ISSSource White Papers

Posts Tagged ‘worm’

Tuesday, May 20, 2014 @ 06:05 AM gHale

There is a new variant of the worm known as VOBFUS that is very fluent in the languages of the operating system.

Similar to older versions, WORM_VOBFUS.JDN spreads by copying itself to removable drives as executable files. However, unlike previous variants, the latest VOBFUS names the files depending on the operating system language of the targeted computer, said researchers at Trend Micro.


Users who speak English will see files named something like “I love you.exe,” “Naked.exe,” “Password.exe,” “Sexy.exe,” and “Webcam.exe.”

If the operating system is set to another language, the monikers end up translated. The worm can target speakers of the following languages: English, Indonesian, Arabic, Chinese, Bosnian, Czech, Croatian, German, French, Hungarian, Korean, Italian, Polish, Persian, Romanian, Portuguese, Thai, Spanish, Slovak, Vietnamese and Turkish.

“Infection by way of ‘localized’ threats could be seen as one way for cybercriminals to transform unsuspecting users into victims,” said Mark Joseph Manahan, a threat response engineer at Trend Micro in a blog post.

“Seeing a file or a notification written in their language might pique users’ interest more than seeing one written in English. Users may also find a false sense of security in these ‘localized’ files and notifications as they might view these as less suspicious than other files.”

Friday, May 2, 2014 @ 06:05 PM gHale

A new piece of mobile malware, designed to infect Android mobile devices and carry out Trojan-like attacks, is starting up in Russia but could be crossing borders pretty soon, researchers said.

“Android/Samsapo.A” shares a characteristic similar to many worms: it spreads itself through automated systems, said researchers at security firm ESET. The automated process, in this case, is SMS messages.


Upon infection, the worm accesses and shoots out SMS messages to everyone in the victim’s contact list. The message it sends asks, “Is this your photo?” in Russian and contains a link that, when pressed, asks users to install the downloaded malicious APK file.

“It is not known how the first domino piece was set into motion, but the SMS spreading is the most interesting feature of this malware,” said Robert Lipovsky, a malware researcher with ESET. “It’s rather uncommon, since Android Trojans usually spread by masquerading as [sometimes cracked] legitimate apps.”

The worm is able to download malicious files from specified URLs, upload information on the mobile device to a remote server, register the phone number into a premium SMS service, block phone calls, and alter alarm settings, according to the post.

Although the worm can end up spotted as a running service on the device, ultimately, the malware can conceal itself by providing no graphical user interface, as well as no application icon, Lipovsky said, adding the best chance to spot it and stop it is during installation.

So far this is only in Russia, but it is quite likely to make its way to other countries, researchers said.

Tuesday, March 18, 2014 @ 05:03 PM gHale

A 27-year-old Moroccan man with Russian citizenship, known on the hacking scene as Diabl0, is now under arrest in Thailand on suspicion of being involved in cyber attacks against Swiss financial organizations.

Police arrested Farid Essebar after Swiss police alerted Thai authorities through the embassy in Bangkok about the hacker and three other members of his gang being in Thailand, according to a report in the Bangkok Post.


In Switzerland, Essebar stands accused of hacking into the computer systems of several banks, causing damage estimated at around $4 billion (€2.87 billion).

Police in Thailand have been tracking Diabl0 for the past two years. Apparently, they wanted to make sure he’s the man wanted by Swiss authorities before arresting him. Police said Essebar visited Thailand, Hong Kong and other neighboring countries several times in the past years.

Police Colonel Songsak Raksaksakul, chief of the International Cases and International Crime Division of the Department of Special Investigation, said Essebar never gambled and never purchased any assets in Thailand, despite visiting a number of tourist destinations.

Diabl0 first ended up arrested in 2005 by Moroccan authorities. He ended up sentenced for his involvement in the creation of Zotob, a notorious worm that infected computers, including the ones of organizations like CNN, ABC News, NYT, Boeing and the US Department of Homeland Security.

He received a sentence of two years, but ended up released after one.

Monday, December 2, 2013 @ 04:12 PM gHale

Industrial control systems could feel the effect of a new Linux worm that exploits a PHP vulnerability. In addition to ICSes, other devices connected to the Internet, such as routers, set-top boxes, and security cameras, could also fall victim.

The malware spreads by exploiting a PHP vulnerability patched back in May 2012, said researchers at Symantec. The developer used proof-of-concept code published in October to create the worm Symantec called Darlloz.


“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target,” Symantec’s Kaoru Hayashi said in a blog post.

The variant analyzed by Symantec can infect only devices running on Intel architectures. However, researchers have also spotted versions for other architectures as well, including MIPS, PPC and ARM.

Researchers said while they haven’t spotted any Darlloz attacks in the wild, a large number of users who don’t even realize their devices are running Linux are at risk.

Symantec recommends users to check all their devices connected to the network and make sure they update their software.

Incoming HTTP POST requests to paths such as /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi and /cgi-bin/php4 should end up blocked.
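As an added illustration of that recommendation (example code written for this page, not Symantec's), the following scans web-server access logs for POST requests to the paths named above, so an administrator can see which sources are probing and, more importantly, which probes got a 2xx response from a device that may be unpatched. It assumes the Apache/nginx "combined" log format; the log lines are constructed.

```python
import re
from collections import Counter

# Paths Symantec listed as the worm's exploitation targets (taken from the article).
DARLLOZ_PATHS = {
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
}

# Assumption: Apache/nginx "combined" log format. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target: str) -> str:
    """Drop query string and fragment, collapse repeated slashes, lower-case.

    Without this, "//cgi-bin/PHP-CGI?x=1" would slip past an exact-match filter."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()

def is_darlloz_probe(line: str):
    """Return {ip, path, status} when the line is a POST to a watched path, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = normalize_path(m.group("target"))
    if path not in DARLLOZ_PATHS:
        return None
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status"))}

def scan_access_log(lines):
    """Count probes per source IP and keep the ones the server answered with 2xx.

    A 2xx on these paths means the CGI endpoint exists and responded, so that host
    should be checked for the May 2012 PHP fix first."""
    per_ip = Counter()
    succeeded = []
    for line in lines:
        hit = is_darlloz_probe(line)
        if hit is None:
            continue
        per_ip[hit["ip"]] += 1
        if 200 <= hit["status"] < 300:
            succeeded.append(hit)
    return {"per_ip": per_ip, "succeeded": succeeded}

# Constructed sample log lines (RFC 5737 documentation addresses, no real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2013:10:15:01 +0000] "POST /cgi-bin/php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [02/Dec/2013:10:15:03 +0000] "POST /cgi-bin/php5?a=1 HTTP/1.1" 403 221 "-" "-"',
    '198.51.100.9 - - [02/Dec/2013:10:16:10 +0000] "GET /cgi-bin/php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [02/Dec/2013:10:16:12 +0000] "POST //cgi-bin/PHP-CGI HTTP/1.0" 500 0 "-" "-"',
    '192.0.2.44 - - [02/Dec/2013:10:17:00 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    for ip, count in result["per_ip"].most_common():
        print(f"{ip}: {count} probe(s)")
    for hit in result["succeeded"]:
        print(f"ANSWERED 2xx: {hit['ip']} -> {hit['path']} (check this host)")
```

Feed it a real access log with `scan_access_log(open("access.log"))`; the GET in the sample is deliberately ignored because the worm's exploitation step is the POST.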

Thursday, February 14, 2013 @ 01:02 PM gHale

The Dorkbot/Rodpicom worm, which spreads via messaging applications and leads to additional malware infections, is currently going out on Skype and MSN Messenger.

It all starts with potential victims receiving a direct message from a contact, asking “LOL is this your new profile pic?[removed]”. Those who follow the link land on a malicious site and end up infected with the worm, according to a report on Fortinet.


Apart from being able to send out the message to further potential victims, the malware is also capable of opening a backdoor into the infected system, downloading more malicious software, spamming, reaching out to its C&C server, downloading a new version of itself, and other malicious activities. The computer ends up taken over by a botnet and is ready to do the botnet master’s bidding.

The worm waits until the victims log into the chat app they use and then sends out the messages. It is also able to change the language of the message to match the language of the installed Windows operating system, making it more believable that the message came from the user.

FortiGuard Labs researcher Raul Alvarez said the malware also has a number of evasive and obfuscation techniques aimed at hiding its existence from AV software and researchers.

Tuesday, November 27, 2012 @ 05:11 PM gHale

There is some new malware that appears to try to modify corporate databases especially in the Middle East.

While the malware is also showing up in other parts of the world, W32.Narilam, first discovered Nov. 15, follows a pattern similar to other worms by copying itself onto infected machines, adding registry keys and propagating through removable drives and network shares, said researchers at Symantec.


“What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote Symantec security researcher Shunichi Imano in a blog post.

Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast.

“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” Imano said. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”

The overall infection rate is low at the moment, but those whose networks do not have the proper protection could see business disrupted, Imano said.

“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database,” he said. “As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

Thursday, August 9, 2012 @ 03:08 PM gHale

Cyber criminals are now using the Police Virus malware as fully functioning ransomware, according to a new report.

The Police Virus is a common technique used by criminals to infect computers by masquerading as law enforcement agencies demanding money for fictional crimes, said researchers from security firm PandaLabs.


Scams like these across the globe demand money for things like copyright infringement, missed court dates and even parking tickets.

PandaLabs detected the evolution of the scam from standard scareware to ransomware in its latest quarterly threat report, which analyzed incidents from April through June 2012.

The firm went on to warn that the campaigns are continuing to evolve at a rapid pace, with criminals creating increasingly effective ways to hold users’ data to ransom and demand payment for its safe return.

“The first versions of the new Police Virus only use encrypted .doc files, and the encryption wasn’t too hard to crack, so it was possible to decrypt the files without the key,” the report said.

“Now, however, a more sophisticated encryption is being used, and the decryption key is required to unlock the files. And not only that, the files are encrypted with a different key for each infected computer, so, unless you are able to access the server that stores all keys, it is absolutely impossible to access the files.”

The evolution came alongside a boom in the number of Trojan viruses hitting the cyber street. The report revealed Trojans are now the most common form of cyber attack, accounting for 79 percent of all threats.

Worms were the second biggest threat detected, responsible for 11 percent of all attacks, the report said.

Trojans continued to prove the most effective attack method during the quarter, accounting for 76 percent of all infections, while viruses came second at eight percent.

“It is interesting to note that worms have only caused six percent of infections despite accounting for almost 11 percent of all new malware”, said Luis Corrons, technical director of PandaLabs.

“The figures corroborate what is well known: massive worm epidemics have become a thing of the past and have been replaced by an increasing avalanche of banking Trojans and specimens such as the Police Virus.”

Looking to the future, Corrons warned the scam is one of the numerous cyber crime kits currently on sale and will likely remain an ongoing problem for the foreseeable future.

“This so called Police Virus appears to be created for and distributed by a cyber criminal gang from Eastern Europe or Russia, and police forces from across Europe are working together to try and identify and arrest them,” said Corrons.

Wednesday, August 1, 2012 @ 01:08 PM gHale

Morto The Worm added file infection capability to its ability to compromise remote desktop protocol (RDP) connections by exploiting weak administrator passwords.

Microsoft warned last year that once Morto compromises a system, it connects to a remote server to download additional information and update its components. The worm also terminates processes for locally running security applications to ensure its activity continues uninterrupted.


The new Morto variant “infects .EXE files found on fixed and removable drives as well as on default RDP and Administrative shares, but avoids infecting files that contain strings like ‘windows’, ‘winnt’, ‘qq’, ‘Outlook’, ‘System Volume Information’ or ‘RECYCLER’ in their path,” said Edgardo Diaz Jr. with the Microsoft Malware Protection Center.

“Morto also leaves an infection marker, ‘PPIF’, in infected files.”

Similar to earlier memory resident viruses, Morto’s payload and infection routine executes in the context of other processes, Diaz said. To avoid multiple injections in the same process (or running multiple copies of the virus), a mutex called “Global\_PPIftSvc” ends up created, he added.

Diaz cautioned organizations to use strong passwords for administrator and user accounts and to verify passwords are not similar to the ones the malware is using to spread.

Friday, July 6, 2012 @ 02:07 PM gHale

Unauthorized printing is becoming a nuisance as a computer worm propagates by exploiting a 2010 Windows vulnerability, according to security researchers from Symantec.

Companies have reported unauthorized printing incidents in recent weeks, prompting antivirus firms to investigate the possible causes.


On June 21, Symantec reported the rogue printouts were the result of computers suffering from the Trojan program called Trojan.Milicenso.

However, researchers have since determined the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, Symantec researcher Jeet Morparia said Monday.

W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service patched in September 2010. The flaw, identified as CVE-2010-2729, was also exploited by Stuxnet.

The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer.

The worm starts by sending a print request to a targeted computer specifically crafted to exploit the CVE-2010-2729 vulnerability. If the exploitation attempt is successful, a copy of the malware drops in the Windows system directory and then executes.

However, if the user patched the system against CVE-2010-2729, a copy of the worm ends up created in the computer’s printer spool directory — %SystemRoot%\system32\spool\printers — as a randomly named .spl (Windows Printer Spool) file.

The computer interprets the creation of this file as a new print job and instructs the network printer to print the file’s contents, therefore wasting paper and toner.

Because the worm periodically retries to infect a system, the rogue printing behavior will repeat until the user cleans up all network computers, Morparia said. “Tracking down the source of these junk print jobs can be more complicated when there are multiple infections on the network.”

Fortunately, the failed infection attempts leave behind .shd files in the printer spool directory that contain details about printing jobs, including the names of computers that initiated them. Administrators can inspect SHD files with a free tool called SPLViewer after shutting down the Print Spooler service, Morparia said.

The W32.Printlove worm might link to the previously reported Trojan.Milicenso, Morparia said. “We intend to continue our investigation to confirm any relationship between the two threats.”

Tuesday, May 29, 2012 @ 05:05 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres

Over the weekend a new super worm exploded onto the cyber security landscape.

Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just like Stuxnet and Duqu did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing and — everything.

Let’s start with what Flame is. Rather than just being a typical worm, Flame appears to be a carefully crafted attack toolkit for industrial or political espionage. According to Aleks at Kaspersky Labs “it is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”


Now the first unusual thing about Flame is that it is massive. While the typical worm is 50 Kbytes in size, Flame weighs in at 20 Mbytes, nearly 400 times larger.

The reason for this large size is Flame is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks.

According to the CrySyS report on sKyWIper (aka Flame):

sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers’ functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.

Flame is a Swiss Army Knife of malware in the sense that it can intercept everything imaginable, but it is not a pile of existing malware code thrown together. It is very cleverly crafted. Like Stuxnet, it has multiple propagation vectors – USB keys, printer sharing, and domain controller rights to name a few.

Its modular architecture allows its creators to massively change functionality and behavior at any time. It also allows its operators to use a sophisticated scripting language called Lua to manage its activities. Plus its code injection techniques are pretty amazing.

Flame is no script kiddie project. It is probably not even an organized crime project. All reports from the anti-virus companies analyzing Flame indicate it was created by a well-funded professional team of developers. As Kaspersky Labs put it:

“…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”

What does Flame have to do with SCADA and ICS Security?

On the surface, very little. As currently configured, Flame is clearly an information stealer. There is no evidence that it has SCADA or ICS related modules installed at this time.

That said, Symantec and others report that Flame appears to be the same worm that the Iranian Oil Ministry reported was impacting its facilities at the Kharg Island terminal last month. Iran’s National CERT (MAHER) is also now reporting on the existence of this worm inside Iran.

What does all this mean to the average control engineer? The good news is that like Stuxnet, Flame appears to be highly targeted. Like Duqu, it steals information rather than destroying equipment. But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.

Call it “cyber warfare” or “cyber hype”, the bottom line is that the information/networked world is getting nastier by the day, and SCADA and ICS are part of that world.

Eric Byres is chief technology officer at Byres Security. The full version of this post is available on the Practical SCADA Security blog at Tofino Security.
