April 21, 2014

Imperva says anti-virus spend not proportional to effectiveness

(LiveHacking.Com) – The business security firm Imperva has conducted a study together with students from The Technion – Israeli Institute of Technology into the effectiveness of anti-virus products and come up with some startling numbers. According to the report, only 5% of new viruses are detected with the existing techniques used by anti-virus products. In time the anti-virus vendors do update their signature databases but, put simply, the majority of anti-virus products can’t keep up with the rate of virus creation and propagation.

What this means is that if the detection of new, previously unknown viruses is used as the measure of success, then consumers and businesses are spending a total of $7.4 billion a year on anti-virus products that don’t work. A lot of this spend comes from enterprises attempting to adhere to some compliance standard. Imperva suggests that relaxing anti-virus compliance standards could free money which could be spent on other security software.

“One reason why security budgets devote too much money to antivirus is compliance. Easing the need for AV could free up money for more effective security measures,” wrote Imperva in the report.

Imperva recommends that existing anti-virus software should remain in place, but that security teams should devote more resources to identifying aberrant behavior such as unusually fast access speeds or large volumes of downloads.

The report also noted that the best way for a piece of malware to have long-term success was to shun popularity. Antivirus products are much better at detecting malware that spreads quickly, as such malware appears quickly on the radar of the anti-virus companies. However malware which has a limited distribution (such as government-sponsored attacks) usually has a prolonged window of opportunity.

Has Iran been fighting off a fresh Stuxnet attack?

(LiveHacking.Com) – There is some confusion about recent malware activity in Iran. A story broke in the last few days saying that a power plant and other industries in southern Iran have been targeted by Stuxnet but that the cyber attack has been successfully rebuffed and prevented from spreading. The story was carried by many of the world’s news agencies including the BBC and Agence France-Presse.

The original story comes from the Iranian Students News Agency (ISNA) which reported that cyberattackers had struck industrial infrastructure in the southern province of Hormuzgan. In it Ali Akbar Akhavan is quoted as saying that a virus had penetrated some manufacturing industries in Hormuzgan province, but that with the help of skilled hackers it had been repelled. Akhavan is quoted as saying that the malware was “Stuxnet-like” but he did not expand on what that meant.

Once the story had been picked up, Iran issued a correction. “At a press conference we announced readiness to confront cyber attacks against Hormuzgan installations, which was mistakenly reported by the agencies as a cyber attack having been foiled,” Ali Akbar Akhavan said. However ISNA is sticking with its original story and has published MP3 files which it claims contain Akhavan’s initial remarks.

The state of Iran’s industrial and IT infrastructure has been a topic of much discussion ever since the original Stuxnet worm was allegedly used to hamper Iran’s nuclear enrichment efforts in 2010. Since then Iran has had various malware troubles, including reports of a piece of malware called Narilam which attacked Iranian business databases and a malware incident in which Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal.

The rise of the Sweet Orange exploit kit

(LiveHacking.Com) – Since the main purpose of malware is to make money, it is only to be expected that as many parts as possible of the process are streamlined and automated. This is why many bits of malware use command and control (C & C) servers to automate the infection, spreading and ultimately the fraudulent aspects of the malware. Another aspect which is highly streamlined is the creation of the virus or trojan that infects and delivers the payload to a victim’s computer. To this end malware authors have developed things called exploit kits, which allow the criminals to create new viruses with the desired payload in a very short amount of time. The most popular exploit kit is known as Black Hole; it accounts for some 40 percent of all toolkits detected.

Version 2.0 of Black Hole was recently released and it is claimed to be harder for anti-virus programs to detect. But Black Hole isn’t the only exploit kit in town. One of the competing exploit kits is known as “Sweet Orange.” According to Chris Larsen of Blue Coat, malware analysts are finding more and more examples of Sweet Orange based malware.

Sweet Orange is similar to other exploit kits in that it has a database backend to store information about successful infections and to gather statistics about its exploits for Java, PDF, IE and Firefox. However it does claim something quite unique: according to the sales copy, Sweet Orange is able to drive 150,000 unique visitors to a site every day.

Since the whole process is automated, the ferocity of Sweet Orange is high. With an infection rate of up to 15% and 150,000 unique visitors a day to the predefined malicious webpage, that means that 10,000 new PCs are infected every day. That is 300,000 in one month, a huge pool of victims exposed to banking trojans, fake AV malware and so on.

Such a high rate of infection needs a substantial infrastructure; the problem is that this infrastructure remains hidden and only parts of it can be seen, rather like an iceberg.

“Thanks to WebPulse, and the amount of traffic that comes through each day, Blue Coat can see a lot more of the iceberg,” said Jeff Doty of Blue Coat. “In my research, I found 45 different IP addresses (and a total of 267 different domains) that are dedicated to Sweet Orange.”

SMS fraud malware now targets OS X users

(LiveHacking.Com) – SMS fraud is nothing new and is one of the preferred methods of generating income for malware writers on Android and on Windows. The Russian security firm Dr. Web has discovered a piece of malware which attempts to perpetrate SMS fraud on unsuspecting OS X users. Dubbed Trojan.SMSSend.3666, it is the first program of its kind that targets Mac OS X.

With SMS fraud the malware writers attempt to subscribe victims to premium rate SMS services which charge high fees for useless messages. The Android variant causes the phone to send a message to one of these premium rate numbers.

The new Mac malware is a fake installer which can be downloaded under the guise of useful software. In this case, the Trojan pretends to be an installer for a program called VKMusic 4, a program meant for use on the VK social network. VK claims it is the largest European social network with more than 100 million active users.

“In order to continue the ‘installation’ fraudsters ask that the victim enter their cellphone number into an appropriate field and then specify the code found in a reply SMS. By performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis,” wrote Dr. Web.

Recent outbreaks of OS X malware have used vulnerabilities in Java; however this Trojan doesn’t use a known or unknown vulnerability, rather it is a simple social engineering ploy to trick the user into subscribing to a costly phone service. A relatively small number of OS X users will be affected since, first, it targets users of VK and, second, the OS X user needs to download the fake version of VKMusic from an underground web site.

It is anticipated that Apple’s XProtect malware utility will be updated to identify this new Trojan in due course.

36 million euros stolen from banking customers across Europe using mobile malware

(LiveHacking.Com) – A sophisticated and complex attack has been used to systematically steal millions from banking customers, both corporate and private, across Europe. By using a combination of malware for the PC and malware for mobile, the attackers have been able to intercept SMS messages used by banks as part of their two-factor authentication process. First the attackers would infect the victim’s PC and then their mobile. Once the two-factor authentication was bypassed, the criminals used the corresponding transaction authentication number (TAN) to automatically transfer funds from the victims’ accounts. The sums varied in size from €500 to €250,000.

According to Check Point, the firewall maker, an estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts. This attack campaign has been named “Eurograbber” by Versafe and Check Point Software Technologies, who have released a case study about the criminals’ activities. By using a variation of the Zeus-In-The-Mobile Trojan, the victims’ online banking sessions were completely monitored and manipulated by the attackers. The mobile part of the attack used malware developed for both the Blackberry and Android platforms.

“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, Head of Product Management at Check Point Software Technologies. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data, and endpoints, powered by real time threat intelligence.”

In the on-going battle between cyber-criminals and IT infrastructure designers, cyberattacks have become more sophisticated. The Eurograbber attack has found the weakest link in the chain, the banking customers and their devices. In this case by unwittingly installing malware on their PC and phone the victims allowed the attackers to launch and automate their attacks and avoid traceability.

Check Point has notified the banks involved and is actively working with law enforcement agencies to halt any current or future attacks. The report ends by reminding individual users that they must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and that they are kept current with software and security updates to ensure the best protection possible.

Banking Trojan tries to hide from security researchers

Shylock from Shakespeare’s Merchant of Venice. Engraving by G. Greatbach after a painting by John Gilbert.

(LiveHacking.Com) – In the never-ending cat and mouse chase between malware writers and security researchers, a twist has been observed by the security company Trusteer. Recent analysis of a piece of banking and financial malware called Shylock has shown that the authors are trying to add methods which stop the malware from being analyzed. Malware researchers often use virtual machines or remote computers in an operations center or “lab” to perform research on malware. To connect to the machines in the lab, researchers use remote desktop connections. Knowing this, Shylock has been altered to identify and avoid remote desktop environments.

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Gal Frishman wrote in a blog post. According to Gal, Shylock tries to detect a remote desktop environment by feeding invalid data into a certain Windows function call and then observing the error code returned. It uses this return code to spot remote desktops. If it recognizes a remote desktop session it won’t install. It is also possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” George Tubin told SC Magazine. “We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won’t start for a time. We see an increasing trend in malware being able to evade virtual environments.”

To find out if it is running in a remote desktop environment, Shylock makes a call to the SCardForgetReaderGroup() function in Windows. This innocent function is designed to remove a previously introduced smart card reader group from the smart card subsystem. However it turns out that if the function is called on a normal desktop machine the return values are different from those returned when it is called on a PC using a remote connection. Based on the return code Shylock decides whether or not to install.

New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground black market cyber criminal Internet forum. The new threat is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but doesn’t affect Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any systems running the program. This typically means it would be used to spread malware. If a cyber criminal did buy this exploit it would most likely be used to spread a banking Trojan so that the buyer could recoup the money spent. In the end it is all about money (illegally and immorally gained of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum but the seller suggested that it needs to be five digits (meaning $100,000 or more). There are not many details, but the vulnerability is said to be in ‘MidiDevice.Info,’ a Java class which handles MIDI devices. The seller has tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have lots of concerns about the number of possible vulnerabilities in Java. If you don’t need Java it is best to remove it completely from your system.

As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

Symantec says new worm attacking Iranian businesses – Iran says no, it isn’t true

(LiveHacking.Com) – Symantec is reporting that it has detected a new piece of malware called Narilam which is attacking business databases in Iran. Of course, the existence of such a worm that is attacking the Middle East, and Iran specifically, has drawn parallels with other well documented cyber-attacks on Iran including Stuxnet, Duqu and Flame.

According to Symantec, Narilam is designed to cause chaos by targeting and modifying corporate databases. It does this by attacking Microsoft SQL databases via OLEDB (Object Linking and Embedding, Database) and hunts for SQL databases with three distinct names: alim, maliran, and shahd. It then replaces certain items (including columns called Asnad.LastNo, Asnad.FirstNo and refcheck.amount) in the database with random values.
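As an added illustration (not code from Symantec, Maher or the article), the following Python script shows a defender-side check built around the names Narilam is reported to target: it flags databases whose names match the list and keeps a digest baseline of the targeted columns so that a random-value overwrite shows up as a change. An in-memory sqlite database is a constructed stand-in for the Microsoft SQL database; the table layout is assumed, not taken from the affected accounting package.

```python
import hashlib
import sqlite3

# Database names the Symantec description says Narilam hunts for.
TARGET_DATABASES = {"alim", "maliran", "shahd"}
# (table, column) pairs the description says it overwrites with random values.
TARGET_COLUMNS = [("Asnad", "LastNo"), ("Asnad", "FirstNo"), ("refcheck", "amount")]


def in_target_set(database_names):
    """Return the subset of a server's database names that match Narilam's list."""
    return {name for name in database_names if name.lower() in TARGET_DATABASES}


def column_digest(conn, table, column):
    """SHA-256 over the ordered contents of one column; any change alters the digest."""
    h = hashlib.sha256()
    query = f'SELECT "{column}" FROM "{table}" ORDER BY rowid'
    for (value,) in conn.execute(query):
        h.update(repr(value).encode("utf-8"))
        h.update(b"\x00")  # separator so adjacent values cannot merge
    return h.hexdigest()


def snapshot(conn):
    """Digest every targeted column; store the result as the baseline."""
    return {f"{t}.{c}": column_digest(conn, t, c) for t, c in TARGET_COLUMNS}


def changed_columns(baseline, current):
    """Names of targeted columns whose contents differ from the baseline."""
    return sorted(key for key in baseline if baseline[key] != current.get(key))


def build_sample_db():
    """Constructed sample data (assumed schema) standing in for the accounting database."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "Asnad" ("FirstNo" INTEGER, "LastNo" INTEGER)')
    conn.execute('CREATE TABLE "refcheck" ("amount" REAL)')
    conn.executemany('INSERT INTO "Asnad" VALUES (?, ?)', [(1, 10), (11, 20), (21, 30)])
    conn.executemany('INSERT INTO "refcheck" VALUES (?)', [(100.0,), (250.5,), (75.25,)])
    conn.commit()
    return conn


def demo():
    """Baseline, then overwrite one targeted value and report which column changed."""
    conn = build_sample_db()
    baseline = snapshot(conn)
    # Stand-in for the tampering described above: one targeted value replaced.
    conn.execute('UPDATE "Asnad" SET "LastNo" = 734921 WHERE rowid = 2')
    conn.commit()
    return changed_columns(baseline, snapshot(conn))


if __name__ == "__main__":
    print("databases in target set:", in_target_set(["master", "Maliran", "payroll"]))
    print("columns changed since baseline:", demo())
```

The digest flags any change to those columns, legitimate or not, so the baseline must be refreshed after each normal posting run; it is a tamper check, not a substitute for the backups Maher recommends.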

However the Iranian national CERT, Maher, says that after its initial investigations there seems to be some misunderstanding about the malware. First, it isn’t new malware but old! Iran reckons it has been around since 2010 but under a different name. Secondly, the malware is not a major threat, nor is it a sophisticated piece of malware. Thirdly, the malware isn’t that widespread and it is only able to corrupt the database of a particular accounting package for small businesses.

Maher’s advice is not to panic; only the customers who use that particular accounting software should make sure they have good backups and that they scan their systems regularly with a decent antivirus product.

So who is right? It is difficult to tell. Malware which targets a very specific software product made and predominantly used in Iran is very suspect, especially in light of other cyber attacks like Stuxnet, but at the same time if it is old and contains no functionality to steal information from infected systems then its impact will certainly be limited.

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought it was designed by a nation state with the intention of targeting Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet and it appears that the malware got onto its network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world, and potentially the Stuxnet malware could have destroyed other equipment across the globe. Just like a real world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”

2.2 million homes were infected with the ZeroAccess botnet during Q3

(LiveHacking.Com) – According to a new report, 2.2 million home networks worldwide were infected with the ZeroAccess botnet during Q3 of 2012. The Kindsight Security Labs Q3 2012 Malware Report says that ZeroAccess was the most active botnet in Q3. It is estimated that 685,000 households in the United States were infected.

It seems that this malware is now also significantly affecting online advert revenue. ZeroAccess is an ad-click botnet whose bots engage in a sophisticated ad-click fraud scheme that could be costing advertisers almost a million dollars each day.

ZeroAccess and its morphed successor ZeroAccess2 use an encrypted P2P protocol to communicate with other peers. The botnet maintains communication through super-nodes, each of which is an infected PC that is directly connected to the internet without an intervening home router or other network address translation (NAT) device.

To earn money, the bot operators have a large number of web sites that host pay-per-click adverts. The bots are programmed to click on ads that are hosted by these sites, earning money for the operator and costing the advertiser money. The list of websites to use is dynamic, as is the visit frequency. To avoid ad-click fraud detection, the bots follow the ad click through to the advertiser’s landing page through several layers of redirection, loading all the HTML, JavaScript and graphics components as a regular browser would.

The botnets also earn money through ‘Bitcoin mining’, a technique which creates false Bitcoin transactions. It is thought that about half of the ZeroAccess bots are working as Bitcoin miners. Bitcoins are said to be worth about $10 each and Sophos has estimated that ZeroAccess could be earning over $2.7M per year; however it is not clear if real money is actually involved, or if they are just used for playing Bitcoin games.

“The ZeroAccess botnet has grown significantly to become the most active botnet we’ve measured this year,” said Kevin McNamee, security architect and director, Kindsight Security Labs. “Cybercriminals are primarily using it to take over victim computers and conduct ad-click fraud. With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud.”