something similar to their activity, they will be fine.
Wow. If you could please explain what security measures you use for that stuff, it would be much appreciated! :)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Haxxors use Facebook to help conceal malware

Post by GµårÐïåñ »

My security is simple but effectively consistent; most people mistakenly think security needs to be complicated or overwhelming.

1. Control ALL internet traffic (a fine-grained firewall like Comodo will do the trick). This means don't set EVERY app to auto-check for updates, don't give every app internet access because they ask for it, even if benign, and understand EXACTLY what they are doing when they DO have access; that requires packet inspection (something as simple as Wireshark will do the trick, but if you want to get more anal, there are other options).

2. Hash scanners (a robust but non-intrusive AV; for example Defender does the trick, as far back as when it was called MSE, I put a review on here a long time ago). Just one, don't overdo it, don't put a bunch of them on, they all behave the same, so don't follow the hype; they ALL scan the same damn hash and use the same damn heuristic, regardless of what garbage they tell you. I need them to alert me to the persistent shit, I will handle the zero-days myself through habitual protocol. Sophos is also good, but overzealous, so you need to temper the settings a bit; Comodo AV is ok but sometimes too overreaching, but can be tweaked to reduce the false positives. Ultimately they all rip off ClamAV to some extent, so you can just get a stand-alone scanner for manual scanning and just use that.

3. CHECK EVERY FILE BEFORE YOU OPEN IT, RUN IT, COPY IT, MOVE IT, STORE IT, or whatever you do to it. Run a simple test with something like VirusTotal (to get multispectrum analysis) or Metadefender if you want to be able to do larger files. Lock down all your system files, simple DEP will handle that. If you are a masochist, you can try Comodo's HIPS; it is excessively confusing for most, but it has one advantage: when dealing with an app whose behavior you DON'T know, it will expose everything it does and can show you all the interactions, which can help you diagnose if it is safe or not. But I would NOT use their HIPS 24x7, that would be exhaustively counterproductive. When you do open a file or run it, make sure your "temp" or "scratch" folders are all isolated with ONLY SYSTEM and ADMIN user access, NO ONE ELSE; that way you will guarantee that no one can actually leverage them against you. Also make sure you are opening it (at least the first time) inside a sandbox. A good one is Sandboxie (free-ish), but be careful configuring it for convenience, you might just be letting the devil in without realizing it. Another open option which does pretty well is Comodo's sandbox, which they call Auto-Containment; I don't have it on auto, just manual through right click when I need it. Side note, the crippled folder I told you about will be created for each file you open in this method by default, so there is that nice feature.

That's it as far as the system is concerned: Defender (comes installed) and Comodo Firewall (which gives me the other items I mentioned, built in, too), and VirusTotal/Metadefender are online, that's it. When it comes to securing the browser, I need TWO things, mostly just one, but the second one makes me feel better, so no harm: uBlock (with third-party frames and scripts disabled globally by default) with a few major malware and tracking lists and a shit load of custom filters and rules, and NOTHING gets past it; and Disconnect. Plus if I need something to run, I can do it temporarily for that session, which resets automatically when I am done, and that's that. Hell, I have even configured my browser to keep my cookies and use CCleaner to trim the unwanted ones to ensure that I always stay logged into certain places, like here for example. Never been session or cookie hijacked; that's a testament to the robust setup, and I get the convenience of not having to constantly log into my most used tools. That being said, I NEVER EVER EVER EVER EVER stay logged into anything like a bank, credit card, or whatnot. That I log in, finish, log out, and that's it. I mean, think about how annoying it would be if every time a student sent me a message I had to log in to respond; it gets annoying quickly, but the way I do it, the session remains, although they have their own "max" session which logs me out eventually on a schedule, but at least. I also set my cache to 0, history to nothing, disable all GEO and WebRTC features and media autoplay, and keep all "plugins" disabled by default.

That's it. Now there are slight adjustments in the browser behavior between Firefox and Chrome, but the way I configure them, they behave nearly IDENTICALLY. For example, on FX, I use uBlock, Disconnect, GreaseMonkey and VPN for going into the deep ;) and on Chrome (which I effectively have stopped using after a period of developing on it) I use uBlock, Disconnect, TamperMonkey and VPN, so you can see, nearly identical. Now on FX, I use about:config to disable geo, peerconnection, media autoplay, hardware "accelerations" (they are vulnerable to malicious decoding code) and a few other personal tweaks that are less security and more anal retentive. On Chrome, I use about:flags to disable geo, google "phone home" services, webrtc/rtcpeer, hardware and automatic tab discarding. That's it in a nutshell. It seems like a lot of work, and it is, I won't dismiss that, but once you get the system to the level I have it now, it becomes a self-regulating beast that follows MY BEHAVIOR, so ultimately I am the weak point in all of it; if _I_ fail, then the whole system fails. It's not the hacker's or the computer's fault, it is mine as the user, simple as that. You sleep on the job, you get hit, simple as that. You stay vigilant; it doesn't mean you don't get hit, but at least you are ready for it and can defend against it. There is no magic to it, just being proactive.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Haxxors use Facebook to help conceal malware

Post by barbaz »

Many thanks for the detailed answer!
GµårÐïåñ wrote:Lock down all your system files, simple DEP will handle that. If you are a masochist, you can try Comodo's HIPS; it is excessively confusing for most, but it has one advantage: when dealing with an app whose behavior you DON'T know, it will expose everything it does and can show you all the interactions, which can help you diagnose if it is safe or not. But I would NOT use their HIPS 24x7, that would be exhaustively counterproductive. When you do open a file or run it, make sure your "temp" or "scratch" folders are all isolated with ONLY SYSTEM and ADMIN user access, NO ONE ELSE; that way you will guarantee that no one can actually leverage them against you. Also make sure you are opening it (at least the first time) inside a sandbox. A good one is Sandboxie (free-ish), but be careful configuring it for convenience, you might just be letting the devil in without realizing it. Another open option which does pretty well is Comodo's sandbox, which they call Auto-Containment; I don't have it on auto, just manual through right click when I need it. Side note, the crippled folder I told you about will be created for each file you open in this method by default, so there is that nice feature.
These exact measures seem Windows-specific. I run Ubuntu, how much of this does using either firejail or Apparmor cover?
GµårÐïåñ wrote:I use uBlock, Disconnect,
Question, do you use both because defense-in-depth, or because the functionality doesn't completely overlap?
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Haxxors use Facebook to help conceal malware

Post by GµårÐïåñ »

barbaz wrote:Many thanks for the detailed answer!
You are very welcome.
barbaz wrote:These exact measures seem Windows-specific. I run Ubuntu, how much of this does using either firejail or Apparmor cover?
Yes, as that is my primary environment, but I have countless flavors of Unix/Linux and Mac on tap as well; they are strictly for research, compatibility and debugging purposes and are run in complete isolation, they are basically cold boxes. So since I am doing what I am doing to them on purpose, I expect them to break as needed to serve that end, but when I am done, it gets zeroed and goes back to a healthy state, so I don't really have to invest much there; they behave quasi-live in nature.

That being said, for non-Windows/Mac environments (although some of what I say will work with Mac's linux backend) you really only need to watch TWO things like a hawk, and for the rest, just be vigilant. 1) Watch your route tables, symlinks and aliases. If you spend any amount of time looking at these, which I am sure you have, you will know why. 2) Protect your system partition's access; in fact I highly recommend you keep everything on a custom data partition and micromanage the access to system counterparts using symlinks. But don't put it on there and give it direct access. That's pretty much it. With Linux boxes, I also would recommend not relying too much on a soft firewall but rather putting it behind a decent (not expensive, just solid) router with granular MAC filtering, port control and a generally robust hardware firewall. And when possible, generally avoid IPv6 traffic altogether by disabling it globally when you can, unless you are in a region where you have no choice of IPv4.
barbaz wrote:Question, do you use both because defense-in-depth, or because the functionality doesn't completely overlap?
Neither entirely, nor both, but mostly for observational redundancy. Meaning, are they both seeing the same thing? If not, WHY? That's all. Sometimes I even employ an external packet monitor to validate connections. I forgot to add that the external monitor is to ensure that the execution order of u+d is not causing a knockout effect between them. I assumed that was clear, but wanted to make sure.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Haxxors use Facebook to help conceal malware

Post by barbaz »

GµårÐïåñ wrote:1) Watch your route tables, symlinks and aliases. If you spend any amount of time looking at these, which I am sure you have, you will know why.
Interesting. I never thought of symlinks and aliases that way before.

Re: route tables, this is actually the first time I've even heard of it. So I guess just run "route" and/or "route -n" in a terminal, right? What should I consider suspicious?
GµårÐïåñ wrote:2) Protect your system partition's access, in fact I highly recommend you keep everything on a custom data partition and micromanage the access to system counterparts using symlinks. But don't put it on there and give it direct access.
Sounds like one reason why I use firejail and/or VM for some stuff.

Thanks again.
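As an added example (not code from the thread), here is the "watch your route tables" habit turned into a small Python check: snapshot `route -n` on a known-good day, then diff later output against it and flag what changed, in particular which gateway now wins the default route. The two snapshots are constructed sample data, and the net-tools `route -n` column layout is assumed.

```python
"""Baseline-and-diff check for a Linux routing table (added example).
Assumes net-tools `route -n` output; both snapshots below are constructed."""

# Constructed baseline captured on a known-good day.
BASELINE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
"""

# Constructed "now" snapshot: a second default route with a lower metric
# (so it wins) and a host route that was never in the baseline.
CURRENT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    50     0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
203.0.113.9     192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
"""


def parse_route_n(text):
    """Parse `route -n` lines into (dest, gateway, genmask, flags, metric, iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # title line, column header, or blank line
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append((dest, gw, mask, flags, int(metric), iface))
    return routes


def winning_default(routes):
    """Gateway of the default route with the lowest metric, or None if there is none."""
    defaults = sorted((r for r in routes if r[0] == "0.0.0.0"), key=lambda r: r[4])
    return defaults[0][1] if defaults else None


def diff_routes(baseline_text, current_text):
    """Routes added/removed since the baseline, plus whether the effective
    default gateway changed; that is the change to investigate first."""
    base, cur = parse_route_n(baseline_text), parse_route_n(current_text)
    old_gw, new_gw = winning_default(base), winning_default(cur)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "default_gateway": new_gw,
        "default_changed": old_gw != new_gw,
    }
```

To use it for real, store your own `route -n` output as the baseline and feed fresh output to `diff_routes`; an empty `added`/`removed` and `default_changed == False` is the quiet result you want.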