Archive for the ‘Anti-Virus’ Category

U.S. Department of Labor website infected with malware

Wednesday, May 1st, 2013

The malware has been linked to a China-based hacking campaign that struck a Fortune 500 company in 2011

A subdomain of a U.S. Department of Labor website appeared offline on Wednesday after an apparent hack that looks similar to a known China-based hacking campaign nicknamed DeepPanda.

The tampered page, called Site Exposure Matrices (SEM), contains information on toxic substances at U.S. Department of Energy facilities, according to security vendors AlienVault and Invincea.

Hackers planted code on the main SEM page which redirected victims to other pages within the department’s website that attacked visitors’ computers. Invincea wrote that the site has been fixed, but it appeared to be offline late Wednesday.

When someone was redirected to an infected page, a script surveyed the computer to figure out which versions of software such as Microsoft Office, Adobe Systems’ Reader, Java or various antivirus programs it was running, wrote Jaime Blasco, director of AlienVault’s Labs.

The attack code then tried to exploit a vulnerability in older versions of Internet Explorer, wrote Anup Ghosh, founder and CEO of Invincea. The vulnerability, CVE-2012-4792, had already been patched by Microsoft, so fully updated browsers were not affected.

The style of attack is known as a drive-by download. It is particularly dangerous since potential victims merely need to visit a site in order for the attack to be executed.

Once installed, the malicious software attempts to contact a command-and-control server using a protocol linked with “a known Chinese actor called DeepPanda,” Blasco wrote.

The department could not be immediately reached for comment.

The security company CrowdStrike published a white paper that described DeepPanda as a China-based operation that tried to attack a large Fortune 500 company in December 2011. That attack sought to install remote-access Trojans (RATs), which would allow hackers to steal information from an infected computer.

The U.S. and China have clashed in recent months over cybersecurity. U.S. companies have become increasingly vocal over what they say are technically sophisticated long-term infiltration campaigns originating from within China.

Source:  computerworld.com

Attack hitting Apache websites is invisible to the naked eye

Monday, April 29th, 2013

Newly discovered Linux/Cdorked evades detection by running in shared memory.

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on there with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.

“The thing is receiving commands,” Camp said. “That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method.”

In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behavior in other ways. End users who request addresses that contain “adm,” “webmaster,” “support,” and similar words often used to denote special administrator webpages aren’t exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.

It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It’s possible they’re the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.

The malicious Apache modules are proving difficult to disinfect. Many of the modules take control of the secure shell mechanism that legitimate administrators use to make technical changes and update content to a site. That means attackers often regain control of machines that are only partially disinfected. The larger problem, of course, is that the highly sophisticated behavior of the infections makes them extremely hard to detect.

Eset researchers have released a tool that can be used by administrators who suspect their machine is infected with Linux/Cdorked.A. The free Python script examines the shared memory of a server running Apache and looks for commands issued by the stealthy backdoor. Eset’s cloud-based Livegrid system has already detected hundreds of servers that are infected. Because Livegrid works only with a small percentage of machines on the Internet, the number of compromised Apache servers is presumed to be much higher.
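The check the article describes, as an added example rather than Eset’s own script: enumerate the writable shared mappings of a running Apache worker from /proc/<pid>/maps, dump each one from /proc/<pid>/mem before anyone restarts the daemon, and list the printable strings inside so that configuration or command data that never touched the disk can be examined. The maps excerpt used for the stand-alone run is constructed; on a live host the script needs ptrace rights over the target (normally root).

```python
"""Dump an Apache worker's shared memory for offline inspection.

Added example, not ESET's tool. A backdoor that keeps its configuration only
in shared memory leaves nothing for a disk scan; the mappings themselves are
still visible through procfs as long as the process is alive.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# One /proc/<pid>/maps line:
# 7f0c1e3ff000-7f0c1e400000 rw-s 00000000 00:05 12345   /dev/zero (deleted)
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed excerpt: a normal text mapping, two SysV/anon shared segments,
# a private heap and a read-only shared file mapping.
SAMPLE_MAPS = """\
00400000-00471000 r-xp 00000000 08:01 1311 /usr/sbin/httpd
7f0c1e3ff000-7f0c1e400000 rw-s 00000000 00:05 12345 /dev/zero (deleted)
7f0c1e400000-7f0c1e600000 rw-s 00000000 00:04 65538 /SYSV00000000 (deleted)
7f0c1e600000-7f0c1e700000 rw-p 00000000 00:00 0
7f0c1e700000-7f0c1e701000 r--s 00000000 08:01 2222 /var/cache/x
"""


@dataclass
class Segment:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def shared_segments(maps_text: str) -> List[Segment]:
    """Return writable *shared* mappings (perms 'rw-s' style) from maps text.

    A stock Apache has only a few of these (scoreboard, mutexes, SSL session
    cache); an unexpected or unusually large one is what to dump and read.
    """
    found = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms")
        if perms[1] != "w" or perms[3] != "s":
            continue
        found.append(Segment(int(m.group("start"), 16), int(m.group("end"), 16),
                             perms, m.group("path").strip()))
    return found


def dump_segment(pid: int, seg: Segment) -> bytes:
    """Read one mapping straight out of /proc/<pid>/mem (needs ptrace rights)."""
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(seg.start)
        return mem.read(seg.size)


def printable_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Minimal strings(1): runs of printable ASCII at least min_len long."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_process(pid: int) -> None:
    """Dump every writable shared segment of `pid` to shm_<pid>_<addr>.bin."""
    with open(f"/proc/{pid}/maps") as f:
        segs = shared_segments(f.read())
    for seg in segs:
        blob = dump_segment(pid, seg)
        print(f"{seg.start:#x}-{seg.end:#x} {seg.perms} {seg.size:>8} {seg.path or '[anon]'}")
        for s in printable_strings(blob)[:20]:
            print("   ", s)
        with open(f"shm_{pid}_{seg.start:x}.bin", "wb") as out:
            out.write(blob)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan_process(int(sys.argv[1]))          # e.g. the PID of one httpd worker
    else:
        for seg in shared_segments(SAMPLE_MAPS):  # offline demo on the constructed excerpt
            print(f"{seg.start:#x} size={seg.size:#x} {seg.path}")
```

Pair this with a check of the daemon itself (`rpm -V httpd` or `debsums -c apache2` where those packages exist), since the article notes the modified HTTP daemon binary is the one on-disk artefact; dump first and verify second, because restarting Apache to install a clean binary also wipes the memory you want to keep.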

Source:  arstechnica.com

Cyberwar risks calamity, Eugene Kaspersky warns UK Government and spooks

Monday, April 29th, 2013

State-of-the-art cyberweapons are now powerful enough to severely disrupt nations and the organisations responsible for their critical infrastructure, Kaspersky Lab founder and CEO Eugene Kaspersky has warned in a speech to a select audience of UK police, politicians and CSOs.

That Kaspersky was invited to give the speech to such a high-level gathering is a clear signal that the message accords with the Government and UK security establishment’s view of the threat posed by cyber-weapons.

“Today, sophisticated malicious programs – cyberweapons – have the power to disable companies, cripple governments and bring whole nations to their knees by attacking critical infrastructure in sectors such as communications, finance, transportation and utilities. The consequences for human populations could, as a result, be literally catastrophic,” said Kaspersky.

As an illustration of his point, the number of malware samples analysed by Kaspersky Lab had risen from 700 per day in 2006 to 7,000 per day by 2011. Today the number including polymorphic variants had reached 200,000 each day, enough to overwhelm the defences of even well-defended firms.

The sophistication of threats had also risen dramatically since 2010 with the discovery of state-sponsored threats such as Red October, Flame, MiniFlame, Gauss, Stuxnet, Duqu, Shamoon and Wiper, some of which had been uncovered by Kaspersky Lab itself.

Countering this would be impossible as long as organisations tackled the problem one by one, each in isolation from others. Intelligence sharing was no longer a luxury and had become essential.

This would require intimate cooperation between the private sector and government bodies, he said. The heads of organisations had to internalise this as a new reality.

“But why should state intelligence and defence bother cooperating with the private sector? In the words of Francis Maude, UK Minister of the Cabinet Office, ‘We need to team up to fight common enemies but the key to cooperating, in a spirit of openness and sharing, are guarantees to maintain the confidentiality of data shared,’” said Kaspersky.

Audience members included City of London Police Commissioner Adrian Leppard, National Fraud Authority head Stephen Harrison, former Counter Terrorism and Security Minister Pauline Neville Jones, Minister for Crime and Security James Brokenshire, and CSOs from HSBC, Unilever, Vodafone and Barclays.

Although best known as a celebrity icon of the company that bears his name, Kaspersky has in recent times become vocal on issues of cyber-weapons and their geo-political as well as technical implications.

Although ostensibly preaching the orthodox position that cyber-defence should be a coalition of forces, his words contain nuances, warnings about the dangers of state-sponsored cyber-weapons, including those from the UK and its allies.

Most of the most advanced cyber-weapons uncovered by Kaspersky’s company are suspected of being created by the US, the early-adopter of such offensive capabilities. His point seems to be that the US and its allies will find themselves on the receiving end of the same if international standards of cyber-etiquette are not established.

Earlier this year, Interpol announced that Kaspersky Lab would be a key partner in its new cybercrime-fighting hub, the Interpol Global Complex for Innovation (IGCI) in Singapore, due for completion next year.

Source:  pcadvisor.com

Malware found scattered by cyber espionage attacks

Monday, April 29th, 2013


Researchers following a cyberespionage campaign apparently bent on stealing drone-related technology secrets have found additional malware related to the targeted attacks. FireEye researchers have been tracking so-called “Operation Beebus” for months, but only last week reported the connection to unmanned aircraft often used in spying. Drones have also been used by the Obama administration to assassinate leaders of the Al-Qaeda terrorist group.

Malware linked to spying

FireEye researcher James Bennett, who was the first to make the drone connection, said last week that he has found two new malware samples associated with the attack, bringing the total to four.

The first two were versions of the same malware, called Mutter. Of the new samples, one uses the same custom encryption scheme as Mutter but a different command-and-control protocol. The fourth is completely different from Mutter, but uses the same C&C infrastructure.

Bennett has yet to fully analyze the new malware, which he hopes will provide “more threads to follow.”

Operation Beebus is a cyberespionage campaign that FireEye has linked to the infamous Comment Crew, which security firm Mandiant has identified as a secret unit of China’s People’s Liberation Army. The hacker group attempts to steal information from international companies and foreign governments.

Bennett reported in a blog last week that he had uncovered evidence of cyberattacks against a dozen organizations in the U.S. and India. The attacks against academia, government agencies, and the aerospace, defense and telecommunication industries targeted individuals knowledgeable in drone technology.

The spear-phishing campaign included sending email that contained decoy documents meant to trick recipients into clicking on the file, which would download the malware. One such document was an article about Pakistan’s unmanned aerial vehicle industry written by Aditi Malhotra, an Indian writer and associate fellow at the Centre for Land Warfare Studies in New Delhi.

How it worked

Once downloaded, the Mutter malware opened a backdoor to the infected systems in order to receive instructions from C&C servers and to send stolen information. To avoid detection, Mutter is capable of remaining dormant for long periods of time, so that it will eventually be categorized as benign by malware analysis systems.

Despite the exposure, Operation Beebus is still active, although its infrastructure has changed. All but one of the domain names studied by Bennett are no longer in use, but several IP addresses are still active, probably being used with other domains.

“We are still seeing active communications going out with this Mutter malware, so we do know that it’s still going,” Bennett said.

One in five data breaches are the result of cyberespionage campaigns, according to the latest study by Verizon. More than 95 percent of cases originated from China, with targets showing an almost fifty-fifty split between large and small organizations.

Source:  pcworld.com


Recent reports of DHS-themed ransomware

Monday, March 25th, 2013

US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division.

Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or perform a clean reinstallation of their OS after formatting their computer’s hard drive.

US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages and take the following preventive measures to protect themselves from phishing scams and malware campaigns that attempt to frighten and deceive a recipient for the purpose of illegal gain.

  • Do not click on links in, or submit any information to, webpages reached through these messages.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date antivirus software.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Source:  US-CERT

Symantec finds Linux wiper malware used in S. Korean attacks

Friday, March 22nd, 2013

The cyber attacks used malware called Jokra and also targeted Windows computers’ master boot records

Security vendors analyzing the code used in the cyber attacks against South Korea are finding nasty components designed to wreck infected computers.

Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.

“We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat,” the company said on its blog.

Jokra also checks computers running Windows XP and 7 for a program called mRemote, a remote access tool that can be used to manage devices on different platforms, Symantec said.

South Korea is investigating the Wednesday attacks that disrupted at least three television stations and four banks. Government officials reportedly cautioned against blaming North Korea.

McAfee also published an analysis of the attack code, which wrote over a computer’s master boot record, which is the first sector of the computer’s hard drive that the computer checks before the operating system is booted.

A computer’s MBR is overwritten with one of two similar strings: “PRINCPES” or “PR!NCPES.” The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won’t start.

“The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable,” wrote Jorge Arias and Guilherme Venere, both malware analysts at McAfee. “So even if the MBR is recovered, the files on disk will be compromised too.”
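A triage step for the damage described above, added here as an example and not taken from the McAfee or Symantec analyses: read the first 512 bytes of a suspect disk or image, check the 0x55AA boot signature and the four partition-table entries, and measure how much of the sector consists of the two filler strings the analysts reported. The “mostly filler” threshold of 50 percent and the clean sample MBR are assumptions of the example.

```python
"""Classify a disk's first sector after a suspected Jokra-style MBR wipe.

Added example (not vendor code). Usage: python mbr_triage.py /dev/sdX
or python mbr_triage.py disk.img; with no argument it runs on a constructed
clean sample.
"""
import struct
import sys
from typing import Dict, List

SECTOR = 512
WIPE_MARKERS = (b"PRINCPES", b"PR!NCPES")   # strings reported in the McAfee write-up
FILLER_THRESHOLD = 0.5                       # assumption: >50% filler means wiped


def partition_entries(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte partition entries at offset 446.

    Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4).
    """
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xLL", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def marker_coverage(sector: bytes) -> float:
    """Fraction of the sector occupied by the 8-byte wipe markers."""
    hits = sum(1 for off in range(0, SECTOR - 7) if sector[off:off + 8] in WIPE_MARKERS)
    return min(1.0, hits * 8 / SECTOR)


def classify_mbr(sector: bytes) -> str:
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if marker_coverage(sector) > FILLER_THRESHOLD:
        return "wiped: sector filled with Jokra marker strings"
    if sector[510:512] != b"\x55\xaa":
        return "corrupt: boot signature missing"
    used = [e for e in partition_entries(sector) if e["type"] != 0]
    if not used:
        return "suspicious: valid signature but empty partition table"
    if any(e["status"] not in (0x00, 0x80) for e in used):
        return "corrupt: invalid partition status byte"
    bootable = any(e["status"] == 0x80 for e in used)
    return f"intact: {len(used)} partition(s), bootable={bootable}"


def sample_intact() -> bytes:
    """Constructed clean MBR: one bootable type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sLL", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sector = f.read(SECTOR)
    else:
        sector = sample_intact()
    print(classify_mbr(sector))
```

A “wiped” verdict on the MBR is only the start: as the McAfee analysts note, the same strings were written into random parts of the file system, so a rebuilt boot record (for example with the partition geometry recovered from a backup) does not make the volume trustworthy, and the disk should be imaged before any repair is attempted.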

The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. Another component, a BASH shell script, attempts to erase partitions on Unix systems, including Linux and HP-UX.

Security vendor Avast wrote on its blog that the attacks against South Korean banks originated from the website of the Korean Software Property Right Council.

The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.

Source:  infoworld.com

FCC invests $10M in new network security but leaves backdoor unlocked

Wednesday, February 13th, 2013

GAO finds job was rushed, sloppy—some problems too severe to share with public.

In August of 2011, while in the middle of upgrading its network security monitoring, the Federal Communications Commission discovered it had already been hacked. Over the next month, the commission’s IT staff and outside contractors worked to identify the source of the breach, finding an unspecified number of PCs infected with backdoor malware.

After pulling the infected systems from the network, the FCC determined it needed to do something dramatic to fix the significant security holes in its internal networks that allowed the malware in. The organization began pulling together a $10 million “Enhanced Secured Network” project to accomplish that.

But things did not go well with ESN. In January, a little less than a year after the FCC presented its plan of action to the House and Senate’s respective Appropriations Committees, a Government Accountability Office audit of the project, released publicly last week, found that the FCC essentially dumped that $10 million in a hole. The ESN effort failed to properly implement the fixes, and it left software and systems put in place misconfigured—even failing to take advantage of all the features of the malware protection the commission had selected, leaving its workstations still vulnerable to attack. In fact, the full extent of the problems is so bad the GAO’s entire findings have been restricted to limited distribution.

“As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information,” the report concluded. And much of the work done to deploy the security system must be redone before the FCC’s systems approach anything resembling the security goals set for the project.

The FCC’s leadership acknowledges there’s a lot left to be done. “The GAO’s review of this project covers a period of time during which the Commission faced an unusual level of urgency, and we look forward to sharing our further progress with Congress and GAO at a later time, when these security initiatives are more fully deployed and developed,” FCC Managing Director David Robbins wrote in response to the GAO’s findings. But the commission also has some personnel issues to address—all of this is transpiring as the FCC looks for a new chief information officer. Ironically, the FCC’s CIO Robert Naylor stepped down in January to take a new job; he is now the CIO of a cyber security firm that caters to the intelligence community.

Measure once, cut twice

The FCC is a small organization as government agencies go, with about 2,000 employees and a budget request for 2013 of $340 million. It relies heavily on outside help for its IT operations—and on more outside help to figure out how to buy that help. The acquisition of the ESN project was managed by Octo Consulting Group, a company led by three former Gartner executives and the former CIO of the Department of Agriculture’s Forest Service. The company claims on its website to have “designed the FCC Cyber Security Strategy, and managed and executed three defining Cyber Security contracts.” The consulting firm also provided contracting support for the FCC’s CIO as all of its major IT support contracts were preparing to expire mid-2012.

Update: “Octo was responsible for providing ‘acquisition support to the FCC’ for the ESN contract (i.e. Assisting FCC Acquisition & Contracts personnel with developing the Statement of Work used to acquire the hardware and services for the $10M ESN contract you referenced),” Octo Consulting Group president Mehul Sanghani said in an email to Ars. “Once the contract was awarded, Octo was also tasked with providing project management support to supplement the FCC IT staff that was tasked with overseeing the work.” The actual work on ESN was done by MicroTech and subcontractor Booz Allen Hamilton.

At the time of the discovery of the network intrusion in 2011, the FCC’s network security was dated at best. The ESN project, which was originally projected to be completed this month, is intended to “enhance and augment FCC’s existing security controls through changes to the network architecture and by implementing, among other things, additional intrusion detection tools, network firewalls, and audit and monitoring tools,” according to the GAO. The program was also supposed to provide the FCC with an ongoing “cyber threat analysis and mitigation program” that would do continuous risk assessment and reduction and control the damage from attacks that managed to breach the commission’s security measures.

Contracts to do the work on ESN were awarded in April of 2012, just two months after plans for the project were submitted to Congress. By June, all of the security hardware and software licenses had been purchased. Implementation was in full swing.

But apparently the work was done so quickly that no one bothered to check it. While new security hardware and software was deployed, the GAO found that “FCC did not effectively implement or securely configure key security tools and devices to protect these users and its information against cyber attacks… Certain boundary protection controls were configured in a manner that limited the effectiveness of network monitoring controls.”

The rush to get things in place also led to some other sloppy work. The GAO’s auditors found that passwords to gain access to some of the network monitoring systems “were not always strongly encrypted.” And while tools had been put in place to detect malware and block malicious network traffic, the tools had been left only partially configured.

The mishandling of security is being raised as an issue by some who do business with the FCC, especially because news of the original breach was never disclosed to the public—even as the FCC was formulating a proposed rule that would require people with commercial interests in broadcast stations to submit their social security numbers to an FCC database. As Harry Cole, a communications lawyer with the firm Fletcher, Heald, and Hildreth put it in a post to the firm’s blog, “it seems extraordinarily inappropriate for the Commission, knowing of those vulnerabilities, to then propose that a huge number of folks must provide to the FCC the crown jewels of their identity, their social security numbers.”

Source:

Massive search fraud botnet seized by Microsoft and Symantec

Thursday, February 7th, 2013

Hundreds of thousands of Bamital bots made ring of 18 operators over $1M a year.

Users with computers infected by the Bamital botnet malware will see this page every time they click a search result.

A botnet that redirected clicks from millions of PCs has been, at least for the moment, shut down by Microsoft and Symantec. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn’t intend to visit, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company’s headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. “These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating,” said Vikram Thakur, Principal Security Response Manager at Symantec in an interview with Ars.

Richard Boscovich, Microsoft’s General Counsel, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. “The malware was morphing back and forth, so it made it difficult to identify the targets,” he said. But when the botnet stabilized a few months ago, “it offered a window of opportunity to go after them. The legal portion took about two months.”

Based on forensic evidence collected from infected computers by Symantec and Microsoft, there have been several generations of Bamital, with activity dating back at least three years. Early variants of the malware attacked users’ Web browsers with HTML injection. “They injected an iframe into every page,” Thakur said, “so whatever page loaded also loaded content from the bad guys.”

In later variants of Bamital, the malware simply redirected any click on a search page to the botnet’s own servers, which in turn used HTML redirects to feed the victims’ traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website—and not the one the user expected.
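Three of the incidents on this page share one mechanism: a legitimate page carrying code the site owner never put there (the redirect planted on the Department of Labor SEM page, the iframe served from the Korean Software Property Right Council site reported by Avast, and Bamital’s early per-page iframe injection). The following added example, not code from any of the vendors quoted, scans a saved copy of a page for such artefacts: iframes that are hidden or point off the site, meta-refresh redirects, and script-driven location changes. The HTML and every hostname in it are constructed for the demonstration; only the standard library is used.

```python
"""Find injected iframes and redirects in a page's HTML.

Added example. Feed it the raw HTML you fetched and the host you fetched it
from; compare the output with a known-good copy of the same page, because a
same-site redirect (as in the SEM case) looks like a finding, not a verdict.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# (kind, target URL, does the target point off the scanned host?)
Finding = Tuple[str, str, bool]

# window.location = "...", location.href = '...', location.replace("...") ...
_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""",
    re.I,
)
_META_URL_RE = re.compile(r"""url\s*=\s*['"]?([^'";]+)""", re.I)

# Constructed sample: one hidden off-site iframe, one legitimate on-site iframe,
# a meta refresh, a same-site script redirect and an off-site script include.
SAMPLE_HTML = """
<html><head><title>Site Exposure Matrices</title>
<meta http-equiv="refresh" content="0;url=http://evil.example/landing">
</head><body>
<h1>Facility search</h1>
<iframe src="http://evil.example/kit.php" width="1" height="1" style="display: none"></iframe>
<iframe src="https://sem.example.org/embed"></iframe>
<script>
  if (document.cookie.indexOf("seen") < 0) { window.location.href = "/exposure/stats.htm"; }
</script>
<script src="https://cdn.evil.example/j.js"></script>
</body></html>
"""


def _host(url: str) -> Optional[str]:
    p = urlparse(url.strip())
    return p.hostname.lower() if p.hostname else None


class InjectionScanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[Finding] = []
        self._in_script = False

    def _offsite(self, url: str) -> bool:
        h = _host(url)
        return h is not None and h != self.page_host and not h.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            tiny = any(a.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
            hidden = tiny or "display:none" in a.get("style", "").replace(" ", "").lower()
            if hidden or self._offsite(src):
                self.findings.append(("iframe", src, self._offsite(src)))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _META_URL_RE.search(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", m.group(1), self._offsite(m.group(1))))
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            if self._offsite(src):
                self.findings.append(("script-src", src, True))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim; look for redirects in them.
        if self._in_script:
            for m in _LOCATION_RE.finditer(data):
                url = m.group(1) or m.group(2)
                self.findings.append(("js-redirect", url, self._offsite(url)))


def scan_html(html: str, page_host: str) -> List[Finding]:
    s = InjectionScanner(page_host)
    s.feed(html)
    s.close()
    return s.findings


if __name__ == "__main__":
    for kind, url, offsite in scan_html(SAMPLE_HTML, "sem.example.org"):
        print(f"{kind:13} offsite={offsite!s:5} {url}")
```

Findings flagged `offsite=True` are the ones worth immediate attention; the on-site `js-redirect` in the sample is exactly the shape the SEM redirect took, which is why the result should be diffed against a trusted baseline rather than read on its own. For Cdorked-style servers the comparison also has to be made from a client profile the backdoor will serve, since the article notes it skips visitors whose URLs look administrative.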

Because of the nature of Bamital, Microsoft is now in a position that’s different from some of its previous botnet takedowns—it has a direct line to victims of the malware. “One of the things we’re doing a little differently in this case is we’re doing direct victim notification,” Boscovich said. Users with systems infected by Bamital will now be redirected to a Microsoft webpage offering tools to help remove the Bamital malware—as well as any other malware that’s out there. “There are AV signatures out there for this malware already,” Boscovich said.

“They may have an OS that’s unpatched, or antivirus software that’s outdated. We’re taking control of the command and control network so that every time someone types in a search query, they’re going to get redirected to a page directly by Microsoft.”

Thakur said that the Bamital malware was initially delivered by a combination of methods, including in packages over peer-to-peer filesharing networks disguised as other content. But the majority of systems infected were the victim of “driveby downloads” from websites configured with malicious software intended to exploit browser security flaws. “We have evidence of [the botnet operators] polluting search engine results for certain search terms with links to servers with exploits,” he said.

As new variants of the botnet were developed, the operators made efforts to “upgrade” systems they had already infected. “But along the way they seemed to have left behind a number of people,” Thakur said. The older servers that had been used with previous versions of the malware appear to have been abandoned as well.

In 2011, Microsoft and Symantec were able to monitor the traffic going to one of the botnet’s servers. “We got back data that showed that 3 million clicks were being hijacked by that server on a daily basis,” Thakur said. Based on a conservative estimate of a payment for one-tenth of a percent of the advertising value for each click, the companies determined the fraud ring was pulling in over $1 million a year from advertising networks. “And it could have been 2 or 3 times that much,” he said.

The advertising networks connected to Bamital themselves may be completely fraudulent. They acted as clearinghouses for the traffic, and resold it to other, legitimate advertising networks and affiliate programs. “Bamital went through several ad networks before it even displayed content,” Thakur said. “It was super convoluted.”

Microsoft and Symantec are hoping the data obtained through the seizure of the server in New Jersey will help them get a better understanding of the underground ecosystem of advertising networks that drives botnets like Bamital. But it’s too early to tell if it will help catch the actual perpetrators. “We still have to go through the evidence,” Boscovich said, but he noted that Microsoft had had some success in the past in identifying botnet operators, as it did with Kelihos.

Source:  arstechnica.com

Kaspersky anti-virus cuts web access of thousands of PCs

Thursday, February 7th, 2013

Thousands of computers running Microsoft’s Windows XP operating system were unable to connect to the internet after installing an anti-virus update.

Users said they were also unable to access their internal company networks.

Russian IT security company Kaspersky Labs told users to disable its anti-virus software or roll back the update.

Two hours later it issued a fix – but since their PCs were unable to auto-install new code from the net, users had to perform several tasks first.

Kaspersky told its customers: “Please disable the web AV component of your protection policy for your managed computers.”

It then told them to go to the repositories section, download an update and re-enable the protection.

Repair jobs

The company issued a statement, apologising “for any inconvenience caused by this database update error”.

“Actions have been taken to prevent such incidents from occurring in the future,” it said.

Dorset-based IT consultant Graham Lord wrote on the micro-blogging site Twitter: “Bravo on breaking the internet on all your XP clients.”

“Your update just set back one of my repair jobs by a day’s work.”

But Spain-based security blogger David Barroso tweeted: “So Kaspersky QA [quality assurance] team failed with this update but they quickly released a fix, which is something good.”

Source:  BBC

Malware strikes with valid digital certificate

Tuesday, February 5th, 2013

One of the foundational elements of ecommerce is the web of trust enabled by digital certificates. When you go to a web site, you can feel confident that it’s legitimate because it has a certificate from a recognized certificate authority that validates it. But the certificates themselves can be vulnerable. Case in point: Security firm Malwarebytes recently discovered some malware in the wild with a valid, signed digital certificate.

“One of our security researchers identified this piece of malware,” says Jerome Segura, senior security researcher at Malwarebytes. “It’s a typical Trojan with one peculiarity: It was signed, and unlike a lot of malware that uses signatures, this one was valid.”

The malware is a banking/password stealer that Segura says uses email to spread. It appears to be a PDF invoice with a valid certificate issued to a real Brazilian software company called “Buster Paper Comercial Ltda,” Segura says. The certificate was issued by SSL certificate authority DigiCert. Segura notes that although DigiCert has been notified about the malware, the certificate has not yet been revoked.

“I don’t think it’s stolen, per se,” Segura says. “It looks like what [the criminals] did is they looked at this company in Brazil, which is a software company, and essentially made a request in their name to DigiCert. From the point of view of the certificate authority, it looks normal. [The criminals] probably spoofed the email address to buy the certificate. It looks to me as if it’s too easy for anybody who does a bit of research to either impersonate a company or set up a fake web site as if it were a company and then buy a certificate.”

When someone clicks on this particular piece of malware, Segura says, it opens what appears to be a PDF invoice. But it also creates a number of processes that connect to an enterprise cloud storage company.

“This is a sub-domain for a cloud storage company focusing on file sharing for the enterprise,” Segura says. “Well, in our case, it’s file storage for the criminals.”

The fake PDF downloads two very large files–WIDEAWAKE1.zip and WIDEAWAKE1.ecl. Segura notes that Malwarebytes has also reached out to the cloud storage company about the issue but has yet to receive a response.

Segura notes that ThreatExpert, provider of an automated threat analysis system, found a similar Trojan with a valid digital certificate last November. That Trojan’s certificate has since been revoked.

“What we have here is a total abuse of hosting services, digital certificates and repeat offenses from the same people,” Segura says. “Clearly if digital certificates can be abused so easily, we have a big problem on our hands.”

Digital certificates used for spear-phishing attacks

“Digital certificate theft can be used in targeted attacks as [for] spear phishing, for example,” Segura says. “As we know, one of the weakest links in the security chain is the end-user (and this is especially true in the enterprise world). An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely.”

Segura recommends that end-users still check for valid digital certificates before opening an attachment received via email (even if they know the sender). But he also recommends following two basic but “powerful” rules:

  • Check the file extension and beware the multiple file extension trick (e.g., document.pdf.xls.exe)
  • Never trust file icons; just because it looks like a Word document or PDF, that doesn’t mean it is
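The two rules above, turned into a pre-open check as an added example (not Malwarebytes’ code): inspect every dotted suffix of the attachment name, and compare the name’s claim against the file’s leading bytes, which is what a file icon cannot tell you. It goes slightly beyond the article by also flagging a right-to-left override character in the name, a related trick for disguising an executable’s extension. The extension and magic-byte tables are the example’s own assumptions, and the sample inputs are constructed. A valid Authenticode signature, as on the sample the article describes, says nothing about any of this: it proves the bytes are unchanged since signing, not that the signer is who the name suggests, so these checks should run even when the signature verifies.

```python
"""Name-versus-content checks for an e-mail attachment before it is opened.

Added example, not vendor code. check_attachment(name, head) returns
(ok, reasons); `head` is the first few dozen bytes of the file.
"""
import os
from typing import Dict, List, Tuple

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".wsf", ".msi", ".ps1", ".lnk", ".jar"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}

# Leading bytes of common document formats (assumed table, extend as needed).
MAGIC: Dict[str, List[bytes]] = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"], ".pptx": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"], ".xls": [b"\xd0\xcf\x11\xe0"], ".ppt": [b"\xd0\xcf\x11\xe0"],
    ".jpg": [b"\xff\xd8\xff"], ".png": [b"\x89PNG"],
}
PE_MAGIC = b"MZ"            # every Windows executable/DLL/screensaver starts with this
RTL_OVERRIDE = "\u202e"     # makes "invoice\u202efdp.exe" display as "invoiceexe.pdf"


def extensions(filename: str) -> List[str]:
    """All dotted suffixes, lowercased: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    name = os.path.basename(filename).replace(RTL_OVERRIDE, "")
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def check_attachment(filename: str, head: bytes) -> Tuple[bool, List[str]]:
    reasons: List[str] = []
    if RTL_OVERRIDE in os.path.basename(filename):
        reasons.append("right-to-left override character in filename")
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    if final in EXEC_EXTS:
        reasons.append(f"executable extension {final}")
        if any(e in DOC_EXTS for e in exts[:-1]):
            reasons.append("document extension hidden before executable one")
    if head.startswith(PE_MAGIC) and final not in EXEC_EXTS:
        reasons.append("content is a Windows PE but name says " + (final or "no extension"))
    expected = MAGIC.get(final)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append(f"content does not look like {final}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples: the article's multiple-extension case, a PE wearing a
    # .pdf name (what a fake "PDF invoice" is), and a genuine PDF.
    for name, head in [("document.pdf.xls.exe", b"MZ\x90\x00"),
                       ("Invoice_2013.pdf", b"MZ\x90\x00"),
                       ("Invoice_2013.pdf", b"%PDF-1.4\n")]:
        ok, why = check_attachment(name, head)
        print(f"{name:22} {'OK ' if ok else 'BAD'} {'; '.join(why)}")
```

For the signature itself, `signtool verify /pa /v file.exe` on Windows or `osslsigncode verify file.exe` elsewhere will report the subject of the signing certificate; the point of the article is that a plausible subject name is not evidence of a trustworthy publisher, so the name check and the content check stay in the pipeline regardless of that result.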

Source:  pcadvisor.co.uk