Tag: malware

A billion people get their data leaked

A report from IBM’s security division estimates that in 2014 at least a billion records of people across the world were leaked.

That’s about one in seven of this planet’s humanoid population.

IBM released its X-Force quarterly report and relays information about over 9,000 security “vulnerabilities” affecting over 2,600 vendors in 2014. That’s an increase of 9.8 percent compared to 2013 and Big Blue said it’s the highest single year total in the 18 years it’s been tracking such things.

The USA suffered the most: at 74.5 percent, its share is far higher than that of any other territory. IBM said that 40.2 percent of the most common attacks were not described by those surveyed, but malware and DDoS accounted for as much as 17.2 percent each.

IBM said that there was a big rise in so-called designer vulnerabilities.

All operating systems seemed to be under attack – including Windows, Mac OS X and Linux.

One key vulnerability happened in October with a researcher showing there are thousands of security problems in Android apps.


Skeleton Key exposes password flaws

SecureWorks, the security arm of Dell, has found malware which it has dubbed “Skeleton Key” which shows up weaknesses in the password system.

The attack consists of installing rogue software within Active Directory, and the malware then allows attackers to login as any user on the domain without the need for further authentication.

It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.

But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.

Access is not logged and the malware is completely silent and, as a result, extremely hard to detect. Identifying the malware using traditional network monitoring also does not work, because Skeleton Key does not generate any network traffic.

In its current form, the malware does not survive a system reboot, which means that it has to be a continuous hack, but such things are possible, particularly if you have a disgruntled sysadmin.

Companies can also make the malware useless by requiring two-factor authentication to connect to servers, VPN, email and the like. So in other words leaning on passwords is pretty much suicide.

Microsoft sues Windows scammers

Software giant Microsoft has taken legal action against a company it claims is scamming people by representing itself as a Windows support outfit.

The Indian company, C-Cubed Solutions, is alleged to call people up saying people have had problems with their computers and conning them out of money.

The case claims that representatives from the company claim they represent Microsoft and then attempt to inveigle people into visiting web sites which are infected with malware, according to the Times of India. The caller may also attempt to get remote access to a computer and ask for payment using a credit card under the pretext of providing technical support.

Microsoft says it never calls people cold and advises people who get such calls never to give any information to people who claim to represent it.

The scam doesn’t only affect people in the USA – cold calls have been made to other countries including the UK, Ireland, Australia, Canada and New Zealand.

FBI warns of more North Korean cyber attacks

The Untouchables have warned businesses that North Korean hackers are using malicious software to launch a destructive cyberattack in the United States.

The alert appeared to describe the one that affected Sony, which would mark the first major destructive cyber-attack waged against a company on US soil. Such attacks have been launched in Asia and the Middle East, but none had been seen in the United States. The FBI report did not say how many companies had been victims of destructive attacks.

Analysts think that the attack is a watershed event and that politics now serve as harbingers for destructive cyberattacks.

The five-page, confidential “flash” FBI warning issued to businesses last night provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.

The malware overwrites all data on the hard drives of computers, including the master boot record, which prevents them from booting up.

“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the report said.

The document was sent to security staff at some U.S. companies in an email that asked them not to share the information.

The FBI released the document in the wake of last Monday’s unprecedented attack on Sony Pictures Entertainment, which brought corporate email down for a week and crippled other systems as the company prepares to release several highly anticipated films during the crucial holiday film season.

A Sony spokeswoman said the company had “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”

The FBI said it is investigating the attack with help from the Department of Homeland Security. Sony has hired FireEye’s Mandiant incident response team to help clean up after the attack, a move that experts say indicates the severity of the breach.

Hackers used malware similar to that described in the FBI report to launch attacks on businesses in highly destructive attacks in South Korea and the Middle East, including one against oil producer Saudi Aramco that knocked out some 30,000 computers. Those attacks are widely believed to have been launched by hackers working on behalf of the governments of North Korea and Iran.

Sony may have been targeted by North Korea for releasing a film called “The Interview”.

The movie, which is due to be released in the United States and Canada on Dec. 25, is a comedy about two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. The Pyongyang government denounced the film as “undisguised sponsoring of terrorism, as well as an act of war” in a letter to U.N. Secretary-General Ban Ki-moon in June.

The FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.

Government spyware threatens PCs

Anti-virus company Symantec said it has uncovered a clever piece of spyware that was probably designed by a Western government.

The spyware, called Regin, has been around for about six years and is clever enough to steal your passwords, go onto your hard drive and resurrect deleted files, and take screenshots.

Apparently, according to a Symantec executive interviewed on the BBC Radio 4 programme Today, it has hit PCs in Saudi Arabia, Ireland and Russia.

But she declined to say which Western organisation had invented Regin and let it loose on the online world.

Symantec thinks the malware has parallels with the Stuxnet worm, jointly developed by cyber warriors in Israel and the USA to mess up Iran’s nuclear programme.

AV companies are now hustling to get an antidote out against Regin.

Apple gear plagued with malware

Palo Alto Networks has discovered a new family of malware that can infect Apple desktop and mobile operating systems.

For a while now, Jobs’ Mob has made much of the fact it is “super secure” even while its gear is turned over in seconds at hacker conferences. But now that the hardware is becoming more popular, it is clear that hackers are starting to write code that can disable anything that Apple comes up with.

The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables.

Ryan Olson, intelligence director for the company’s Unit 42 division, said that it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party app store and appeared to have mostly affected users within the country.

The malware spread through infected apps uploaded to the app store that were in turn downloaded onto Mac computers. This is bad news for Apple, which always claims that its store is closely vetted in comparison to the Google operation.

According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.

So far, there is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books. But then again what sort of information would an Apple user have?  There cannot be many Chinese spooks who want a Coldplay or U2 collection. As far as companies are concerned,

Apple was told about the bug two weeks ago and has not done anything. Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.

Networks compromised by Backoff malware

Security company Damballa said it had recorded a 57 percent increase in Backoff malware between August and September.

It compiles its reports from enterprise customers and global ISPs.

The biggest challenge for IT security teams is to find genuine attacks on networks among the avalanche of security alerts they typically receive.

During the third quarter of this year, Damballa noted the most affected enterprises received 138,000 events daily, up 32 percent from the second quarter. Enterprise customers said that’s an average of 37 infected devices per day.

But Damballa noted that Backoff, which is targeted POS (point-of-sale) malware, infected 1,000 businesses. The type of enterprises that suffered showed the malware had managed to bypass network prevention controls and, while active, was hidden in networks.

Brian Foster, the CTO of Damballa, struck a pessimistic note, saying the figures show prevention controls can’t stop malware infections. “POS malware and other advanced threats can, and will, get through so we can’t completely build the walls around the network higher,” he said.

Enterprises need to look to build better intelligence to identify real threats. “We’d advise enterprises to be prepared, to get ahead by assuming they will be compromised, and take proactive measures,” he added.

Infected ATMs discovered

Malware illegally installed in automatic teller machines (ATMs) is costing millions of dollars, with INTERPOL involved in a fight to stem the thefts.

Kaspersky Labs said the Tyupkin malware works when crooks have physical access to the ATMs and use a bootable CD to install it. The infected ATM runs in an infinite loop waiting for a command and accepts it only at specific times on Sunday and Monday nights. Then the crooks strike, taking cash from infected machines without needing to use credit cards.

Kaspersky said the malware – Backdoor.MSIL.Tyupkin – has been detected on ATMs in Europe, Latin America and Asia.

The anti-virus company said that banks need to look at the physical security of ATMs and invest in good quality security systems.

They also need to replace the master keys and locks on the top of ATMs and get rid of the default settings. An alarm should also be installed, because Kaspersky discovered the gangsters only infected ATMs with no security alarm. The default BIOS passwords should be changed and the ATMs need to have up-to-date antivirus software installed.

Spam drowns business mail

A survey showed that 69 percent of organisations polled report that day-to-day business operations are severely disrupted by spam-related incidents.

GFI Software commissioned the independent report that surveyed 200 IT decision makers.

Thirty-six percent of the respondents said they have been affected up to three times in a year, meaning expense if PCs and servers need to be cleaned or re-installed after malware has been opened and executed by people.

Some respondents – 15 percent – said they had major spam-related IT failures over 10 times in the last year.

The most common type of spam is phishing – 49 percent of respondents said it was the most prevalent type of spam.

Banking spam from real companies is the second biggest problem at 44 percent.

Third was dating site spam. 34 percent of respondents said it was their main worry.

And 56 percent of those surveyed said they’d noticed a rise in spam levels over the past year.

Sergio Galindo, general manager at GFI software said crooks are using spam more and more to throw malware into the workplace for malicious reasons, to hold companies to ransom or to steal information that can be used for fraud.

Attackers quick to Bash Linux

Attackers have been quick to exploit the Shellshock Bash command interpreter bug, and a botnet is currently trying to infect other servers.

Italian security consultancy Tiger Security’s Emanuele Gentili said the “wopbot” botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence.

The botnet, named “wopbot”, runs on Linux servers and uses the Bash Shellshock bug to auto-infect others, he said.

It has so far been used to launch a distributed denial of service attack against servers hosted by content delivery network Akamai, and is aiming for other targets, Gentili said.

The malware has conducted a massive scan on the United States Department of Defence internet protocol address range on port 23 TCP or Telnet “for brute force attack purposes,” he said.

Gentili said Tiger Security had contacted UK provider M247 and managed to get the wopbot botnet command and control system taken down from that network.

The botmaster server for wopbot, which is hosted by US network Datawagon, is still distributing malware.

He thinks that the wopbot botnet will grow like Topsy, as it can infect more than 200,000 zombies in an hour or so.

The ‘Shellshock’ remotely exploitable vulnerability in the Bash Linux command-line shell was discovered yesterday, with researchers warning of its potential to become larger than the severe Heartbleed OpenSSL flaw uncovered earlier this year.

Millions of Apache webservers around the world could be at risk if their common gateway interface (CGI) scripts invoke Bash. The malware can also recruit Apple gear into the botnet without too many problems.
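A defender-side check for the CGI exposure described above, added here as an example that is not from the article or from Tiger Security: Apache hands request headers to CGI scripts as HTTP_* environment variables, so a Shellshock probe arrives as a header value that begins with a Bash function definition, “() {”. The scanner below flags such header lines and extracts the trailing command text for an analyst; the sample header lines are constructed, not captured traffic.

```python
import re
from typing import Iterable, Optional

# A Shellshock probe puts a Bash function definition, "() {", at the very
# start of an environment-variable value.  Apache's CGI handling exports each
# request header to the script as HTTP_<NAME>, so the marker shows up in
# headers such as User-Agent, Referer or Cookie.  Whatever follows the closing
# "};" is the text a vulnerable Bash would execute when it imports the variable.
FUNC_DEF_RE = re.compile(r"^\s*\(\)\s*\{")      # value opens with "() {"
TRAILER_RE = re.compile(r"\}\s*;\s*(.*)$")      # command text after "};"


def inspect_header(line: str) -> Optional[dict]:
    """Return a finding for one 'Name: value' header line, or None if clean."""
    name, sep, value = line.partition(":")
    if not sep:
        return None                             # not a header line at all
    value = value.strip()
    if not FUNC_DEF_RE.match(value):
        return None                             # ordinary header value
    trailer = TRAILER_RE.search(value)
    return {
        "header": name.strip(),
        "command": trailer.group(1).strip() if trailer else "",
    }


def scan_headers(lines: Iterable[str]) -> list:
    """Run inspect_header over many lines and keep only the findings."""
    return [f for f in (inspect_header(line) for line in lines) if f]


# Constructed sample header lines (hypothetical, not real traffic); the second
# and third carry the probe marker, the rest are benign.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Firefox/32.0",
    "User-Agent: () { :; }; echo vulnerable",
    "Referer: () { foo; }; /bin/true",
    "Cookie: session=abc123; theme={}",
    "Accept: text/html,application/xhtml+xml",
]

if __name__ == "__main__":
    for finding in scan_headers(SAMPLE_HEADERS):
        print(finding)
```

Feeding the same function the header section of a web server’s request log gives a quick triage of which hosts were probed and what the probes tried to run.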


SMEs targeted by malware

Small and medium sized enterprises (SMEs) are under attack by malware crooks, according to antivirus firm Bitdefender.

Bitdefender said that some SME employees in the UK are being hoodwinked into downloading trojans by emails suggesting they have violated company policy.

Apparently, the attacks grew last week, with .ARJ compressed files carrying the Zbot or Zeus malware. British companies affected appear to be ones that offer military clothing or products to the defence or security industry.

Zbot/Zeus has a password stealing component intended to grab user names and passwords, email and FTP credentials.

The attack comes as a malicious email that opens an .rtf document containing information about a policy violation. In the background, the malware attempts to connect to Zbot-infected websites.

Bitdefender has supplied a screen shot of a typical email.

Cisco throws weight behind firewall

Networking giant Cisco claims it has introduced the first threat-focused firewall.

Cisco ASA with FirePOWER Services uses contextual awareness and controls to automatically assess threats, provide intelligence and improve defences to protect the network.

Aimed at large enterprises, it includes Sourcefire’s Advanced Malware Protection and Next Generation Intrusion Prevention Systems.

The software management gives authorised users dashboards and drill down reports of discovered hosts, dodgy applications, threats and indicators of compromised systems.

Cisco claims its firewall is enterprise class, and supports VPN, advanced clustering and granular application-layer and risk-based controls. Open source integration with Snort, OpenAppID and ClamAV lets companies customise security.

No details of pricing are available.

Scientists develop malware tool

A team of researchers at the Universidad Carlos III de Madrid (UC3M) claims to have developed a tool to analyse large numbers of apps to trace the origin and family of malware.

Guillermo Suarez de Tangil, a researcher at the computer science department at the university, said malware can be in smartphones and even in washing machines.

“The amount of malware is constantly increasing and it is becoming more intelligent for that reason,” he said.  “Security analysts and market administrators are overwhelmed and cannot afford exhaustive checking for each app.”

The tool is called Dendroid and will track down the family and nature of the malware. “Developers generally reuse components of other malwares, and that precisely is what allows us to construct this genetic map,” he said.

He said antivirus software used in smartphones relies on detection engines based on signatures, and that its effectiveness is questionable, largely because smartphone resources are limited compared to a PC.

IE is back to being Internet Exploder

After years of keeping the security flaws in its Internet Explorer range down, Microsoft appears to be under siege from malware writers.

Bromium Labs analysed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013.

This makes IE worse than Java and Flash for vulnerabilities.

It does not appear to be Microsoft’s fault. Hackers had been increasingly targeting Internet Explorer, and Vole had responded with a progressively shorter time to first patch for its past two releases.

In contrast, the number of Java zero-days has declined, and in the first six months of 2014 there has not been a single public Java exploit.

Bromium thinks that the attention paid to Java exploits in 2013, and countermeasures such as disabling Java, may have had a role in forcing attackers to switch to new targets this year. This resulted in a drop in Java being targeted generally.

The hackers have been using Action Script Spray, an emerging technique that bypasses address space layout randomisation (ASLR) with a return-oriented programming (ROP) chain.

Rahul Kashyap, chief security architect at Bromium, said web browsers have always been a favourite avenue of attack, but hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

He said that Action Script Sprays are a new technique and similar techniques will start to appear in the months to come. This is further evidence that the world of Web browser plugins presents a weak link that is just waiting for exploitation.

Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently, he noted.

“This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received,” Kashyap said.