June 18, 2013

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department, said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought to have been designed by a nation state with the intention of targeting the Siemens supervisory control and data acquisition (SCADA) systems which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet, and the malware appears to have reached the company’s network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world, and the Stuxnet malware could potentially have destroyed other equipment across the globe. Just like a real world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”

2.2 million homes were infected with the ZeroAccess botnet during Q3

(LiveHacking.Com) – According to a new report, 2.2 million home networks worldwide were infected with the ZeroAccess botnet during Q3 of 2012. The Kindsight Security Labs Q3 2012 Malware Report says that ZeroAccess was the most active botnet in Q3. It is estimated that 685,000 households in the United States were infected.

It seems that this malware is now also significantly affecting online advert revenue. ZeroAccess is an ad-click botnet where the bots engage in a sophisticated ad-click fraud scheme that could be costing advertisers almost a million dollars each day.

ZeroAccess and its morphed successor ZeroAccess2 use an encrypted P2P protocol to communicate with other peers. The botnet maintains communication through super-nodes, infected PCs that are directly connected to the internet without an intervening home router or other network address translation (NAT) device.

To earn money, the bot operators have a large number of web sites that host pay-per-click adverts. The bots are programmed to click on ads that are hosted by these sites, earning money for the operator and costing the advertiser money. The list of websites to use is dynamic, as is the visit frequency. To evade ad-click fraud detection, the bots follow the ad click through to the advertiser’s landing page via several layers of redirection, loading all the HTML, JavaScript and graphics components as a regular browser would.

The botnets also earn money through ‘Bitcoin mining’, a technique which creates false Bitcoin transactions. It is thought that about half of the ZeroAccess bots are working as Bitcoin miners. Bitcoins are said to be worth about $10 each and Sophos has estimated that ZeroAccess could be earning over $2.7M per year, although it is not clear if real money is actually involved, or if they are just used for playing Bitcoin games.

“The ZeroAccess botnet has grown significantly to become the most active botnet we’ve measured this year,” said Kevin McNamee, security architect and director, Kindsight Security Labs. “Cybercriminals are primarily using it to take over victim computers and conduct ad-click fraud. With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud.”

miniFlame: New malware found that is linked with Flame, Stuxnet, Duqu and Gauss

(LiveHacking.Com) – Kaspersky Lab has found a new piece of malware that is linked with the various nation-state cyber-espionage malware families including Stuxnet, Duqu, Flame and Gauss. Although found all over the world, these malware attacks have specifically targeted the Middle East. Previous analysis of the Flame malware led Kaspersky Lab to conclude that there was some form of collaboration between the groups that developed Flame, Stuxnet and Duqu. Further research prompted the discovery of the previously unknown malware called Gauss, which uses a modular structure resembling that of Flame, has a similar code base and uses the same system for communicating with its C&C servers. That made up the whole family: Flame, Stuxnet, Duqu and Gauss.

Now Kaspersky Lab has discovered miniFlame. This new malware is based on the Flame platform and can be operated as part of Flame, but it can also be run independently, without the main Flame modules installed.

“The SPE malware is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” wrote GReAT, Kaspersky Lab’s expert research team.

Kaspersky Lab has also discovered that miniFlame can be used together with Gauss. It had previously been assumed that Flame and Gauss were parallel but separate projects, as they did not have any common modules or common C&C servers. The fact that miniFlame works with both of these malware projects proves that they come from the same authors.

Like the others in the family, miniFlame is targeting the Middle East. Flame attacks were found mainly in Iran and Sudan, while Gauss was mostly present in Lebanon. miniFlame itself does not have a clear geographical bias, but there are reports from Lebanon, Palestine, Iran, Kuwait and Qatar.

Kaspersky Lab has a full technical paper on miniFlame here.

DHL Express being used as bait for malware attack

(LiveHacking.Com) – A wave of malware-laden email messages claiming to be from DHL Express is being tracked by Sophos. The email messages, which claim to have information about items being shipped to your address by DHL, have a .zip file attached which contains a variant of the Bredo trojan horse malware.

Unsuspecting users who download and unzip the attachment will most likely infect their PCs with this trojan. Once installed, it copies itself to the Windows system folder and modifies the registry so that it loads automatically the next time the PC is started. It then contacts a command and control server to download more malware, possibly including adware, keyloggers and fake anti-virus ransomware.

Of course, such malicious emails claiming to come from companies like DHL, FedEx and UPS are not new, but the fact that cyber criminals are sending fresh waves of these emails means that, sadly, they are working.

Advice

  • Install a good anti-virus solution.
  • Don’t download and/or execute attachments on emails from untrusted sources.
  • Don’t be deceived by unsolicited emails.

In brief: Skype being used to spread DORKBOT worm

(LiveHacking.Com) – Skype is being used to distribute a variant of the DORKBOT worm. Users are being spammed with instant messages saying “lol is this your new profile pic?” If they click on the link (which cunningly includes the username of the recipient) a variant of the DORKBOT malware family is downloaded to the PC.

DORKBOT allows an attacker to take complete control of the PC and includes password theft capabilities for a large number of popular websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. It can also be used to launch distributed denial-of-service (DDoS) attacks, and it can download other malware to the PC when instructed by the command and control server.

Once the Windows machine has been infected, the worm sends out further “lol” messages to the users on the victim’s contact list. In turn, the unsuspecting recipients think the message was sent by someone they know, click on the link, and the cycle starts again.

“Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact,” said Skype to the BBC. “We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable.”

Microsoft reaches settlement with domain operator linked to the Nitol botnet

(LiveHacking.Com) – Microsoft has reached a legal settlement with the hosting company which operated 3322.org, a domain linked to the Nitol botnet. The deal, which was reached with Peng Yong and his company Changzhou Bei Te Kang Mu Software Technology, is the result of an investigation Microsoft conducted into counterfeit Windows PCs made in China.

Microsoft discovered that consumers in China were buying cheap counterfeit Windows-based PCs which came with malware pre-installed. The malware, known as Nitol, was used to run distributed denial of service (DDoS) attacks as well as to create backdoors onto the PCs. The domain 3322.org was part of the infrastructure supporting the botnet. Subsequently Microsoft started legal action to take control of the 70,000 malicious subdomains hosted on 3322.org.

The investigation revealed that the malware was not being pre-installed on computers in the factory; rather, the cybercriminals had disreputable distributors or resellers load the malware-infected counterfeit software onto the computers before final delivery to the customer.

Now, Peng Yong has agreed to work with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) authorities to stop any further misuse of servers in his company. Any future black-listed domains will be moved into a sinkhole that has been established by CN-CERT. Yong is also required to fix the systems of anyone affected by the botnet. Microsoft has already started to contact the Nitol victims with the help of the Shadow Server Foundation.

Since taking control of 3322.org, just over two weeks ago, Microsoft has been able to block more than 609 million connections from over 7,650,000 unique IP addresses.

“Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect peoples’ computers with malware, whether for financial gain or other nefarious purposes. However, those working to combat cybercrime continue to make progress, and Microsoft remains committed to protecting its customers and services and to making it difficult for cybercriminals to take advantage of innocent people for their dirty work,” wrote assistant general counsel for Microsoft Digital Crimes Unit Richard Domingues Boscovich.

BlackHole exploit kit 2.0 released and it’s all about the money

(LiveHacking.Com) – A new version of the popular Black Hole exploit kit has been released. According to an entry on Pastebin, V2.0 has been rewritten from scratch to make it harder for anti-virus programs to detect it. Black Hole is one of the most popular exploit kits used online and accounts for just under 40 percent of all toolkits detected by AVG. The key element in the announcement is not so much the new features (which I will look at below) but the fact that the “advert” contains a list of the prices for server rentals and mentions that the prices have remained the same. Don’t ever lose sight of the fact that malware writing is all about the money.

So what are the prices? How much does it cost to be a cyber criminal nowadays? Renting a command and control server from the BlackHole creators costs just $50 per day with a limit of 50,000 hits. If you want to use your own server then you need to buy a license (ironic, no?), and that costs $700 for 3 months or $1500 for a year.

Among the new features is the use of a CAPTCHA on the administration panel login page to prevent security companies from performing brute force attacks against the servers. The kit also adds new dynamically generated URLs, which are valid for only a few seconds. These kinds of “enhancements” have nothing to do with how BlackHole actually exploits vulnerabilities on victims’ PCs; rather, they are designed purely to make life harder for security researchers and security companies. In fact, the announcement says that the team have “developed and implemented a lot more features about which bragging and shouting in public is simply not reasonable, because competition and the AV companies do not nap.”

Google buys VirusTotal to boost its online protection services

(LiveHacking.Com) – VirusTotal, a free online service that analyzes files and URLs for malware, has been bought by Google. The purchase is seen by many as a way for Google to boost the protection it offers for its online services like Gmail and Google+. VirusTotal will continue to operate independently, and the company plans to maintain its partnerships with other antivirus companies and security experts.

VirusTotal works by aggregating warnings on user-submitted files and URLs from all the major antivirus solutions, including Intel Corp’s McAfee and Symantec Corp. Once a file or URL is received, VirusTotal performs the malware checks and then distributes the results to security vendors. Since those returned results include the original document or website in question, the service is seen as a valuable resource that allows the security industry to spot emerging threats.

“VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them,” said the company on its blog.

Terms of the deal were not disclosed.

McAfee has detected 1.5 million new malware samples in the last three months

(LiveHacking.Com) – The amount of malware (including viruses and trojans) has seen its single biggest increase in the last four years, according to the new McAfee Threats Report: Second Quarter 2012. McAfee Labs says it has detected a 1.5 million increase in malware in the last three months and has seen malware writers becoming more sophisticated, with the appearance of new threats such as mobile drive-by downloads, the use of Twitter to control mobile botnets, and the appearance of mobile ‘ransomware’.

This means that 100,000 new pieces of malware are discovered every day, and McAfee predicts that at this rate it will almost certainly see 100 million samples by next quarter and possibly the first 10-million-sample quarter.

“Over the last quarter we have seen prime examples of malware that impacted consumers, businesses, and critical infrastructure facilities,” said Vincent Weafer, senior vice president of McAfee Labs. “Attacks that we’ve traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile. This report highlights the need for protection on all devices that may be used to access the Internet.”

Android continues to be a popular target for malware writers. Virtually all new mobile malware detected in the last three months was written for Android. Mobile malware is growing in sophistication, and the full gamut of malware types now exists, including SMS-sending malware, mobile botnets, spyware and destructive Trojans.

Other types of popular malware, this time aimed at the PC, include Fake Anti-Virus (bogus security software), AutoRun, and password-stealing Trojans. The number of Fake AV samples grew slightly, but the overall trend is still down. However, AutoRun and password-stealing malware showed significant growth this quarter.

There were nearly 1.2 million new AutoRun samples this quarter and nearly 1.6 million new password-stealing malware samples. AutoRun worms spread via USB flash drives by executing code embedded in AutoRun files, while password-stealing malware is designed to collect account names and passwords so that an attacker can carry out identity fraud.

You can learn more about the rise in malware in the full copy of the McAfee Threats Report: Second Quarter 2012.

Ransomware claims the FBI knows the victim’s computer is associated with crime and tells them to pay a fine

(LiveHacking.Com) – The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has published a warning about various ransom campaigns which are impersonating multiple U.S. Government agencies. The malware, which impersonates the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI), displays an alert telling the victim that a Federal Government agency has associated the user’s computer with one or more online crimes. To regain use of the computer the victim must pay a fine, often through a prepaid money card service.

The US-CERT warning comes after the discovery earlier this month of a piece of ransomware known as Reveton. The drive-by Trojan, which infects a victim’s PC when they visit a compromised website, locks the user’s computer, displays a bogus message and demands payment of fines. The bogus message says that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service. The FBI has confirmed that the malware has already successfully stolen money from a number of innocent victims.

Needless to say, government agencies don’t send out official notifications as unsolicited emails or web popup alerts; such notifications are required by law to be delivered directly to the individual. Also, government agencies don’t ask for fines to be paid via money card services.

According to the US-CERT warning, victims can also choose to file a complaint with the FBI’s Internet Crime Complaint Center (IC3).