April 20, 2014

HDD Plus Malware Spread by DoubleClick and MSN

The first two weeks of December have seen the HDD Plus malware spread across the Internet through the world’s largest ad-serving platforms, namely DoubleClick and MSN, using drive-by download malvertising.

HDD Plus is ransomware: once installed on a victim’s computer it holds the machine hostage by displaying threatening messages claiming that the system is failing, and asks the victim to purchase a license to fix the supposed problems.

DoubleClick and MSN are implicated because, when users visit websites that carry their banner ads, malicious JavaScript is served from ADShufffle.com (that’s with three f’s), which in turn starts a drive-by download process. If HDD Plus installs successfully, the victim’s computer has been infected without the victim doing or clicking on anything.

The attack uses a modified version of the Eleonore exploit pack and targets vulnerabilities in Microsoft Internet Explorer 6 & 7, the Java runtime environment (before update 19; the current version is update 23) and several weaknesses in Adobe Acrobat (including Reader). Because it exploits Java and Acrobat, PCs running alternative browsers such as Firefox or Chrome are also vulnerable.

This latest attack underlines again the need to keep your computer up to date, not only the browser but also other applications such as Java and Acrobat Reader.

A detailed technical report of how HDD Plus is spreading through these ad networks can be found here while information on removing HDD Plus can be found here and here.

Anti Anti-Virus: MalCon Speaker Demonstrates How Malware Can Disable Anti-Virus Software

Dubbed Anti Anti-Virus, the recent talk given at MalCon 2010 by Nima Bagheri, a security researcher and founder of U0vd Security, showed how alarmingly simple it is for a malware author to include steps that disable resident anti-virus software on the target PC.

Several techniques already exist for disabling anti-virus software by hooking System Service Dispatch Table (SSDT) calls and exploiting poorly implemented kernel hooks. However, Nima’s research has revealed other methods of disabling anti-virus software.

The first strategy demonstrated disables the anti-virus software by modifying the registry. The trick is startlingly simple: a registry change attaches a NULL debugger to the startup of the anti-virus service. Since such a debugger can’t be run, the service fails to start.
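As an added illustration of the registry trick described above, here is a defender’s audit script written for this page (it is not code from the talk or from Live Hacking). It assumes that the registry change in question is an Image File Execution Options (IFEO) “Debugger” value, the standard Windows mechanism by which a named program is launched in place of an executable, and it scans an exported .reg file for such entries, flagging any whose debugger is empty or not a recognised debugger. The sample export, the image names exampleav.exe and exampleavupd.exe, and the short list of recognised debuggers are all constructed for the example.

```python
"""Audit an exported Windows registry (.reg) file for Image File Execution
Options (IFEO) "Debugger" entries.

Added example for this article. Assumption: the talk's registry trick sets a
"Debugger" value under the IFEO key for the anti-virus executable; Windows then
launches that program instead of the executable, and if it cannot run, the
anti-virus service never starts. Sample data below is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
IFEO_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Debuggers an administrator might legitimately attach via IFEO (constructed
# allow-list; extend it for your environment). Anything else is investigated.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}

# Constructed sample of a regedit export (hypothetical image names).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleav.exe]
"Debugger"="C:\\does_not_exist\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleavupd.exe]
"Debugger"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
"""

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and quotes inside strings as \\ and \"
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}.
    String values are unescaped; other types (dword:, hex:) are kept raw."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, data = _unescape(val.group(1)), val.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            sections[current][name] = data
    return sections


class Finding(NamedTuple):
    image: str      # executable the IFEO entry applies to
    debugger: str   # program Windows launches instead of it
    severity: str   # "info" for a recognised debugger, "high" otherwise
    reason: str


def audit_ifeo(sections: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one finding per direct IFEO subkey that carries a Debugger value."""
    prefix = IFEO_PATH.lower() + "\\"
    findings: List[Finding] = []
    for key, values in sections.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:            # nested subkeys (e.g. PerfOptions) are not images
            continue
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        prog = debugger.strip()      # first token, honouring a quoted path
        if prog.startswith('"'):
            prog = prog[1:].split('"', 1)[0]
        else:
            prog = prog.split(None, 1)[0] if prog else ""
        basename = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not basename:
            findings.append(Finding(image, debugger, "high", "empty Debugger value: image cannot start"))
        elif basename in KNOWN_DEBUGGERS:
            findings.append(Finding(image, debugger, "info", "recognised debugger; confirm an administrator set it"))
        else:
            findings.append(Finding(image, debugger, "high", "unrecognised program replaces the image at launch"))
    return findings


def audit_reg_file(path: str) -> List[Finding]:
    """regedit writes UTF-16 LE with a BOM; hand-written files are usually UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8-sig")
    return audit_ifeo(parse_reg(text))


if __name__ == "__main__":
    import sys
    results = audit_reg_file(sys.argv[1]) if len(sys.argv) > 1 else audit_ifeo(parse_reg(SAMPLE_REG))
    for f in results:
        print(f"[{f.severity}] {f.image}: Debugger={f.debugger!r} ({f.reason})")
```

Run it without arguments to see the findings for the constructed sample, or pass the path of an export produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`. Any “high” finding against an anti-virus or security-tool executable deserves a look, and the same key is a cheap item to include in scheduled configuration baselines.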

Exploit released for unpatched Stuxnet hole

Microsoft has already patched three of the four security holes exploited by Stuxnet, but the fourth remains unpatched. An exploit now circulating on the web uses the remaining hole in the Windows Task Planner to access protected system directories – even if the user is logged in with only limited access privileges. Experts call this a privilege escalation attack.

Read the full story here.

Stuxnet: The Industrial Sabotage Mystery Deepens

Since its discovery a few months ago, the purpose and intention of the Stuxnet worm have remained shrouded in mystery. This Windows-based worm is the first ever malware designed to attack industrial equipment.

Specifically, it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes, and it has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).


PLCs contain the code that controls automated industrial systems in manufacturing plants or factories. Programmers use the Siemens software on a Windows PC to write that code and then upload it to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.

Since the discovery of Stuxnet, conspiracy theories about its purposes have been rampant and these theories have included nation states, well funded hackers, Israeli spies and Iran’s nuclear program. But Symantec have just revealed (http://www.symantec.com/connect/blogs/stuxnet-breakthrough) that the Stuxnet virus only attacks systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran. This is sure to reignite the speculations about its target and origin.

What Stuxnet does is monitor the frequency of these drives and only attack systems that run between 807 Hz and 1210 Hz, which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short time to 1410 Hz, then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors.

Stuxnet’s requirement for particular frequency converter drives and operating characteristics narrows the set of plausible targets considerably.

If you work with PLCs and variable-frequency drives running above 807 Hz, please contact Live Hacking as soon as possible, as you might be able to shed some light on this increasingly mysterious malware.

BinNavi 3.0 released

BinNavi version 3.0, a Win32 kernel debugging utility, has been released. BinNavi is a graph-based reverse engineering tool for malware analysis. According to blog.zynamics.com, the previous versions of BinNavi have already helped reverse engineers in the IT security industry, in governmental agencies and in academia around the world do their jobs faster and better.

New Features:

  1. Analyze code of MIPS-based devices
  2. Rename local and global variables to understand code
  3. Find out where global variables are used
  4. Quickly get back to your favorite projects, modules, and views
  5. Use a faster disassembly data exporter to get started
  6. Set conditional breakpoints to make debugging more efficient
  7. Edit the target process memory to test small patches
  8. Isolate code quickly using the improved trace mode
  9. Quickly see where variables are used
  10. Quickly recognize special instructions

More information is available at http://zynamics.com/binnavi.htm.