April 20, 2014

New digitally signed malware targets Mac users

os x mavericks desktopA new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is considered as bot, is being used in an “undelivered courier item” email campaign which tries to trick users into downloading the malware as they try to see the description of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website like FedEx or DHL) and then proceeds to download an attachment. If the malicious website detects that the web browser is running on Windows then a piece of malware called Mal/VBCheMan-C is downloaded.

However for Mac users a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app icon has been intentionally given the PDF icon to trick users into thinking it is a PDF document. However when clicked it will install the malware. Because the application is digitally signed OS X won’t produce a warning about the application coming from an unknown source, but rather it will only warn the user that it has been downloaded from the Internet. Although the warning does actually say “application” rather than “document” the dialog offers the user two possibilities to Cancel or to Open. The use  of the word Open by Apple rather than Run can leave the user with the impression that they are opening a document.

According to Sophos OSX/LaoShu-A is a bot and takes commands from a C&C server, however its main function appear to be data stealing as it will search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and try to upload them to the C&C server. However it can also download new program files and execute shell commands which means it will basically be able to do whatever the attackers tell it to do.

In conclusion, don’t click on random links in unsolicited emails especially those with good link bait like the undelivered courier item emails.

NSA deliberately infected 50,000 computer networks with malware

nsa_aerial_300pxAccording to documents provided by former NSA-employee Edward Snowden, the US National Security Agency (NSA) infected 50,000 networks with malware designed to steal sensitive information. The revelations come from the Dutch newspaper NRC which says it has seen the documents first hand.

A top secret presentation given in 2012 showed how the NSA hacked – called  ‘Computer Network Exploitation’ (CNE) by the NSA - over 50,000 networks using malware. It is thought that the infiltration discovered earlier this year at the Belgium telecom provider Belgacom is an example of the NSA’s infiltration techniques, this time according to NRC in conjunction with GCHQ. The malware infected Belgacom’s computers by luring employees to a fake LinkedIn page.

This hacking work is carried out by a special department in the NSA called TAO (Tailored Access Operations), which is said to employ more than a thousand hackers. By 2008 the TAO had access to over 20,000 networks with the program recently expanded to include up to 50,000 networks around the world including some in Rome, Berlin, Pristina, Kinshasa, and Rangoon.

The installed malware took its instructions from  a command and control server and could be turned on and off at will. The malware, known as ‘implants’, can be put into a sleeper mode and activated when needed. “The NSA-presentation shows their CNE-operations in countries such as Venezuela and Brazil. The malware installed in these countries can remain active for years without being detected,” wrote Floor Boon, Steven Derix and Huib Modderkolk of NRC.

According to the NSA’s careers website the organization carries out three types of Computer Network Operations:

  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

The presentation also revealed that along with CNE missions the NSA has access to large Internet cables at 20 different locations; runs over 80 regional Special Collection Service (SCS) installations that are part of a joint CIA-NSA program; and maintains liaison with 30 third-party countries outside of the Five Eyes partnership of Australia, Canada, the U.K. and New Zealand.

Cybercriminals looking to target SAP users

SAP_logoFresh warnings have been issued by RSA Europe and ERPScan following the discovery of a modified banking Trojan that now also searches for SAP client applications on infected systems. Recently a new variant of the malware Trojan.ibank was found by researchers at Dr. WEB who then passed on the information to ERPScan, a company which develops security monitoring products for SAP systems.

RSA Europe also issued a warning about the new malware variant suggesting that its existence could mean that there is a new wave of SAP based attacks coming. The issue of the malware was discussed by Alexander Polyakov, co-founder and CTO of ERPScan, at the RSA Europe security conference in Amsterdam which hosted sessions on the dangers of SAP and ERP vulnerabilities.

According to Polyakov one of the likely ways that attackers could be using the new malware is to gather information that could then be sold on the black market. However an alternative scenario is that the attackers will wait until a larger number of systems are infected and then start to steal sensitive information via a specially crafted malicious SAP modules which the Trojan uploads from and command and control server.

“There are dozens of ways to steal those passwords and use them,” said Polyakov to Dark Reading. “It is possible to connect to SAP Server and do any kind of fraud in the system or simply steal critical information such as client lists or employees’ personal information. We decided to warn people and SAP’s Security response team with whom we closely work before this can happen.”

Once the malware has found a SAP client there are lots of ways to steal information including from configuration files that contain the IP addresses of the servers. There is also the possibility of sniffing for passwords. Once on to the servers the cyber-criminals can perform all many of malicious activities, including theft and fraud via false transactions.

58% of vulnerabilities which exploit kits try to use are over 2 years old

solutionary-logo(LiveHacking.Com) – A new report from the security company Solutionary, has revealed that 58% of the vulnerabilities targeted by the top exploit kits are at least two years old. In total the company looked at 26 of the most common exploit kits and found exploit code from nine years ago. The fact that code from 2004 is still in the kits implies that old vulnerabilities are still fruitful for cyber criminals.

Further analysis showed that 58% of the vulnerabilities targeted are over two years. Solutionary also say that number of newly discovered and disclosed vulnerabilities has declined since 2010.

It seems as if Russia the center for exploit development with 70 percent of kits released or developed there. Following Russia comes China and Brazil. Of these kits BlackHole 2.0 continues to be the most often-used exploit kit while the lesser known Phoenix 3.1 exploit kits offers the highest number of vulnerabilities.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” said Rob Kraus of Solutionary. “Exploit kits largely focus on targeting end-user applications. As a result, it is vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise.”

The popularity of BlackHole was also confirmed when Solutionary saw that 30% of the malware samples are indirectly linked to BlackHole exploit kit, while 18% of the malware samples directly attributed to BlackHole.

On the effectiveness of anti-virus solutions, the report found that anti-virus and anti-malware software cannot detect 67 percent of malware being distributed.

Top malware threats of last year included autorun and malicious Javascript

usb-flash-drive(LiveHacking.Com) –  ESET has released a new report looking back at the top attack vectors used by malware to infect PCs in 2012. The top three vectors where the autorun.inf file, obfuscated Javascript and iframe injections. Together these three accounted for almost 15% of the ways that malware found its way onto PCs.

Autorun.inf is a special file placed on removal media (like USB flash disks) that tells Windows what file to run when the media is inserted into the computer. Many different types of malware copy themselves onto any removable media present and change the autorun.inf file to make sure that the malware is run when the media is inserted into a machine. It is a popular way for malware to infect computers that are not connected to the Internet. A recent report by the USA’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that two power generation facilities became infected with malware via USB flash drives that were being used inside the plants. It is also the method believed to have been used to infect Iran’s nuclear program with Stuxnet. In total 5% of malware infections detected by ESET’s Live Grid was spread via the autorun.inf file.

Although Microsoft disabled Autorun on Windows XP and Vista, to prevent malware infections, nearly two years ago (back in February 2011), ZDNet’s  Dancho Danchev is hypothesizing that the number of infections that happen via Autorun is still high because of software piracy. Basically users are running a pirated/outdated version of Windows. These installations aren’t being updated because of Microsoft’s Genuine Advantage program and so remain with Autorun enabled. The piracy problem was also reiterated by Symantec when it speculated that “the lack of patching due to piracy may be a contributory factor to high infection rates in those countries.”

Another 8% of infections came via hacked webpages with some kind of malicious intent. When a web page is hacked the attacker can alter the HTML to insert Javascript or an iframe that redirects the browser to a URL where malware is hosted or to start a drive by download. Normally any injected Javascript is obfuscated.

“Since poisoned web sites and scripts are an ongoing and regrettable but inevitable part of the threatscape, it’s not surprising that HTML/Iframe.B and HTML/Scrinject.B are still with us…” wrote David Harley, a senior research fellow at ESET.

Malware found in U.S. power plants, should America be worried?

us-cert logo(LiveHacking.Com) – According to a new report (pdf) released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

The first case came to ICS-CERT’s attention when it was contacted by the staff at a power generation facility. Several different bits of malware, which has been classified as both common and sophisticated, were discovered when an employee asked IT staff to inspect a USB drive used to back up control systems configurations within the control environment.

Initial analysis of the malware, found on the USB drive, raised some alarms since one of the infections was linked to known sophisticated malware. ICS-CERT engineers went on-site and took drive images of the infected hardware. The engineers also discovered two critical engineering workstations, which were infected by the malware, that had no backups, and an poor or incorrect removal of the malware would have significantly impaired the operation of the power plant.

A cleanup procedure was developed and executed together with the organization’s control system vendor to ensure that it would not adversely impact the critical workstations.

The second case happened in early October. A power company contacted ICS-CERT to inform it malware infection in a turbine control system. The malware infected around ten computers on the control system network that was down due to a scheduled outage for equipment upgrades. The infection resulted in more than planned downtime and delayed the plant restart by approximately 3 weeks.

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. Such practices will mitigate many issues that could lead to extended system downtimes,” said the ICS-CERT report. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events”

It is clear that these key infrastructural facilities need to have the correct security and backup policies and procedures in place, something which is sorely lacking at the moment.

Imperva says anti-virus spend not proportional to effectiveness

Imperva-logo(LiveHacking.Com) –  The business security firm Imperva has conducted a study together with students from The Technion – Israeli Institute of Technology into the effectiveness of anti-virus products and come up with some startling numbers. According to the report, only 5% of new viruses are detected with the existing techniques used by anti-virus products. In time the anti-virus vendors do update their signature databases but, put simply, the majority of anti-virus products can’t keep up with the rate of virus creation and propagation.

What this means is that if the detection of new, previously unknown viruses is used as the measure of success then consumers and businesses are spending a total of $7.4 billion a year on anti-virus products that don’t work. A lot of this spend comes from Enterprises attempting to adhere to some compliance standard. Imperva suggest that relaxing anti-virus compliance standards could free money which could be spent on other security software.

“One reason why security budgets devote too much money to antivirus is compliance. Easing the need for AV could free up money for more effective security measures,” wrote Imperva in the report.

Imperva recommends that existing anti-virus software should remain in place, but that security teams should use more resources on identifying aberrant behavior such as unusually fast access speeds or large volume of downloads.

The report also noted that the best way for a piece of malware to have long term success was to shun popularity. Antivirus products are much better at detecting malware that spreads quickly as the malware appears quickly on the radar of the anti-virus companies. However malware which has a limited distribution (such as government sponsored attacks) usually have a prolonged window of opportunity.

SMS fraud malware now targets OS X users

(LiveHacking.Com) –  SMS fraud is nothing new and is one of the preferred methods of generating income for malware writers on Android and on Windows. The Russian security firm Dr. Web has discovered a piece of malware which attempts to perpetrate SMS fraud on unsuspecting OS X users. Dubbed Trojan.SMSSend.3666, it  is the first program of its kind that targets Mac OS X.

With SMS fraud the malware writers attempt to subscribe victim’s to premium rate SMS services which charges high fees for useless messages. The Android variant is to cause the phone to send a message to one of these premium rate numbers.

The new Mac malware is a fake installer which can be downloaded under the guise of useful software. In this case, the Trojan pretends to be an installer for a program called VKMusic 4, a program meant for use on the VK social network. VK claims it is the largest European social network with more than a 100 million active users.

“In order to continue the ‘installation’ fraudsters ask that the victim enter their cellphone number into an appropriate field and then specify the code found in a reply SMS. By performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis,” wrote Dr. Web.

Recent outbreaks of OS X malware have used vulnerabilities in Java, however this Trojan doesn’t use a known or unknown vulnerability, rather it is a simple social engineering ploy to trick the user into subscribing to a costly phone service. A relativity small number of OS X users will be affected as first it targets users of VK, second the OS X user needs to download the fake version of VKMusic from an underground web site.

It is anticipated that Apple’s XProtect malware utility will be updated to identify this new Trojan in due course.

Banking Trojan tries to hide from security researchers

Shylock from Shakespeare’s Merchant of Venice. Engraving by G. Greatbach after a painting by John Gilbert.

(LiveHacking.Com) –  In the never-ending cat and mouse chase between malware writers and security researchers a twist has been observed by the security company Trusteer. Recent analysis of a piece of banking and financial malware called Shylock has shown that the authors are trying to add methods which stops the malware from being analyzed. Malware researchers often use virtual machines or remote computers in an operations center or “lab” to perform research on malware. To connect to the machines in the lab, researchers use remote desktop connections. Knowing this, Shylock has been altered to identify and avoid remote desktop environments.

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Gal Frishman wrote in a blog post. According to Gal, Shylock tries to detect a remote desktop environment by feeding invalid data into a certain Windows function call and then observes the error code returned. It uses this return code to spot remote desktops. If it recognizes a remote desktop sessions it won’t install. It is also possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” George Tubin told SC Magazine. “We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won’t start for a time. We see an increasing trend in malware being able to evade virtual environments.”

To find out if it is running in a remote desktop environment Shylock makes a call to the SCardForgetReaderGroup() function in Windows. This innocent function is designed to remove a previously introduced smart card reader group from the smart card subsystem. However it turns out that if the function is called on a normal desktop machine the return values are different to the cases when it is called on a PC using a remote connection. Based on the return code Shylock decides to install or not.

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought it was designed by a nation state with the intention of targeting Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet and it appears that it got onto its network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world and potentially the Stuxnet malware would have destroy other equipment across the global. Just like a real world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”