Categories
Computer & Network Security>Malware

Top 5 malware that kept researchers up at night

Which malicious code would be most frightening if sinister pieces of malware could rise from the dead on Halloween? Well, malware researchers spend all their time working with the creations of people who intend others harm, so you might expect they would be pretty immune to nervousness about the effects of malicious code. And it is true; a lot of us are very jaded about your average malware. Researchers certainly have a sense of the potential danger of the materials we are working with and are appropriately cautious, but there are some threats that are so scary that we will double or triple-check everything to make sure we cannot possibly let it loose somewhere accidentally.

While there are certainly other malware that has been more costly to fix or which spread much more widely, in terms of inconvenience or outright damage the following are the five malware that really give me the creeps:

1. CIH (aka Chernobyl)
CIH is the oldest of the malware on this list, and it was first discovered in 1998. This virus caused such pain for its victims that it was brought up in the news every year for ages, and almost every year it seemed to have a brand new nickname in the press, but the one that stuck was related to its particular payload.CIH would spread by hiding itself in “empty” spaces within innocent files, which made it very hard to clean – the size of those empty spaces varies a lot, so the virus code could be broken up in different ways, so it was hard to be sure that cleaning routines got every last bit of it out of a file. That could mean possibly manually replacing a lot of damaged executable files.Worse than that, if your system was still infected on April 26th (the anniversary of the Chernobyl disaster, which was speculated by some to be why the date was chosen) the virus was set to overwrite the first megabyte of the hard-drive, which made the computer hang or blue-screen. In some cases the virus would even flash the BIOS, which is to say it rendered the computer completely unusable by overwriting code on a chip attached to the motherboard that enables computers to turn on. This virus hit over a million computers worldwide, and stuck around for many years after the last variant was found.

2. ExploreZip
ExploreZip is a pretty old virus too, first discovered in 1999. This comes from back in the days when people started using the term “blended threat” to describe the increasingly popular tactic of worms spreading by using a variety of different mechanisms. This one spread both by replying to your unread email with a copy of itself, and by searching for network shares that it could silently copy itself to. Once it was executed, it showed an error message that seemed to indicate that you’d just run a corrupted ZIP file.So far, pretty mundane stuff. But in the background, this virus overwrote .DOC files and certain programming source files with zeroes, which meant the files were destroyed in a way that could not be undone without resorting to expensive data recovery techniques.

3. CryptoLocker
CryptoLocker is the newest threat on this list, having first been discovered in the last few months. It too causes changes to affected users’ files such that they may be beyond repair. This malware is considered ransomware, which means that it scrambles files from a list of different file-types, if the scammer is not paid $300 within a fixed time frame of a few days.That list of file-types it seeks is very extensive, so the odds are good that if you do not have a backup of your data files, they will soon be completely garbled. Sometimes with ransomware we will get lucky and there will be some sort of clue in the files or weakness in the encryption that will allow us to figure out how to decrypt the files. But as this uses asymmetric encryption (similar to the technique used by commercial products), without the attacker’s key the files cannot be retrieved.

4. Mebromi
Mebromi is a nasty beast that was discovered in 2011, which takes a tip from CIH in that it flashes the BIOS to store some of its code. This puts part of its code outside the confines of the hard disk, which means it is outside the reach of the usual software-based cleaning mechanisms. As this would mean monkeying with the motherboard, this is a process that would probably require a trip to a repair shop.

5. ZMist
You may have heard of polymorphic viruses, which are viruses that change the appearance of their code from one infection to the next so that they appear different enough to hopefully fool anti-malware scanners. The problem with this is that the code used to change itself is static, and can be used by scanners as a way to identify the virus. ZMist, which was discovered in 2002, was called a “metamorphic” virus because it took this idea to an even more complicated level. Rather than simply changing its appearance, it contained code to completely recompile itself from one infection to the next. This made it incredibly difficult to detect, with the technology that was available at the time.

These malware are all terribly unnerving in that they work hard to elude removal or create permanent damage on infected machines. But none of these threats managed to be truly undetectable, and most of them will not work at all on the latest versions of Windows.

The first two threats managed to become quite widespread, and they genuinely did cause a lot of damage. Because threats are now mostly financially motivated, it is generally not a good idea for them to announce their presence by causing a lot of damage on affected systems, as they are effectively killing their source of income. CryptoLocker is something of an exception to this rule, as some people are apparently paying to get their data back, but it is not truly damaging the files so much as rendering them unusable. But if you have backed up your data, this is merely an annoyance rather than a genuine problem.

The last two threats had researchers on tenterhooks for a while, as it could really have caused some major headaches or necessitated some changes in defensive technology, if malware authors had continued development of these strategies. But the thing is, malware authors looking for financial gain are not going to sink more of their time or money into development than they need to. Enough people are not employing good security practices that malware authors are able to make a considerable amount of money with much less complicated techniques.
Malware authors do not need to develop the most stealthy, armor-piercing creations imaginable to get what they want. But at the same time, this means you will not need bulletproof technology to defend yourself. For most people, practicing above average security hygiene–including good, up-to-date antivirus–is enough to evade most threats.

The post Scary Code: Top 5 malware that kept researchers up at night appeared first on:
We Live Security.

View article…

Categories
Information Security>Data Breach|Compliance>Encryption|Compliance>Privacy|Social Engineering|Computer & Network Security>Vulnerabilities

MongoHQ Hacked

This goes to show that application dev is not necessarily the biggest risk.  Information Security isn’t tied to any single domain of IT or business.  It’s a complex relationship between every aspect.

http://techcrunch.com/2013/10/29/hosting-service-mongohq-suffers-major-security-breach-that-explains-buffers-hack-over-the-weekend/

http://security.mongohq.com/notice

Categories
Information Security>Data Breach|Social Engineering>Phishing|Compliance>Privacy

Phishing With Linkedin’s Intro

In the everchanging landscape of social media, the latest ‘features’ can often be the newest vulnerabilities.  Social engineering techniques have become very sophisticated, and can be a real problem for enterprises.  Take the recent changes to LinkedIn and the threat they post in the form of phishing emails: http://jordan-wright.github.io/blog/2013/10/26/phishing-with-linkedins-intro/

Are your end users’ prepared to spot a well crafted spear phishing email like this?  We can help you find out.

[av_button label=’Find Out How’ link=’page,1298′ link_target=’_blank’ color=’theme-color’ custom_bg=’#444444′ custom_font=’#ffffff’ size=’small’ position=’right’ icon_select=’no’ icon=’ue800′ font=’entypo-fontello’]

Categories
Computer & Network Security>Malware|Research|Computer & Network Security>Vulnerabilities

PHP source code compromised?

Source: http://barracudalabs.com/2013/10/php-net-compromise/ 

It was announced that the PHP website was hacked and serving malware.  If the attackers had access to their internal servers, can we trust the PHP sourcecode anymore?

So far PHP Group has been unable to determine the cause of an infection to two of their servers.  According to their reports, they have recreated web servers and have revoked the PHP SSL cert and are reissuing it in case the private key was compromised.

According to Rasmus Lerdorf, PHP creator, “Not much to say about the effect on end users who visited the site during that time because the windows where the changed file was actually being served were really small and our focus has been on establishing the integrity of the PHP source code we distribute…” http://www.infoworld.com/d/security/phpnet-compromised-and-used-attack-visitors-229531

From a security perspective, it sounds like the source code is their priority, but they can’t tell us whether or not it has been compromised or not.  This does not leave much room for comfort in the integrity of the source code at the moment.  We will continue to monitor this closely.  Considering over 85%* of the web is run using PHP, this could be a serious blow to open source developers and their level of security.

Other references: http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/

*http://w3techs.com/technologies/overview/programming_language/all

See an update on who was affected by the attack.

 

Categories
Research

VERIS Community Database (VCDB)

VERIS as described by it’s creators:

“One of the most critical and persistent challenges plaguing efforts to manage information risk is a lack of data. To aid removal of this barrier to more widely available security data, we offer the Vocabulary for Event Recording and Incident Sharing (VERIS) for public consideration and use. VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. The overall goal is to lay a foundation on which we can constructively and cooperatively learn from our experiences to better manage risk.”

Categories
Research|Computer & Network Security>Vulnerabilities

Real Time Cyber Attack Viewer

Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Microsof October Security Bulletin

This summary includes 4 critical and 4 important vulnerabilities.

Source: http://technet.microsoft.com/en-us/security/bulletin/ms13-oct