Posts Tagged ‘attackers’
Wednesday, August 21, 2013 @ 05:08 PM gHale
The use of the right-to-left override (RLO) character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or a registry key, is seeing a rebirth.
Malware writers have been using the RLO technique for years, as it is a simple and effective method for disguising the names of malicious files. Typically, attackers will try to make their malware appear to be something benign, such as a music player or a setup file for a popular application. The RLO technique helps them accomplish this goal.
Malware authors give a malicious file a name that is close to a legitimate file name and append an extension such as .exe. Hidden in the file name, however, is a Unicode control character (U+202E, right-to-left override) that causes the characters following it to be displayed right to left, i.e. in reverse order. So, for example, a file named “malwaregpj.exe” will appear as “malwareexe.jpg” when the RLO character is inserted after the word “malware,” even though the operating system still treats the file as an .exe.
Security researchers and malware analysts have known about this technique for quite a while, but it is beginning to surface once again.
Researchers at Microsoft have seen new malware samples attempting to impersonate the Google service that keeps software updated on users’ machines, and the malware is using the RLO technique in order to look like a legitimate registry key.
The malware is Sirefef, which is about a year old. It uses the RLO method to trick users into thinking the entries it puts into the infected machine’s registry are legitimate ones.
“The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation,” said Raymond Roberts of Microsoft.
When the Sirefef malware infects a new machine, it creates a registry entry that looks identical to the legitimate Google Update service. Even clicking on the entry to view its properties shows what appears to be a legitimate entry, aside from some odd-looking characters in the path of the executable. Looking at the registry entry with a tool that does not apply Unicode bidirectional rendering, however, reveals the problem: the Sirefef entry shows up as “etadpug” (“gupdate” written backwards, so that the RLO character in front of it renders as the real service name), and the key contains a slew of random characters rather than the description of the legitimate Google Update service.
“This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not,” Roberts said. “It may make it difficult for someone doing a cursory check to determine if they are infected.”
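A check for this trick, written as an added example for this page (it is not Microsoft's code or part of the original article), shows how a name containing the right-to-left override renders versus how it is stored, and flags any file or registry name carrying Unicode bidirectional controls. The rendering function is a deliberate simplification of the Unicode Bidirectional Algorithm: it reverses only the run after U+202E, up to a pop-directional-formatting character or the end of the string, which is enough for the cases the article describes. The sample names are constructed from the article's examples.

```python
# Added example (not from the original article or from Microsoft): detect Unicode
# bidirectional control characters in file names and registry key names, and show
# how a name such as "malware<RLO>gpj.exe" is displayed versus how it is stored.
# rendered_name() is a deliberate simplification of the Unicode Bidirectional
# Algorithm: it reverses the run after U+202E (until U+202C or end of string)
# and ignores digit/punctuation handling and nested embeddings.

# Bidi format characters that can reorder or hide text in a displayed name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def find_bidi_controls(name):
    """Return (index, abbreviation, code point) for every bidi control in name."""
    return [(i, BIDI_CONTROLS[c], "U+%04X" % ord(c))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a bidi-aware UI shows: the text after an RLO is displayed
    reversed up to the next PDF (U+202C) or the end of the string; the control
    characters themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            stop = len(name) if end == -1 else end
            out.append(name[i + 1:stop][::-1])
            i = stop + 1 if end != -1 else stop
        elif c in BIDI_CONTROLS:
            i += 1  # invisible control; dropped from the display
        else:
            out.append(c)
            i += 1
    return "".join(out)


def stored_name(name):
    """The name as the OS, loader and registry see it: controls removed, order kept."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_name(name):
    """Report how a name is stored versus displayed. Any bidi control in a file or
    key name is worth flagging on its own; the extension mismatch is the specific
    disguise the article describes."""
    controls = find_bidi_controls(name)
    shown, stored = rendered_name(name), stored_name(name)
    return {
        "stored": stored,
        "displayed": shown,
        "controls": controls,
        "stored_ext": extension_of(stored),
        "displayed_ext": extension_of(shown),
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and extension_of(stored) != extension_of(shown),
    }


if __name__ == "__main__":
    # Constructed samples: the article's file-name example, the Sirefef registry
    # name ("gupdate" written backwards behind an RLO), and a benign name.
    for sample in ("malware\u202egpj.exe", "\u202eetadpug", "report.pdf"):
        r = check_name(sample)
        print(f"stored={r['stored']!r:20} displayed={r['displayed']!r:18} "
              f"controls={[c[1] for c in r['controls']]} "
              f"real ext={r['stored_ext']!r} looks like {r['displayed_ext']!r}")
```

Running check_name over a directory listing or over the key and value names of an exported registry hive is enough to catch both variants described above. Legitimate software almost never needs bidi control characters in a file, key or service name, so any hit deserves a look even when the real and displayed extensions happen to agree.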
Monday, July 8, 2013 @ 03:07 PM gHale
Despite all the public incidents in which hackers attacked various organizations, it is still apparent that companies do not prioritize cyber security as a strategic competency.
Corporations must develop a proactive strategy so they do not have to react when there is a threat or security breach, said a group of Iowa State University (ISU) researchers.
The cost to a corporation or to its customers if hackers gain access to sensitive information is one factor to consider. With the growing demand for digitally shared data and information, companies can no longer treat security as merely a necessary cost of doing business, said Anthony Townsend, an associate professor of supply chain and information systems in ISU’s College of Business.
“If you have an active and aggressive security team in the organization, you don’t have to get hacked,” Townsend said. “It’s like leaving your door unlocked. If a burglar comes to your house and can just walk through the door, well, that’s easy for him. But if he has to jimmy the lock and there’s good security, he’ll go someplace else.”
Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, said Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cyber security until there is a problem, it’s too late.
“On a more global perspective, there needs to be more IT expertise at the very top of corporations,” DeMarie said. “The way organizations use information technology is critical to the success of a company. If you’re not doing it well, it doesn’t matter how great your product or service is, that can be enough to shut down a business.”
Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, said Brian Mennecke, an associate professor of supply chain and information systems. He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.
“I think increasingly that’s what we’re going to see with organizations moving more of these sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves,” Mennecke said.
On an individual level, Mennecke compares outsourcing security to the decision to purchase a bank lock box. It is a way to protect important documents that you fear cannot stay safe at home.
“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke said.
Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement.
Making cyber security a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie said a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.
“A cyber attack could be devastating to some companies,” DeMarie said. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”
But DeMarie, Townsend and Mennecke see a strong cyber security system as a competitive edge to attract new clients and customers.
“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend said.
Security will increasingly become a greater priority for customers and clients as more business functions end up handled online and digitally. Townsend said the organization with the stronger security presence will have the advantage.
Monday, June 17, 2013 @ 07:06 PM gHale
Security usually ends up being a matter of vigilance, so the longer it takes to understand the system is under attack, the harder it will become to ward off the bad guys.
That is why businesses are vulnerable to security breaches due to their inability to properly analyze or store big data, according to a new report out by security firm, McAfee.
The ability to detect data breaches within minutes is critical in preventing data loss, yet only 35 percent of firms said they have the ability to do this. In fact, 22 percent said they would need a day to identify a breach, and five percent said this process would take up to a week. On average, organizations said it takes 10 hours for a company to recognize a security breach.
“If you’re in a fight, you need to know that while it’s happening, not after the fact,” said Mike Fey, executive vice president and worldwide CTO at McAfee. “This study has shown what we’ve long suspected — that far too few organizations have real-time access to the simple question ‘am I being breached?’ Only by knowing this, can you stop it from happening.”
Nearly three quarters (73 percent) of respondents said they can assess their security status in real-time and they also responded with confidence in their ability to identify in real-time insider threat detection (74 percent), perimeter threats (78 percent), Zero Day malware (72 percent) and compliance controls (80 percent).
However, of the 58 percent of organizations that said they suffered a security breach in the last year, 24 percent found it within minutes. In addition, when it came to actually finding the source of the breach, 14 percent could do so in minutes, while 33 percent said it took a day and 16 percent said a week.
This false confidence highlights a disconnect between the IT department and security professionals within organizations.
The study of 855 incidents showed that in 63 percent of cases it took security professionals weeks or months to find them. On the other side, in 46 percent of the cases the stolen data was out the door within seconds or minutes.
On average, companies are storing 11-15 terabytes of security data a week, a figure that Gartner Group predicts will double annually through 2016. To put that in perspective, 10 terabytes is the equivalent of the printed collection of the Library of Congress.
Despite storing such large volumes of data, 58 percent of firms admitted to only holding on to it for less than three months.
Wednesday, June 12, 2013 @ 02:06 PM gHale
Users in Vietnam, India, China and Taiwan were targeted by an attack campaign that uses Microsoft Word documents rigged with exploits to install a backdoor program that allows attackers to steal information, researchers said.
The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims, said researchers from security firm Rapid7. The goal of these documents was to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.
One of the malicious documents found by Rapid7 researchers is in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests the targets of attacks were part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday.
A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe this document targeted people working in the telecommunications industry in India or local government representatives.
When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010. Microsoft patched these vulnerabilities in 2012 as part of the MS12-027 and MS12-060 security bulletins.
Like a fine wine, these exploits age well as they consistently end up exploited by attackers, especially CVE-2012-0158. Two examples of targeted attacks where CVE-2012-0158 saw use include the NetTraveler and Hangover cyber espionage campaigns.
The malicious documents install a backdoor program called KeyBoy, named after a text string found in one of the samples, Rapid7 researchers said. The malware registers a new Windows service called MdAdum that loads a malicious dynamic-link library (DLL) file called CREDRIVER.dll, the researchers said.
The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, Rapid7 researchers said.
In addition, the malware can open a Windows command shell on the infected computers, which lets the attackers execute Windows commands remotely, they said.
The backdoor samples collected by the Rapid7 researchers were compiled on April 1, suggesting the attacks are recent. The domain names used for the command-and-control servers contacted by the malware were registered during April and May.
These attackers are definitely targeting users in several different countries, Guarnieri said. Rapid7 found evidence users in Taiwan, members of minority populations in China and possibly Western diplomats are targets of this campaign, he said.
“The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple,” Guarnieri said. “However as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact the large majority of targeted attacks from and within the Asian region are generally very basic in complexity.”
Antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. “For some reason this group didn’t receive particular attention (at least not publicly) so we expect detection to improve in the next days.”
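The service and DLL names in the paragraphs above are the kind of indicators a responder would look for in an exported Services hive. What follows is an added example, not Rapid7's code, that parses the text produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services` and reports a service named MdAdum or any service whose values reference CREDRIVER.dll. The export embedded in the block is constructed; the ServiceDll-under-Parameters layout is the standard layout for svchost-hosted services and is an assumption about how KeyBoy registers its DLL, since the article does not say; the Dnscache entry is benign filler.

```python
# Added example (not Rapid7's code): scan a .reg text export of the Services hive
# for the KeyBoy persistence artifacts named in the article: a service called
# MdAdum and a service DLL called CREDRIVER.dll. The sample export is constructed.
# The ServiceDll-under-Parameters layout is the usual svchost-hosted service layout,
# an assumption about KeyBoy rather than a detail the article gives.
import re

SUSPICIOUS_SERVICE_NAMES = {"mdadum"}
SUSPICIOUS_DLL_NAMES = {"credriver.dll"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample in the format `reg export` writes. REG_EXPAND_SZ values are
# normally exported as hex(2): UTF-16LE bytes; one such value is included so the
# decoder is exercised ("DNS").
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"=hex(2):44,00,4e,00,53,00,00,00
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MdAdum]
"DisplayName"="MdAdum"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MdAdum\Parameters]
"ServiceDll"="C:\\Windows\\System32\\CREDRIVER.dll"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles REG_SZ ("a"="b") with .reg backslash escaping, REG_EXPAND_SZ exported
    as hex(2):.. (UTF-16LE), and leaves other types (dword:, hex:) as raw text.
    Continuation lines (trailing backslash on long hex values) are not joined."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            value = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif rhs.lower().startswith("hex(2):"):
            data = bytes(int(b, 16) for b in rhs[7:].split(",") if b.strip())
            value = data.decode("utf-16-le").rstrip("\x00")
        else:
            value = rhs
        keys[current][name] = value
    return keys


def find_suspicious_services(keys):
    """Return [(service_name, reason)] for services matching the KeyBoy indicators:
    the service key name itself, or any value under the service referencing the DLL."""
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        rel = key[len(SERVICES_PREFIX):]
        service, _, sub = rel.partition("\\")
        if not sub and service.lower() in SUSPICIOUS_SERVICE_NAMES:
            hits.append((service, "service name matches %s" % service))
        for vname, value in values.items():
            for dll in SUSPICIOUS_DLL_NAMES:
                if dll in value.lower():
                    hits.append((service, "%s\\%s references %s" % (rel, vname, dll)))
    return hits


def scan_reg_file(path):
    """reg export writes UTF-16 with a BOM; the utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as f:
        return find_suspicious_services(parse_reg_export(f.read()))


if __name__ == "__main__":
    for service, reason in find_suspicious_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"SUSPICIOUS service {service}: {reason}")
```

On a live host the same indicators can be checked without an export by walking the Services key directly, but an export is what a responder usually has from a triage package, and it also preserves the raw value text, including any RLO-style characters in key names, for offline review.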
Tuesday, May 14, 2013 @ 05:05 PM gHale
It’s no secret that when it comes to attack platforms, Java is tops among the bad guys.
Besides being installed pretty much across the board, it also has what attackers drool over: a ton of vulnerabilities.
While Oracle does a fine job fixing holes, bugs and vulnerabilities, the question at the end of the day is whether users actually patch all the issues. Attackers know the answer to that one: No.
Attackers will wait for new patches to come out and then reverse engineer the fixes in order to find the specifics of the vulnerabilities, researchers said. It’s a concern, especially for companies like Microsoft, Adobe and Oracle whose software runs on hundreds of millions of machines and have regular, predictable patch cycles that attackers can depend on. This gives them a monthly or quarterly batch of fixes to reverse engineer. Again, that works because users do not always patch.
Microsoft is very good at getting users to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers focus most of their attention on older flaws for which there are already patches.
Research from Microsoft shows there has been a spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity centered on patched vulnerabilities in Java. Part of the reason for this may be attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version.
“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723,” said Microsoft’s Jeong Wook Oh. “The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities.”
“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to multiple versions of Java, including Java 6 and 7, and the other is the vulnerabilities that only apply to Java 7,” the Microsoft researcher said. “So when new vulnerabilities that are only applicable to Java 7 were discovered, the attacker’s strategy was usually to combine them with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than by using a single exploit in one package.”
Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a Zero Day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications.
Wednesday, May 1, 2013 @ 02:05 PM gHale
Whether users install a patch or not, attackers like to jump on Adobe Reader vulnerabilities to drop malware onto their targets’ computers.
Quite a few advanced persistent threat (APT) campaigns are now relying on those very security holes.
At least three APTs rely on the CVE-2013-0640 vulnerability to distribute malware, said researchers at Trend Micro. This exploit remains well known because it saw use in the MiniDuke campaign.
One of the campaigns that use the PDF exploit is Zegost. Experts identified PDF documents, written in Vietnamese, that are very similar to the files used in the MiniDuke attacks.
The dropped files and data are similar, their number is similar, and their purposes are also very much the same. However, the payload dropped in the Zegost attacks isn’t connected in any way with the MiniDuke malware payload.
Another series of malicious PDFs was used in the PlugX campaigns. Cyber criminals, possibly not related to each other, have attempted to drop various versions of PlugX on the computers of users in Japan, India and South Korea.
While there have been some similarities between the Zegost and the MiniDuke operations, the researchers said these PlugX attacks are different.
“Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal,” said Nart Villeneuve, senior threat researcher at Trend Micro.
“At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.”
Friday, April 5, 2013 @ 05:04 PM gHale
Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.
There is now a piece of malware in circulation that uses Skype as a spreading mechanism and then uses infected machines’ processing power to mine Bitcoins.
The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.
“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the Hotfile.com service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.
Once the malware is on the victim’s machine, it goes about the business of hijacking the PC’s processing power to mine for Bitcoins. The Bitcoin network relies on a proof-of-work system in which miners expend computation to confirm transactions and create new bitcoins. That computation requires quite a bit of processing power, and that is what the attackers behind this malware campaign are after.
Here’s how the Bitcoin Project explains the mining process:
“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.
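To make concrete why a miner needs CPU time, here is an added example (not from the article or from the Bitcoin Project) of the proof-of-work search at the heart of mining, reduced to its essentials: hash a header with a changing nonce until the double SHA-256 digest falls below a target. Real Bitcoin hashes a fixed 80-byte header against a 256-bit target encoded in the block; this toy uses an arbitrary constructed header string and expresses difficulty as leading zero bits, so it is an illustration rather than a client.

```python
# Added example (not from the article or the Bitcoin Project): a miniature
# proof-of-work search in the style of Bitcoin mining, to show why mining burns
# CPU. Real Bitcoin hashes an 80-byte block header with double SHA-256 against a
# 256-bit target; this toy keeps double SHA-256 and the little-endian 32-bit nonce
# but uses an arbitrary header string and a difficulty in leading zero bits.
import hashlib
import struct


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest, difficulty_bits):
    """True if the digest, read as a big-endian integer, has at least
    difficulty_bits leading zero bits, i.e. is below 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def find_nonce(header, difficulty_bits, max_nonce=1 << 32):
    """Brute-force a 32-bit nonce until double_sha256(header || nonce) meets the
    target. Returns (nonce, digest, attempts). The expected number of attempts is
    about 2**difficulty_bits; there is no shortcut, the work can only be spread
    across more hardware (or, for a botnet, more victims)."""
    for nonce in range(max_nonce):
        digest = double_sha256(header + struct.pack("<I", nonce))
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    raise RuntimeError("nonce space exhausted; vary the header (extra nonce) and retry")


def verify(header, nonce, difficulty_bits):
    """Checking a claimed solution costs a single hash, which is why the rest of
    the network can cheaply confirm work that was expensive to produce."""
    return meets_target(double_sha256(header + struct.pack("<I", nonce)), difficulty_bits)


if __name__ == "__main__":
    # Constructed header; a real one would carry the previous block hash,
    # the merkle root of the confirmed transactions, a timestamp and the target.
    header = b"constructed header: prev=0000 merkle=abcd time=1365120000"
    for bits in (8, 12, 16):
        nonce, digest, attempts = find_nonce(header, bits)
        assert verify(header, nonce, bits)
        print(f"difficulty={bits:2d} bits  nonce={nonce:8d}  attempts={attempts:8d}  "
              f"hash={digest.hex()[:20]}")
```

Raising the difficulty by one bit doubles the expected number of hashes, while verify still costs one hash. That asymmetry is what lets the network check work cheaply, and it is also why an operator profits from spreading the search over thousands of victims' CPUs: the reward is divided according to how much hashing is done, and stolen cycles are free.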
The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.