Malware | Bach Seat

Tag Archive for Malware

RB | August 2, 2012

Malware Launches Massive Print Jobs

If your printers start printing garbage characters until they run out of paper, it’s a sure sign your network has been hit by the Milicenso Trojan malware. Help Net Security reports that Symantec (SYMC) researchers have found that the garbled printouts are just a side effect of the infection and not its goal. The malware’s last variants have an extremely low detection rate – only 4 of the 42 solutions used by Virus Total detect them at the moment.

The article says the Milicenso Trojan is actually a backdoor used to deliver other malware on the affected machines. The infection vectors are links and malicious attachments in unsolicited emails, as well as websites hosting malicious scripts that trigger the download of the Trojan. “The Trojan creates and executes a dropper executable, which in turn creates a DLL file in the %System% folder”, shared the Symantec researchers.

The heavily encrypted DLL file creates a number of EXE and DLL files and uses a number of routines to discover whether the execution environment is a virtual machine, public malware sandbox or a black-boxing site. The Trojan also drops a piece of adware, whose aim is to serve as a decoy for AV solutions present on the machines. The blog says the Adware.Eorezo has only one goal: to point Internet Explorer to an ad-relater URL.

Sandbox environment Help Net Security explains the malware triggers the massive printing by exploiting the Windows default print spooler directory. “During the infection phase, a .spl file is created in [DRIVE_LETTER]system32Spool PRINTERS[RANDOM].spl. Note the Windows’ default print spooler directory is %System%spoolprinters.”

The researchers explained “The .spl file, while appearing to be a common printer spool file, is actually an executable file and is detected as Adware.Eorezo. Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs.”

rb-

I have written about the risks of copiers and printers here and here. I’m sure someone will figure out how to use this malware as a direct DOS on printers, and not as a side effect.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2012, Malware, Microsoft, MSFT, Printer, Security, Symantec, Windows

RB | July 25, 2012

Comments Off

Social Media Malware Launch Pads

Social networks’ role in the growth of the global virtual society has been well documented. What is not so well documented according to Help Net Security is the role social media has in spreading malware. The security and privacy mechanisms of social networking firms such as LinkedIn (LNKD), Twitter, and Facebook (FB) have proven insufficient to prevent exploitation.

The article notes that “To Err is Human,” and human errors lead to exploitation and manipulation whether the social network is online or offline. Social media hold a plethora of personal information on the users that create the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. When an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content into the network. The network’s connectivity enables the spread of exploitation. The blog explains that attackers exploit the weakest link in the chain.

The inability of users to determine the legitimacy of content flowing through the social media helps this exploitation process. Help Net Security says the biggest problem with online social networks is that they do not have built-in protection against malware. For example, current social networks do not scan the URLs and embedded content coming from third-party servers such as Content Delivery Networks. Therefore, there is no way to authenticate the URLs passed among the user objects in the social networks.

The infection process begins with the exploitation of human ignorance and followed by the spreading of the malware through the trust upon which the network is based.

The article further explains that to start the exploitation process, an attacker will pick an issue that affects human emotions to evoke a response so the social network user will do something the attacker wishes. Phishing and spam messages about weather calamities, politics, and financial transactions are used for starting infections. The author states that since social network exploitation begins by exploiting an individual’s ignorance common attack strategies have emerged.

One of the simplest infection techniques is to put malicious URLs on a user’s Fac eb ook message wall. When a user clicks on an illegitimate hyperlink it can result in the automatic download of malware through the browser. Some of the exploits used are:

Browser Exploit Packs (BEP) fingerprint the browser version and other software on the user machine. Based on this information, a suitable malware is served to the user which uses exploits for that particular browser.
Drive-by-Download attacks begin by visiting a malicious page. They exploit vulnerabilities in browsers and plugins. Successful exploitation of the vulnerability causes a shellcode to run that in turn downloads the malware into the system.
Malicious advertisements (malvertisements) happen when an attacker injects a malicious link into a user’s Facebook wall to spread malware. The fake post is linked to a third-party website that has malicious advertisements embedded in it. These advertisements are linked to malicious JavaScripts which execute the malicious content in the browser.

Help Net Security states that online social media is not harnessing the power of Safe Browsing API’s from Google (GOOG) or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.

Microsoft (MSFT) recently spotted a Facebook attack in the wild that exploited Facebook user’s trust in a social engineering campaign. The attack tries to trick Facebook users into installing a backdoor Trojan with keylogging capabilities according to the Help Net Security report.

MSFT says the Facebook Wall messages varied but they all lead to fake YouTube pages. Once there, the user is urged to download a new version of “Video Embed ActiveX Object” to play the video file. Unfortunately, the offered setup.exe file is the Caphaw Trojan.

The trojan bypasses firewalls, installs an FTP and a proxy server, and a key logger on the affected machine. Microsoft’s Mihai Calota says ” … has built-in remote desktop functionality based on the open-source VNC project.” MSFT says the Facebook attack can be used to steal money, “We received a report .. that money had been transferred from his bank account … The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.”

rb-

The articles correctly state that security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity, and ignorance of the social network customers to their own profit. Users should demand safe and secure transmission of the information and the user’s privacy. These should also be a focus of the social networking companies.

To protect themselves, users should:

Have up to date AV software running on their computers
Keep their browsers and operating systems fully patched
Change the passwords on all their sensitive accounts regularly
Warn friends and Facebook if an account seems to be hacked by using the Facebook “report/mark message as spam” option.

Facebook denies malware risk from message bug (go.theregister.com)

Category: Uncategorized | Tags: 2012, Browser exploit, Content delivery network, Drive-by download, Facebook, FB, GOOG, Google, JavaScript, LinkedIn, LNKD, Malware, Microsoft, MSFT, Security, Social media, YouTube

RB | May 8, 2012

Comments Off

Unknown Malware Rampant in Enterprise Networks

Unknown malware plague enterprise networks according to network security company Palo Alto Networks. Help Net Security reports that Palo Alto Networks found hundreds of unique, previously unknown malware samples on live networks. Palo Alto Networks conducted the research with their new WildFire malware analysis engine.

DarkReading says that the cloud-based WildFire analysis engine found that seven percent of all unknown files analyzed contained malware. WildFire is a new service recently announced by Palo Alto Networks that integrates in-line firewalling with automated cloud-based malware analysis. Over a three-month period of analyzing unknown files from the Internet entering enterprise networks,the firm discovered more than 700 unique malware samples, 57 percent of which had no coverage by any antivirus service or were unknown by Virus Total at the time of discovery. Out of all the new malware identified, 15 percent also generated malicious or unknown outbound command and control traffic.

The firewalls identify unknown and potentially malicious files by executing them in a virtual cloud-based environment to expose malicious behavior even if the malware has never been seen in the wild before. Wade Williamson, Senior Security Analyst at Palo Alto Networks says, “WildFire is taking sandbox technology out of the lab and applying it to a real product … customers can detect and protect themselves against malware using the hardware that they already have deployed today.”

For malicious files, Palo Alto Networks automatically generates new signatures for both the file itself and for any traffic generated by the malicious file. These signatures are then distributed with regular signature updates, as well as providing the user with actionable analysis of exactly how the malware behaves, who was targeted, and what application delivered the threat.

“I think we were all a bit surprised by the volume and frequency with which we were finding unknown malware in live networks,” the Senior Security Analyst said. “Unknown malware often represents the leading edge of an organized attack, so this data really underscores the importance of getting new anti-malware technologies out of the lab and into the hands of IT teams who are on the front lines. The ability to detect, remediate and investigate unknown malware needs to become a practical part of a threat prevention strategy in the same way that IPS and URL filtering are used today.”

Palo Alto Networks found that a variety of web applications distributed zero-day malware, in addition to the traditional HTTP web-browsing and email traffic commonly associated with malware distribution. WildFire was able to identify specific phishing campaigns based on their affinity for particular applications. One attacker used AOL Mail and another used the Hotfile file hosting service as the delivery vector.

“It’s important to note this because many enterprises only inspect email or FTP traffic for malware but do not have the ability to scan other applications. Applications that tunnel within HTTP or other protocols can carry malware that will be invisible to a traditional anti-malware solution,” said Williamson. “These are examples of the big reasons why a lot of malware gets missed – most enterprises only focus on scanning their corporate email application. To control this problem we need to expand our view to other applications, pull the traffic apart, and go a level deeper in to find out if there’s a file transfer happening.”

Taking the Leap to Cloud-Based Malware Inspection (circleid.com)
Debate Over Facebook Use At Work Gets New Compromise From Palo Alto Networks Firewall (allfacebook.com)

Category: Uncategorized | Tags: 2012, Cloud computing, Malware, Network security, Palo Alto Networks, Security, VirusTotal.com, WildFire

RB | April 12, 2012

2 comments

What is Malware?

Most users I talk to about malware seem to use the following terms interchangeably; malware, virus, trojan, keylogger, worm, backdoor, bot, rootkit, ransomware, adware, spyware, and dialer. Raymond.cc offers some standard definitions to clarify the conversations.

Malware is short for Malicious Software where all the terms above fall into this category because they are all malicious. The different term being used instead of just plain virus is to categorize what the malicious software is capable of doing.

Virus spreads on its own by smuggling its code into application software. The name is in analogy to its biological archetype. Not only does a computer virus spread many times and make the host software unusable, but also runs malicious routines.

Trojan horse/Trojan is a type of malware disguised as useful software. The aim is that the user executes the Trojan, which gives it full control of your PC and the possibility to use it for its own purposes. Most of the time, more malware will be installed in your system, such as backdoors or key loggers.

Worms are malicious software that aims at spreading as fast as possible once your PC has been infected. Unlike viruses, it is not other programs that are used to spread the worms, but storage devices such as USB sticks, communication media such as e-mail, or vulnerabilities in your OS. Their propagation slows down the performance of PCs and networks, or direct malicious routines will be implemented.

Key loggers log any keyboard input without you even noticing, which enables pirates to get their hands on passwords or other important data such as online banking details.

Dialers are relics from a time when modems or ISDN were still used to go online. They dialed expensive premium-rates numbers and thus caused your telephone bill to reach astronomic amounts. Dialers have no effect on ADSL or cable connections, but they are making a comeback with mobile devices and QR codes (I covered Attaging here).

Backdoor / Bots is usually a piece of software implemented by the authors themselves that enable access to your PC or any kind of protected function of a computer program. Backdoors are often installed once Trojans have been executed, so whoever attacks your PC will gain direct access to your PC. The infected PC, also called “bot”, will become part of a botnet.

Exploits are used to systematically exploit vulnerabilities of a computer program. Whoever attacks your PC will gain control of your PC or at least parts of it.

Spyware is software that spies on you, i.e. collect different user data from your PC without you even noticing.

Adware is derived from “advertisement”. Besides the actual function of the software, the user will see advertisements. Adware itself is not dangerous, but tons of displayed adverts are considered a nuisance and thus are detected by good anti-malware solutions.

Rootkit mostly consists of several parts that will grant unauthorized access to your PC. Plus, processes and program parts will be hidden. They can be installed, for instance, through an exploit or a Trojan.

Rogues / Scareware are also know as “Rogue Anti-Spyware” or “Rogue Anti-Virus”, rogues pretend to be security software. Often, fake warnings are used to make you buy the security software, which the pirates profit from.

Ransomware “Ransom” is just what you think it is. Ransomware will encrypt personal user data or block your entire PC. Once you have paid the “ransom” through an anonymous service, your PC will be unblocked.

There are different categories of malware the author says that most of the malware today combines different kinds of malware to achieve a higher rate of infection and giving more control to the hacker. Most malware is invisible that runs silently without your knowledge to avoid detection except for ransomware and adware.

Using “virus” as a catch-all phrase to include all types of malware is no longer right. The correct word to use should be malware. However, don’t expect the big anti-virus companies to rebrand their products to Kaspersky Anti-Malware or Bitdefender Anti-Malware because doing that may risk losing their brand identity even if they do offer a complete anti-malware solution.

The blog says it doesn’t mean that you’re safe if you don’t see it so it is important to run an anti-virus software from reputable brands such as Kaspersky, ESET, Avast, Avira, AVG (at one time AVG was installing a Yahoo toolbar without notice) MSE together with a second opinion anti-malware such as HitmanPro, Malwarebytes Anti-Malware, and SUPERAntiSpyware. As for Emsisoft Anti-Malware, it comes with its own Anti-Malware engine and Ikarus Anti-Virus Engine.

Flashback Trojan affects around 600,000 Macs (macmusings.wordpress.com)

Category: Uncategorized | Tags: 2012, Anti-Virus, Attaging, Avast, AVG Technologies, Avira, Botnet, Computer, ESET, Kaspersky, Malware, Ransomware, Security, Spyware, Trojan Horse, Virus

RB | March 20, 2012

One comment

Spyware Prevention 101

Spyware goes by many names, including adware, malware, crimeware, scumware, and snoopware. No matter what you call it, spyware’s purpose is still the same: to steal your personal information (PII).

Help Net Security says that once hackers have your personal information they can steal your identity, use your credit cards, siphon funds from your bank accounts, and more. Simply put: it’s bad news and you want nothing to do with it.

The good news, according to the article, is that spyware prevention is possible and there are many ways to keep these dangerous programs at bay. In addition to installing the right software, users can practice these computer security tips from Broomfield, CO-based Internet security firm Webroot:

Download software directly from the source. The article says a common way to get a spyware infection is to install free or pirated programs from file-sharing sites which have been booby-trapped with malware.
Set your browser security settings to “high” and protect yourself from “drive-by” downloads and automatic installations of unwanted programs.
Avoid questionable websites, such as those featuring adult material. They’re notorious for spreading spyware threats and causing users problems.
Use a firewall.
Be suspicious of email and IM.
Don’t open attachments unless you know the sender and are expecting a file from them.
Delete messages you suspect are spam (don’t even open them).
Avoid clicking on links within messages.
Do not give personal information to unsolicited requests even if they seem legitimate.
If you receive a request for personal information from your bank or credit card company, contact that financial institution directly, but do not click on a link embedded in the email message.

rb-

Amichai Shulman – CTO, Imperva posted that the credentials to a Hotmail account are worth $1.50 and a Gmail account is worth over $80 to cyber-criminals. Gmail is more valuable to the attacker because of the wide variety of other Gmail cloud services that can be accessed through Gmail credentials.

It is also likely that credentials used by a person for one application will most work on other applications as well. It is not uncommon for people to have the same username and password used for their Facebook account, their Twitter account, their Airline Frequent Flyer account, or any application that uses their Gmail account as the application account name.

That’s why spyware is bad.

Save Your Smartphones from Spyware and Malware Invasion (cellphones.org)
Google Intros ‘Bouncer’ Security System for Android Market (phonescoop.com)

Category: Uncategorized | Tags: 2012, Gmail, GOOG, Google, Imperva, Malware, PII, Security, Spyware, Webroot

« Older Entries Recent Entries »

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Bach Seat

Tag Archive for Malware

Malware Launches Massive Print Jobs

What is Malware?

Related articles

Spyware Prevention 101

Related articles

Meta