The Cyber Information Sharing and Protection Act, AKA CISPA, has once again passed in the US House of Representatives. Reminder that this bill gives government agencies and their other agencies access to personal, private user data to help monitor for the presence of hackers.
Now, when CISPA was first passed, Senate said NO! Also, President Barack Obama has said that he’d veto the bill if it came through his office. Because of the different privacy issues, many advocates against this bill will fight it to the end.
This bill has been backed by bigwig business for a long period of time, almost since the beginning of the talks of this bill. Maybe it could be the big government contract ($$$) for these big businesses that seem attractive or maybe could be the fact that these business truly believe to end hackers’ abilities.
Will it completely stop hacker initiatives? Probably not. However, it would provide the ability to try to limit some of the bigger initiatives.
Government sectors of China, Russia, etc. are a bit of a cyberthreat to the United States, information access is what the US will need if it wants ahead of the game. Do you agree?
Of course the president of the US doesn’t want it passed if it violates the rights of citizens. But, in the end, realize that if money among other things, like personally-identifiable-information were to be stolen every year — and people would realize this, then people should have no problem with their data being accessible to US authorities rather than hackers.
The bright side would be, is if government authorities have access to your private data, it isn’t going to spread around like wildfire, unlike what’d happen if a hacker got a hold of it.
It’s easy to do an Internet search for lists of email addresses, and pull up loads upon loads of private email addresses that hackers posted in public to humiliate those that haven’t been smart enough to keep it secret.
Spammers and phishers, all the time, access your private information on Facebook, if you accidentally click the wrong link or follow a malicious email link – which asks you to ‘enter your Facebook username and password to continue.’
Some people argue that the government doesn’t care for internet users but rather cares for the money they’d get. Well, actually, if you think about it, the government is paying these big businesses to participate in the information sharing process, so the American people’s pocketbooks/wallets can be protected, and their own privacy.
Who else has protested this? Anonymous:
Even the Reddit co-founder is urging the US Government to NOT pass it.
What should be our take? You decide. My vote is neutral. I see this bill as a good thing in spots (because of potentially ending hacker initiatives and malware/virus threats), however, it poses a major privacy threat. For most advocates of privacy, I agree with them.
Your opinion matters too! Contact your local senator and let your voice be heard. It’s usually best to write a letter, which provides good results. Providing written documentation of a fair but firm protest is the best way to go.
It seems as if security firm, Trusteer, has identified a new variant of the Gozi financial malware. This one is more sophisticated and requires your attention. This new variant infects the Master Boot Record (MBR) on your computer — which is a boot sector software device that resides at the beginning of your hard drive that tells your computer how to boot up.
Just like TDL4, another MBR infector, this malware is hard to detect and remove. The main idea behind Gozi, though, is to wait for Internet Explorer to be launched on the victim’s machine, and malicious code is injected into the Process. This allows the malware to intercept web traffic, and inject its own code to webpages, misleading the user and collecting financial information (as well as social security numbers, birth dates, etc.).
Some speculate other developers have taken over, since apparently the main developer as well as accomplices were arrested not long ago. Looks like the new developers have a more sophisticated twist on the whole situation.
What’s different? The MBR rootkit component. This component makes the malware more sophisticated, because the removal of such threat can cause the computer to fail booting. The main problem at trying to fix infections in the MBR is that occasionally, the backup code that is placed in a different sector, is modified to not work when the infection locks in. This makes you have to keep it on the machine. However, it’s more effective to use private tools to help remove it.
One of the private tools, well sort of private, is the Kaspersky Rescue Disc. There are others that are available also, including TDSSKiller, which may or may not work out correctly.
If you need further help, we would love to assist. Please comment at any time!
Ramnit is the name of a rootkit family, which is composed of a sophisticated virus-mutated rootkit, which tends to infect files with polymorphic code and then locks them to disk (some versions lock to disk).
What’s more? Now, it has a troubleshooting module, increased anti-detection capability, enhanced encryption & malicious payloads, and better-written polymorphic code.
“Ramnit is a frequently updated threat which gets updated by its developer every day,” said Tim Liu of the Microsoft Malware Protection Center in a blogpost on Thursday.
Ramnit originated in 2010, and focused on stealing personal credentials, and banking mining (laundering money).
“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.
A new payload module, Liu said, is called Antivirus Trusted Module v1.0; Ramnit kills all antivirus processes through this module, though only AVG AntiVirus 2013 has been moved into the module to date, Liu said.
Stuxnet, the government malware believed to have been created by a dual-venture of the US and Israel, and the one used to attack the Iran nuclear enrichment facility, is now believed to have an earlier attack link. It is believed now that sometime in 2008 was when the facility may have been in progress of attacks from Stuxnet.
Iran leaders met in Kazakhstan this week to discuss with members of the UN Security Council the nuclear program. The researchers there announced a new variant of the sophisticated Stuxnet cyberweapon.
Some have noted that the US and Israel may have partnered way before doing similar activities to try to take down the nuclear enrichment program in Iran.
The new variant was designed as a different attack vector against the centrifuges for the uranium enrichment program, versus later versions released. This “new variant” was apparently released in 2007. Here we are six years later, knowing the discovery of such variant. This shows that the current versions of Stuxnet were made in 2009, which means this variant now recognized predated the original code that researchers found. Therefore, its first version may have been in 2007. That tells security experts this: Stuxnet was attacking much earlier than previously thought.
Still to make a rebuttal, Iran is awaiting and planning new cyberwarriors, which can construct cyberattacks and cyberterrorism on the US.
Looking in the code of the 2007 version, it was used for Siemens PLCs, which are used in the Iran nuclear enrichment program in Natanz. It was aimed at sabotaging the valves’ operations, by controlling the flow of uranium.
The list of new information goes on. According to Wired Magazine, the new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.
We reported on all the recent cyberattacks lately, but didn’t catch this, so here’s an addendum to yesterday’s story:
Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing.
After dealing with multiple attacks on several sites, including Apple, Facebook, and Twitter – this being Java exploits. Now, it’s time to deal with more hacks, including NBC.com (which has been serving up malware for a day now) and Twitter. As in recent reports now, Tumblr and Pinterest have been forewarned.
NBC.com’s hacked pages were modified to include additional HTML component called IFRAME, which is inline frame. This allows at least a 1px x 1px frame to be included independently in the webpage, which may contain malicious code. In HTML code, frames can be made to host web content. But, in the hands of the evildoers, aka cybercriminals, it is used as an effort to launch malware campaigns.
I recognized something was wrong with NBC.com, which may have already been hacked a few weeks ago, and I posted the information on my Twitter account that a downloaded file was sent to my browser asking me to save or open it. This was on a sister site/blog, RedTape. I asked people to replicate it. The Twitter status can be found here.
What type of malware was delivered? Citadel or ZeroAccess, which are both crimeware families and botnets. They are usually part of several exploit kits.
This drive-by download situation is no good, as the pages were taken offline. Therefore, that dropped the traffic of those specific areas of the site. It is sure that this situation is a matter of cybercrime aimed at a financial side of things, not defacement or pranks.
Was it a big deal that it was NBC? No. In fact, it is sure the hackers were aimed at using a high-profile site, and apparently NBC.com was the easiest or quickest to access. Hackers rely on time and many other factors to make their approach(es).
Zendesk hacks and other various warnings
Zendesk is all about customer support…therefore no one really knows, except for those in the business of customer support. Big names use this service, which include Tumblr, Twitter, and Pinterest, among others. Hackers broke into the Zendesk systems, accessing email addresses of those big name customers, namely Twitter, Tumblr, and Pinterest.
How “pinteresting” that another hack has been born, which is related to a social network. Zendesk detailed the hack:
We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.
The companies involved made a point to tell its customers that they haven’t been hacked, but private information was stolen. Luckily, no password thievery was involved.
Obviously, an incident like this, just like the NBC.com incident, needs to be taken very seriously. Something must be done to stop the continuous hacks.
Twitter hacks additionally are nothing new. Many times, hackers used a backdoor, such as the tools the support team uses, to infiltrate the information of Twitter users. It’s not a huge gain, more possibly a waste of time.
Kelihos appears again with a new variant as many researchers have discovered. The variant enables it to remain dormant on the machine with sinkholing techniques, and other rootkit-style operations. It hides domains, and does many other things to conceal itself, as researchers have discovered.
This is the third attempt for the Kelihos botnet. When it got shutdown back in 2011 by a collaborative effort between Kaspersky Lab and Microsoft, it was figured that it was a P2P botnet, which made it more difficult to shutdown completely all operations for the botnet. At least its main servers were cut off, but it didn’t stop the malware from spreading since tons of blackhats still had the malcode on their own server/computer.
Researchers at Deep End Research and FireEye have new samples that have been analyzing, and after some impressive research, it was found that the Kelihos network is back on the rise.
“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.
Experts are trying to discover the new roots, and another takedown may be in order. This is insanity.
One hacker/malware writer of the DNSChanger malware has pleaded guilty. Only two out of the six have been extradited to the US, so far, to be charged. Valeri Aleksejev, one suspect, has now pleaded guilty and is looking at 25 years in prison, with the possibility of having to pay back up to $7M to victims. Deportation is probable as well.
When hackers change DNS settings, they have the ability to lead the victim(s) to other sites through redirects. Redirects can be used for fraudulent purposes, such as boosting affiliate sales, getting search traffic, etc.
The six suspects in this case effectively manipulated this method and other methods, and “were able to manipulate Internet advertising to generate at least $14 million in illicit fees.”
Virut is being targeted now in an effort of allied security forces. Virut is a very dangerous botnet, which when infecting your computer can cause irreversible damage to your files, can steal a lot of personal information, and cause you to lose almost all of your data.
(Our security arm, SecuraGeek Forums, published an article helpful to users about Virut a few years ago, here.)
This takedown effort involved researchers of Poland’s Computer Emergency Response Team (CERT), Russian CERT-GIB, and the Spamhaus Project that aimed at disrupting the operations of the Virut botnet, which involved 300,000 some infected machines.
In December, the Spamhaus Project helped to work against all the domains owned in the Virut botnet, and attempted to have them shutdown. Most of the domains, if not all, were registered under the .pl cc TLD. However, the gang behind the botnet moved all of the malicious domain names toward a new registrar called home.pl.
The botnet’s operations were limited a bit during this time, when NASK (Research and Academic Network) in Poland, began to move on the infrastructure of this botnet. The NASK operates the Poland CERT and is the national registry of the .pl domain. Therefore, its presence in this situation is very important.
“In past few days, Spamhaus has been in close contact with the sponsoring registrar (home.pl), the Polish Computer Emergency Response Team (CERT.pl) to get the domain names suspended,” Morrison blogged Jan. 19. “In cooperation with the Polish CERT and the registrar home.pl, we managed to get all the Virut domain names within the .pl ccTLD sinkholed.”
“In addition, Spamhaus reached out to the Austrian CERT and the Russian-based Company Group-IB CERT-GIB to shut down the remaining Virut domains within the .at and .ru ccTLDs,” he added. “In cooperation with Spamhaus, and due to the evidence and intelligence provided by Spamhaus, CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours.”
Symantec researchers have noted that the maintainers of Virut are also involved with the Waledac botnet. The evidence is due in part to the malware writers behind both botnets using affiliate programs to spread the threats. It’s been noted also that Virut has helped to spread malware such as TDL, Zeus, and others. Also, Symantec warned that Virut had been used to redeploy Waledac. Problem is, the Waledac botnet was seized by Microsoft in 2010. So, redeploying that botnet is opening up the fields for lots of trouble.
As this takedown has occurred, three dozen domain names have been seized in total, with no sign (to researchers) of them starting back up on a different network. Since domains are so critical in the infrastructure, it’s going to be difficult for the malware writers to orchestrate a new plan.
For the past five or so years, domains like ircgalaxy.pl, zief.pl, etc. were used by the botnet…now are seized! It’s not exactly clear how NASK will affect the future operations of Virut, but right now, things are looking good and steady!