
Hamweq Worm Brings a Mountain of Malware

2013-01-15

For an early Christmas present, the Internet gave our ThreatVision research team a worm malware called Hamweq. It’s the kind of unsubtle “gift” that keeps on giving, though most other people wouldn’t appreciate its prolific malicious activity.

The Hamweq malware, which had copied itself onto one of our UK-based research honeypots in mid-December, uses an IRC server in China to receive command-and-control instructions, and behaves as a typical botnet client. As a worm, it also attempts to exploit vulnerabilities in Windows computers in order to propagate; this appears to be how it ended up on the honeypot in the first place.

Our sample continues to actively retrieve new malware payloads from a variety of Web hosts located around the world, and periodically engages in a wide range of undesirable activities, including scanning for other vulnerable hosts and ARP poisoning. It was also pretty damn rude — the dialog box above is what you’d see about 30 seconds after the infection took hold.

Read more…

Duqu Font Parsing Exploit Goes Mainstream, Delivers Ransomware

2012-12-21


A year-old exploit, previously employed by the W32.Duqu remote-access Trojan, is now being used to deliver ransomware in drive-by download attacks. Happy armageddon day, everyone!

The TrueType Font Parsing Vulnerability (also known as CVE-2011-3402) was (in October, 2011, when it was discovered and first publicized) a serious zero-day exploit that, at the time, affected all versions of Windows. When first discovered, the exploit really was one of those rare cats and dogs living together, mass hysteria-scale threats, because it not only permits those who wield it to force computers to download and run arbitrary programs, but also to remotely create user accounts on the victim’s computer.

Pretty nasty stuff. Microsoft’s security bulletin also said there’s one silver lining: The exploit only works if the victim visits a Web site hosting the exploit on his or her own — it can’t be done without that human interaction, and “an attacker would have to convince users to visit the Web site” hosting the exploit. Or, as is the case here, they could just put the exploit on a site that people might want to visit, anyway, and then wait for the cash to start rolling in.

Microsoft issued its MS11-087 patch, which (once installed) prevents the exploit from functioning on updated PCs, a year ago almost to the week. But that hasn’t stopped some enterprising malware distributors from trying to use it anyway, because (as was demonstrated during the Conficker worm outbreak) the mere existence of a patch — even one that’s a year old — doesn’t mean that every computer user in the world is going to install it.

Read more…

Five Cybercrime Trends Likely to Continue into 2013

2012-12-12

2012 has been a challenging year for incident responders and security analysts. Ne’er-do-wells of the Internet have been flooding our inboxes with malicious spam; scattering exploit kits around the ‘net; and spreading malware to, and from, the four corners of the Earth. With the context of what’s happened in the past year in mind, we once again dusted off the crystal ball to deliver a short list of predictions of what we can expect over the coming 12 months. In no particular order, they are…

More Attacks Staged Through Compromised Websites


Attacks delivering malware rapidly earn the Web domain hosting the attack, or its IP address, a bad reputation. This kind of activity also doesn’t remain under the radar for long. Once the really big reputation services, like Google Safe Browsing, flag a domain as a source of malicious content, browsers that hook into that information (such as Firefox) throw dire warnings in the face of visitors, cautioning them away from the site delivering an infection.

Ending up on one of those reputation filters is like a death sentence to a malware campaign. So one way that malware distributors try to stretch out the amount of time an attack URL will remain viable is to abuse someone else’s website — preferably, one with a good reputation, but almost any will do. Malware distributors use links to pages hosted on these legitimate websites to bounce computers destined for infection to another site delivering the infectious code.

Read more…

You Just Can’t Trust a Trojan VPN

2012-12-01


For at least the past month, someone has been playing dirty tricks on people downloading pirated commercial software: Instead of getting the five-finger discount, the software pirates are getting something they didn’t expect — a VPN software client that calls itself Privitize. The installer for this highly suspicious software was named after lots of different pirated TV shows, movies, utility and game software, and music.

VPNs are amazing tools for privacy and data security. Typically, individuals use VPNs to create a secure, encrypted private tunnel between their location and a corporate network, through which they can send and receive sensitive data without concern that the data might be intercepted en route. Businesses, for example, operate VPNs so remote workers can connect to file shares and other private resources, or to route their regular Internet traffic through the company network and avoid “man in the middle” surveillance.

But sometimes using a VPN makes you less secure. How? In this case, the VPN pushes all the Internet traffic on a victim’s computer through an encrypted tunnel that terminates in a datacenter physically located in Stockholm, Sweden. While the VPN may protect the data until it arrives in Stockholm, once it arrives at the datacenter, someone could simply sniff the “out” port of whatever VPN device receives the data.

In essence, it routes absolutely everything directly through a network that is inherently untrustworthy: After all, the company distributing these VPN client installers lied to you about the nature of the installers. Would you really trust a company that would do that to protect other, considerably more sensitive data they might be able to access?

Read more…

How to Dodge a Blackhole Friday

2012-11-23


With Black Friday marking the dubiously traditional start of the holiday shopping season, malware distributors have been ramping up the spear-phishing and spam-driven malware attacks designed to steal online banking logins. In the past month, we’ve seen an increase in the number of spam campaigns which seem to use a commercial, rather than consumer, social engineering hook.

The spam messages — the social engineering links in the kill chain — purport to originate from a number of different merchant payment processors, payroll services, and other commercial finance businesses. Recipients receive a message about some sort of large, rejected fund transfer. In each case we’ve seen recently, the spam message links to a page on a legitimate Web site that had been previously compromised, on which a single HTML file has been stored. The HTML file automatically redirects the visitor to another Web site, one that is under the direct control of the malware distributors, often (though not always) hosting exploit kit code.

In one case, we followed a link from a message that (superficially) appeared to originate from American Express. The subject line read Your November 2012 American Express Online Merchant Financial Operations Sheet. The body proposes that you follow a link to view your (sic) Online Merchant Fiscal Activism Statement. The end result on our test systems was a fistful of malware executables, all designed to engage in a specific type of fiscal activism: liberation of the assets from whatever bank accounts you manage online.

Read more…

Blackhole 2: Ransomware Boogaloo–Coming This Fall

2012-11-02


October was a crazy month, and not just because there’s a major update to the Blackhole exploit kit picking up steam. Solera’s been hitting the road, meeting with people around the country to show off some cool tech and insider views into the latest security threats. In the past month, we’ve also witnessed, and researched, such a profusion of incidents that it’s been hard to keep up with you here, in the blog. I apologize for the relative quiet spell; expect more frequent posts.

As for Blackhole 2 (hey, I didn’t name it), the kit’s use in a campaign to spread keyloggers and ransomware kicked into high gear in the past few weeks. We’ve been getting links to Blackhole-hosting URLs by collecting and analyzing spam email disguised as corporate or social communications, or billing notices.

In a few of the cases, the visual quality of the spam was disconcertingly convincing. One can appreciate the craftsmanship, while damning the purpose. But as clever as the spammers are, they can’t hide the fact that hovering the mouse pointer over the links in the message reveals the real URL the message links to.

Read more…

September Was a Rough Month for 0days

2012-10-03


Taking stock of the security incidents that seemed to pile up this past month, I’m reminded of the sage words of Billie Joe Armstrong: Wake me up when September ends.

The month got started on the heels of Oracle’s incident response to the CVE-2012-4681 Java vulnerability; and it closed on an unpleasant note for Java, with the public announcement on September 25th of the existence of an allegedly severe vulnerability that the discoverer, Adam Gowdiak, claims he responsibly reported to Oracle.

On September 17th, Microsoft issued the first of its staged responses to the discovery of a previously unknown vulnerability affecting Internet Explorer. MS12-063 was a worst-case scenario for Microsoft: Not only did it comprise a new vulnerability (CVE-2012-4969), but one which had already been weaponized and prototyped as a malware delivery mechanism, and then left carelessly stored in a browsable open directory on a Web server hosting other malicious content, which a malware analyst stumbled upon purely by chance.

Adobe didn’t escape punishment, either, as the company announced on September 27th a breach of their code-signing process. Malware had been discovered in the wild franked with an entirely valid Adobe Software digital signature, making it appear as legitimate as any other software published by Adobe. The company also released two security updates to Flash, a week apart, the previous month.

Throughout the month, the Solera Networks labs ran malware samples obtained from servers hosting exploits for these vulnerabilities, or from other researchers who shared them. Here’s a little slice of what we saw.

Read more…