Friday, March 28, 2014

Philips smart TVs can be attacked via default wireless connection

The latest firmware in some Philips smart TV models opens an insecure Miracast wireless network, allowing potential attackers located in the signal range to control the TV remotely and perform unauthorized actions.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1jELBpq

Secure Hunter

Thursday, March 27, 2014

Cisco fixes denial-of-service flaws in IOS software for networking devices

Cisco Systems released security updates for its IOS software used on routers, switches and other networking gear in order to fix seven vulnerabilities that could be exploited by attackers to impact the performance of affected devices or force them to reboot.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1fpLaYG

Secure Hunter

Wednesday, March 26, 2014

Microsoft returns to scare tactic well in dump-XP campaign

Microsoft yesterday pulled out a fear-of-God approach to scare users into dumping Windows XP, telling them that the most popular tasks done on a PC will put them in the crosshairs of cyber criminals.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1jNZqhc

Secure Hunter

The Full Disclosure security mailing list is reborn

The recently closed Full Disclosure security mailing list, which served as an open discussion forum for security researchers since 2002, was replaced Tuesday with a new list that will serve the same purpose, but will require former members to resubscribe.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1htXqrz

Secure Hunter

Tuesday, March 25, 2014

ATM malware, controlled by a text message, spews cash

A group of enterprising cybercriminals have figured out how to get cash from a certain type of ATM — by text message.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1jqJkOP

Secure Hunter

Rogue apps could exploit Android vulnerability to render devices unusable

A vulnerability in Android that was publicly disclosed in mid-March could be exploited by malicious applications to force devices into an endless reboot loop, according to security researchers from Trend Micro.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1dlt7Yp

Secure Hunter

Monday, March 24, 2014

Microsoft warns Word users of ongoing attacks exploiting unpatched bug

Microsoft today warned users of Word 2010 that in-the-wild attacks are exploiting an unpatched vulnerability in the software.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1ptETQF

Secure Hunter

Friday, March 21, 2014

Attack hits Web servers with outdated Linux kernels

Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, Cisco Systems said on Thursday.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1r5A7fA

Secure Hunter

Thursday, March 20, 2014

Fake Tor app has been sitting in Apple's App Store for months, Tor Project says

For the past several months Tor developers have unsuccessfully been trying to convince Apple to remove from its iOS App Store what they believe to be a fake and potentially malicious Tor Browser application.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1hLKgaX

Secure Hunter

ATM operators eye Linux as alternative to Windows XP

Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1eruGCj

Secure Hunter

Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes

Mozilla on Tuesday patched five vulnerabilities exploited by researchers last week at the Pwn2Own hacking contest, where they were awarded $200,000 for their collective efforts.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1d3FI28

Secure Hunter

Wednesday, March 19, 2014

The Darlloz Linux worm diversifies to mine cryptocurrencies

A Linux worm that targets routers and set-top boxes is now looking for full-fledged computers to use its new feature, a cryptocurrency mining function, according to Symantec.

Computerworld Malware and Vulnerabilities News






http://ift.tt/PSjk1G

Secure Hunter

Full Disclosure mailing list shuts down indefinitely

The popular Full-Disclosure mailing list that has served as a public discussion forum for vulnerability researchers for the past 12 years was suspended indefinitely by its maintainer.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1j8avcF

Secure Hunter

Monday, March 17, 2014

Sally Beauty admits to payment card data breach

Sally Beauty Holdings confirmed Monday that it fell victim to a data breach, an incident that may have coincided with a project to update point-of-sale terminals at its U.S. stores, a recent regulatory filing shows.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1omBV1H

Secure Hunter

Bitcoin-stealing malware hidden in Mt. Gox data dump, researcher says

An archive containing transaction records from Mt. Gox that was released on the Internet last week by the hackers who compromised the blog of Mt. Gox CEO Mark Karpeles also contains bitcoin-stealing malware for Windows and Mac.

Computerworld Malware and Vulnerabilities News






http://ift.tt/Np9xhm

Secure Hunter

Google patches $310K worth of Chrome, Chrome OS bugs

Google on Friday patched several vulnerabilities in Chrome and Chrome OS within 48 hours of their disclosures at last week’s Pwn2Own and Pwnium hacking contests.

Computerworld Malware and Vulnerabilities News






http://ift.tt/NnGkmZ

Secure Hunter

Saturday, March 15, 2014

Flaw gives backdoor access to some Samsung Galaxy devices

The developers of Replicant, a mobile OS based on Android, claim to have found a backdoor vulnerability in a software component shipped with some Samsung Galaxy devices that potentially provides remote access to users’ private files through the device modem.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1cJBBbs

Secure Hunter

Friday, March 14, 2014

Phishing campaign targets Google Docs, Drive users

Symantec has spotted a phishing campaign leveraging Google Drive that would be hard for users to discern as a scam.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1eCZz3A

Secure Hunter

Major browsers fall during second day at Pwn2Own hacking contest

Security researchers demonstrated zero-day exploits against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox and Adobe Flash Player during the second day of the Pwn2Own hacking competition Thursday, racking up total prizes of $450,000.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1cH5WHH

Secure Hunter

Major companies, like Target, often fail to act on malware alerts

Companies that suffer major data breaches almost always portray themselves as victims of cutting edge attack techniques and tools. The reality, though, is often much more mundane.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1oTWgJV

Secure Hunter

The new security perimeter: Human Sensors

Security Manager George Grachis discusses the current cyber threat landscape and why Human Sensors, our users, are our most underutilized resource and can make all the difference.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1m2KGiE

Secure Hunter

Thursday, March 13, 2014

Adobe patches a critical flaw in Shockwave Player

Adobe Systems released a new security update for Shockwave Player in order to fix a critical vulnerability that could allow attackers to remotely take control of affected systems.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1nWi8pF

Secure Hunter

Lawmakers don’t ask NSA chief about reports it plans to plant malware

U.S. lawmakers had a chance to pose questions to the director of the National Security Agency on Wednesday but declined to ask him about reports that the agency plans to install malware on millions of computers.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1oOR2iO

Secure Hunter

Wednesday, March 12, 2014

Adobe patches two important Flash Player flaws

Adobe released updates for Flash Player that fix two vulnerabilities that could allow attackers to bypass security controls in the software.

Computerworld Malware and Vulnerabilities News






http://ift.tt/PuHoHH

Secure Hunter

Tuesday, March 11, 2014

GPS tech built to find missing aircraft not always used

Aviation experts have cited multiple possible reasons for the problems in the multi-country effort to locate the Malaysia Airlines jetliner that dropped off the grid over the South China Sea four days ago.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1nJxSvW

Secure Hunter

Microsoft Patch Tuesday rounds up IE flaws

For this month's "Patch Tuesday" round of bug fixes, Microsoft has focused on correcting multiple vulnerabilities in Internet Explorer (IE), including one that is already being used in targeted attacks.

Computerworld Malware and Vulnerabilities News






http://ift.tt/PqbeNA

Secure Hunter

Monday, March 10, 2014

Joomla receives patches for zero-day SQL injection vulnerability, other flaws

Recently released security updates for the popular Joomla content management system (CMS) address a SQL injection vulnerability that poses a high risk and can be exploited to extract information from the databases of Joomla-based sites.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1i68zCJ

Secure Hunter

Sunday, March 9, 2014

Perspective: Microsoft risks security reputation ruin by retiring XP

Microsoft’s plans to ship the final public patches for Windows XP on April 8 could undo its hard-won reputation for security and hurt itself as much as the customers who end up with an infected XP system.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1ipUQcD

Secure Hunter

Friday, March 7, 2014

U.S. retailers insist on PIN requirement in smartcard rules

U.S. retailers are digging in their heels over their need for PIN authentication for Europay MasterCard Visa (EMV) smartcard use here.

Computerworld Malware and Vulnerabilities News






http://ift.tt/NHhUWr

Secure Hunter

Thursday, March 6, 2014

Defining how a no-holds-barred Russia-Ukraine cyberwar would play out

With some opening shots in a cyber component to the war of nerves in the Ukraine already fired, security analysts today offered a look at how a full-fledged cyberwar in the region would unfold.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1jYg4Ma

Secure Hunter

Microsoft plans to patch critical under-attack IE bug next week

Microsoft will deliver five security updates to customers next week, two tagged as “critical,” including one that will quash the open vulnerability in Internet Explorer that hackers have been exploiting since January.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1g3O5Kf

Secure Hunter

Cisco patches flaws in routers, wireless LAN controllers

Cisco Systems released new firmware versions for some of its small business routers and wireless LAN controllers in order to address vulnerabilities that could allow remote attackers to compromise the vulnerable devices or affect their availability.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1fKOoVA

Secure Hunter

Wednesday, March 5, 2014

Withdrawal vulnerabilities allowed bitcoin thieves to hit Flexcoin and Poloniex

Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1fHUmfQ

Secure Hunter

Pre-installed malware found on new Android phones

Tuesday, March 4, 2014

MSRT January 2014 – Bladabindi


This month the Malicious Software Removal Tool (MSRT) includes a new malware family – MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download.


Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook messages and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. We added Bladabindi to the MSRT due to its prevalence throughout 2013.


Figure 1: Telemetry data showing the prevalence of Bladabindi


Bladabindi variants can be created by using the Remote Access Tool (RAT) known as "NJ Rat". We detect this RAT as VirTool:MSIL/Bladabindi.A. Bladabindi can also be downloaded by recent variants of Jenxcus family, which likely has the same author as Bladabindi.


Recently its author released a dedicated downloader to download Bladabindi and run it directly from memory – we detect this as TrojanDownloader:MSIL/Bladabindi.A.


Bladabindi variants are usually installed with an enticing name and icon to trick people into running it. The following are some sample file names:



  • فيس بوك.exe – (Facebook.exe)

  • فيديو قتلى المجموعات الإرهابية.exe – (Video killed the terrorist groups.exe)

  • ! My Picutre.SCR

  • Windows_7_Activators.exe

  • hot.exe

  • StartupFaster.exe


Below are some sample icons:


Figure 2: Some file icons used by Bladabindi


Bladabindi is written in VB.NET, and usually obfuscated with various .NET obfuscators to avoid detection. It uses undocumented APIs to make itself a critical process, which will cause a system crash if it is terminated. This can make it difficult to remove from your PC while the malware is running. MSIL/Bladabindi also has backdoor functionality, including:



  • Using your camera to take pictures

  • Running files

  • Registry manipulation

  • Remote shells

  • Key logging

  • Screen captures

  • Loading plugins dynamically

  • Updating

  • Uninstalling

  • Restarting


From information we collected, it seems Bladabindi's author tries to show their ability to develop malware, to help their chances of being hired on to other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.


Figure 3: Bladabindi author's Twitter page


Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. Do you remember the infamous Win32/Hupigon worm? That was another case where a malware author wrote a backdoor but claimed they didn't distribute it.


As usual, the best protection from Bladabindi, and from other malware or potentially unwanted software, is to have up-to-date security software installed and to be aware of the risks of social engineering.


Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng

MMPC






Microsoft Malware Protection Center






http://ift.tt/1f5AoFT

Secure Hunter

Protection metrics – December results


Happy New Year! December 2013 was an exciting month for monitoring our protection results and watching malware trends. The good news – our customer infection rate for December (0.06 percent) was lower than any other month in 2013 and one third the size of our peak in October. The Win32/Sefnit trio mentioned in the October and November 2013 results declined even more significantly than last month. Even better, Win32/Sirefef malware development appears to have stopped after the disruption effort led by the Microsoft Digital Crimes Unit. Win32/Wysotot also suffered significant declines. More on these families in the year in review section below.


As for our other protection metrics, our performance metrics were consistent, and although incorrect detections remained low, we picked up one more crafted file attack. This was a specially crafted clean file designed to trick antimalware vendors into incorrectly detecting a good program as malicious. This file raised our impact to 0.001 percent (or one in 100,000, compared to normal months where the impact is closer to 1 in 1,000,000). Along with improving our own processes to thwart these attack attempts on our systems, Dennis Batchelder and Hong Jia gave a presentation on this attack technique at VirusBulletin to help other vendors (from our data, we could see that several vendors also appeared to be targets) discover and prevent these attacks from affecting customers.


Malware infections – Year in review


December 2013 was a good end to a tumultuous year. Figure 1 shows that although in this last quarter, our infection rates rose primarily due to the Sefnit trio, our overall rates ended on a good note with the decline of many malware families. Although fighting malware can often feel like whack-a-mole, seeing major families disappear into oblivion and the overall malware infection rate decline feels like a win in our industry.


Figure 2 highlights several major families that, earlier in the year, were contributing significantly to infections affecting Microsoft customers, in addition to the overall infection rate (also shown on our protection metrics trend page).


Figure 1: 2013 average daily infection rates


Figure 2: 2013 malware infections by family


First, I'll talk about FakeRean. This family poses as fake security software, which, as a category, took a dive in 2013 as we reported in the last Security Intelligence Report (SIRv15). FakeRean practically disappeared by July 2013.


Next, the Sefnit trio. Sefnit, a family that has been around for some time, made a strong comeback in 2013 and was given a strong assist by several trojans (Rotbrow and Brantall) used to distribute it. We took the fight to several fronts. One of the methods of distribution for Sefnit is through Tor. We worked with the Tor project to clean up the clients that were installed by Sefnit, preventing further abuse. We also took out the new distributors – Rotbrow and Brantall – reaching out to our MVI and VIA partners to ensure they also detected them. By December 2013, all three were in significant decline, and Sefnit impact is down to a trickle in comparison to the surge we saw in September and October 2013.


Wysotot, a new family that emerged late in 2013, hit a few highs in October and November, but slowed per our telemetry in December.


Last but not least, Sirefef. This family started becoming very prevalent in 2012. Originally focusing on click fraud and employing techniques that make it very difficult to remove once installed, this threat quickly became a concern. In 2013, we started collaborating with the Digital Crimes Unit to apply some novel disruption techniques to squeeze this malware family out of existence. As figures 2 and 3 show, it worked. The malware authors even responded with a somewhat humorous "white flag" in their code and appear to have stopped development of their family altogether.


Figure 3: Sirefef encounters for Microsoft real-time protection customers


Of course these families could make a comeback. We'll be here waiting for them when they try.


Holly Stewart


MMPC






Microsoft Malware Protection Center






http://ift.tt/1f4w9dT

Secure Hunter

Steer clear of site offering to help get back lost Mt. Gox bitcoins

Empty-handed customers of bankrupt bitcoin exchange Mt. Gox are being targeted in a ploy likely intended to distribute malware.

Computerworld Malware and Vulnerabilities News






http://ift.tt/1q0zO5m

Secure Hunter

Monday, March 3, 2014

A journey to CVE-2013-5330 exploit

Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (CVE-2013-5330). This vulnerability was addressed with a patch released by Adobe on November 12, 2013. On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable.


We had a chance to analyze how the attacks work and noted some interesting details from our investigation.


The malicious file has been distributed as a .swf file protected with the secureSWF obfuscator, and it has been designed as a “one-stop” attack. It contains the vulnerability’s trigger, the heap spray and shellcode, and an encrypted PE file (see figure 1).


Figure 1: The malicious .swf file


This .swf exploit can be hosted on a web server and run when the webpage is visited. When the .swf is loaded, the vulnerability is triggered. The .swf bypasses the validation of the memory range and is able to access arbitrary locations. It builds a deliberately crafted VTABLE (figure 2) and uses it to pass control to a controlled location, which contains the “Shim” code (a small piece of code that runs before the shellcode is executed), as shown in figure 3.


Figure 2: Crafted VTABLE for control transfer


Figure 3: The “Shim” code


The “Shim” code calls VirtualProtect() to make the shellcode memory area writable and executable. After the VirtualProtect() call, the control is passed to the shellcode. The shellcode is short and pithy – only 140 bytes (see figure 4).


Interestingly, the shellcode doesn’t contain the code to resolve the API addresses. Instead, the API addresses are resolved by the ActionScript (see figure 5 – the placeholders for the API addresses are marked in red).


The shellcode simply drops a PE file (already decrypted by the .swf) to the %temp% directory and loads it with a LoadLibrary() call. The dropped PE file (SHA1: 05446C67FF8C0BAFFA969FC5CC4DD62EDCAD46F5) is detected as TrojanSpy:Win32/Lurk. The telemetry for this file is shown in figure 6.


Figure 4: Short and sweet “shellcode”


Figure 5: The ActionScript used to generate the shellcode


Figure 6: TrojanSpy:Win32/Lurk infected machines


We have received reports that an iframe loading this malicious .swf file has been injected into some clean or benign websites. Visiting these websites with an outdated version of Flash Player can lead to a compromise of the machine.


If you're using Flash Player version 11.9.900.117 or earlier, you need to update your Flash Player now to be protected against these attacks.
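The two defensive facts in this post, the vulnerable version ceiling (11.9.900.117 and earlier) and the SHA1 of the dropped Lurk file, are the kind of thing a responder wants to check mechanically. The following is an added example, not MMPC's code: it compares a Flash version string against the ceiling numerically (plain string comparison gets "11.10.x" wrong) and hashes the files in a directory such as %temp% against a set of known-bad SHA1 values. The helper names, the constructed sample files in `demo_scan()` and the idea of scanning %temp% are assumptions of this example; only the version number and the hash come from the post.

```python
import hashlib
import tempfile
from pathlib import Path

# From the post: Flash Player 11.9.900.117 and earlier on Windows are vulnerable to CVE-2013-5330.
LAST_VULNERABLE_FLASH = (11, 9, 900, 117)
# SHA1 of the dropped PE (TrojanSpy:Win32/Lurk) quoted in the post, lower-cased for comparison.
LURK_SHA1 = "05446c67ff8c0baffa969fc5cc4dd62edcad46f5"


def parse_version(text):
    """Turn '11.9.900.117' into (11, 9, 900, 117); missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def flash_is_vulnerable(version_text):
    """True if the installed version is at or below the last vulnerable build."""
    # Tuples compare field by field as integers, so 11.10.0.0 correctly sorts above 11.9.900.117.
    return parse_version(version_text) <= LAST_VULNERABLE_FLASH


def sha1_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA1 so large files do not need to be read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_matches(directory, known_bad=frozenset({LURK_SHA1})):
    """Hash every regular file directly under `directory`; return sorted paths whose SHA1 is in known_bad."""
    known_bad = {h.lower() for h in known_bad}
    hits = []
    for entry in Path(directory).iterdir():
        if entry.is_file() and sha1_of_file(entry) in known_bad:
            hits.append(str(entry))
    return sorted(hits)


def demo_scan():
    """Self-contained demonstration on a constructed temp directory; no real malware is involved.

    The stand-in file's own hash plays the role of the IoC, because the real sample is not
    reproduced here. Returns the matched file names.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"constructed benign content")
        planted = Path(tmp) / "suspicious.tmp"
        planted.write_bytes(b"constructed stand-in for a dropped file")
        watch_list = {sha1_of_file(planted), LURK_SHA1}
        return [Path(hit).name for hit in find_ioc_matches(tmp, watch_list)]


if __name__ == "__main__":
    for v in ("11.9.900.117", "11.9.900.152", "11.10.0.0", "12.0.0.38"):
        print(f"Flash {v}: {'VULNERABLE' if flash_is_vulnerable(v) else 'patched'}")
    print("demo matches:", demo_scan())
    # Real use: point the scan at the directory %temp% resolves to on this machine.
    print("matches in temp dir:", find_ioc_matches(tempfile.gettempdir()))
```

A hash match is a confirmation, not a complete detection: a recompiled or re-encrypted drop of the same trojan will not share this SHA1, so the version check (which flags the exposure regardless of payload) is the more durable of the two.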


Chun Feng

MMPC





Microsoft Malware Protection Center






http://ift.tt/1dWbXvc

Secure Hunter