Tick-tock! 40% of PCs start Windows XP malware meltdown countdown
With one year to go until Microsoft kills free support for Windows XP, if you haven’t got a migration plan in place it’s time to start doing something about it... but don't panic, say the migration experts.
One year from today, on 8 April 2014, Microsoft will stop fixing broken code and no longer release security patches for free for an operating system that is still used by a staggering 40 per cent of PCs.
From that date on, you’ll either have to face hackers and malware writers on your own or you’ll be hiding behind the skirts of some premium-level paid Microsoft support instead. Gartner reckons Microsoft will charge you $200,000 if you have a Software Assurance contract and $500,000 without a SA agreement. Read more...
Elusive TDL4 malware variant infected Fortune 500 companies, government agencies
Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies, and ISPs, the Damballa researchers said in a research paper released Monday.
On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA).
Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts. Read more...
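The signal Damballa's sensors picked up, a burst of NXDOMAIN answers for many distinct domains from one client, can be checked for in ordinary resolver logs. The following is an added example, not Damballa's code; the log format, sample lines, window and threshold are all constructed for illustration.

```python
"""Flag clients whose DNS traffic shows a burst of NXDOMAIN answers for many
distinct domains, the pattern the article describes for DGA-infected hosts.
The log format and the sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <client-ip> <queried-domain> <rcode>"
SAMPLE_LOG = """\
2012-07-08T10:00:01 10.0.0.5 www.example.com NOERROR
2012-07-08T10:00:03 10.0.0.7 kx7q3mzt.com NXDOMAIN
2012-07-08T10:00:04 10.0.0.7 p9wq2ldf.net NXDOMAIN
2012-07-08T10:00:05 10.0.0.7 zt4hjr8v.org NXDOMAIN
2012-07-08T10:00:06 10.0.0.7 kx7q3mzt.com NXDOMAIN
2012-07-08T10:00:07 10.0.0.7 a1b2c3d4.info NXDOMAIN
2012-07-08T10:00:08 10.0.0.7 n8m3k2j1.com NXDOMAIN
2012-07-08T10:00:09 10.0.0.5 typo.exmaple.com NXDOMAIN
2012-07-08T10:05:00 10.0.0.7 r4t5y6u7.biz NXDOMAIN
"""

def parse_line(line):
    ts, client, domain, rcode = line.split()
    return datetime.fromisoformat(ts), client, domain.lower(), rcode

def nxdomain_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client: most distinct NXDOMAIN names seen in any `window`}
    for clients that reach `threshold`. A sliding window runs over each
    client's NXDOMAIN events; counting distinct names keeps retries of the
    same domain (a user typo, a stale CNAME) from inflating the score."""
    events = defaultdict(list)  # client -> [(time, domain)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            events[client].append((ts, domain))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({d for _, d in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[client] = best
    return flagged

if __name__ == "__main__":
    print(nxdomain_bursts(SAMPLE_LOG))  # 10.0.0.7 is flagged, 10.0.0.5 is not
```

Tune the window and threshold to the baseline of your own resolver: a single typo or a misconfigured search suffix produces a few NXDOMAINs, a DGA produces dozens of unrelated names in seconds.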
Unpatched Java vulnerability exploited in targeted attacks, researchers say
Attackers are exploiting a new and unpatched vulnerability that affects the latest version of Java -- Java 7 Update 6 -- in order to infect computers with malware, according to researchers from security vendor FireEye.
So far, the vulnerability has been exploited in limited targeted attacks, FireEye's senior staff scientist Atif Mushtaq said Sunday in a blog post. "Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable."
The exploit is hosted on a website that resolves to an Internet Protocol address in China and its payload is a piece of malware that connects to a command and control server located in Singapore.
The malware installed in the attacks seen so far appears to be a variant of Poison Ivy, Jaime Blasco, a researcher with security firm AlienVault, said Monday in a blog post. Read more...
Security experts push free Gauss detection tools
Two security organizations have released online tools that let Windows users check for possible infections by Gauss, the newly-revealed cyber surveillance malware thought to have been built by one or more governments.
Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics each published Gauss detection tools today.
Gauss, Kaspersky said yesterday, is a sophisticated threat that monitors financial transactions with Middle Eastern banks, perhaps as part of a wider investigation into the funding of terrorist groups. Kaspersky believes that Gauss was built by or under the auspices of a government, in large part because of coding practices that resemble those used in Flame, an advanced spying and data-stealing toolkit that targeted Iranian computers.
Flame, which was uncovered three months ago but may have been operating since mid-2008, was notable for its ability to fake the Windows Update service, then use that to infect up-to-date Windows PCs. Read more...
Researcher creates malware that infects BIOS, network cards
Security researcher Jonathan Brossard created a proof-of-concept hardware backdoor called Rakshasa that replaces a computer's BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.
Brossard, who is CEO and security research engineer at French security company Toucan System, demonstrated how the malware works at the Defcon hacker conference on Saturday, after also presenting it at the Black Hat security conference on Thursday.
Rakshasa, named after a demon from Hindu mythology, is not the first malware to target the BIOS -- the low-level motherboard firmware that initializes other hardware components. However, it differentiates itself from similar threats by using new tricks to achieve persistence and evade detection. Read more...
Mac malware Crisis as Apple lets slip its Mountain Lion
Miscreants have developed a sophisticated multi-platform attack dog designed to maul Windows and Mac OS X computers.
The malware comes bundled in a Java Archive file which pretends to be Adobe Flash Player, named AdobeFlashPlayer.jar. Inside the malicious archive is a .class file named WebEnhancer, and two files named win and mac. The WebEnhancer applet decides whether the user opening the file is running Microsoft Windows or Apple Mac OS X before pushing the corresponding software nastie.
If run on an OS X system the malware drops multiple components, reconfigures system settings and installs a backdoor and rootkit combination onto infected machines. The Mac OS X component of the malware – called Crisis or Morcut – arrives on the eve of Apple's release of Mac OS X Mountain Lion, but this is probably a coincidence. The new operating system build goes on sale today. Read more...
Black Hat demo: Google Bouncer malware detection can be beaten
Google in February implemented in its Google Play (formerly Android Market) a technology called Bouncer to check apps submitted by Android developers for any traces of malicious code. This week at the Black Hat Conference in Las Vegas, security firm Trustwave will demonstrate and discuss how it's possible to circumvent the Google Bouncer security check.
Trustwave proved to itself that its masking technique could get past Bouncer's detection by getting a malicious app it created into Google Play earlier this year, says Nicholas Percoco, senior vice president and head of Trustwave's SpiderLabs advanced security team. "We wanted to test the bounds of what it's capable of," he says, describing how Trustwave as a registered Android developer created an app called "SMS Blocker." When downloaded to a smartphone, the app would be able to steal contacts, SMS messages and photos, and basically know anything about the device. The app could also make the phone go to arbitrary Web pages or launch a denial-of-service attack. He says: "Google never flagged it." Read more...
Microsoft to revamp Windows encryption keys in face of Flame malware
Starting next month, updated Windows operating systems will reject encryption keys smaller than 1,024 bits, which could cause problems for customer applications accessing websites and email platforms that use the keys.
The cryptographic policy change is part of Microsoft's response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, according to the Windows PKI blog written by Kurt L. Hudson, a senior technical writer for the company.
"To prepare for this update, you should determine whether your organization is currently using keys less than 1,024 bits," Hudson writes. "If it is, then you should take steps to update your cryptographic settings such that keys under 1,024 bits are not in use." Read more...
Internet will vanish Monday for 300,000 infected computers
As many as 300,000 PCs and Macs will drop off the Internet in about 65 hours unless their owners heed last-minute calls to scrub their machines of malware.
According to a group of security experts formed to combat DNSChanger, between a quarter of a million and 300,000 computers, perhaps many more, were still infected as of July 2.
DNSChanger hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled real domains.
At one point, as many as 4 million PCs and Macs were infected with the malware, which earned its makers $14 million, U.S. federal authorities have said.
Infected machines will lose their link to the Internet at 12:01 a.m. ET Monday, July 9, when replacement DNS servers go dark. Read more...
Flame part of U.S.-Israeli cyber attack campaign against Iran
The highly sophisticated Flame malware was jointly developed by the U.S. and Israeli governments in preparation for a cyber sabotage campaign to disrupt Iran's nuclear fuel enrichment efforts, according to a media report.
Citing unnamed Western officials with knowledge of the operation, the Washington Post reported on Tuesday that Flame's goal was to collect intelligence about Iran's computer networks that would facilitate future cyber attacks.
On June 1, The New York Times reported that Stuxnet, a sophisticated piece of malware that is believed to have caused the destruction of up to 1,000 gas centrifuges at Iran's Natanz uranium enrichment facility, was created by the U.S. and Israel governments as part of a joint operation code-named Olympic Games. Read more...
Honeynet Project tackles USB-carried malware like Flame
A nonprofit security research group is building technology to trap malware spread from PC to PC via USB storage drives, the method used to infect computers with the Flame cyber-espionage malware.
The Honeynet Project launched the effort Thursday, saying it was necessary to combat increasing use of portable drives in spreading malicious programs. Malcontents or criminals within an organization often use such methods to compromise closed networks that are not accessible through the Internet.
In the case of Flame, the malware created a folder that could not be seen by a Windows PC, hiding the application and its payload of stolen documents from the user, experts say. This opened up the possibility that people unknowingly carried Flame from PC to PC.
Discovered in May by Moscow-based Kaspersky Lab, Flame, a so-called super Trojan aimed at Middle Eastern governments, is believed to be the most sophisticated malware to date. Read more...
Flame crypto attack very hard to pull off, researcher says
The MD5 collision attack used by the creators of the Flame malware was significantly more difficult to pull off than an earlier attack that resulted in the creation of a rogue CA certificate, says security researcher Alexander Sotirov.
In December 2008, at the Chaos Communication Congress (CCC) in Berlin, an international team of security researchers that included Sotirov presented a practical MD5 collision attack that allowed them to obtain a rogue CA certificate signed by VeriSign-owned RapidSSL.
The attack was significant because it showed for the first time that at least one of the known theoretical MD5 collision techniques could be used in practice to defeat the security of the HTTPS (HTTP Secure) protocol. To pull off the attack, the researchers used computing power generated by a cluster of 200 PlayStation 3s. Read more...
Microsoft’s reaction to Flame shows seriousness of ‘Holy Grail’ hack
The exploit of Microsoft's Windows Update system by the sophisticated Flame cyber espionage malware was a "significant" event in the history of Windows hacking, experts said today.
And by its response, Microsoft appears to agree: it not only issued an immediate fix just days after the malware's public unveiling with one of its increasingly rare "out-of-band" updates, but it has turned its certificate-generation process upside down and will revamp how it secures Windows updates.
"It was a very significant," said Wolfgang Kandek, chief technology officer with Qualys, in an interview today. "It's the Holy Grail of exploits, and until now it had only been done in research." Read more...
Tiny banking trojan can do a lot of damage
Security experts at CSIS say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files.
Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Read more...
Snow Leopard users most prone to Flashback infection
Of the Macs that have been infected by the Flashback malware, nearly two-thirds are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said Friday.
Doctor Web, which earlier this month was the first to report the largest-ever malware attack against Apple Macs, mined data it's intercepted from compromised computers to come up with its findings.
The company, along with other security vendors, has been "sinkholing" select command-and-control (C&C) domains used by the Flashback botnet -- hijacking them before the hackers could use the domains to issue orders or update their attack code -- to both estimate the botnet's size and disrupt its operation. Read more...