Category Archives: Malware

New dangers of thumb drives

August 5, 2014 jrivett 1 Comment

We’ve known for years that careless use of thumb drives (USB storage devices) is dangerous. Windows in particular has a bad habit of automatically running programs on thumb drives when they are plugged in.

Now researchers have found a new way to infect USB devices; not the files they contain, but the firmware that controls how they operate. All USB devices contain firmware, and while it’s not normally accessible to users, the firmware can be modified by anyone with the requisite skills and knowledge.

The researchers developed proof-of-concept malware called BadUSB. A USB device infected with BadUSB can be configured to do just about anything to a computer to which it’s connected, from redirecting network traffic to modifying files.

It remains to be seen just how easy it is for BadUSB – or any other malware that uses this technique – to spread. USB device firmware varies between brands and device types, which might necessitate infection code that’s specific to each type of device.

For now, while the researchers have created working malware that exploits this new technique, real-world exploits are likely months away, if they indeed ever appear.

Ars Technica has more, as does Wired.

Internet, Internet crime, Malware, Microsoft

Microsoft gets careless in its anti-malware efforts

July 2, 2014 jrivett Leave a comment

Up to now we’ve been happy to report on the successes of Microsoft’s work on hindering or shutting down botnets and other malware networks and sites. But their most recent actions in this area were heavy-handed, resulting in millions of legitimate domains going offline.

From Microsoft’s official blog post:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

That all sounds fine, except for one thing: No-IP was also being used for millions of domains with perfectly legitimate purposes. Microsoft says they knew this, and took measures to protect non-malicious domains.

Backlash against Microsoft’s actions is ramping up. Microsoft’s PR people are now saying that this is all due to a technical error, but given their characterization of No-IP (see above), it seems more likely that this is just spin, and they really did mean to kill all domains using no-IPs services.

Brian Krebs has additional details, as does Ars Technica.

Update 2014Jul03: Microsoft has returned control of the No-IP domains to No-IP. There’s still some doubt as to whether Microsoft acted in good faith: No-IP claims they were never contacted by Microsoft prior to the domain seizure; Microsoft claims otherwise. Regardless, I imagine No-IP will quickly move to remove clients using No-IP for nefarious purposes.

Update 2014Jul13: The EFF has a useful followup of the debacle.

Internet crime, Malware, Security, Spam and scams

Gameover botnet targeted in takedown effort

June 4, 2014 jrivett Leave a comment

An international law enforcement project to disrupt the Gameover botnet is underway.

Gameover, aka Gameover Zeus or GOZ, is currently installed on up to a million computers worldwide. The botnet is rented out for malicious purposes, including harvesting private information, sending spam email, denial of service (DoS) attacks, extortion, and distribution of various kinds of malware, including the awful CryptoLocker [1,2] ransomware.

This effort to disrupt GOZ has already been very successful: the botnet’s owners are no longer able to control clients. As for Cryptolocker, newly-infected machines can no longer communicate with their controlling servers, which means they are safe, at least for now. Infected machines that are already encrypted are not affected and must still pay the decryption ransom or lose all encrypted information.

Brian Krebs provides additional details on his Krebs on Security blog.

Update 2014Jun09: Brian Krebs has a behind-the-scenes look at what went into this takeover. To this point, the takeover seems to have been 100% effective, but the botnet developers may have more moves left.

Malware, Microsoft, Security

New Microsoft Word vulnerability already being exploited

March 24, 2014 jrivett 2 Comments

Earlier today, Microsoft announced in a security advisory that it was seeing evidence of attacks targeted against certain versions of its flagship word processing software.

The vulnerability can be exploited using a specially-crafted RTF file. Opening such a file can give the attacker full access to the user’s computer.

According to Microsoft, Word 2003, 2007, 2010, and 2013 are all affected. Since Word is the default editor in Outlook, simply opening an affected email can lead to a successful attack.

Microsoft is working on a patch, but until it’s ready, their advice is to install and configure EMET. They are also providing the usual ‘Fix It‘ stopgap, which in this case just disables the ability to open RTF files in Word.

There’s a less technical overview of this issue over at the MSRC blog.

This vulnerability is identified as CVE-2014-1761.

Malware, Microsoft, Patches and updates, Security, Windows XP

MSRT will still be updated for Windows XP after April 8

March 21, 2014 jrivett Leave a comment

Microsoft’s Malicious Software Removal Tool (MSRT) checks for and attempts to remove known malware from Windows computers during the Windows Update process.

Previously, it was assumed that MSRT would stop being updated for Windows XP once support for that O/S ends in April. A few weeks ago, Microsoft confirmed that it will continue to update MSRT on Windows XP computers until July 15, 2015.

This is good news for anyone who will still be running XP after April, but it’s important to note that MSRT is not a substitute for a full anti-malware solution, and should not be seen as protection against the flood of malware, targeted at Windows XP computers, expected to appear after April 8.

Internet Explorer, Malware, Microsoft, Security

Internet Explorer vulnerable to new attack

February 14, 2014 jrivett 2 Comments

Update 2014Feb19: Microsoft has released a ‘Fix-It’ patch that apparently removes this vulnerability in Internet Explorer 9 and 10. They are expected to release a regular update at some point, but for now, if you have to use IE9/10, you should apply this Fix-It.

Ars Technica reports on a new vulnerability affecting Internet Explorer 10 and 9. Visitors to the American Veterans of Foreign Wars (VFW) web site who are using Internet Explorer will become infected with malware.

The VFW site was recently compromised, and altered to include code that loads the malware from another site. Presumably the VFW site will be cleaned up very soon, but the vulnerability in IE remains, so we can expect to see this malware being served up by other compromised web sites very soon.

Microsoft said that they are aware of the problem but there’s no word yet on a possible fix.

For now, since there’s no way to know which web sites to avoid, we recommend not using Internet Explorer at all for general web surfing.

Malware, Security, Spam and scams

Ouch newsletter: What is Malware?

February 5, 2014 jrivett Leave a comment

This month’s Ouch! newsletter (warning: PDF) from SANS provides a basic overview of malware: what it is, where it comes from, who creates it, and how it infects your computer. A good read for anyone who has wondered what malware is and why it’s a problem.

Internet crime, Malware, Security, Spam and scams

Cryptolocker malware is getting worse

January 23, 2014 jrivett 1 Comment

A new variant of the nasty malware known as Cryptolocker is appearing on the Internet. Cryptolocker – once it infects your computer – encrypts all your files and then demands money to decrypt them. If you fail to pay within a specified time period, your files become permanently inaccessible.

The new version of Cryptolocker can apparently spread itself via portable media such as thumb drives. It is also often disguised as a software activation program for Photoshop and Microsoft Office on file sharing sites. The original Cryptolocker typically arrived in the form of a fake PDF file.

Disguising Cryptolocker as a software activation program is a particularly devious way to spread the malware. Every day, thousands of people who can’t afford the massively overpriced Office and Photoshop look for alternative ways to use that software, and now those people are going to be risking more than the ire of Microsoft and Adobe.

Internet, Malware

If you needed another reason not to visit yahoo.com…

January 5, 2014 jrivett Leave a comment

Advertisements containing malware started appearing on yahoo.com on December 30, 2013 – or possibly even earlier. Anyone visiting the site with a browser running an unpatched version of Java risked infecting their computer. If that includes you, a full malware scan of the computer you used should be your next task. One of the following (or both) should do the trick:

Internet, Malware, Security, Spam and scams

Holiday season warnings from CERT

November 21, 2013 jrivett Leave a comment

Christmas is coming, and along with it, holiday-themed scams, spam and malware. It’s a time for families to come together and celebrate, but it’s also a time to be wary and vigilant.

CERT has provided a handy set of guidelines and tools you can use to avoid being the recipient of one of these unwanted ‘gifts’.

boot13