Posts Tagged ‘Kaspersky Labs’

Monday, April 22, 2013 @ 05:04 PM gHale

A new spam campaign is out that leverages the name of Australian telecom company TPG Telecom in an effort to distribute a variant of the ZeuS Trojan.

Bearing the subject “Restoration of Mobile Phone Deposit,” researchers at Kaspersky Labs found the faux email reads:

“Dear Customer,

The balance of your Mobile Phone Deposit has dropped below $5.00, and we have initiated a debit of $16.95 to restore the balance to $20.00. Please refer to the attached report with detailed status of your account.

Thank you for using the TPG mobile phone service. Your customer ID is 5212306”

The file attached to these malicious emails appears to be a harmless document. However, in reality, it’s an executable identified by Kaspersky as Trojan-Spy.Win32.Zbot.jqye, a threat designed to steal sensitive information from infected computers.

It’s worth noting that Trojan-Spy.Win32.Zbot.jqye is one of the most famous ZeuS variants.

If you come across such emails, be sure to ignore them. If you’ve already opened the attachment, scan your system immediately with an updated antivirus solution.
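
The lure above works because the attachment looks like a document but is really an executable. An added example, written for this page and not part of the original story or of Kaspersky's or TPG's tooling, showing how a mail gateway can flag that mismatch by checking the attachment's leading bytes against its declared name. The message is constructed inline; the "executable" is a 64-byte stub carrying only an MZ header (inert, not malware) and the addresses are placeholders.

```python
from email.message import EmailMessage

# Extensions Windows will execute, and extensions that merely look like documents.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

# Leading bytes (magic numbers) of common attachment formats.
MAGIC = {
    b"MZ": "pe-executable",          # Windows PE/DOS executable
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",     # legacy Office (doc/xls)
    b"PK\x03\x04": "zip",            # docx/xlsx/apk and plain zip
}


def sniff(data: bytes) -> str:
    """Classify content by its magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(filename: str):
    """All dot-suffixes of a name, lower-cased: 'A.pdf.EXE' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(filename: str, data: bytes):
    """Return the reasons an attachment is suspicious; an empty list means clean."""
    reasons = []
    exts = extensions(filename)
    kind = sniff(data)
    if kind == "pe-executable":
        reasons.append("content is a Windows executable (MZ header)")
    if exts and exts[-1] in EXECUTABLE_EXT:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in EXECUTABLE_EXT:
        reasons.append("document-looking double extension")
    if exts and exts[-1] in DOCUMENT_EXT and kind == "pe-executable":
        reasons.append("declared as a document but carries executable content")
    return reasons


def scan_message(msg: EmailMessage):
    """Run assess_attachment over every attachment; return [(name, reasons), ...]."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = assess_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed lure modelled on the campaign above. The 'executable' is a
    64-byte stub holding only an MZ header, so it is inert; addresses are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Restoration of Mobile Phone Deposit"
    msg["From"] = "billing@tpg-placeholder.example"
    msg["To"] = "customer@example.net"
    msg.set_content("Please refer to the attached report with detailed status of your account.")
    stub = b"MZ" + b"\x00" * 62
    msg.add_attachment(stub, maintype="application", subtype="pdf",
                       filename="Account_Report.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%placeholder\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(name)
        for r in reasons:
            print("  -", r)
```

The decision is driven by the bytes, not the name or the MIME type the sender chose, so relabelling the executable as `application/pdf` does not help the sender; the name checks are kept as extra signals for the alert text.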

Friday, April 5, 2013 @ 05:04 PM gHale

Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.

There is now a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.

The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.

“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the Hotfile.com service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.

Once the malware is on the victim’s machine, it goes about the business of usurping the PC’s processing power to mine for Bitcoins. The Bitcoin network relies on a complex system to create each Bitcoin and verify the currency is valid and being spent by the owner of those Bitcoins. Part of that process requires quite a bit of processing power, and that’s what the attackers behind this malware campaign are after.

Here’s how the Bitcoin Project explains the mining process:

“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.

The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.

Monday, February 18, 2013 @ 05:02 PM gHale

It doesn’t take long. Fresh vulnerabilities in Adobe PDF Reader and Flash Player are already being exploited.

A PDF Zero Day is being exploited, said researchers from FireEye, who found successful exploitation against Adobe PDF Reader versions 9.5.3, 10.1.5, and 11.0.1.

“Upon successful exploitation, it will drop two DLLs,” the researchers said. “The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.

“We have already submitted the sample to the Adobe security team. Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files.”

In addition, Kaspersky Labs identified a Zero Day vulnerability in Adobe Flash Player (CVE-2013-0633) actively exploited in targeted attacks. This impacts Windows, Mac OS X and Linux operating systems, as well as a number of earlier versions of Android.

“The vulnerability was being used in a series of targeted attacks that were designed to trick victims into opening a spear-phishing email with a Microsoft Word document, which contained malicious Flash (SWF) content,” Kaspersky researchers said. “The majority of attacks analyzed by Kaspersky Lab were targeted against human rights activists and political dissidents from Africa and the Middle East.”

Adobe released a security update for this issue, saying it was aware of reports of this vulnerability undergoing exploitation in the wild.

Wednesday, January 16, 2013 @ 02:01 PM gHale

Knowing users fail to update their installations, cybercriminals will always jump at the chance to take advantage of known vulnerabilities, which is why a five-year-long cyber espionage campaign was at one point using an old Java exploit to push malware.

This revelation came out after Kaspersky Labs earlier this week unveiled the espionage program dubbed Operation Red October, which was tracking and following governments and other organizations.

Kaspersky experts have said the cybercriminals are leveraging vulnerabilities in Microsoft Word and Excel to push malware onto their victims’ computers.

However, according to Seculert, back in February 2012 the attackers relied on an older Java vulnerability (CVE-2011-3544).

“In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java, and in the background downloaded and executed the malware automatically,” the Seculert researchers said.

Oracle patched the security hole abused by this exploit back in October 2011, but the attackers utilized it in February 2012. This shows cybercriminals often make use of known vulnerabilities, knowing that users fail to update their installations.

Wednesday, November 7, 2012 @ 03:11 PM gHale

Users are slow to apply Oracle and Adobe patches, and neither company seems able to get its users to fix its products, a new study showed.

Oracle Java, Adobe Flash Player, Reader and Shockwave, Apple’s QuickTime and iTunes, and Nullsoft’s Winamp are in the top 10 of Kaspersky Labs’ IT Threat Evolution for the third quarter. 35 percent of the computers studied by Kaspersky suffered from vulnerabilities in Java, with just under 19 percent vulnerable to infection through the Adobe Flash Player.

Of the computers studied by Kaspersky in the third quarter, 35 percent suffered from a Java vulnerability and 19 percent from a vulnerability in an Adobe product.

Compared to the third quarter of 2011, Adobe has at least improved by a few percentage points. Sun/Oracle Java, however, has remained stuck around the 30 percent mark since 2010. Java’s patch and update agents are behind the competition.

Adobe stands out in these security reports for the number of vulnerabilities which users have failed to fix and the number of affected products.

Adobe tends to occupy fifth place in Kaspersky’s top 10, also suggesting that Adobe’s update agents could do better.

Tuesday, October 30, 2012 @ 10:10 AM gHale

Germany just overtook the U.S. when it comes to email users getting the most malicious email messages.

Germany topped the chart with 13.87% of malicious mail directed at its users, followed by Spain (7.43%), Russia (6.85%), India (6.39%), Vietnam (5.95%), Australia (5.94%), China (5.80%) and the U.S (5.62%), according to a report on September’s spam by Kaspersky. The U.S. had led the chart for the previous eight months.

Kaspersky said 3.4% of all emails contained malicious files, a drop of 0.5 percentage points compared to the previous month. Germany saw a six percentage point rise in its detections and Spain saw a four percentage point rise, while the United Kingdom’s share dropped two percentage points to 4.67%.

It was also a month for drastic changes in the top ten malware detected by Kaspersky. Long-term leader “Trojan-Spy.HTML.Fraud.gen” fell out of the top ten completely, giving its top spot to “Backdoor.Win32.Androm.kv” (aka Backdoor.Trojan and PWS-Zbot.gen.ana), a backdoor Trojan which enables remote access, found in 6.32% of the malicious emails. Right behind was “Email-Worm.Win32.Bagle.gt”, an email address harvester and malicious program downloader, and then the “Email-Worm.Mydoom.m” and “Mydoom.l” email address harvesters. Also in the top ten were four ransomware Trojans.

Of the spam that didn’t have malicious programs attached, Kaspersky noted a rise in mails with an oil and gas theme, such as bogus lottery mails apparently from Russian energy companies Gazprom and Lukoil.

They also noted an increase in spam pointing users at infected coupon sites with good imitations of legitimate Groupon mailings, the appearance of Michelle Obama’s name in lottery email which claims to come from the “World Wide Web Owner” and mass English-language mailings of the controversial film “The Innocence of Muslims” which lacked the expected malicious attachments or dangerous links.

Overall, spam levels grew by 2.3 percentage points from August to reach 72.5% of all email traffic, and phishing mails tripled, to reach 0.03%.

Monday, October 29, 2012 @ 09:10 AM gHale

Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Heather MacKenzie
The most destructive post-Stuxnet discovery of advanced threats is a piece of malware known as Shamoon. Like Stuxnet, Duqu and Flame, it targeted energy companies in the Middle East, this time Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region.

It is a new species, however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes, those numbers are correct) workstations of Saudi Aramco (and who knows how many more at other firms).

Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented, “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”

First discovered August 16 by Symantec, Kaspersky Labs, and Seculert, Shamoon was introduced into Saudi Aramco by a disgruntled insider who had full access to the system. It took control of an Internet-connected computer and used that computer to communicate back to an external Command-and-Control server. It also infected other computers running Microsoft Windows that were not Internet connected. This type of malware is a “botnet,” which is a collection of compromised computers under the control of a single individual or group.

The name Shamoon comes from a folder name within the malware executable: “c:\shamoon\ArabianGulf\wiper\release.pdb”

While the significance of the word “Shamoon” is not known, it is speculated that it is the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.

Symantec describes Shamoon as having three components:
1. Dropper – the main component and source of the original infection. It drops components 2 and 3 onto the infected computer, copies itself to network shares, executes itself and creates a service to start itself whenever Windows starts.

2. Wiper – this is the destructive module. It compiles a list of files from specific locations on the infected computers, erases them, and sends information about the files back to the attacker. The erased files are overwritten with corrupted jpeg files, “obstructing any potential file recovery by the victim.”

3. Reporter – this module sends infection information back to the attacker’s central computer.

While all of this sounds sophisticated, Kaspersky Labs concluded, based on a number of errors found in the code, that the developers of Shamoon are “skilled amateurs.” They are not in the same league as the sophisticated coders of Stuxnet and Flame.

On August 15 Saudi Aramco posted on its Facebook page “…the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.”

They later told Reuters: “Shamoon [the virus] spread through the company’s network and wiped computers’ hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations.”

However, as CIO blogger Constantine von Hoffman said, “You don’t destroy 30,000 workstations without causing a vast amount of damage. It might be possible that the attack didn’t directly hit oil production or harm the flow of oil out of the ground. No one I’ve spoken to has suggested it did, but it’s clear that if the company’s statement is true then Aramco used a very strict reading of the phrase ‘oil production.’”

Von Hoffman went on to question the Saudi Aramco statement that all damage had been repaired by Aug. 26. He also wonders, in these days of oil and gas projects being dominated by joint ventures, how other energy companies’ computers could not have been damaged by Shamoon.

Indeed, Leon Panetta, the U.S. Defense Secretary, recently described Shamoon as the most destructive attack the business sector has seen to date and a “significant escalation of the cyberthreat.”

Jim Lewis, a computer expert at the Center for Strategic and International Studies (CSIS) in Washington added “There is a really significant dollar cost to this attack. The computers were out for as much as a week and had to be replaced.”

It is now known that the attack was initiated by a disgruntled insider, an Aramco employee, “an extraordinary development in a country where open dissent is banned” who may have been working with the Iranian government.

Bloomberg attributes the attack to a single perpetrator who did not have the skills to do advanced coding or to attack the company’s oil production sites. Their view rests on the fact that the forensic analysis of the code does not show the advanced elements that typically suggest a nation-state perpetrator. The motive in this case is believed to come from the disenfranchised Shiite minority in Saudi Arabia’s eastern province.

However, ISSSource describes how “Iran’s Cyber Army” has been building up its capability over time and attributes the attack to Iran working with an insider. It also puts forward two theories about why the Iranians might have instigated it.

One theory is the attacks were motivated by “deep wrath” at the Saudi government because of:
a. The mistreatment of the Shiites by Saudi Aramco.
b. The Saudi government’s assistance to Sunni factions in Syria and Bahrain.

The other theory is the attacks are retaliatory measures against the U.S. for:
a. Stuxnet, the U.S.-Israeli backed malware that disrupted Iran’s nuclear enrichment program, and
b. Payback for the severe U.S.-imposed sanctions that have sent the Iranian economy into a tailspin.

Shamoon was a destroyer of data on workstations of energy companies in the Arabian Gulf. There is no evidence it had any impact on SCADA or ICS systems.

What does it mean for automation professionals? The good news is that, like Stuxnet, Flame and Duqu, Shamoon was highly targeted. But the bad news is that it is another indicator that industry, especially the energy industry, is now a target.

You might want to update your risk assessments. Of great concern is the fact this attack lowers the bar for effective disruption of a business. One or more people with skills slightly better than amateurs and a relatively low level of effort were able to penetrate a well-protected network and destroy massive amounts of data (albeit with insider access). In addition, they did it at a scale and speed that is unprecedented.

Imagine the damage that could be done if a group of people with an axe to grind against your organization launched a similar attack against you. The success of Shamoon is sure to attract copycats. This rouses the kind of fear we have when we think of terrorists getting their hands on nuclear weapons. No rules of engagement apply.

Call it “cyber warfare” or “cyber hype,” the bottom line is the information/networked world is facing increased threats and SCADA and ICS systems are part of that world.

Heather MacKenzie is with Tofino Security. The full version of this post is available on the Practical SCADA Security blog.

Friday, September 21, 2012 @ 02:09 PM gHale

A whole family of Flame-related malware is running out in the cyber street, with much of it likely undetected as yet, said security vendor Kaspersky Labs.

Earlier this week, Kaspersky said it detected three Flame-related pieces of malware.

Kaspersky’s chief malware expert Vitaly Kamluk said analysis of the command and control (C&C) servers used by Flame’s authors indicated the extent of the cyber espionage campaign may be larger than first thought.

“The code running on the C&C server is able to ‘speak the languages’ that three other malicious applications can understand and those applications are not Flame,” said Kamluk.

“We have confirmed that at least one of those three has spread as we have registered an incoming connection on our sinkhole server from a machine that ‘speaks’ one of these new ‘languages’ (communication protocols).”

Kamluk said there are likely more than the three new Flame-level threats currently operating undetected in the wild.

“It is very possible there are more variants. They started building RedProtocol, yet another ‘language’ for unknown malware. No known client types are using that one, which means that there is even more malware out there,” said Kamluk.

“It means that Flame is not the only one in this big family,” he said. “There are others and they aren’t just other known malwares such as Stuxnet, Gauss or Duqu.”

Last May, Kaspersky found Flame, a computer virus with data-snatching capabilities, hitting machines not only in Iran but elsewhere in the Middle East, and said it was “20 times larger than Stuxnet.”

While Flame’s true purpose remains a bit muddled, its creators did order infected computers still under their control to download and execute a component designed to remove all traces of the malware, in a move to prevent forensic analysis, Symantec security researchers said.

Monday, August 20, 2012 @ 05:08 PM gHale

Android is under attack, there is no doubt about it, but how severe the attack is remains open to debate.

On one hand you have Kaspersky Labs saying the number of Android Trojans tripled in the second quarter of the year and now stands at 15,000.

On the other hand, F-Secure has seen only a moderate increase of 40 new Android malware families or variants. The difference appears easy to explain.

Kaspersky’s numbers rely on unique samples. That means when a new piece of malware appears, a hash value is generated for the program. If this digital fingerprint is not in the company’s database, it counts as a new unique sample. In practice, though, a new unique sample can be produced simply by replacing an “A” with an “a” in the code, yielding a new hash value even though the malicious program remains the same. So, in the second quarter of 2012, 14,923 Android Trojans landed in the Kaspersky Malware Statistics.

F-Secure has, for some time, chosen a more sophisticated approach to how it analyzes the pests for its statistics, such as those it presents in its quarterly Mobile Threat Report. It bases its numbers for malware distribution on malware families or variants and therefore provides a much better measurement of the real threat compared to the inflated unique samples values.

F-Secure discovered in the April to June period, 40 new families or variants of existing families of malware emerged.
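
To make the difference between the two counting methods concrete, here is an added example (written for this page; it is not Kaspersky’s or F-Secure’s code, and the family fingerprint is a simplified stand-in for whatever classification a vendor actually uses). The five “samples” are constructed, inert records, not real malware: three are one family with trivial edits (a changed letter, a changed number), two are byte-identical copies of a second family. Counting by exact hash and counting by normalised feature set give very different totals.

```python
import hashlib
import re

# Constructed, purely illustrative "samples". Each carries the raw bytes an AV
# engine would hash plus two static features (imported APIs, embedded strings)
# that a family-oriented classifier might extract. None are real artefacts.
SAMPLES = [
    {"name": "smsbot_v1",
     "data": b"DEX\x01 Premium SMS to 3353 http://c2.example/panel",
     "imports": ["SendTextMessage", "getDeviceId"],
     "strings": ["Premium SMS to 3353", "http://c2.example/panel"]},
    {"name": "smsbot_v1_recased",          # one letter changed: 'P' -> 'p'
     "data": b"DEX\x01 premium SMS to 3353 http://c2.example/panel",
     "imports": ["SendTextMessage", "getDeviceId"],
     "strings": ["premium SMS to 3353", "http://c2.example/panel"]},
    {"name": "smsbot_v1_newnumber",        # premium number swapped
     "data": b"DEX\x01 Premium SMS to 4411 http://c2.example/panel",
     "imports": ["SendTextMessage", "getDeviceId"],
     "strings": ["Premium SMS to 4411", "http://c2.example/panel"]},
    {"name": "contactstealer",
     "data": b"DEX\x02 upload contacts http://drop.example/up",
     "imports": ["getContacts", "HttpPost"],
     "strings": ["upload contacts", "http://drop.example/up"]},
    {"name": "contactstealer_copy",        # byte-identical redistribution
     "data": b"DEX\x02 upload contacts http://drop.example/up",
     "imports": ["getContacts", "HttpPost"],
     "strings": ["upload contacts", "http://drop.example/up"]},
]


def exact_hash(data: bytes) -> str:
    """Per-file fingerprint: any single byte change yields a new value."""
    return hashlib.sha256(data).hexdigest()


def normalize_string(s: str) -> str:
    """Canonicalise an embedded string so trivial edits collapse together:
    lower-case it, replace digit runs with '#', squeeze whitespace."""
    s = s.lower()
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip()


def family_fingerprint(imports, strings) -> str:
    """Hash of the canonical feature set rather than of the bytes. Samples that
    differ only in case, numbers or byte layout land on the same value."""
    canon = "|".join(sorted(imports)) + "||" + "|".join(
        sorted(normalize_string(s) for s in strings))
    return hashlib.sha256(canon.encode()).hexdigest()


def count_unique_samples(samples) -> int:
    """The 'unique sample' metric: distinct SHA-256 values seen."""
    return len({exact_hash(s["data"]) for s in samples})


def count_families(samples) -> int:
    """The 'family/variant' metric: distinct feature fingerprints seen."""
    return len({family_fingerprint(s["imports"], s["strings"]) for s in samples})


def family_breakdown(samples) -> dict:
    """Map each family fingerprint to the names of the samples it covers."""
    groups = {}
    for s in samples:
        fp = family_fingerprint(s["imports"], s["strings"])
        groups.setdefault(fp, []).append(s["name"])
    return groups


if __name__ == "__main__":
    print("unique samples:", count_unique_samples(SAMPLES))
    print("families:", count_families(SAMPLES))
    for fp, names in family_breakdown(SAMPLES).items():
        print(fp[:12], names)
```

Running it reports four unique samples but two families. The exact-hash count rises with every recompile or string tweak, which is why it inflates; the feature-based count only moves when the code’s behaviourally relevant features change, at the cost of needing an analyst-chosen normalisation that can itself be too loose or too strict.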

While the numbers may be different, both AV vendors agree on one thing: Android is the preferred mobile platform for attackers.

Monday, August 13, 2012 @ 06:08 PM gHale

After more analysis on the new virus called Gauss, it seems the tool has capabilities to attack national critical infrastructure and steal financial data.

While not confirmed, it appears the masterminds behind this virus are the same as those behind the state-sponsored Flame and Stuxnet. ISSSource reported the masterminds behind Stuxnet and Flame were the U.S. and Israel.

Researchers at Kaspersky Labs discovered Gauss in June and it has already infected personal computers in Lebanon and other countries in the Middle East.

The sophisticated malware, which not only steals system information but also carries a potentially dangerous “mysterious payload,” contains a module known as Godel, which researchers have concluded contains a weapon for attacking industrial control systems.

Ross Brewer, vice president and managing director for international markets, LogRhythm, has made the following comments:

“This latest malware discovery clearly shows a developing trend of sophisticated cyber weapons, like the Stuxnet, Duqu and Flame viruses, which aim to take control of critical national systems. While Gauss’ initial purpose appears to be the theft of financial information, its inclusion of the ‘Godel’ module further proves that cyber warfare tactics between nation states can result in significant damage to physical infrastructure.

“A large proportion of today’s cyber security breaches – whether cyber espionage exercises such as data theft or full on cyber attacks that take control of critical systems – are a result of organizations lacking visibility into the activity taking place across their networks.”

Traditional perimeter cyber security defenses such as anti-virus software just aren’t enough to ensure protection, particularly as Gauss’s “cousin,” the Flame virus, avoided detection from 43 different anti-virus tools and took over two years to detect.

Critical infrastructure operators need to continuously monitor all log data generated by IT systems to make sure there is no aberrant network activity and, if there is, to identify, analyze and remediate it in real time.

Especially relevant to the detection of attacks on control systems like SCADA (supervisory control and data acquisition), constant monitoring of IT network log data also provides the traceability required to identify patterns in seemingly unrelated incidents, enabling damage limitation strategies to be enacted before any destruction of national infrastructure can occur.
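
As an added example of the kind of log correlation the paragraphs above argue for (written for this page; not LogRhythm’s product logic or any vendor’s code), here is a small detector that ties together two events the Shamoon write-up on this page describes a dropper producing: a copy of an executable written to a host’s admin share from another machine, followed shortly by a new service on that host. The log extract is constructed in a simple key=value form such as a SIEM might normalise from share-access auditing and Service Control Manager events; the host names, addresses and the service name `svc-placeholder` are placeholders, not real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log extract (not real telemetry). One event per line: an ISO
# timestamp followed by key=value fields. Three hosts receive the same .exe on
# ADMIN$ from one source; two of them register a service within a minute, the
# third much later. Two unrelated lines provide benign background.
LOG = """\
2012-08-15T06:58:10 host=WS-101 event=share_write src=10.0.5.20 share=ADMIN$ file=svc-placeholder.exe
2012-08-15T06:58:12 host=WS-102 event=share_write src=10.0.5.20 share=ADMIN$ file=svc-placeholder.exe
2012-08-15T06:58:15 host=WS-103 event=share_write src=10.0.5.20 share=ADMIN$ file=svc-placeholder.exe
2012-08-15T06:59:03 host=WS-101 event=service_install service=svc-placeholder image=C:\\Windows\\svc-placeholder.exe
2012-08-15T06:59:07 host=WS-102 event=service_install service=svc-placeholder image=C:\\Windows\\svc-placeholder.exe
2012-08-15T07:30:00 host=WS-103 event=service_install service=svc-placeholder image=C:\\Windows\\svc-placeholder.exe
2012-08-15T07:05:00 host=WS-200 event=share_write src=10.0.9.9 share=Public file=report.pdf
2012-08-15T08:00:00 host=WS-201 event=service_install service=BackupAgent image=C:\\Backup\\agent.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str):
    """Turn the key=value lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(KV_RE.findall(m.group("rest")))
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(ev)
    return events


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_lateral_service_installs(events, window=timedelta(minutes=15)):
    """Pair each service_install with a preceding remote write of the same
    executable to a share on that host, inside the window. Returns hits."""
    writes = defaultdict(list)
    for ev in events:
        if ev.get("event") == "share_write":
            writes[ev["host"]].append(ev)
    hits = []
    for ev in events:
        if ev.get("event") != "service_install":
            continue
        target = basename(ev.get("image", ""))
        for w in writes.get(ev["host"], []):
            delta = ev["ts"] - w["ts"]
            if basename(w.get("file", "")) == target and timedelta(0) <= delta <= window:
                hits.append({"host": ev["host"], "src": w["src"],
                             "service": ev.get("service"), "file": target,
                             "seconds_between": int(delta.total_seconds())})
    return hits


def fan_out_sources(events, min_targets=3):
    """Sources that dropped executables on administrative shares ($) of at
    least min_targets distinct hosts: the spreading pattern, viewed from the sender."""
    targets = defaultdict(set)
    for ev in events:
        if (ev.get("event") == "share_write"
                and ev.get("share", "").endswith("$")
                and ev.get("file", "").lower().endswith(".exe")):
            targets[ev["src"]].add(ev["host"])
    return {src: sorted(h) for src, h in targets.items() if len(h) >= min_targets}


if __name__ == "__main__":
    evs = parse_log(LOG)
    for hit in correlate_lateral_service_installs(evs):
        print("remote copy followed by service install:", hit)
    for src, hosts in fan_out_sources(evs).items():
        print("fan-out from", src, "to", hosts)
```

Neither event is alarming on its own (administrators copy files to ADMIN$ and install services all day), which is the point the text makes about seemingly unrelated incidents: the pairing within a short window on one host, and the same source fanning out to many hosts, are what turn two routine log lines into a pattern worth a real-time response. In practice the window and the fan-out threshold need tuning against a site’s own baseline.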
