W32/Autorun.worm.aaeb-h is an evolved, virtual machine-aware AutoRun worm that makes use of obfuscation and polymorphic techniques in order to evade detection and infect removable media and mounted network shares, according to McAfee.
Researchers have seen an increase in samples of the year-old malware family, which is compiled in Visual Basic 6. This family generally compromises machines through drive-by downloads or spam and ends up looking like any other thumb-drive-infecting AutoRun worm. W32/Autorun.worm.aaeb-h is the most complicated virus among the family's known members. Its authors have upped their game in this latest version by encrypting all the important strings with one, or in some cases two, rounds of the RC4 cipher using a randomly generated encryption key. McAfee’s Sanchit Karve notes that earlier variants stored much of their code in plain text.
The initial infection requires that users either willingly execute the malicious file directly or navigate to a folder storing the files. Once a machine is compromised, the malware writes an “autorun.inf” file so that it can automatically execute itself on any machines with AutoRun enabled as the worm spreads. Researchers have also observed the malware copying itself to Zip and RAR archive files and downloading new software from its command and control server.
The worm also marks the relevant directories on affected drives as hidden. It then copies itself as a file named after that hidden directory, and also as “secret.exe,” “sexy.exe,” “porn.exe,” and “passwords.exe,” among other seemingly alluring names, in what McAfee says is an attempt to trick users into running the malicious executables.
Whoever is responsible for this worm is packaging it with VB6 projects in order to make it seem like legitimate software. Most of the payload files themselves are originating from the Zbot and BackDoor malware families.
Users of the popular Joomla content management system are being urged by security experts to upgrade to the latest version after reports of exploits being used to compromise websites built on the platform.
The SANS Internet Storm Center received numerous reports that Joomla sites, as well as WordPress sites, had been compromised and iFrames had been injected that were pointing visitors to malicious sites.
“The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability, but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” said ISC handler John Bambenek.
Joomla sites built with extensions were, in particular, being exploited, Bambenek said.
The ISC report identified a pair of IP addresses, 22.214.171.124 and 126.96.36.199, as the biggest offenders. The exploits, Bambenek said, were loading scareware on victims’ computers.
German security and tech site The H reports that the German Computer Emergency Response Team (CERT-Bund) also confirmed attacks emanating from Joomla sites. CERT-Bund said the iFrame points visitors to a Sutra Traffic Distribution System that eventually lands them on a site hosting an exploit kit.
In September, Joomla warned of a series of automated attacks against the Joomla Content Editor versions 2.0.11 and earlier that were infecting websites with malicious content. The attacks were dropping malicious GIF images; attackers were able to attack the front end without authentication, Joomla said at the time in an advisory.
The GIF is a PHP shell which gives the attacker a launchpad for further Java exploits such as redirecting visitors to a malicious site, spam or phishing attacks, or unauthorized database access.
The H added that traffic distribution systems are channels used by attackers to buy and sell Web traffic. A visitor clicking on a particular link would be redirected by the TDS to the vendor, which in this case would sell that traffic to the attacker.
A new Linux rootkit has emerged, and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks.
The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine.
“To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
“The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.”
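The encoding detail behind that "by pure chance" remark, as an added example that is not code from CrowdStrike's analysis: a decoder that a hook scanner would use to flag a function prologue beginning with e9 and work out where it jumps, fed with a constructed patch shaped like the one described (e9, 8-byte offset, 11 leftover bytes). All addresses are placeholders.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a "jmp rel32" (opcode e9) sitting at the start of a function.
 * code/len  : bytes read from the function prologue
 * code_addr : address those bytes were read from
 * Only the 4 bytes after e9 are an operand: a little-endian signed offset
 * relative to the end of the 5-byte instruction. Anything after them is
 * simply whatever now occupies the function body. */
bool decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t code_addr,
                      uint64_t *target)
{
    int32_t rel;
    if (len < 5 || code[0] != 0xE9)
        return false;
    memcpy(&rel, code + 1, sizeof rel);     /* host is little endian (amd64) */
    *target = code_addr + 5 + (int64_t)rel;
    return true;
}

/* Constructed sample patch mirroring the write the analysis describes:
 * e9, then an 8-byte (64-bit) offset, then 11 bytes of leftover stack data,
 * 20 bytes in total instead of the correct 5. Returns the byte count. */
size_t sample_sloppy_patch(uint8_t out[20], uint64_t func_addr, uint64_t hook_addr)
{
    int64_t rel64 = (int64_t)(hook_addr - (func_addr + 5));
    out[0] = 0xE9;
    memcpy(out + 1, &rel64, sizeof rel64);  /* low 4 bytes land where rel32 belongs */
    memset(out + 9, 0xCC, 11);              /* stand-in for the uninitialized bytes */
    return 20;
}

int main(void)
{
    /* Placeholder kernel-style addresses, not real ones. */
    uint64_t func = 0xffffffff81400000ULL, hook = 0xffffffffa0001000ULL, dest;
    uint8_t patch[20];
    size_t n = sample_sloppy_patch(patch, func, hook);

    if (decode_jmp_rel32(patch, n, func, &dest))
        printf("e9 hook at %#llx -> %#llx (%s)\n", (unsigned long long)func,
               (unsigned long long)dest, dest == hook ? "lands as intended" : "wrong");
    /* The 15 bytes after the 5-byte jmp have clobbered the original prologue,
     * which is why the hook only works when the offset fits in 32 bits. */
    return 0;
}
```

The jump lands only because the high 4 bytes of the 64-bit offset are sign-extension bytes that the CPU never reads; a scanner comparing a prologue against its pristine copy would see 20 modified bytes rather than 5.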
The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites.
The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions. The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method.
“The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Marta Janus of Kaspersky Lab said in her analysis of the rootkit.
“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication. We weren’t able to connect to the C&C on the port used by malware, but the malicious server is still active and it hosts other *NIX based tools, such as log cleaners.”
“Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended. On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded,” he wrote.
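A defender's check for the rc.local failure described above, added here and not taken from either analysis: report any real command that follows the file's "exit 0", since such lines never execute but do show that something was appended. The sample rc.local and the module path in it are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True when a trimmed line is exactly "exit 0" (Debian's default last line). */
static int is_exit0(const char *q)
{
    if (strncmp(q, "exit", 4) != 0 || !isspace((unsigned char)q[4]))
        return 0;
    for (q += 4; isspace((unsigned char)*q); q++) ;
    if (*q++ != '0')
        return 0;
    while (isspace((unsigned char)*q)) q++;
    return *q == '\0';
}

/* Count non-blank, non-comment lines that follow the first "exit 0" in an
 * rc.local body. They can never run, but their presence means something was
 * appended after the file's intended end. Copies the first one into `first`
 * (may be NULL). */
int unreachable_rc_lines(const char *text, char *first, size_t first_len)
{
    int after_exit = 0, count = 0;
    char line[1024];
    if (first && first_len)
        first[0] = '\0';
    while (*text) {
        size_t len = strcspn(text, "\n"), n = len < sizeof line ? len : sizeof line - 1;
        const char *q;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len + (text[len] == '\n');
        for (q = line; isspace((unsigned char)*q); q++) ;
        if (!after_exit) { after_exit = is_exit0(q); continue; }
        if (*q == '\0' || *q == '#')
            continue;                       /* blank or comment: harmless */
        if (count++ == 0 && first && first_len) {
            strncpy(first, q, first_len - 1);
            first[first_len - 1] = '\0';
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a default-style rc.local with a line appended after
     * exit 0. The module path is a placeholder, not a real indicator. */
    const char *sample =
        "#!/bin/sh -e\n# rc.local\n# By default this script does nothing.\n"
        "exit 0\n/sbin/insmod /lib/modules/PLACEHOLDER/rootkit.ko\n";
    char first[256];
    int n = unreachable_rc_lines(sample, first, sizeof first);
    printf("%d unreachable line(s)%s%s\n", n, n > 0 ? ", first: " : "", n > 0 ? first : "");
    return 0;
}
```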
Researchers believe that the Linux rootkit likely is being used in cybercrime operations rather than in targeted attacks, as the quality of the code isn’t high enough to have come from one of the groups engaged in the upper level attacks right now.
“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack,” Wicherski said.
A new piece of malware known as Shamoon that has the ability to destroy files on infected machines and overwrite the master boot record has researchers scratching their heads, wondering what the tool’s purpose might be and why the attackers behind it would destroy infected PCs. There are some indications that the malware could be related to Wiper, but researchers believe this is a red herring.
The Shamoon malware came to light on Thursday when researchers at Kaspersky Lab said that they had analyzed samples that included some odd and puzzling characteristics. One module in the malware has a string with a name that includes “wiper” as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper was erasing files from disks, but it doesn’t appear that the two are connected at this point.
“Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” Kaspersky researchers said.
However, researchers at Seculert who looked at Shamoon found that the malware not only has the ability to destroy data on infected PCs, but it also can overwrite the machine’s MBR, making the PC essentially useless. They discovered that before Shamoon executes its destructive instructions, it collects data from various files on the infected machine and then feeds that data to another infected PC on the same internal network. It’s a confusing routine, but there may be a reason for it.
“The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,” Aviv Raff, Seculert CTO, said in his analysis.
After the attackers got whatever information they wanted off of the Shamoon-infected PCs, they then executed the instructions to delete the data on the hard disk and overwrite the MBR. Shamoon then communicates the results back to the command-and-control server through the internal proxy, Seculert said.
The intent of the attackers behind the Shamoon malware isn’t too clear at this point, but the tool is collecting data from infected machines and sending it off to parts unknown. That puts it in the league of the cyber espionage tools that have become the favored weapons of attackers of late.
YouTube launches new face-blurring feature to disguise identities
Google (GOOG) on Wednesday announced a new face-blurring tool for its video-sharing website YouTube. The site is the first to roll out such a feature, which is meant to protect the identity of protesters around the world. “Whether you want to share sensitive protest footage without exposing the faces of the activists involved, or share the winning point in your 8-year-old’s basketball game without broadcasting the children’s faces to the world, our face blurring technology is a first step towards providing visual anonymity for video on YouTube,” Google wrote on its blog. The Internet giant does note, however, that because it is using “emerging technology,” it may sometimes run into problems “detecting faces depending on the angle, lighting, obstructions and video quality,” and “it’s possible that certain faces or frames will not be blurred.”
Botnet responsible for as much as 50% of global spam taken down
Computer security experts on Wednesday revealed that they had successfully taken down Grum, the world’s third-largest botnet, which was responsible for roughly 18% of global spam, according to The New York Times. According to CNNMoney, that figure could be as high as 50%. The security experts were able to block the botnet’s command and control servers in both the Netherlands and Panama. While the service was successfully shut down, it wasn’t long before Grum’s architects set up seven new command and control centers throughout Russia and Ukraine. The team, however, was able to successfully block those servers, too.
The researchers were able to kill the botnet again by tracing it back to its servers and alerting various Internet service providers. Most botnets are able to come back online within weeks; however, the team still counts the shutdown as a massive win.
“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”
Targeted Attacks on SMBs Increase in 2012
In the first six months of 2012, 36 percent of targeted attacks focused on small businesses of fewer than 250 employees, and there were an average of 58 attacks per day, according to a new research report. At the end of 2011, small businesses were on the receiving end of only 18 percent of such attacks.
Despite that statistic, those large corporations with more than 2,500 employees remain the most common targets, averaging 69 blocked attacks per day, according to the Symantec Intelligence Report.
“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said the cyber security intelligence manager at Symantec, Paul Wood. “It almost seems attackers are diverting their resources directly from the one group to the other.”
Organized by industry, the defense industry, which Symantec considers a subset of the public sector, was the most sought-after target, experiencing 7.3 attacks per day. The chemical and pharmaceutical sectors continue to occupy the second and third spots, accounting for one in five targeted attacks.
Wood claims that despite these increases, targeted attacks, those that make use of customized malware and refined social engineering tactics to compromise sensitive information, are still exceptionally rare.
Other notable findings include that spam continued its gradual decline, dropping one percent in June from May, though it still accounts for more than two thirds of global email. Meanwhile, phishing attacks are up 0.04 percent, which, coincidentally, is identical to the increase in email-borne threats. Web-based malware threats decreased 51.7 percent over the same period.
Microsoft has warned that a Gadgets feature included in Vista and later versions of Windows could allow attackers to hijack end-user machines and has taken the unusual step of issuing a temporary update that allows it to be completely disabled.
“An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user,” company officials said in an advisory issued Tuesday. “If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.” To be successful, they added, “An attacker would have to convince a user to install and enable a vulnerable Gadget.”
Microsoft added the Gadgets feature and an accompanying Sidebar to Windows Vista in hopes of matching the success Apple had with a similar feature called Dashboard, which is included in Mac OS X. It allows end users to add clocks, stock tickers, and other small apps to their desktops. A few weeks ago, Microsoft pulled the plug on its official Gadgets gallery. The page now includes a warning that says, “Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.”
An accompanying Fix-it, which users are free to use or ignore, is described as a “workaround” and completely disables the Windows Sidebar and Gadgets.
Microsoft didn’t elaborate on the vulnerability or its long-term plans for Gadgets. Tuesday’s advisory thanked “Mickey Shkatov and Toby Kohlenberg for working with us on Gadget vulnerabilities.” The researchers are scheduled to deliver a presentation on July 26 at the Black Hat security conference in Las Vegas titled “We Have You by the Gadgets.”
HP is warning customers that some of its ProCurve switches were shipped recently with compact flash cards infected with malware. The company said that a number of software versions in the ProCurve 5400 switch were affected, and that PCs could become infected by the malware under some conditions.
HP did not provide details on which piece of malware was included on the switches or what the program is capable of doing. However, the company is encouraging customers to address the issue immediately. They suggest that customers either use a software script that will remove the malware from the flash card or opt for a hardware replacement through which HP will ship out a new module to replace the infected one.
“A potential security vulnerability has been identified with certain HP ProCurve 5400 zl switches containing compact flash cards which may be infected with a virus. Reuse of an infected compact flash card in a personal computer could result in a compromise of that system’s integrity,” HP said in its advisory.
The software versions HP lists as affected are:
- J9532A 5412zl-92GG-PoE+ / 2XG SFP+ v2 Switch
- J9533A 5406zl-44G-PoE+ / 2XG SFP+ v2 Switch
- J9539A 5406zl-44G-PoE+ / 4G SFP v2 Switch
- J9540A 5412zl-92G-PoE+ / 4G SFP v2 Switch
- J9642A HP E5406 zl Switch with Premium Software
- J9643A HP E5412 zl Switch with Premium Software
- J8697A HP E5406 zl Switch Chassis
- J8698A HP E5412 zl Switch Chassis
- J8699A HP 5406-48G zl Switch
- J8700A HP 5412-96G zl Switch
- J9447A HP 5406-44G-PoE+-4SFP zl Switch
- J9448A HP 5412-92G-PoE+-4SFP zl Switch
- J8726A Management Module in the 5400 series zl switch with the following serial numbers:
  - ID116AS04P through ID116AS0HR
  - ID117AS00H through ID126AS0FB
HP warned customers that re-using the infected compact flash card from the switch in a desktop PC could result in the PC becoming infected by the malware, as well. The problem of hardware being shipped with malware already on it is not a new one. It’s been happening for several years now and malware has shown up in devices from digital picture frames to USB drives to CDs.
To help better protect you, our valued customers, I would like to point this post back to an article on MakeUseOf’s website. They have a good article on methods to detect what are called “phishing” attacks, a method wherein a “hacker” tries to obtain your personal information via a spoofed site. Here is the opening part of the article; to read the whole article, please follow the link below.
“The internet is one of the best tools known to mankind to do basically whatever you want. But Facebook, Twitter, Gmail, Dropbox, Paypal, eBay, bank portals, and so many more sites have twins that are actually phish.
A “phish” is a term for a scam website that tries to look like a site that you know well and visit often. The act of all these sites trying to steal your account information is called phishing. While it’s very easy to spot some sites as a phish, others aren’t nearly as easy.
Here are four different anti-phishing methods you can use so that you don’t fall victim to phishing.”