Posts Tagged ‘malware’

InfoSec Alert: Flash 0-Day Exploit Used by Angler Exploit Kit – Browsers Targeted

Thursday, January 22nd, 2015

The “Angler” exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Window 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

via InfoSec Handlers Diary Blog – Flash 0-Day Exploit Used by Angler Exploit Kit.

Stealthy Regin malware is a ‘top-tier espionage tool’ – CNET

Monday, November 24th, 2014

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report released Sunday.The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software.”Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years,” the company said in a statement. “Even when its presence is detected, it is very difficult to ascertain what it is doing.”The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases.Cyberespionage is a sensitive subject, often straining diplomatic relations between countries. The US and China have tussled for years over accusations of electronic spying. The US has accused China’s government and military of engaging in widespread cyberespionage targeting US government and business computer networks. China has denied the charges and accused the US of similar behavior targeting its own infrastructure.Related stories Russian government gathers intelligence with malware: report Former NSA director speaks out on spying, Stuxnet, defense China cyberspies hit US national security think tanks Behind US-China cyberspy tensions: The view from Beijing Q&ASome of Regin’s main targets include Internet service providers and telecommunications companies, where it appears the complex software is used to monitor calls and communications routed through the companies’ infrastructure. Other targets include companies in the airline, energy, hospitality and research sectors, Symantec said.The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India.Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.”Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”

via Stealthy Regin malware is a ‘top-tier espionage tool’ – CNET.

New BlackEnergy Crimeware Enhanced to Target Linux Systems and Cisco Routers

Wednesday, November 5th, 2014

 

BlackEnergy Cyber Crimeware equipped to Target Linux Systems and Cisco Routers

 

Security researchers at Kaspersky Lab have unearthed new capabilities in the BlackEnergy Crimeware weapon that has now ability to hacking routers, Linux systems and Windows, targeting industry through Cisco network devices.The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms.The malware was upgraded with custom plugins including Ciscoapi.tcl which targets The Borg’s kit, and According to researchers, the upgraded version contained various wrappers over Cisco EXEC-commands and “a punchy message for Kaspersky,” which reads, “Fuck U, Kaspersky!!! U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backd00rs & 0-days.”BlackEnergy malware program was originally created and used by cybercriminals to launch Distributed Denial-of-Service DDoS attacks. The malware developer then added some custom plugins used to funnel banking information.Most recently BlackEnergy malware was observed in alleged state-sponsored attacks targeting the North Atlantic Treaty Organization NATO, Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year.Now, the cyber espionage group has enhanced the malware program which also has the capabilities like port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping and destroying.In case if a victim knew of the BlackEnergy infection on their system, the attacker activates “dstr,” the name of a plugin that destroys hard disks by overwriting them with random data. A second victim was compromised by using VPN credentials taken from the first victim.Security researchers, Kurt Baumgartner and Maria Garnaeva, also came across BlackEnergy version that works on ARM and MIPS based systems and found that it has compromised networking devices manufactured by Cisco Systems.However, the experts are not sure for the purpose of some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS Basic Input/Output System, motherboard, and processor of infected systems. “We are pretty sure that our list of [BlackEnergy] tools is not complete,” the researchers wrote. “For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files.”Multiple unnamed victim companies in different countries were targeted with the latest BlackEnergy malware, including victims in Russia, Germany, Belgium, Turkey, Libya, Vietnam and several other countries.Another Crimeware group, the Sandworm Team, believed to have used the BlackEnergy exclusively throughout 2014 at victim sites and included custom plugin and scripts of their own. Also last month, the Sandworm Team had targeted organizations across the world in an espionage campaign, and iSIGHT Partners revealed that the team used spear phishing as the major attack vector to victimize their targets.

via New BlackEnergy Crimeware Enhanced to Target Linux Systems and Cisco Routers.

Visit the Wrong Website, and the FBI Could End Up in Your Computer | WIRED

Thursday, August 7th, 2014

big brother

Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes.

Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.

The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it’s also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants. Critics also worry about mission creep, the weakening of a technology relied on by human rights workers and activists, and the potential for innocent parties to wind up infected with government malware because they visited the wrong website. “This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates.

via Visit the Wrong Website, and the FBI Could End Up in Your Computer | Threat Level | WIRED.

InfoSec Blog -BEWARE- efax Spam Containing Malware

Tuesday, June 10th, 2014

Beware of efax that may come to your email inbox. This week I receive my first efax spam with a source address of “Fax Message [message@inbound.efax.com]” which contained a link to www.dropbox.com that contained malware. The link has since been removed.

 

efax Spam

On efax’s website, the indicate that you are receiving fax spam to submit the fax via to online form and they “will attempt to prevent further transmission of junk faxes from the source.[2]

[1] http://www.efax.com/help/faq

[2] http://www.efax.com/privacy?tab=reportSpam

via InfoSec Handlers Diary Blog – efax Spam Containing Malware.

Windows 7 and Vista ‘more at risk’ to viruses than XP, says Microsoft | TechRadar

Monday, May 12th, 2014

Windows XP is past its sell-by date, but Microsoft has warned that its comparatively newer operating systems Windows Vista and Windows 7 are more at risk of malware infections.

WINDOWS XP

That’s according to the software giant’s latest Security Intelligence Report, which shows an increased rate of infection for Vista, at 3.24 percent. Windows 7 is lower at 2.59 per cent, compared to 2.42 per cent for XP.

Unsurprisingly, Windows 8 and 8.1 have the lowest infection rates of 1.73 per cent and 0.08 per cent respectively, arguably because they aren’t as popular as their predecessors and therefore present a less lucrative market for the shady hacker underworld.

The figures have been normalised to reflect different numbers of computers running each operating system.

Misleading

Despite the stark warning, security experts think the figures are somewhat misleading. Speaking to The Independent, security researcher Graham Cluley warned that Windows XP is still less secure than newer versions.

He pointed out that the numbers Microsoft has come up with cover a time when Windows XP was still receiving updates, and was thus more secure.

via Windows 7 and Vista ‘more at risk’ to viruses than XP, says Microsoft | News | TechRadar.

FBI Keeps Internet Flaws Secret to Defend Against Hackers – Bloomberg

Wednesday, April 30th, 2014

The Obama administration is letting law enforcement keep computer-security flaws secret in order to further U.S. investigations of cyberspies and hackers.The White House has carved out an exception for the Federal Bureau of Investigation and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses new-found Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates.

The FBI also hacks into computers and networks of adversaries using what are known as remote access operations coordinated by a team at the bureau’s facility in Quantico, Virginia, said a former government official. Most of the malware and computer exploits used are available for purchase online and the operations are authorized by warrants specifying devices targeted, the official said in a phone interview.

via FBI Keeps Internet Flaws Secret to Defend Against Hackers – Bloomberg.

Backdoor PHP AntiSecShell.v0.5 at malware-collection · GitHub

Saturday, April 19th, 2014

[— AntiSecShell(ASS) by 7h3 und3rgr0und h4ck1ng c0mmuni7y | n0 c0n74c7s ju57 3nj0y 4nd pwn wh173h475 | G3n: <?php echo round(gmt()-starttime,4); ?> s3cs —]

<br>c0d3 4 0d4y5 : 0d4y0nwh3v3ryw33k4n0n0ps</font></div>

</body></html>

<?php chdir($lastdirass); ass5h3x17(); ?>

via web-malware-collection/Backdoors/PHP/AntiSecShell.v0.5.txt at master · nikicat/web-malware-collection · GitHub.