Tag Archives: malware

Malware Archaeology Updates Windows Logging Cheat-Sheets

The ‘Windows Logging Cheat Sheet’, ‘Windows File Auditing Cheat Sheet’ and ‘Registry Auditing Cheat Sheet’ have been updated for 2016. The cheat sheets have been updated in part due to auditing improvements added by the ‘Windows 10 Anniversary Update’ released earlier this year. We also took the opportunity to do some cleanup and add more autorun keys to the registry auditing cheat sheet. Updates are easy to spot, just look for ‘new’.

Go get ’em and watch for the updated Log-MD!


Chinese hackers attacked New York Times computers for four months

This is why you employ defense-in-depth and full network monitoring, even if you don’t care what websites your employees visit at work.

But while the company was informed by AT&T of suspicious activity over its network connection on October 25—the day the Wen story was published—the attack had begun weeks earlier and appears to have been focused on getting into the e-mail accounts of Times Shanghai Bureau Chief David Barboza and South Asia Bureau Chief Jim Yardley. The attack used 45 different pieces of custom malware code, including remote access tools that gave Chinese hackers the run of the Times’ network.

The attackers used a botnet of computers compromised at US universities to obscure the source of the attack. They then infected computers at the Times with malware, most likely through e-mail “spear phishing” attacks, and used the malware to install remote access tools on at least three target systems that allowed them to gather more information from the network—finally finding the Windows network domain controller and grabbing its user directory and password tables. The hackers then used the cracked passwords to access other systems and created a custom program built to infiltrate the Times’ mail server to search all the e-mails and documents sent to Barboza and Yardley’s accounts—apparently searching for the names of people who may have spoken to Barboza as he reported on the Wen family.

via Chinese hackers attacked New York Times computers for four months | Ars Technica.

Mushrooming ransomware now extorts $5 million a year

Yeesh, that’s a lot of money:

Malware that disables computers and demands that hefty cash payments be paid to purported law-enforcement agencies before the machines are restored is extorting as much as $5 million from end-user victims, researchers said.

The estimate, contained in a report published on Thursday by researchers from antivirus provider Symantec, is being fueled by the mushrooming growth of so-called ransomware. Once infected, computers become unusable and often display logos of local law-enforcement agencies, along with warnings that the user has violated statutes involving child pornography or other serious offenses. The warnings then offer to unlock the computers if users pay a fine as high as $200 within 72 hours.

Don’t pay up – disconnect from the Internet and clean your computer. Reformat if necessary. There’s no guarantee they’ll actually clean your computer after you pay up:

“A lot of individuals do pay up, either because they believe the messages or because they realize it is a scam but still want to restore access to their computer,” Symantec’s 16-page report explained. “Unfortunately, even if a person does pay up, the fraudsters often do not restore functionality. The only reliable way to restore functionality is to remove the malware.”

via Mushrooming ransomware now extorts $5 million a year | Ars Technica.

Discovery of new “zero-day” exploit links developers of Stuxnet, Flame

Quite interesting news:

An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning. Even more significantly, they discovered that a 6MB chunk of code found in the Stuxnet.A (1.0) variant contained the guts of today’s Flame. In addition to unearthing previously overlooked data about how Stuxnet hijacked targeted networks, the discovery is important because it establishes the first positive connection between the developers of Stuxnet and those behind Flame, which came to light two weeks ago as a highly sophisticated espionage platform that targeted computers in Iran and other Middle Eastern countries.

The techie in me is boggled at the resources they poured into discovering zero-day exploits, applications to exploit them, and the entire malware package wrapped around it.

The citizen in me is just amazed that the U.S. government is comfortable committing so much sabotage, espionage, and military action against nations with which we are not at war. It’s just another reminder that you cannot trust your government.

via Discovery of new “zero-day” exploit links developers of Stuxnet, Flame | Ars Technica.

Iran-targeting Flame malware used huge network to steal blueprints

It is quite an impressive sample of software engineering and deployment:

Attackers behind the Flame espionage malware that targeted computers in Iran used more than 80 different domain names to siphon computer-generated designs, PDF files, and e-mail from its victims, according to a new analysis from researchers who helped discover the threat.

The unknown authors of Flame shut down the sprawling command-and-control (C&C) infrastructure immediately after last Monday’s disclosure that the highly sophisticated malware had remained undetected for at least two years on computers belonging to government-run organizations, private companies, and others. The 80 separate domain names were registered using a huge roster of fake identities, and some of the addresses were secured more than four years ago.

“The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008,” Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. “In general, each fake identity registered only 2-3 domains, but there are some rare cases when a fake identity registered up to 4 domains.”

Names used to obtain the domains included Adrien Leroy, Arthur Vangen, George Wirtz, Gerard Caraty, Ivan Blix, and at least 15 others. They claimed to reside in a host of cities in Europe and elsewhere, in some cases at addresses that turned out to belong to hotels such as the Appart’Hotel Residence Dizerens in Geneva or, with a slight modification, the Apple Inn in Amsterdam. Other fake identities used addresses of shops, organizations, or doctor’s offices. Because of the effectiveness and complexity of Flame and its targeting of Iran and other Middle Eastern computers, researchers have speculated it was sponsored by a wealthy nation-state.

via Iran-targeting Flame malware used huge network to steal blueprints | Ars Technica.

Why antivirus companies like mine failed to catch Flame and Stuxnet

Mikko Hypponen of F-Secure discusses mainstream failure to detect and identify Stuxnet and Flame:

A couple of days ago, I received an e-mail from Iran. It was sent by an analyst from the Iranian Computer Emergency Response Team, and it was informing me about a piece of malware their team had found infecting a variety of Iranian computers. This turned out to be Flame: the malware that has now been front-page news worldwide.

When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.

Very interesting that they (and others) had samples of the malware several years old, yet hadn’t examined it yet. I imagine they receive thousands of submissions, so I wonder what pushes a sample from the “submitted” queue to the “let’s have a closer look at this” queue.

via Why antivirus companies like mine failed to catch Flame and Stuxnet | Ars Technica.

Malware Advancing Faster Than Companies Can Analyze It – Dark Reading

IT is worried: More than half of IT leaders say malware sophistication is outpacing their ability to analyze it.

A new study conducted by Forrest Anderson Research and commissioned by Norman ASA found that 62 percent of IT pros have this concern, while 58 percent say their biggest worry is the growing number of threats.

Problems like this are going to make whitelisting a nearly mandatory strategy.

via Malware Advancing Faster Than Companies Can Analyze It – Dark Reading.

Trojan Tricks Victims Into Transferring Funds — Krebs on Security

Something to watch out for:

The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

via Trojan Tricks Victims Into Transferring Funds — Krebs on Security.

Zscaler Research: Malware sites already capitalizing on announcement of Osama Bin Laden’s Death

Within hours of the announcement of Osama Bin Laden’s death, we are already seeing malicious sites emerge to capitalize on the news. One Spanish language site displays a purported photo of a murdered Osama Bin Laden and includes a story about the US-led operation. Farther down the page, the reader is presented with a Flash Player window with a message indicating that the user must first update a VLC plugin, which is a popular media player, in order to view the video. When the user clicks on the link, they will download a file titled XvidSetup.exe. This file is actually a popular adware tool known as Hotbar. At present, 19 of 41 antivirus engines are blocking the file.

It’s amazing how quickly malware providers respond to current events to spread their wares. Use a secure browser, and keep your virus definitions up to date.

via Zscaler Research: Malware sites already capitalizing on announcement of Osama Bin Laden’s Death.