Archive | September 2012

Fall Malware Threats 2012

Latest release of Fall Malware for 2012 from seCURE Connexion

The goal in releasing a compiled list of the threats that security companies will be dealing with most this Fall is to instruct users on the latest vectors, so that they know how important it is to maintain an updated antivirus program.

Most of the malware threats listed below are audience-aggregated, meaning they are what most security companies are currently dealing with, and there is no sign of that ending anytime soon. They are listed in order of the most widely distributed.

KEY: Vir=Virus, Rtk=Rootkit, Trj=Trojan, WM=Worm, Adw=Adware, Spy=Spyware

  1. Trj.ZeroAccess(Sirefef)
  2. Trj.Agent
    • The Agent trojan is a backdoor proxy trojan that attempts to change the proxy settings on the target computer to redirect search results and browsing activity, in an attempt to make money or mine bitcoins.
    • Outlook: This seems to be the most frequently updated trojan ever seen, and it will continue to be a problem with all of its low-to-medium-risk variants.
  3. Vir.Sality
    • See Microsoft’s writeup
    • Outlook: Sality has been a problem for a few years now, and it still will be a problem. It infects almost every user/system file on the operating system.
  4. Rtk.TDL4/TDSS
    • See Microsoft’s writeup
    • Outlook: TDL4 has continued to be a problem and will continue to be a problem as long as computers have a working master boot record.
  5. Adw.FakeAV
    • See Microsoft’s writeup
    • Outlook: Fake or rogue antivirus has been a problem for over four years, scamming users into buying antivirus software. It will continue to be a problem for at least the next six months to a year.


IEEE data breach echoes across the world

A Denmark-based Romanian computer scientist, Radu Dragusin, apparently found publicly readable code on an FTP server of the IEEE. His findings indicate that the FTP server was used as a drop for log files from IEEE.org (its official site) and spectrum.IEEE.org (its online magazine), and that it contained information about 400,000,000 HTTP requests. Impressive!

Also, according to the report, some 400,000 log entries included the usernames and passwords (in plaintext, of course) of about 100,000 unique users. Dragusin was unsure what to do with the data he discovered on the 18th of September, but finally submitted the information about his study to the IEEE, which developed (at least) a partial fix. What’s more important is that experts are wondering why Radu didn’t tell the IEEE sooner, since the issue would then have been fixed faster…


Windows 8 Security Features Explained (mini-whitepaper)

Windows 8 is apparently more secure than Windows 7. Perhaps this is true, so it is best to learn what security features the new operating system has. Some of these features are verified to improve the security of Windows 8 considerably, some may not be ready in time, and some may not work at all.

One of the most discussed security features is Secure Boot. Secure Boot is a Unified Extensible Firmware Interface (UEFI) feature that checks the cryptographic signatures of kernel-mode drivers during the boot process, making sure they haven’t been modified or corrupted. In other words, the boot process now checks whether the operating system has been corrupted by malware or some other issue.

This is all part of a hardware restriction process called Hardware DRM. All non-ARM devices have the option to turn Secure Boot off; ARM devices, however, must keep it on. Experts state that it will be resistant to rootkits, since the MBR and BIOS cannot be accessed unless someone working directly on the computer penetrates it.

Next, Windows 8 features better built-in antivirus software, with a much improved Windows Defender. The software in Windows 8 is combined with the formerly optional tool Microsoft Security Essentials. With Windows Defender super-powered by MSE, it has many more anti-malware features.

Along with better anti-malware features, Internet Explorer is also built with better features. It is much better at preventing zero-day exploits than previous versions of Internet Explorer. Because exploiting Windows 7 itself became harder, attackers turned again to Java and Flash Player as a way to gain control over the operating system; those browser plugins are now easier to exploit than Internet Explorer’s own code.

A new application sandboxing environment called AppContainer provides the ability to run all apps in a controlled environment, where it controls how apps work. This prevents apps from disrupting the operating system. This is supplemented by Internet Explorer’s SmartScreen filter, which prevents the download and installation of known malicious software. Windows 8 now makes SmartScreen available for any app, allowing even more prevention. Of course, this means Microsoft employees are going to have to increase in numbers if they really want to keep up. Now that hackers know their new challenges, they will be relentless.

The question remains whether Windows 8 will be a repeat of Vista or not. The reality of the situation is that if Windows 8 becomes very popular, then its security issues will also light up big time. However, many will stick with Windows 7, so the security issues for Windows users are nowhere near over. Feel free to take a look at the related articles below for Symantec’s opinions, which aren’t too favorable toward the new OS.

Added October 31, 2012: Trusted Platform Module, read more


Senator blames Iran for attacks against US banks

US Senator Joe Lieberman blamed Iran for the attacks against US banks last Friday, suggesting that Iran did so out of revenge for the Stuxnet case. The victims of last week’s attacks included Bank of America and JPMorgan Chase. Although not attacked this time, CitiGroup is speculated to have been a target over the past year. All of these denial of service campaigns seem to have begun in late 2011.

In C-SPAN’s taping of “Newsmakers,” Lieberman labeled the recent DDoS attacks against the banks a “powerful example of our vulnerability”.

Now, from Lieberman’s perspective, it makes sense to make such claims. When we reported in June about a potential US and Israeli connection to malware like Flame and Stuxnet, labeled “Operation Olympic Games”, we saw counterattacks that continued the cyberwarfare between Iran and the US (as well as other countries). This could be just one of possibly many counterattacks from Iran, and it’s going to be quite dangerous to companies that are vulnerable to cyberattack.

Cyberattacks will continue with DDoS and other hacks, and they could target almost any major organization around the world. The main idea is to craft the correct cybersecurity strategies and be aware of any attack vectors (such as unusually many attempts to break into your networks). It’s important to learn from issues like this and be able to adapt the latest strategies for businesses. Which means: if you don’t have a director of information security at your major company, it’s about time to get one, and soon!


Fake Windows Update emails attempt to steal Yahoo!, Gmail, and Outlook mail passwords

It is now known that emails that apparently come from “privacy@microsoft.com” are fraudulent, especially if they involve subjects such as Microsoft Windows Update. Lately there has been a rise in email spam targeting vulnerable users of very popular companies, as we reported about Chase bank.

The emails from “privacy@microsoft.com” are an attempt to steal Yahoo!, Gmail, AOL, or Outlook.com (formerly Windows Live) passwords.

The body text:

Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to confirm your records.

VERIFY

Thank you,

Microsoft Windows Team.

To see an actual image, see the one from Naked Security.

More on this, see the post from Naked Security.

Report: Oracle databases vulnerable to hacking

A researcher showed today that Oracle’s databases could be hacked with brute-force attacks using only the database’s name and a username, according to Kaspersky Lab Security News.

Esteban Martinez Fayo, who works for AppSec Inc., was demonstrating his discovery at a security conference in Argentina and said that within just five hours on a regular PC using a special tool he could hack through easy passwords and access users’ data.

This isn’t the first time that security flaws have been found in Oracle databases. In January, the company squashed 78 software bugs in a major patch that stemmed from a flaw that allowed hackers into its databases remotely. And just last month, new vulnerabilities that can be exploited to run arbitrary code were discovered in Oracle’s latest Java 7 update.

Read more on CNET

Cyber attacks on US banks continue

It’s been reported that many US banks are on high alert because of recently targeted cyber attacks.

We just reported about a different target, with spammers targeting email users, however, the banks themselves are being targeted as well.

Computer World notes:

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has put U.S. banks on high alert against cyberattackers seeking to steal employee network login credentials to conduct extensive wire transfer fraud.

The alert warns banks to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.

The FBI has noticed a new trend where cyber criminals use stolen employee credentials to wire transfer hundreds of thousands of dollars from U.S. customer accounts to overseas banks, the FS-ISAC noted.

On their Pastebin posts, hackers have noted the following:

In the name of Allah the companionate the merciful

My soul is devoted to you Dear Prophet of Allah

“Operation Ababil” started over BoA :

http://pastebin.com/mCHia4W5
http://pastebin.com/wMma9zyG

In the second step we attacked the largest bank of the united states, the “chase” bank. These series of attacks will continue until the Erasing of that nasty movie from the Internet.

The site “www.chase.com” is down and also Online banking at “chaseonline.chase.com” is being decided to be Offline !

Down with modern infidels.

### Cyber fighters of Izz ad-din Al qassam ###

However, CNN reports no evidence backing up claims and could be related to what happened to Go Daddy, saying: “But there was no immediate evidence to support the hackers’ claims, and several recent ones turned out to be hoaxes. Earlier this month, a person affiliated with the hacktivist collective Anonymous said the group took down the web hosting service Go Daddy, and in June the group UGNazi claimed responsibility for downing Twitter. Both outages were later revealed to be technical issues.”

Fake Chase account summary emails now widespread

Be careful of new spammy emails from (apparently) Chase.com. These emails state that your account has been locked out, and to “click here” to unlock your account. However, doing so can compromise your computer. Only click links that appear to be real, which means when you hover over the link, it should show the same address in the status bar at the bottom of the browser. If it really is from Chase.com, you should see https://www.chase.com/ as the first part of the address. If there is anything extra placed after the .com part, except for a forward slash (as noted in the link example highlighted red), distrust it. Don’t click on it. If anything, call Chase customer support about the email rather than clicking the link.

It’s also very obviously a spam email because of the grammar and spelling errors involved, and because of the following header fields (seen when I view the full header):

  • Return-Path: <armagedo@c12.iservidorweb.com>
  • Received-SPF: none (domain of c12.iservidorweb.com does not designate permitted sender hosts)
  • Received: from armagedo by c12.iservidorweb.com with local (Exim 4.77)
    (envelope-from <armagedo@c12.iservidorweb.com>)
  • Message-Id: <e1tf5am-00009j-dx@c12.iservidorweb.com> id 1TF5am-00009J-DX
  • X-AntiAbuse: Sender Address Domain – c12.iservidorweb.com
  • IP: 69.175.87.58

See for yourself:

Fake Chase email
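The two checks described above, the hover-over link rule and the header fields, can be automated. The script below is an added example and is not from the original post; it reuses the Return-Path and Received-SPF values quoted above, while the From line, subject and link in the sample message are constructed for the example.

```python
"""Analyse a suspicious 'Chase' e-mail the way the post does."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: Return-Path and Received-SPF values are the ones quoted
# in the post; the From line, subject and link are invented for the example.
SAMPLE_EMAIL = """\
Return-Path: <armagedo@c12.iservidorweb.com>
Received-SPF: none (domain of c12.iservidorweb.com does not designate permitted sender hosts)
From: Chase Online <no-reply@chase.com>
Subject: Your account has been locked
Content-Type: text/html

<p>Click <a href="https://www.chase.com.example-attacker.invalid/unlock">here</a> to unlock.</p>
"""

def domain_of(addr):
    """Lower-cased domain part of an address header, or '' if none."""
    _, email = parseaddr(addr or "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

def link_is_genuine_chase(href):
    """The post's rule: https, host exactly www.chase.com, nothing after
    '.com' except the path separator (a port or an extra label fails)."""
    u = urlparse(href)
    return u.scheme == "https" and u.netloc.lower() == "www.chase.com"

def analyse(raw):
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf in ("none", "fail", "softfail"):
        flags.append(f"SPF result is '{spf}'")
    for href in re.findall(r'href="([^"]+)"', msg.get_payload()):
        if not link_is_genuine_chase(href):
            flags.append(f"link does not start with https://www.chase.com/: {href}")
    return flags
```

Running `analyse(SAMPLE_EMAIL)` reports all three problems: the Return-Path domain differs from the visible sender, SPF is "none", and the link host is not www.chase.com.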


ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, which some know as Sirefef, has grown its command and control servers over the past year. Now it has spread all around the globe to infect up to 9 million PCs. Its botnet started growing rapidly once it hit one million infections, and has since multiplied that ninefold.

Like the new TDL4 variant, it can create its own hidden partition, which can be problematic for PC users, especially because they normally don’t know that a hidden partition exists. Tools like TDSSKiller, though, can see through its disguise. There are two botnets, each with a 32-bit and a 64-bit version (four in total), usually distributed by exploits.

Fast facts:

The latest versions seem to have no kernel-mode components, so they no longer infect drivers as earlier versions did. Instead they use user-mode components and drop folders named with their own GUID (CLSID) in the following locations:

  • c:\windows\installer\{GUID STRING}
  • c:\users\<user>\AppData\Local\{GUID STRING}
  • C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}
  • C:\RECYCLER\S-x-x-x\${RANDOM STRING}

It also parks its own infections in these locations:

  • C:\Windows\assembly\GAC\Desktop.ini
  • If on x64: c:\windows\assembly\GAC_32\Desktop.ini AND c:\windows\assembly\GAC_64\Desktop.ini
  • Infects c:\windows\system32\services.exe

For the ports that it uses for each version of the botnet:

  1. Port numbers 16464 and 16465 are used by one botnet for both 32 and 64 bit platforms.
  2. Port numbers 16470 and 16471 are used by the other botnet for both platforms.

It commits two types of fraudulent activity:

  1. Click fraud
  2. Bitcoin mining
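The file locations and port numbers in the fast facts above can be turned into simple host indicators. The script below is an added example, not code from the original post or from any vendor tool: it matches a file listing and `netstat -n` style lines against those indicators, and the sample paths, addresses and the "botnet 1"/"botnet 2" labels are constructed.

```python
"""Match host artefacts against the ZeroAccess/Sirefef indicators in the post."""
import re

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# Locations named in the post, as case-insensitive regexes over full paths.
PATH_RULES = [(label, re.compile(rx, re.I)) for label, rx in [
    ("Installer GUID folder", r"^c:\\windows\\installer\\" + GUID + r"$"),
    ("user AppData GUID folder", r"^c:\\users\\[^\\]+\\appdata\\local\\" + GUID + r"$"),
    ("systemprofile GUID folder",
     r"^c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\" + GUID + r"$"),
    ("RECYCLER $-prefixed folder", r"^c:\\recycler\\s-[0-9-]+\\\$[^\\]+$"),
    ("Desktop.ini in GAC", r"^c:\\windows\\assembly\\gac(?:_32|_64)?\\desktop\.ini$"),
]]
# Port pairs from the post; "botnet 1"/"botnet 2" are just local labels.
BOTNET_PORTS = {16464: "botnet 1", 16465: "botnet 1", 16470: "botnet 2", 16471: "botnet 2"}
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)")

def classify_paths(paths):
    """Return [(path, label)] for every path matching one of the rules."""
    hits = []
    for p in paths:
        for label, rx in PATH_RULES:
            if rx.match(p):
                hits.append((p, label))
                break
    return hits

def classify_netstat(lines):
    """Return [(remote_host, port, botnet)] for connections on the listed ports."""
    hits = []
    for line in lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(5)) in BOTNET_PORTS:
            port = int(m.group(5))
            hits.append((m.group(4), port, BOTNET_PORTS[port]))
    return hits

# Constructed sample input (a file listing and `netstat -n` style lines).
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{a1b2c3d4-0000-1111-2222-333344445555}",
    r"C:\Users\alice\AppData\Local\{a1b2c3d4-0000-1111-2222-333344445555}",
    r"C:\Windows\assembly\GAC_64\Desktop.ini",
    r"C:\RECYCLER\S-1-5-21\$f0a9b8c7",
    r"C:\Users\alice\AppData\Local\Temp",  # benign
]
SAMPLE_NETSTAT = [
    "  TCP    192.0.2.10:49812       198.51.100.7:16464     ESTABLISHED",
    "  TCP    192.0.2.10:49813       203.0.113.9:443        ESTABLISHED",
]
```

The infected services.exe is not covered here because, unlike the GUID folders, it cannot be recognised by path alone.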

New TDL4 variant affecting government, ISPs, etc.

TDL4 is the newest type of the TDSS rootkit, a classic rootkit that has been infecting computers and constructing a botnet since 2006. Now, with its new dangerous properties, it has the ability to sneak into government agency computers, ISPs, and even popular companies. It uses stealthy techniques and exploits to get itself installed, after which it can hide itself in a different partition on the computer or create its own partition.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

Much of this information pulled from TechWorld.

One of the newer partition infections includes a dropper located at c:\windows\svchost.exe
