Zeus malware found with valid digital certificate

April 4, 2014 – 5:46 AM

A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to evade detection by Web browsers and anti-virus systems.

Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component.

“Malware with a valid digital signature is an extremely dangerous situation,” the company said in a blog post.

Zeus is typically distributed through a compromised Web page or through a phishing attack in which cybercriminals send emails that appear to come from a major bank.

A sample of the latest Zeus variant tried to trick the recipient into executing it by posing as an Internet Explorer document, complete with an icon resembling the Windows browser's.

Because the file is digitally signed with a valid certificate, it appears trustworthy at first glance, Comodo said. The certificate is issued to “isonet ag.”

Source:
http://www.pcadvisor.co.uk/news/security/3510214/zeus-malware-found-with-valid-digital-certificate/

More than 24M home routers enabling DNS amplification DDoS attacks

April 3, 2014 – 4:58 PM

Tens of millions of the home routers we rely on every day for internet access are enabling Domain Name System (DNS) based distributed denial-of-service (DDoS) attacks, and owners may never even know it, according to research by DNS software provider Nominum.

Working collaboratively with the Open Resolver Project, Nominum learned that open DNS proxies in more than 24 million home routers are allowing for DNS-based DDoS attacks, according to a Wednesday post, which adds that 5.3 million of the routers were used to generate attack traffic in February.

The DDoS attack in question is known as a DNS amplification attack. The attacker sends small DNS queries, with the target's IP address spoofed as the source, through the open proxies to the internet service provider's (ISP's) resolver; the queries are chosen to return large answers, and those amplified answers are delivered to the target rather than to the attacker.

“It’s a really low bar in terms of sophistication and the capabilities that attackers need,” Bruce Van Nice, Nominum director of product marketing who headed up the research, told SCMagazine.com on Wednesday. “They just need to send DNS queries. They need to sit somewhere on the internet where they can spoof an IP address. It’s pretty easy to do.”

The issue with this particularly sneaky and effective attack is that most home routers are not provided by the ISPs, meaning the internet provider cannot access the device for preventive upgrades, Van Nice said, adding that the set-it-and-forget-it mentality of the consumer, and the lack of owner awareness of even an ongoing attack, compound the problem.
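The pattern described above, seen from the resolver operator's side, as an added example that is not part of the Nominum research or the article: a Python script that scans resolver query-log lines for a single client address that receives many large answers within a few seconds, which is how a spoofed victim shows up in the logs and what response rate limiting keys on. The log format, the sample lines, the 64-byte query size and the thresholds are all assumptions constructed for this example.

```python
"""Flag DNS amplification abuse in resolver query logs (constructed sample)."""
from collections import defaultdict

# Constructed log lines: "<epoch_sec> <client_ip> <qtype> <qname> <response_bytes>".
# 198.51.100.7 plays the spoofed victim: it "asks" for large ANY answers repeatedly.
SAMPLE_LOG = """\
1396540800 198.51.100.7 ANY isc.org 3223
1396540800 198.51.100.7 ANY isc.org 3223
1396540801 198.51.100.7 ANY ripe.net 2982
1396540801 198.51.100.7 ANY isc.org 3223
1396540802 198.51.100.7 ANY ripe.net 2982
1396540802 203.0.113.5 A www.example.com 60
1396540803 203.0.113.9 AAAA www.example.com 72
1396540803 198.51.100.7 ANY isc.org 3223
"""
QUERY_BYTES = 64  # assumed size of a minimal DNS query, used to estimate amplification


def parse_log(text):
    """Turn log text into (timestamp, client, qtype, qname, response_bytes) tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname, size = line.split()
        rows.append((int(ts), client, qtype, qname, int(size)))
    return rows


def flag_amplification(rows, window=5, min_queries=4, min_factor=10.0):
    """Return {client: (answers_in_window, avg_amplification)} for clients that
    receive at least min_queries answers within `window` seconds whose average
    size is at least min_factor times a query. A real client rarely does this;
    a spoofed victim address does. The largest qualifying window is reported."""
    by_client = defaultdict(list)
    for ts, client, _qtype, _qname, size in rows:
        by_client[client].append((ts, size))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] >= window:  # slide the window
                start += 1
            count = end - start + 1
            avg = sum(s for _, s in hits[start:end + 1]) / count / QUERY_BYTES
            if count >= min_queries and avg >= min_factor and count > flagged.get(client, (0,))[0]:
                flagged[client] = (count, round(avg, 1))
    return flagged


if __name__ == "__main__":
    for client, (count, factor) in flag_amplification(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {count} large answers in window, ~{factor}x amplification")
```

A resolver that applies response rate limiting would throttle or truncate answers to such a client; the victim is the address being flooded, not the party to block.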

Source:
http://www.scmagazine.com/more-than-24m-home-routers-enabling-dns-amplification-ddos-attacks/article/341265/

Hack of Boxee.tv exposes password data, messages for 158,000 users

April 1, 2014 – 6:38 PM

Hackers posted names, e-mail addresses, message histories, and partially protected login credentials for more than 158,000 forum users of Boxee.tv, the Web-based television service that was acquired by Samsung last year, researchers said.

The breach occurred no later than last week, when a full copy of the purloined forum data became widely available, Scott A. McIntyre, a security researcher in Australia, told Ars. On Tuesday, officials from password management service LastPass began warning customers with e-mail addresses included in an 800 megabyte file that’s still circulating online. The file contains personal data associated with 158,128 user accounts, about 172,000 e-mail addresses, and the cryptographically scrambled passwords that corresponded to those Boxee accounts, LastPass said. The dump also included a wealth of other details, such as user birth dates, IP addresses, site activity, full message histories, and password changes. All user messages sent through the service were included as part of the leak.

As Ars has explained before, even when passwords in hacked databases have been cryptographically hashed, most remain highly susceptible to cracking attacks that can reveal the plain-text characters required to access the account. The damage can be especially severe when people use the same or similar passwords to protect accounts on multiple sites, a practice that’s extremely common.

“Please update the password for your boxee.tv account immediately,” an e-mail LastPass sent to customers said. “The LastPass Security Challenge, located in the Tools menu of the LastPass addon, will help find any other accounts using the same password as the leaked account.”

Source:
http://arstechnica.com/security/2014/04/hack-of-boxee-tv-exposes-password-data-messages-for-158000-users/

Word and Excel Files Infected Using Windows PowerShell

March 27, 2014 – 7:36 PM

Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.JER and X97M_CRIGENT.A.)

Most significantly, instead of creating or including executable code, CRIGENT uses Windows PowerShell to carry out its routines. PowerShell is a powerful interactive shell/scripting tool that is available for all current versions of Windows (and is built in from Windows 7 onwards); this malware carries out all its behavior via PowerShell scripts. IT administrators who are normally on the lookout for malicious binaries may overlook this, as malware using this technique is not particularly common.

Arrival and Additional Components

This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware or downloaded/accessed by users. When opened, it immediately downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy.

The attacker disguised both what these files were (by changing their file names) and where they were hosted, by hiding that information in DNS records. Copies of the files are stored on legitimate cloud file hosts (in this case, Dropbox and OneDrive), and their URLs were hidden in DNS records. How was this done?

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/

Texting ATMs for Cash Shows Cybercriminals’ Increasing Sophistication

March 25, 2014 – 6:31 PM

There is a growing chorus of voices calling for businesses and home users to upgrade existing Windows XP installations to newer versions of Windows, if not for the features, then at least for the improved security and support. ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP. With the looming end-of-life for Windows XP slated for April 8, 2014, the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet. This risk is not hypothetical — it is already happening. Cybercriminals are targeting ATMs with increasingly sophisticated techniques.

In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor.Ploutus. Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries. The new variant was identified as Backdoor.Ploutus.B (referred to as Ploutus throughout this blog).

What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible, but this technique is being used in a number of places across the world at this time.

In this blog, we will show you how this functionality works.

Source:
http://www.symantec.com/connect/blogs/texting-atms-cash-shows-cybercriminals-increasing-sophistication