June 14, 2021

Microsoft Malware Protection Engine can be disabled via a specially crafted file

(LiveHacking.Com) – Microsoft has released a security advisory about a denial of service vulnerability in its Malware Protection Engine. According to Microsoft, if the Malware Protection Engine scans a specially crafted file it can enter a denial of service condition. This means that an attacker who manages to exploit the vulnerability could stop the Microsoft Malware Protection Engine from monitoring the filesystem until the specially crafted file is manually deleted and the service is restarted. During this time the PC is susceptible to infection by other malware.

To exploit the vulnerability an attacker would need to place a specially crafted file on the target PC. This could be achieved in one of several different ways including via a website, via email message, or in an Instant Messenger message. If the affected anti-malware software has real-time protection turned on (which is the default), then the Microsoft Malware Protection Engine will scan the file automatically, leading to exploitation of the vulnerability.

The Malware Protection Engine is used by a variety of Microsoft products including Microsoft Security Essentials and Windows Defender. Microsoft has rated the vulnerability as “Important,” but not “Critical.”

Microsoft has fixed the vulnerability and the engine will be updated automatically when your PC next updates its malware definitions. Because the fix is part of the “normal” malware updates, Microsoft won’t be issuing a Security Bulletin about the problem, nor will it feature in a future Patch Tuesday. Microsoft estimates that the built-in update mechanisms will apply the fix within 48 hours of release; however, the exact time frame depends on the software used, the Internet connection and the infrastructure configuration.

GameOver Zeus botnet disrupted by FBI, Microsoft and multi-national agencies

(LiveHacking.Com) – A multi-national team of security experts and law enforcement agencies, including the U.S. Department of Justice, the FBI, Europol and the UK’s National Cyber Crime Unit, has successfully disrupted the GameOver Zeus botnet. The malware, a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing trojans, is thought to be responsible for the theft of millions of dollars from businesses and consumers around the world.

Also known as P2P Zeus or GO Zeus, the malware uses a decentralized network of compromised PCs and web servers for command-and-control. Its peer-to-peer nature meant that command instructions could come from any of the infected computers, which made the take-down of the botnet more difficult.

The FBI took down portions of the command-and-control infrastructure by seizing domain names used by the malware. Microsoft helped the FBI by providing an analysis of the P2P network and by developing a cleaning solution. According to Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.”

GameOver Zeus is primarily used by cybercriminals to harvest banking information including login credentials. Once a PC is infected it can be used by the cybercriminals to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The malware has also been linked to the CryptoLocker ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files.

Andy Archibald, a Deputy Director at the UK’s National Crime Agency (NCA), said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.” Mr Archibald continues: “Those committing cybercrime impacting the UK are often highly-skilled and operating from abroad. The NCA and its partners are alive to the threat, and pursuing new and collaborative ways to tackle and disrupt the perpetrators.”

At the same time as the botnet was being disrupted, a federal grand jury in Pittsburgh unsealed a 14-count indictment against the GameOver Zeus ringleader. Evgeniy Mikhailovich Bogachev, of Anapa, Russian Federation, is charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering. In a separate civil injunction, Bogachev was identified as the ringleader of the gang responsible for the development and operation of the CryptoLocker scheme.

Kaspersky unveils The Mask, a 5 year cyber-espionage operation

Kaspersky Lab has revealed details of Careto/The Mask, a complex advanced persistent threat (APT) that has been running since 2007. The Mask is highly complex and uses a sophisticated set of tools, including malware, rootkits and bootkits, to infect Windows, OS X and Linux machines.

Kaspersky first noticed The Mask when it observed attempts by the malware to hide itself from Kaspersky Lab products by exploiting vulnerabilities in those programs. Those vulnerabilities were fixed five years ago and Kaspersky has been researching this operation since then. Kaspersky rates The Mask higher than Duqu in terms of sophistication, and it is possible that the operation was state sponsored.

The main targets of The Mask fall into the following categories:

  • Government institutions
  • Diplomatic offices and embassies
  • Energy, oil and gas companies
  • Research institutions
  • Private equity firms
  • Activists

The United Kingdom, Spain and France were among the top five infected countries, with Morocco the most targeted: over 380 IP addresses there were found in Mask-related traffic.

Once a machine is infected, The Mask intercepts all communication channels and starts stealing data, including encryption keys, VPN configurations, SSH keys and RDP files. It may also steal data related to custom military/government-level encryption tools.

“Detection is extremely difficult because of its stealth rootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high,” wrote members of the Global Research & Analysis Team (GReAT) at Kaspersky Lab.

Among the exploits used by The Mask is an Adobe Flash Player vulnerability which was discovered by VUPEN and used to win the CanSecWest Pwn2Own contest in 2012. The exploit, which included a technique for escaping Google Chrome’s sandbox, was sold to VUPEN’s customers and not disclosed publicly. It is possible that the group behind The Mask purchased the exploit from VUPEN.

At the moment the command and control servers used by The Mask are offline. The attackers began taking them offline in January 2014, but it is possible that they could resurrect the campaign at some point in the future. The high degree of professionalism on the part of those running The Mask, including the orderly way it was shut down and the use of secure wiping rather than simple deletion for log files, is another reason to believe that the operation was state sponsored.

New digitally signed malware targets Mac users

A new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is classified as a bot, is being used in an “undelivered courier item” email campaign that tries to trick users into downloading the malware when they try to view the details of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website such as FedEx or DHL), which then proceeds to download a file. If the malicious website detects that the web browser is running on Windows, then a piece of Windows malware called Mal/VBCheMan-C is downloaded.

However, for Mac users a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app has intentionally been given the PDF icon to trick users into thinking it is a PDF document; when it is double-clicked it installs the malware. Because the application is digitally signed, OS X won’t produce a warning about the application coming from an unidentified developer, but will only warn the user that it has been downloaded from the Internet. Although the warning does actually say “application” rather than “document”, the dialog offers the user just two choices, Cancel or Open. Apple’s use of the word Open rather than Run can leave the user with the impression that they are opening a document.

According to Sophos, OSX/LaoShu-A is a bot and takes commands from a C&C server; however, its main function appears to be data stealing, as it will search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and try to upload them to the C&C server. It can also download new program files and execute shell commands, which means it will basically be able to do whatever the attackers tell it to do.
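As an added example (not code from the article or from Sophos), the following Python script shows what a mail gateway or download scanner can do with the trick described above: list the Mac application bundles hiding inside a zip and report, from each bundle’s Info.plist, which binary runs and which icon it shows. The archive contents, the bundle name “Scanned Documents.app”, the executable name and the icon file are constructed for the example; CFBundleExecutable and CFBundleIconFile are the standard Info.plist keys.

```python
"""Spot a Mac application bundle hiding inside a downloaded zip.

Added example, not from the original article or Sophos. A .app bundle is
only a directory, so inside a zip it shows up as members whose path passes
through "<Name>.app/". The check lists every bundle in an archive and reads
its Info.plist to report which binary runs and which icon it displays.
"""
from __future__ import annotations

import io
import plistlib
import zipfile


def find_app_bundles(blob: bytes) -> list[dict]:
    """List every application bundle in a zip, with its executable and icon from Info.plist."""
    bundles: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        for name in names:
            parts = name.split("/")
            for depth, part in enumerate(parts):
                if part.endswith(".app"):
                    root = "/".join(parts[: depth + 1])
                    bundles.setdefault(root, {"bundle": root, "has_macos_binary": False,
                                              "executable": None, "icon": None})
                    break
        for root, record in bundles.items():
            # A runnable bundle carries its Mach-O binary under Contents/MacOS/.
            prefix = root + "/Contents/MacOS/"
            record["has_macos_binary"] = any(n.startswith(prefix) and not n.endswith("/") for n in names)
            plist_name = root + "/Contents/Info.plist"
            if plist_name in names:
                info = plistlib.loads(zf.read(plist_name))
                record["executable"] = info.get("CFBundleExecutable")
                record["icon"] = info.get("CFBundleIconFile")
    return list(bundles.values())


def document_download_findings(blob: bytes) -> list[str]:
    """Findings for an archive that was supposed to contain documents.

    Any runnable bundle is a finding: a document download has no business
    carrying an application, whatever icon it wears or who signed it.
    """
    findings = []
    for b in find_app_bundles(blob):
        if b["has_macos_binary"]:
            findings.append(f"{b['bundle']}: application bundle, runs '{b['executable']}', icon '{b['icon']}'")
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test data: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not the real LaoShu-A dropper). The lure archive holds a
# bundle whose Info.plist points at a PDF-style icon; the benign one holds a PDF.
LURE_PLIST = plistlib.dumps({
    "CFBundleExecutable": "scan",
    "CFBundleIconFile": "pdf.icns",
    "CFBundlePackageType": "APPL",
})
LURE_ZIP = build_zip({
    "Scanned Documents.app/Contents/Info.plist": LURE_PLIST,
    "Scanned Documents.app/Contents/MacOS/scan": b"\xcf\xfa\xed\xfe" + b"\x00" * 16,  # 64-bit Mach-O magic
    "Scanned Documents.app/Contents/Resources/pdf.icns": b"icns" + b"\x00" * 8,
})
BENIGN_ZIP = build_zip({"Scanned Documents/invoice.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, document_download_findings(blob) or ["no application bundle"])
```

The decision rule is deliberately blunt: the code signature and the icon are exactly the properties the attacker controls, so a download that is supposed to be a document is flagged as soon as it contains anything with a binary under Contents/MacOS/. The same check works on an archive OS X has already expanded by walking the directory tree instead of the zip listing.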

In conclusion, don’t click on random links in unsolicited emails, especially those with tempting bait like the undelivered courier item emails.

Microsoft stopping support for its anti-malware scanner on XP in 3 months time

The bell has been tolling for Windows XP for a long time, and even though Microsoft has given its 2001 operating system the occasional reprieve it looks like Redmond is set on ridding itself of arguably its most popular OS. As well as mainstream support, including security updates, ending on April 8th 2014, Microsoft will also stop supporting its anti-malware scanner, Security Essentials.

Microsoft Security Essentials helps guard against viruses, spyware and other malicious software, with new definition files and updates provided on a regular basis by Microsoft itself. At the moment the minimum requirement for the malware scanner is Windows XP Service Pack 3; however, according to Microsoft’s end-of-support page for XP, Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP after April 8th.

According to the latest data from NetMarketShare, Windows XP is still running on 29 percent of PCs that access the Internet. That is a staggeringly large number of PCs and makes XP Microsoft’s second most popular operating system in use today. More PCs run XP than Windows Vista and Windows 8/8.1 put together. Only Windows 7 is more popular than XP, with some 47 percent of PCs using it.

But despite its popularity Microsoft is pulling the plug in less than 90 days. Microsoft itself acknowledges that continuing to use Windows XP after support ends will make your PC “more vulnerable to security risks and viruses.”

What makes this even more concerning is that XP is still very much under attack from cyber criminals and hackers. Only last month Microsoft issued a warning about a zero-day vulnerability in XP that allows attackers to gain elevated privileges. Once attackers have system-level privileges they can install programs; view, change or delete data; or create new accounts with full administrative rights. December’s security updates from Microsoft contained several patches, some Critical, for Windows, and only one of those patches didn’t apply to Windows XP. Extrapolating from this, the Windows security bulletins released after April will most likely also affect XP, but that OS will be left unpatched. Each bulletin will therefore hand cyber criminals a wealth of clues for building new exploits, in the knowledge that XP won’t be patched.

By removing support for Security Essentials it seems that Microsoft is sending a strong message to XP users that now is the time to upgrade.

NSA deliberately infected 50,000 computer networks with malware

According to documents provided by former NSA employee Edward Snowden, the US National Security Agency (NSA) infected 50,000 networks with malware designed to steal sensitive information. The revelations come from the Dutch newspaper NRC, which says it has seen the documents first hand.

A top secret presentation given in 2012 showed how the NSA had hacked over 50,000 networks using malware, an activity the NSA calls ‘Computer Network Exploitation’ (CNE). It is thought that the infiltration discovered earlier this year at the Belgian telecom provider Belgacom is an example of the NSA’s infiltration techniques, in that case, according to NRC, carried out in conjunction with GCHQ. The malware infected Belgacom’s computers by luring employees to a fake LinkedIn page.

This hacking work is carried out by a special department in the NSA called TAO (Tailored Access Operations), which is said to employ more than a thousand hackers. By 2008 TAO had access to over 20,000 networks, and the program has since expanded to include up to 50,000 networks around the world, including some in Rome, Berlin, Pristina, Kinshasa and Rangoon.

The installed malware took its instructions from a command and control server and could be turned on and off at will. The malware, known as ‘implants’, can be put into a sleeper mode and activated when needed. “The NSA-presentation shows their CNE-operations in countries such as Venezuela and Brazil. The malware installed in these countries can remain active for years without being detected,” wrote Floor Boon, Steven Derix and Huib Modderkolk of NRC.

According to the NSA’s careers website the organization carries out three types of Computer Network Operations:

  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

The presentation also revealed that along with CNE missions the NSA has access to large Internet cables at 20 different locations; runs over 80 regional Special Collection Service (SCS) installations that are part of a joint CIA-NSA program; and maintains liaison with 30 third-party countries outside the Five Eyes partnership of the United States, Australia, Canada, the U.K. and New Zealand.

Microsoft releases warning as hackers attack vulnerability in Vista and Office

Microsoft has released Security Advisory 2896666 about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync that is being exploited in the wild, in attacks targeting PC users mainly in the Middle East and South Asia.

The attack uses an email with a specially crafted Word attachment. If the user opens the attachment it will try to exploit the vulnerability via a malformed image embedded in the document. If successful, the attackers gain the same user rights as the logged-on user.

According to Microsoft, the remote code execution vulnerability exists because of bugs in the code which handles malformed TIFF images. Among Windows releases only Windows Vista and Windows Server 2008 are affected, and the current versions of Microsoft Office are not vulnerable.

The current attacks use the Word document attached to the email as a container for the specially crafted TIFF file. However, Microsoft says that attackers could also exploit the issue via a web-based attack. “An attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website,” it said.
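As an added example (not part of the advisory or the article), the Python below does the detection that the paragraph above implies: it looks for a TIFF image carried inside a Word attachment. For OOXML (.docx) files it reads the first bytes of each zip member, so a TIFF renamed to .png is still caught; for legacy binary .doc files it searches the raw bytes for a TIFF header. The sample documents, file names and the minimal OOXML layout are constructed for the example and contain no exploit; the TIFF magic bytes (“II*\0” and “MM\0*”) are the standard ones.

```python
"""Flag Word attachments that carry an embedded TIFF image.

Added example, not from the original article or Microsoft's advisory. It
inspects an attachment for the ingredient the advisory describes: a TIFF
image carried inside the document. A hit is not proof of an exploit, only a
reason to quarantine and inspect.
"""
from __future__ import annotations

import io
import zipfile

# A TIFF file begins with a byte-order mark followed by the magic number 42:
# "II" + 0x002A little-endian, or "MM" + 0x002A big-endian.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")


def is_tiff(head: bytes) -> bool:
    """True if the first four bytes are a TIFF header."""
    return head[:4] in TIFF_MAGIC


def tiff_members_in_ooxml(blob: bytes) -> list[str]:
    """Names of zip members in an OOXML (.docx) container whose contents start with a TIFF header.

    The check is on content, not extension: an attacker can name the embedded
    image anything they like under word/media/.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if is_tiff(head):
                hits.append(info.filename)
    return hits


def tiff_offsets_in_blob(blob: bytes) -> list[int]:
    """Byte offsets of TIFF headers anywhere in a non-zip blob (legacy binary .doc, RTF, ...)."""
    offsets = []
    for magic in TIFF_MAGIC:
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            offsets.append(idx)
            start = idx + 1
    return sorted(offsets)


def scan_attachment(name: str, blob: bytes) -> dict:
    """Classify one attachment: which container it is and where TIFF data was found."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        hits = tiff_members_in_ooxml(blob)
        return {"name": name, "container": "ooxml", "tiff": hits, "suspicious": bool(hits)}
    offsets = tiff_offsets_in_blob(blob)
    return {"name": name, "container": "binary", "tiff": offsets, "suspicious": bool(offsets)}


def build_docx(media: dict[str, bytes]) -> bytes:
    """Constructed test data: a minimal OOXML-shaped zip with the given word/media members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for filename, data in media.items():
            zf.writestr("word/media/" + filename, data)
    return buf.getvalue()


# Constructed samples (no exploit content): a benign .docx with a PNG, a .docx
# carrying a TIFF under a misleading .png name, and a legacy binary .doc (OLE2
# signature) with a big-endian TIFF header embedded at offset 40.
BENIGN_DOCX = build_docx({"image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16})
TIFF_DOCX = build_docx({"image1.png": b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16})
LEGACY_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
              + b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 8)

if __name__ == "__main__":
    for name, blob in (("quarterly.docx", BENIGN_DOCX), ("invoice.docx", TIFF_DOCX), ("memo.doc", LEGACY_DOC)):
        print(scan_attachment(name, blob))
```

Note what the check does and does not tell you: it says a document carries TIFF data, not that the TIFF is malformed, so it belongs in front of a quarantine queue rather than as a block rule on its own. Legitimate documents rarely embed TIFF images, which is what makes the signal usable at a mail gateway.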

While Microsoft works to fix the vulnerability and release a security update, it recommends the following actions:

  • Apply the Microsoft Fix it solution “Disable the TIFF Codec”, which prevents exploitation of the issue. See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable this workaround.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET). This will help prevent exploitation by providing mitigations that protect against the issue and should not affect the usability of any programs. An easy guide to EMET installation and configuration is available in KB2458544.

Cybercriminals looking to target SAP users

Fresh warnings have been issued by RSA Europe and ERPScan following the discovery of a modified banking Trojan that now also searches for SAP client applications on infected systems. Recently a new variant of the Trojan.ibank malware was found by researchers at Dr.Web, who passed the information on to ERPScan, a company that develops security monitoring products for SAP systems.

RSA Europe also issued a warning about the new malware variant, suggesting that its existence could mean a new wave of SAP-based attacks is coming. The malware was discussed by Alexander Polyakov, co-founder and CTO of ERPScan, at the RSA Europe security conference in Amsterdam, which hosted sessions on the dangers of SAP and ERP vulnerabilities.

According to Polyakov, one likely way the attackers could use the new malware is to gather information that could then be sold on the black market. An alternative scenario is that the attackers wait until a larger number of systems are infected and then start to steal sensitive information via specially crafted malicious SAP modules, which the Trojan downloads from a command and control server.

“There are dozens of ways to steal those passwords and use them,” said Polyakov to Dark Reading. “It is possible to connect to SAP Server and do any kind of fraud in the system or simply steal critical information such as client lists or employees’ personal information. We decided to warn people and SAP’s Security response team with whom we closely work before this can happen.”

Once the malware has found a SAP client there are many ways to steal information, including from configuration files that contain the IP addresses of the SAP servers. There is also the possibility of sniffing for passwords. Once on the servers, the cyber-criminals can perform all manner of malicious activities, including theft and fraud via false transactions.

Tor users exposed due to vulnerability in Firefox 17

Users of the popular Tor anonymity tool have been exposed to malware that can reveal the user’s IP address. According to an announcement made on a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability, and this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable, it appears that the malware exploiting the bug targets only Windows users. The vulnerability allows arbitrary code execution, and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrading to the latest version of the Tor Browser Bundle, which contains a fixed version of Firefox, the email suggested that “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of the Tor users is possibly linked to the FBI: on Friday a vast number of “hidden services” disappeared from Tor, and a man in Ireland was arrested on a warrant issued by the FBI in connection with child pornography charges involving the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers, since it allows them to use the web anonymously and avoid various surveillance and censorship techniques.

Four-star General under investigation for leaking details of Stuxnet attack

(LiveHacking.Com) – New reports suggest that the FBI has started a new investigation into the public leak about the Stuxnet worm. According to NBC, a retired four-star US Marine general, who had a close relationship with President Barack Obama, is under investigation for leaking details of the cyber-attack.

Gen. James Cartwright, the former vice chairman of the Joint Chiefs of Staff, has been told he is under investigation for allegedly disclosing details of the USA’s cyber-attack on Iran’s nuclear facilities. The original FBI investigation looked into possible White House sources; now the agency has turned its investigation towards possible military leaks, including Cartwright.

When the worm first escaped the confines of Iran’s Natanz plant and started infecting computers across the globe, the origin and purpose of the malware was unclear. Over time more and more details of the worm’s activity were analysed and finally, thanks to an internal leak in the US Government, it was confirmed (though never officially acknowledged) that the National Security Agency had developed Stuxnet in tandem with the Israelis.

According to the New York Times report of 1 June, 2012, Stuxnet was created under a project known as “Operation Olympic Games” as part of an American and Israeli effort to undermine Iran’s nuclear program.

Stuxnet was designed to destroy the centrifuges used in Iran’s uranium enrichment program and targeted the Siemens supervisory control and data acquisition (SCADA) systems that controlled the industrial processes at the Natanz enrichment facility.

Chevron claimed it too had trouble with Stuxnet once it had gone global, as it also uses SCADA-based systems. However, Chevron says none of its equipment was damaged.

There are likely to be other cases of Stuxnet infections in industrial plants across the U.S. and mainland Europe that have gone unreported for reasons of security or to avoid embarrassment.