Posts Tagged ‘worm’

Tuesday, March 18, 2014 @ 05:03 PM gHale

A 27-year-old Moroccan man with Russian citizenship, known on the hacking scene as Diabl0, is now under arrest in Thailand on suspicion of involvement in cyber attacks against Swiss financial organizations.

Police arrested Farid Essebar after Swiss police alerted Thai authorities through the embassy in Bangkok about the hacker and three other members of his gang being in Thailand, according to a report in the Bangkok Post.

In Switzerland, Essebar stands accused of hacking into the computer systems of several banks, causing damage estimated at around $4 billion (€2.87 billion).

Police in Thailand have been tracking Diabl0 for the past two years. Apparently, they wanted to make sure he’s the man wanted by Swiss authorities before arresting him. Police said Essebar visited Thailand, Hong Kong and other neighboring countries several times in the past years.

Police Colonel Songsak Raksaksakul, chief of the International Cases and International Crime Division of the Department of Special Investigation, said Essebar never gambled and never purchased any assets in Thailand, despite visiting a number of tourist destinations.

Diabl0 was first arrested in 2005 by Moroccan authorities. He was sentenced for his involvement in the creation of Zotob, a notorious worm that infected computers, including those of organizations such as CNN, ABC News, NYT, Boeing and the US Department of Homeland Security.

He received a sentence of two years, but was released after one.

Monday, December 2, 2013 @ 04:12 PM gHale

Industrial control systems could feel the effect of a new Linux worm that exploits a PHP vulnerability. In addition to ICSes, other devices connected to the Internet, such as routers, set-top boxes and security cameras, could also fall victim.

The malware spreads by exploiting a PHP vulnerability patched back in May 2012, said researchers at Symantec. The developer used proof-of-concept code published in October to create the worm, which Symantec calls Darlloz.

“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target,” Symantec’s Kaoru Hayashi said in a blog post.

The variant analyzed by Symantec can infect only devices running on Intel architectures. However, researchers have also spotted versions for other architectures, including MIPS, PPC and ARM.

Researchers said while they haven’t spotted any Darlloz attacks in the wild, a large number of users who don’t even realize their devices are running Linux are at risk.

Symantec recommends that users check all their devices connected to the network and make sure their software is up to date.

Incoming HTTP POST requests to paths such as /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi and /cgi-bin/php4 should be blocked.
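As an added example (not part of the Symantec post or this article), the following Python script applies that recommendation to web-server access-log lines: it flags POST requests to the listed cgi-bin PHP paths, tallies them per source address, and offers a predicate a request filter could use. The combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Paths Symantec advised blocking for incoming HTTP POST requests (listed in the article).
DARLLOZ_PATHS = {
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
}

# Assumed log shape: Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: two scanners probing the CGI PHP paths, one benign client.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2013:10:15:02 +0000] "POST /cgi-bin/php?x=1 HTTP/1.1" 200 512
203.0.113.7 - - [02/Dec/2013:10:15:03 +0000] "POST /cgi-bin/php5 HTTP/1.1" 404 221
198.51.100.4 - - [02/Dec/2013:10:16:10 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [02/Dec/2013:10:17:44 +0000] "POST /cgi-bin/php-cgi HTTP/1.0" 200 512
198.51.100.4 - - [02/Dec/2013:10:18:00 +0000] "GET /cgi-bin/php HTTP/1.1" 200 300
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Separate the path from any query string so path matching is exact.
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = query
    return rec


def should_block(method, path):
    """Mirror the recommendation: block POST requests to the listed paths.

    Matching is case-insensitive on the path; the query string is ignored.
    """
    return method.upper() == "POST" and path.partition("?")[0].lower() in DARLLOZ_PATHS


def scan_log(lines):
    """Return (hits, counts): flagged (ip, path, status) tuples and a per-IP tally."""
    hits = []
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would log it separately
        if should_block(rec["method"], rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
            counts[rec["ip"]] += 1
    return hits, dict(counts)


if __name__ == "__main__":
    found, per_ip = scan_log(SAMPLE_LOG.splitlines())
    for ip, path, status in found:
        print(f"probe from {ip}: POST {path} -> {status}")
    for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} probe(s); candidate for blocking at the edge")
```

A GET to the same path is not flagged, matching the article's wording that the worm sends POST requests; a 404 is still flagged because the probe itself is the signal, not its success.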

Thursday, February 14, 2013 @ 01:02 PM gHale

The Dorkbot/Rodpicom worm, which spreads via messaging applications and leads to additional malware infections, is currently going out on Skype and MSN Messenger.

It all starts with potential victims receiving a direct message from a contact, asking “LOL is this your new profile pic?[removed]”. Those who follow the link land on a malicious site and end up infected with the worm, according to a report on Fortinet.

Apart from being able to send out the message to further potential victims, the malware is also capable of opening a backdoor into the infected system, downloading more malicious software, spamming, reaching out to its C&C server, downloading a new version of itself, and other malicious activities. The computer ends up taken over by a botnet and is ready to do the botnet master’s bidding.

The worm waits until the victim logs into the chat application and then sends out the messages. It is also capable of changing the language of the message to match the language of the installed Windows operating system, making it more believable that the message came from the user.

FortiGuard Labs researcher Raul Alvarez said the malware also has a number of evasive and obfuscation techniques aimed at hiding its existence from AV software and researchers.

Tuesday, November 27, 2012 @ 05:11 PM gHale

New malware appears to be modifying corporate databases, especially in the Middle East.

While the malware is also showing up in other parts of the world, W32.Narilam, first discovered Nov. 15, follows the pattern of other worms by copying itself onto infected machines, adding registry keys and propagating through removable drives and network shares, said researchers at Symantec.

“What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote Symantec security researcher Shunichi Imano in a blog post.

Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast.

“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” Imano said. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”

The overall infection rate is low at the moment, but those whose networks do not have the proper protection could see business disrupted, Imano said.

“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database,” he said. “As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

Thursday, August 9, 2012 @ 03:08 PM gHale

Cyber criminals are now using the Police Virus malware as fully functioning ransomware, according to a new report.

The Police Virus is a common technique used by criminals to infect computers by masquerading as law enforcement agencies demanding money for fictional crimes, said researchers from security firm PandaLabs.

Scams like these across the globe demand money for things like copyright infringement, missed court dates and even parking tickets.

PandaLabs detected the evolution of the scam from standard scareware to ransomware in its latest quarterly threat report, which analyzed incidents from April through June 2012.

The firm went on to warn that the campaigns are continuing to evolve at a rapid pace, with criminals creating increasingly effective ways to hold users’ data to ransom and demand payment for its safe return.

“The first versions of the new Police Virus only use encrypted .doc files, and the encryption wasn’t too hard to crack, so it was possible to decrypt the files without the key,” the report said.

“Now, however, a more sophisticated encryption is being used, and the decryption key is required to unlock the files. And not only that, the files are encrypted with a different key for each infected computer, so, unless you are able to access the server that stores all keys, it is absolutely impossible to access the files.”

The evolution came alongside a boom in the number of Trojan viruses hitting the cyber street. The report revealed Trojans are now the most common form of cyber attack, accounting for 79 percent of all threats.

Worms were the second biggest threat detected, responsible for 11 percent of all attacks, the report said.

Trojans continued to prove the most effective attack method during the quarter, accounting for 76 percent of all infections, while viruses came second at eight percent.

“It is interesting to note that worms have only caused six percent of infections despite accounting for almost 11 percent of all new malware”, said Luis Corrons, technical director of PandaLabs.

“The figures corroborate what is well known: massive worm epidemics have become a thing of the past and have been replaced by an increasing avalanche of banking Trojans and specimens such as the Police Virus.”

Looking to the future Corrons warned the scam is one of the numerous cyber crime kits currently on sale and will likely remain an ongoing problem in the foreseeable future.

“This so called Police Virus appears to be created for and distributed by a cyber criminal gang from Eastern Europe or Russia, and police forces from across Europe are working together to try and identify and arrest them,” said Corrons.

Wednesday, August 1, 2012 @ 01:08 PM gHale

The Morto worm has added file infection capability to its ability to compromise remote desktop protocol (RDP) connections by exploiting weak administrator passwords.

Microsoft warned last year that once Morto compromises a system, it connects to a remote server to download additional information and update its components. The worm also terminates processes for locally running security applications to ensure its activity continues uninterrupted.

The new Morto variant “infects .EXE files found on fixed and removable drives as well as on default RDP and Administrative shares, but avoids infecting files that contain strings like ‘windows’, ‘winnt’, ‘qq’, ‘Outlook’, ‘System Volume Information’ or ‘RECYCLER’ in their path,” said Edgardo Diaz Jr. with the Microsoft Malware Protection Center.

“Morto also leaves an infection marker, ‘PPIF’, in infected files.”

Similar to earlier memory-resident viruses, Morto’s payload and infection routine execute in the context of other processes, Diaz said. To avoid multiple injections into the same process (or running multiple copies of the virus), a mutex called “Global\_PPIftSvc” is created, he added.

Diaz cautioned organizations to use strong passwords for administrator and user accounts and to verify passwords are not similar to the ones the malware is using to spread.

Friday, July 6, 2012 @ 02:07 PM gHale

Unauthorized printing is becoming a nuisance as a computer worm propagates by exploiting a 2010 Windows vulnerability, according to security researchers from Symantec.

Companies have reported unauthorized printing incidents in recent weeks, prompting antivirus firms to investigate the possible causes.

On June 21, Symantec reported the rogue printouts were the result of computers infected with a Trojan program called Trojan.Milicenso.

However, researchers have since determined the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, Symantec researcher Jeet Morparia said Monday.

W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service that was patched in September 2010. The vulnerability, identified as CVE-2010-2729, was also exploited by Stuxnet.

The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer.

The worm starts by sending a print request, specifically crafted to exploit CVE-2010-2729, to a targeted computer. If the exploitation attempt is successful, a copy of the malware is dropped in the Windows system directory and then executed.

However, if the system has been patched against CVE-2010-2729, a copy of the worm is instead created in the computer’s printer spool directory — %SystemRoot%\system32\spool\printers — as a randomly named .spl (Windows Printer Spool) file.

The computer interprets the creation of this file as a new print job and instructs the network printer to print the file’s contents, therefore wasting paper and toner.

Because the worm periodically retries infecting a system, the rogue printing will repeat until all infected computers on the network are cleaned, Morparia said. “Tracking down the source of these junk print jobs can be more complicated when there are multiple infections on the network.”

Fortunately, the failed infection attempts leave behind .shd files in the printer spool directory that contain details about the print jobs, including the names of the computers that initiated them. Administrators can inspect .shd files with a free tool called SPLViewer after shutting down the Print Spooler service, Morparia said.

The W32.Printlove worm might link to the previously reported Trojan.Milicenso, Morparia said. “We intend to continue our investigation to confirm any relationship between the two threats.”

Tuesday, May 29, 2012 @ 05:05 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
Over the weekend a new super worm exploded onto the cyber security landscape.

Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just like Stuxnet and Duqu did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing and — everything.

Let’s start with what Flame is. Rather than just being a typical worm, Flame appears to be a carefully crafted attack toolkit for industrial or political espionage. According to Aleks at Kaspersky Labs “it is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”

Now the first unusual thing about Flame is that it is massive. While the typical worm is 50 Kbytes in size, Flame weighs in at 20 Mbytes, nearly 400 times larger.

The reason for this large size is Flame is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks.

According to the CrySyS report on sKyWIper (aka Flame):

sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers’ functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.

Flame is a Swiss Army Knife of malware in the sense that it can intercept everything imaginable, but it is not a pile of existing malware code thrown together. It is very cleverly crafted. Like Stuxnet, it has multiple propagation vectors – USB keys, printer sharing, and domain controller rights to name a few.

Its modular architecture allows its creators to massively change functionality and behavior at any time. It also allows its operators to use a sophisticated scripting language called Lua to manage its activities. Plus its code injection techniques are pretty amazing.

Flame is no script kiddy project. It is probably not even an organized crime project. All reports from the anti-virus companies analyzing Flame indicate it was created by a well funded professional team of developers. As Kaspersky Labs put it:

“…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”

What does Flame have to do with SCADA and ICS Security?

On the surface, very little. As currently configured, Flame is clearly an information stealer. There is no evidence that it has SCADA or ICS related modules installed at this time.

That said, Symantec and others report that Flame appears to be the same worm that the Iranian Oil Ministry reported was impacting its facilities at the Kharg Island terminal last month. Iran’s National CERT (MAHER) is also now reporting on the existence of this worm inside Iran.

What does all this mean to the average control engineer? The good news is that like Stuxnet, Flame appears to be highly targeted. Like Duqu, it steals information rather than destroying equipment. But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.

Call it “cyber warfare” or “cyber hype”, the bottom line is that the information/networked world is getting nastier by the day and SCADA and ICS is part of that world.

Eric Byres is chief technology officer at Byres Security. The full version of this post is available on the Practical SCADA Security blog.

Tuesday, May 29, 2012 @ 12:05 PM gHale

By Gregory Hale
A powerful computer virus with data-snatching capabilities is not only hitting machines in Iran, but elsewhere in the Middle East, and is “20 times larger than Stuxnet.”

The origin of the new spyware virus, called “Flame,” is not yet known, said researchers from Kaspersky Lab, who found the virus. Some reports say it could be coming from Israel, while others say Flame is a program that originated in Brazil; meanwhile, systems in the Middle East continue to fall victim to the data-capturing virus.

This virus comes on the heels of an ISSSource report that in the event of war with Iran, Israel will deploy a vast array of high tech weapons that would “take out” Iran’s air defense systems by rendering them deaf, dumb and blind, and then insert and activate a new version of the Stuxnet virus to destroy its command centers, said serving and former U.S. intelligence officials.

While it is too early to tell whether this latest virus is Israel invoking its cyber battle plan, the program also called for the destruction of all of Tehran’s communication and network surveillance, including its electrical plants, radar sites and command centers, said officials who requested anonymity because of their close proximity to ongoing investigations.

Israel’s multi-billion dollar program, developed with U.S. assistance, would include other high value targets such as Iran’s electric grid, its Internet, cell phone network, and even emergency frequencies for firefighters and police officers, these sources said.

Israel has already prepared measures to take down Iran’s electric grid, drawing up a list of more than two dozen sites.

“The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” Kaspersky said in a release.

“The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now,” said Eugene Kaspersky, chief executive and co-founder of Kaspersky Lab. “Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

Flame came into being, Kaspersky Lab believes, no earlier than 2010, but it is still under active development. “Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created or changed in 2011 and 2012,” Kaspersky Lab’s Alexander Gostev said in a blog post.

The virus eluded detection because of its “extreme complexity” and the fact the virus is targeting only selected computers. Flame’s primary purpose, Kaspersky said, “appears to be cyber espionage, by stealing information from infected machines” and sending it to servers across the world.

“In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu. Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. There are, however, some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project — such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors,” Gostev said.

“It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master,” Gostev said.

“Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on,” Gostev said. “All this data is available to the operators through the link to Flame’s command-and-control servers.”

“Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.”

The virus collected information in Iran, Israel and the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt, Kaspersky researchers said. Iran was the country hit the most.

A unit of the Iranian communications and information technology ministry said it has produced an antivirus capable of identifying and removing the new malware. The Flame virus is the fourth known cyber attack on Iranian computer systems.

Israel’s vice premier did little to deflect suspicion about possible Israeli involvement in the latest attack.

“Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” Vice Premier Moshe Yaalon said. “Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us.”

As ISSSource reported, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.

The Stuxnet scenario was possible, as ISSSource learned, because an Israeli proxy, an Iranian who used a corrupt “memory stick,” implanted the virus that damaged Iran’s nuclear program, former and serving U.S. intelligence officials said.

In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran’s nuclear scientists, these sources said.

These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “‘Iranian double agents’ would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi, said an unspecified number of “nuclear spies” were arrested in connection with the Stuxnet virus.

Former and senior U.S. officials believe the nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to carry out targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of counterterrorism at the CIA. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.

Israel, like the West, rejects Tehran’s statements that its nuclear program exists only to produce energy. Israel considers Iran the greatest threat to its survival and has repeatedly threatened to attack Iran’s nuclear facilities if Tehran doesn’t abandon its uranium enrichment project, a key element of bomb making.

Because Flame is so complex and not designed to hack into bank accounts and doesn’t have the hallmarks of amateur hackers, Kaspersky concluded the research that went into the code was government-sponsored.

The code offers no information that can tie Flame to any specific country, Kaspersky Lab researchers said.

Iran claims Stuxnet and other computer viruses have done no serious harm to Iran’s nuclear or industrial facilities, and sees them as part of a campaign by Israel, the U.S. and their allies, which includes the assassination of Iranian nuclear scientists, to undermine the Iranian nuclear program.

Monday, May 21, 2012 @ 04:05 PM gHale

While spam message volume is declining, the level of maliciousness continues to ratchet upward in attachments, a new study said.

The number of malware-driven attachments in January this year rose four percent from the same period of last year, even as the overall number of spam messages sent dropped by more than 16 percent in the first quarter of 2012 from the last quarter of 2011, Bitdefender research showed. Of the 264.6 billion spam messages sent daily, 1.14 percent carry attachments — about 300 million of which are malicious.

After increasing in January, the growth of malicious attachments leveled off amid an apparent pause in spam campaigns even though spam continued to fall overall. Attachments may come in the form of phishing forms that trick users into typing in credit card credentials for scammers to use whenever they want. Or they may pack malware such as Trojans, worms and viruses that can cause trouble.

As this type of attachment has become a growing concern around the web, Bitdefender discovered the top malware that ends up in users’ inboxes.

MyDoom, a mass-mailing worm first discovered in 2008, continues to be among the most persistent pieces of malware to reach users’ inboxes. The worm sends itself to all email addresses found on the infected system, using a variety of senders, subject lines and body text samples.

The second most widely spread malicious attachment is a generic JavaScript downloader: obfuscated JavaScript embedded in an HTML attachment. When the user opens the attached HTML file, the obfuscated script executes and injects an iframe into the same page. The iframe loads malicious content from third-party servers, which results in system compromise.

The third ranked malicious attachment is Netsky — a mass mailer like MyDoom that, apart from sending itself to all email addresses found on the compromised system, also spreads via FTP, P2P or shared files. The crafty subject tags range from accusations and error messages to love declarations or money transactions, and include celebrity names to make them more appealing to the victim. If the user opens the attachment, the worm displays a message (made to look as though coming from the locally installed AV solution) saying that no virus is on the system.

In fourth place is Mytob — a worm known to prevent users from connecting to a multitude of security solutions vendors’ sites while opening a backdoor to allow access to ill-intentioned remote intruders. This way the system is open to any sort of malicious exploitation.

The Bagle worm comes in fifth, as a mass mailer gathering addresses and sending itself to all email addresses it stumbles upon on the compromised system. It also downloads further addresses from an embedded list of online locations. To pass undetected it terminates processes mostly related to locally installed anti-virus solutions. It then downloads and executes files from numerous dubious websites.
