boot13Authorities from several countries have successfully neutralized the relatively small, but technically sophisticated botnet Beebone. At least 12,000 computers are still infected with the malware, but it has been rendered toothless through a process known as sinkholing.
Category Archives: Malware
Malvertising is a growing threat
If you’re not familiar with the term, you should be. ‘Malvertising‘ refers to the increasingly common tactic whereby malicious persons include exploit code within what otherwise appears to be legitimate, web-based advertising.
Over on eWEEK, a recent post (Why ‘Malvertising’ Has Become a Pervasive Security Risk) explains why Malvertising is a real and growing threat.
Organizations that provide advertising platforms – including Google – need to deal with this threat quickly. If they don’t, there’s likely to be a surge in users installing ad-blocking software in their browsers. I personally use and recommend NoScript, a browser plugin that blocks all Javascript (and Malvertising) by default.
Ramnit botnet suppressed
Europol, with assistance from Microsoft, Symantec, and Anubis Networks, has identified and seized the servers thought to be at the core of Ramnit‘s infrastructure.
Ramnit began operations in 2010, and has evolved from a simple worm to include advanced features for stealing personal/banking information and self-propagation. In its latest incarnation, Ramnit is capable of compromising infected computers in numerous ways. In 2012, Ramnit was used to gain access to 45,000 Facebook accounts.
Only time will tell whether this crackdown has actually succeeded in ridding the world of this particular piece of malware.
Google beefs up protection against unwanted software
A recent post on Google’s Online Security Blog describes security improvements to the Chrome browser, Google’s search engine, and Google’s advertising platform. The changes should make it easier for users to stay away from web sites known to contain unwanted (and presumed harmful) software.
Chrome now detects when you are about to visit a web site known to contain unwanted software, and displays a large red warning message.
Google’s search engine now decreases ranking for sites known to contain unwanted software. That means these kinds of sites should be less likely to appear in the first few pages of Google search results.
Google now checks all advertisements provided by its AdWords system, and disables any with links to sites with unwanted software. Additional details are available on Google’s Advertising Policies site. Google’s primary source of income is AdWords, so it’s comforting to see that they’re willing to take a financial hit (however small) to protect users.
Dangerous new Flash 0-day
Even up to date installations of Flash are currently vulnerable to a new zero-day exploit that’s showing up in the wild. The exploit has already been added to at least one exploitation kit, which means attacks using this exploit are likely to increase rapidly. The exploit can be used to gain unauthorized access to affected computers.
Anyone using a web browser with Flash enabled should be extremely cautious when browsing web sites not known to be safe. The safest course of action is to disable Flash in your browser.
I personally use Firefox with Flash enabled, but I have the Flash add-on configured to always ‘Ask to activate’. That way any time I visit a web site that wants to display Flash content, I can avoid any danger by leaving Flash disabled for that site.
CryptoWall update
Despite the demise of CryptoLocker, ransomware is still prevalent, mostly in the form of CryptoWall, now in its ‘improved’ 2.0 version.
Security researchers recently deconstructed CryptoWall 2.0 and shared their findings in a post on a Cisco security blog.
The researchers discovered that the malware uses a variety of techniques to obfuscate itself on target systems. It’s also able to infect both 32 and 64 bit Windows systems. And it can detect whether it’s running on a virtual machine, making it more difficult to analyze. The command and control servers are apparently in Russia.
A Windows computer can become infected with CryptoWall in a variety of ways, including as part of an e-mail ‘phishing’ attack, through a malicious website, via malicious PDF files, or in a spam e-mail disguised as an ‘Incoming Fax Report’.
Ars Technica has additional details.
Warning: avoid using pirated themes on WordPress and other CMS sites
Anyone who operates a WordPress, Joomla or Drupal site should exercise extreme caution when selecting themes and plugins. You should assume that any commercial theme or plugin offered for free contains malware.
Popular Content Management Systems (CMS), including WordPress, Joomla and Drupal can be customized through the use of themes and plugins. A theme is a collection of styles and other files that modify the default appearance of a CMS. A plugin typically adds specific functionality to a CMS. Many CMS themes and plugins are available for free, but the commercial ones are among the most popular, since they often include more and better features.
As with all commercial software, CMS themes and plugins are sometimes copied and offered for free on pirate sites. Unfortunately, it’s very easy for a theme or plugin to be modified so that any site using it can be compromised and then used for illegal activities.
The people at Fox-It recently published a document describing “CryptoPHP” (PDF) – malware that is showing up on CMS sites with alarming regularity. They traced the source of the malware to thousands of themes and plugins that had been modified to include a single line of PHP code that allows CryptoPHP to infect any site that uses one of those themes or plugins.
Recommendation: if you operate a CMS site, do not use any commercial theme or plugin that is offered for free. Make sure you obtain themes and plugins from the developer/author, or from a reputable source like wordpress.org.
There’s more information over on the Wordfence blog.
USB firmware hacks published
We recently reported a new potential security threat in the form of hacked USB device firmware.
The details of the original hack were not reported by its discoverers, since it seemed likely that the vulnerability was widespread and difficult to fix.
Now a second team of researchers has published working code for a similar hack. Reactions have been mixed, with some categorizing this move as irresponsible.
This is probably going to get a lot worse before it gets better. There’s currently no way to detect whether a USB device has been hacked. Traditional anti-malware software is useless for this purpose.
Hopefully you were already exercising caution when using thumb drives, viewing drives from unknown sources with suspicion. With this new vulnerability, there’s probably no way to be perfectly safe unless you stop using thumb drives completely. Since that’s not practical for many users, you can stay relatively safe by making sure that your thumb drives are always on your person or stored in a secure location when not in use. So much for convenience.
CryptoWall ransomware growing
Not to be confused with its bigger, better-known rival, CryptoWall seems to be thriving in the wake of CryptoLocker’s demise. CryptoWall has infected at least 625,000 computers in the past five months.
CryptoLocker defanged at last
Security researchers have cracked the encryption used by the horrible CryptoLocker ransomware.
Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.
The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You must upload one encrypted file, after which you are sent the required key. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.