Tech Talk


Researchers Uncover Polymorphic AutoRun Worm

W32/Autorun.worm.aaeb-h is an evolved, virtual machine-aware AutoRun worm that uses obfuscation and polymorphic techniques to evade detection and to infect removable media and mounted network shares, according to McAfee. Researchers have seen an increase in samples for the year-old malware family, which is compiled in Visual Basic 6. This family generally compromises machines through drive-by downloads or spam and ends up looking like any other thumb-drive-infecting AutoRun worm. W32/Autorun.worm.aaeb-h is the most complex known member of the family. Its authors have upped their game with this latest version by encrypting all the important strings with one, or in some cases two, rounds of the RC4 cipher using a randomly generated key. McAfee’s Sanchit Karve notes that earlier variants stored much of their code in plain text. The initial infection requires that users either execute the malicious file directly or navigate to a folder storing the files. Once a machine is compromised, the malware writes an “autorun.inf” file so that it executes automatically on any machine with AutoRun enabled as the worm spreads. Researchers have also observed the malware copying itself into Zip and RAR archives and downloading new software from its command and control server. The worm also modifies directories on affected drives so that they appear hidden. Beyond that, the worm copies itself under the name of that hidden directory, and also as “secret.exe,” “sexy.exe,” “porn.exe,” and “passwords.exe” among other apparently alluring names, in what McAfee says is an attempt to trick new users into running the malicious executables. Whoever is responsible for this worm packages it with VB6 projects to make it look like legitimate software. Most of the payload files themselves originate from the Zbot and BackDoor malware...
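Once the per-sample keys are recovered from the binary, decrypting the strings is mechanical: RC4 is symmetric, so the same routine peels each layer. The following is an added example written for this page, not McAfee's or the worm's code; the plaintext and the two random 16-byte keys are constructed stand-ins for whatever a given sample actually uses.

```python
import os

# RC4 keystream applied to `data`: key-scheduling (KSA) then output generation (PRGA).
# Because the keystream is simply XORed onto the data, encrypt == decrypt.
def rc4(key, data):
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA, XORed onto each byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# One RC4 pass per key, in order: the "one or two rounds" the article describes.
def encrypt_layers(plaintext, keys):
    blob = plaintext
    for k in keys:
        blob = rc4(k, blob)
    return blob


# Undo encrypt_layers by peeling the layers in reverse key order.
def decrypt_layers(blob, keys):
    for k in reversed(keys):
        blob = rc4(k, blob)
    return blob


def demo():
    # Constructed sample: a string the worm would want to hide, wrapped in two
    # random keys standing in for the worm's randomly generated ones (assumption).
    secret = b"autorun.inf"
    keys = [os.urandom(16), os.urandom(16)]
    blob = encrypt_layers(secret, keys)
    return {
        "recovered": decrypt_layers(blob, keys),
        "ciphertext_differs": blob != secret,
        # Caveat: a second pass with the *same* key XORs the same keystream
        # again and simply cancels the first pass, so two rounds only add
        # anything when the keys differ.
        "same_key_twice_is_noop": rc4(keys[0], rc4(keys[0], secret)) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The `rc4` routine can be checked against the standard test vector (key `Key`, plaintext `Plaintext` gives `bbf316e8d940af0ad3`) before trusting it on real samples; the layering itself is just two XOR keystreams, so key order does not even matter for recovery.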


Joomla Sites Hit by IFrame Injection Attacks

Users of the popular Joomla content management system are being urged by security experts to upgrade to the latest version after reports of exploits being used to compromise websites built on the platform. The SANS Internet Storm Center received numerous reports that Joomla sites, as well as WordPress sites, had been compromised and that iFrames had been injected to send visitors to malicious sites. “The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability, but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” said ISC handler John Bambenek. Joomla sites built with extensions were, in particular, being exploited, Bambenek said. The ISC report identified a pair of IP addresses, 78.157.192.72 and 108.174.52.38, as the biggest offenders. The exploits, Bambenek said, were loading scareware on victims’ computers. German security and tech site The H reports that the German Computer Emergency Response Team (CERT-Bund) also confirmed attacks emanating from Joomla sites. CERT-Bund said the iFrame points visitors to a Sutra Traffic Distribution System that eventually lands them on a site hosting an exploit kit. In September, Joomla warned of a series of automated attacks against the Joomla Content Editor versions 2.0.11 and earlier that were infecting websites with malicious content. The attacks were dropping malicious GIF images; attackers were able to attack the front end without authentication, Joomla said at the time in an advisory. The GIF is a PHP shell, which gives the attacker a launchpad for further exploitation such as redirecting visitors to a malicious site, spam or phishing attacks, or unauthorized database access. The H added that traffic distribution systems are channels through which attackers buy and sell Web traffic: visitors clicking on a particular link would be redirected by the TDS to the vendor, which would sell the traffic to the attacker in this...
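The two artifacts described above, an injected off-site or hidden iFrame and an "image" that is really a PHP shell, are both easy to sweep a webroot for. The following is an added example for this page, not code from Joomla, ISC or The H; the webroot it scans is a constructed temporary directory, the site host `www.example.org` and the off-site host `traffic.example.net` are assumptions, and the GIF payload is a harmless stand-in for a dropped shell.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([A-Za-z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
PHP_MARKERS = (b"<?php", b"<?=")          # PHP open tags have no business inside an image
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}
TEXT_EXT = {".html", ".htm", ".php", ".js", ".tpl"}


def parse_attrs(attr_text):
    """Turn the inside of a tag into a lower-cased attribute dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def iframe_findings(html, site_hosts):
    """Return (src, reasons) for every iframe that points off-site or is hidden."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        a = parse_attrs(m.group(1))
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).hostname                  # handles http://, https:// and //host forms
        if host and host.lower() not in site_hosts:
            reasons.append("offsite:" + host)
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1"):
            reasons.append("zero-size")
        if reasons:
            findings.append((src, reasons))
    return findings


def image_contains_php(data):
    """A GIF/JPEG/PNG carrying a PHP open tag is a dropped shell, not a picture."""
    return any(marker in data for marker in PHP_MARKERS)


def scan_webroot(root, site_hosts):
    """Walk a webroot; return (relative path, kind, detail) triples for each hit."""
    site_hosts = {h.lower() for h in site_hosts}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            if ext in IMAGE_EXT and image_contains_php(data):
                hits.append((rel, "php-in-image", ""))
            elif ext in TEXT_EXT:
                for src, reasons in iframe_findings(data.decode("utf-8", "replace"), site_hosts):
                    hits.append((rel, "iframe", src + " " + ",".join(reasons)))
    return hits


# Constructed samples: one legitimate same-site player frame, one injected
# 1x1 hidden frame to an assumed TDS host, and a "GIF" with a PHP tag inside.
SAMPLE_HTML = """<html><body>
<iframe src="/media/player.html" width="640" height="360"></iframe>
<iframe src="http://traffic.example.net/in.cgi?3" width="1" height="1" style="display:none"></iframe>
</body></html>"""
SAMPLE_GIF_SHELL = b"GIF89a\x01\x00\x01\x00" + b"<?php /* constructed stand-in for a dropped shell */ echo 1; ?>"
SAMPLE_GIF_CLEAN = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"


def build_sample_webroot():
    root = tempfile.mkdtemp(prefix="joomla-scan-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(SAMPLE_HTML)
    with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
        fh.write(SAMPLE_GIF_SHELL)
    with open(os.path.join(root, "images", "clean.gif"), "wb") as fh:
        fh.write(SAMPLE_GIF_CLEAN)
    return root


def demo():
    return scan_webroot(build_sample_webroot(), {"www.example.org"})


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Against a real install, point `scan_webroot` at the document root and list every hostname the site legitimately embeds; off-site frames that are also hidden or 1x1 are the ones worth pulling first, and any image file that trips `image_contains_php` should be treated as a shell and the upload path that produced it as the entry point.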


New Linux Rootkit Emerges

A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks. The new Linux rootkit is loaded into memory and, once there, it extracts some memory addresses and stores them for later use. It then hooks several kernel functions as a way to hide some of its files on the machine. “To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware. “The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.” The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites. The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions.
The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method. “The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious...
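The inline-hook quirk in Wicherski's analysis is worth seeing in bytes: a correct `jmp rel32` patch is five bytes, the rootkit writes twenty, and the two agree on the first five only because amd64 stores the low bytes of the 64-bit offset first. The following is an added example for this page, not CrowdStrike's or the rootkit's code; the two kernel addresses are hypothetical and the 11 "uninitialized" bytes are fixed to 0xCC so the result is reproducible.

```python
import struct

# Hypothetical addresses, chosen for illustration only:
HOOKED_FN = 0xFFFFFFFF81234560    # start of the kernel function being hooked
ROOTKIT_FN = 0xFFFFFFFFA0001000   # the rootkit's replacement routine


def encode_jmp_rel32(at, target):
    """Correct 5-byte patch: E9 followed by little-endian rel32 = target - (at + 5)."""
    rel = target - (at + 5)
    if not -2 ** 31 <= rel < 2 ** 31:
        raise ValueError("target not reachable with a rel32 displacement")
    return b"\xe9" + struct.pack("<i", rel)


def encode_rootkit_style(at, target, uninitialized=b"\xcc" * 11):
    """What the analysis describes: a 64-bit offset computed in a 19-byte stack
    buffer (8 bytes offset + 11 bytes of whatever was on the stack), all copied
    after the E9. Twenty bytes of the hooked function get overwritten."""
    stack_buf = struct.pack("<q", target - (at + 5)) + uninitialized
    assert len(stack_buf) == 19
    return b"\xe9" + stack_buf


def decode_jmp_target(patch, at):
    """Follow an E9 jmp rel32 the way the CPU does: only 4 bytes, sign-extended."""
    if patch[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    (rel,) = struct.unpack("<i", patch[1:5])
    return at + 5 + rel


def would_survive_big_endian(at, target):
    """Same sloppy copy on a big-endian layout: the high (zero or sign) bytes of
    the 64-bit offset would come first, so the CPU would read the wrong rel32."""
    rel64 = struct.pack(">q", target - (at + 5))
    (rel,) = struct.unpack(">i", rel64[:4])
    return at + 5 + rel == target


def clobbered_beyond_jmp(at, target):
    """Bytes of the hooked function overwritten past the 5-byte instruction."""
    return len(encode_rootkit_style(at, target)) - len(encode_jmp_rel32(at, target))


if __name__ == "__main__":
    good = encode_jmp_rel32(HOOKED_FN, ROOTKIT_FN)
    sloppy = encode_rootkit_style(HOOKED_FN, ROOTKIT_FN)
    print("correct :", good.hex())
    print("rootkit :", sloppy.hex())
    print("same first 5 bytes:", good == sloppy[:5])
    print("lands at: %#x" % decode_jmp_target(sloppy, HOOKED_FN))
    print("clobbered beyond jmp:", clobbered_beyond_jmp(HOOKED_FN, ROOTKIT_FN))
```

The extra 15 bytes are never executed, since control leaves at the `jmp`, which is why the hook "works"; they are still a tell, because the hooked function's prologue no longer matches the on-disk kernel image and the trailing stack garbage differs from one load to the next. Comparing the first bytes of kernel text against `/proc/kcore` or a known-good image is the usual way to spot this class of hook.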


Shamoon Malware Steals Data

A new piece of malware known as Shamoon that has the ability to destroy files on infected machines and overwrite the master boot record has researchers scratching their heads, wondering what the tool’s purpose might be and why the attackers behind it would destroy infected PCs. There are some indications that the malware could be related to Wiper, but researchers believe this is a red herring. The Shamoon malware came to light on Thursday when researchers at Kaspersky Lab said that they had analyzed samples that included some odd and puzzling characteristics. One module in the malware has a string with a name that includes “wiper” as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper was erasing files from disks, but it doesn’t appear that the two are connected at this point. “Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” Kaspersky researchers said. However, researchers at Seculert who looked at Shamoon found that the malware not only has the ability to destroy data on infected PCs, but it also can overwrite the machine’s MBR, making the PC essentially useless. They discovered that before Shamoon executes its destructive instructions, it collects data from various files on the infected machine and then feeds that data to another infected PC on the same internal network. It’s a confusing routine, but there may be a reason for it. “The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. 
Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,” Aviv Raff, Seculert CTO, said in his analysis. After the attackers got whatever information they wanted off of the Shamoon-infected PCs, they then executed the instructions to delete the data on the hard disk and overwrite the MBR. Shamoon then communicates the results back to the command-and-control server through the internal proxy, Seculert said. The intent of the attackers behind the...
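When a wiper of this kind hits, the first forensic question is whether the master boot record on a given disk is still intact. The following is an added example for this page, not Kaspersky's or Seculert's code: a minimal MBR parser over the first 512-byte sector plus a triage heuristic, run against a constructed healthy sector and a constructed overwritten one. The partition layout in the sample (one bootable NTFS-type entry at LBA 2048) is an assumption.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446                   # 446 bytes of bootstrap code, then 4 x 16-byte entries
BOOT_SIG = b"\x55\xaa"                 # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"                # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Decode signature, partition table and a crude 'is the boot code blank' flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for n in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * n)
        if ptype != 0 or count != 0:   # an all-zero entry is an unused slot
            partitions.append({"index": n, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "partitions": partitions,
        "bootstrap_uniform": len(set(sector[:PART_TABLE_OFF])) == 1,
    }


def looks_wiped(sector):
    """Triage: missing signature, blank bootstrap area or empty table all say
    'overwritten', which is what an MBR-wiping payload leaves behind."""
    info = parse_mbr(sector)
    return (not info["signature_ok"]) or info["bootstrap_uniform"] or not info["partitions"]


def make_sample_mbr():
    """Constructed healthy sector: non-uniform filler standing in for real boot
    code, one bootable type-0x07 partition, three empty slots, valid signature."""
    boot_code = bytes((i * 37 + 11) & 0xFF for i in range(PART_TABLE_OFF))
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry + bytes(48) + BOOT_SIG


def make_wiped_mbr(fill=0x00):
    """Constructed overwritten sector: every byte replaced with one value."""
    return bytes([fill]) * MBR_SIZE


if __name__ == "__main__":
    for label, sector in (("healthy", make_sample_mbr()), ("wiped", make_wiped_mbr())):
        info = parse_mbr(sector)
        print(label, "signature_ok=%s partitions=%d wiped=%s"
              % (info["signature_ok"], len(info["partitions"]), looks_wiped(sector)))
```

On a live or imaged disk the sector comes from `dd if=/dev/sdX bs=512 count=1` (or the equivalent read of the raw image), and the heuristic is only a first pass: a GPT disk carries a protective MBR with a single type-0xEE entry, and a payload that overwrites the sector with structured data rather than a single byte will defeat the uniformity check while still failing the signature or partition-table checks.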


YouTube launches face-blurring feature

Google (GOOG) on Wednesday announced a new face-blurring tool for its video-sharing website YouTube. The site is the first to roll out such a feature, which is meant to protect the identity of protesters around the world. “Whether you want to share sensitive protest footage without exposing the faces of the activists involved, or share the winning point in your 8-year-old’s basketball game without broadcasting the children’s faces to the world, our face blurring technology is a first step towards providing visual anonymity for video on YouTube,” Google wrote on its blog. The Internet giant does note, however, that because it is using “emerging technology,” it may sometimes run into problems “detecting faces depending on the angle, lighting, obstructions and video quality,” and “it’s possible that certain faces or frames will not be blurred.”...


Botnet responsible for spam taken down

Computer security experts on Wednesday revealed that they had successfully taken down Grum, the world’s third-largest botnet, which was responsible for roughly 18% of global spam, according to The New York Times. According to CNNMoney, that figure could be as high as 50%. The security experts were able to block the botnet’s command and control servers in both the Netherlands and Panama. While the botnet was successfully shut down, it wasn’t long before Grum’s architects set up seven new command and control centers throughout Russia and Ukraine. The team, however, was able to successfully block those servers, too. The researchers were able to kill the botnet again by tracing it back to its servers and alerting the relevant Internet service providers. Most botnets are able to come back online within weeks; however, the team still counts the shutdown as a massive win. “It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”
