Category Archives: Malware

Malware targeting Windows 8

Microsoft has been putting a lot of effort into making their software more secure, and it’s paying off: Kaspersky’s IT Threat Evolution: Q3 2012 report includes no Microsoft software in its Top Ten Vulnerabilities List.

The anti-malware software bundled with Windows 8 is Microsoft’s strongest offering in any version to date. But as long as Windows is widely deployed, it will remain a popular target for malware developers, as is demonstrated by the recent discovery by Symantec that a new Trojan variant, detected as Backdoor.Makadocs, includes code specific to the new O/S.

‘Ransomware’ prevalence increasing in North America

A new white paper from Symantec discusses the increase of ‘ransomware’ in North America. Ransomware is malware that – once installed on a user’s computer – prevents normal operation and presents the user with warnings that appear to be from regional law enforcement organizations. The warnings threaten further legal action if the user fails to pay a fine. The warnings look sufficiently legitimate to fool many users, who then pay the ‘fine’.

If you start seeing one of these warnings on your computer, do not pay the ‘fine’. Instead, have the malware removed from your computer by a knowledgeable technician.

More details from Ars Technica.

ZeroAccess botnet growing rapidly

Growth of the ZeroAccess botnet is unfortunately showing no signs of slowing down. darkReading reports “2.2 million infected with fraudulent ad-click botnet’s malware”. The perpetrators make money by using infected computers to fraudulently ‘click’ on web-based ads.

Most current anti-malware software can detect and disable ZeroAccess-related malware. Make sure your anti-malware software is up to date, and run regular scans.

New PushDo trojan variants currently active

The PushDo trojan has been around for a while, but recent variants are making it more difficult for security researchers.

PushDo infects vulnerable computers when users visit an infected web site (drive-by download). Once installed on a computer, PushDo sends out phishing email purporting to be from banking institutions, tricking other users into clicking links within the email and infecting their computers with other malware.

What makes the new versions of PushDo different is that they hide communication with the botnet’s controlling servers amongst a flurry of traffic to other, unrelated servers. This makes the process of finding the controlling servers much more difficult and time-consuming.
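One defensive angle on the behaviour described above is that the decoy traffic is bursty and irregular while the real command-and-control check-ins tend to be regular. The following Python is an added example, not code from the original post or from any of the researchers it cites; it runs a simple beacon heuristic over a constructed connection log (timestamp, source IP, destination host) and flags destination hosts that a source contacts at near-constant intervals. The host names and the log itself are made up, and the thresholds (`min_hits`, `max_cv`) are assumptions to tune against your own traffic.

```python
"""Periodicity (beacon) heuristic over a constructed connection log."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch_seconds source_ip destination_host".
# The destinations are placeholders, not real botnet infrastructure.
# One host is contacted every ~60 s; the rest are irregular noise.
SAMPLE_LOG = """
0   10.0.0.5 c2-placeholder.invalid
5   10.0.0.5 portal-a.invalid
7   10.0.0.5 cdn-b.invalid
12  10.0.0.5 shop-c.invalid
13  10.0.0.5 shop-c.invalid
14  10.0.0.5 shop-c.invalid
17  10.0.0.5 portal-a.invalid
33  10.0.0.5 blog-d.invalid
40  10.0.0.5 mail-e.invalid
41  10.0.0.5 mail-e.invalid
60  10.0.0.5 c2-placeholder.invalid
90  10.0.0.5 portal-a.invalid
95  10.0.0.5 portal-a.invalid
99  10.0.0.5 img-f.invalid
121 10.0.0.5 c2-placeholder.invalid
180 10.0.0.5 c2-placeholder.invalid
200 10.0.0.5 shop-c.invalid
230 10.0.0.5 portal-a.invalid
241 10.0.0.5 c2-placeholder.invalid
300 10.0.0.5 c2-placeholder.invalid
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield int(parts[0]), parts[1], parts[2]


def distinct_destinations(text):
    """Count distinct destination hosts per source: the 'flurry' a raw
    volume view sees, which is exactly what hides the real server."""
    seen = defaultdict(set)
    for _, src, dst in parse_log(text):
        seen[src].add(dst)
    return {src: len(hosts) for src, hosts in seen.items()}


def find_beacons(text, min_hits=4, max_cv=0.10):
    """Return (src, dst, mean_gap, cv, hits) for pairs whose inter-contact
    gaps have a coefficient of variation (stdev / mean) at or below max_cv.
    Thresholds are assumptions; tune them against your own baseline."""
    stamps = defaultdict(list)
    for ts, src, dst in parse_log(text):
        stamps[(src, dst)].append(ts)

    flagged = []
    for (src, dst), times in stamps.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # simultaneous hits carry no timing signal
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((src, dst, avg, round(cv, 3), len(times)))
    return sorted(flagged, key=lambda rec: rec[3])


if __name__ == "__main__":
    print("distinct destinations per source:", distinct_destinations(SAMPLE_LOG))
    for src, dst, avg, cv, hits in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {hits} contacts, ~{avg:.0f}s apart, cv={cv}")
```

Periodicity alone is a lead, not a verdict: legitimate update checks, NTP and mail polling also beacon, so a hit from this heuristic is something to enrich with reputation and payload data rather than block outright. Real implementations also have to cope with deliberate jitter, which is why the cutoff is a ratio rather than an exact interval.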

Phishing email examples

‘Phishing’ is the term used to describe email sent with the intention of tricking the recipient into divulging personal (often financial) information to the perpetrator.

A recent ISC Diary post provides some examples of recent phishing email received by ISC handler Johannes Ullrich. The associated analysis is helpful for learning how to distinguish legitimate from phishing email.

ISC is the Internet Storm Center, which “provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The site and associated services provide a wealth of information regarding Internet security.

New Java vulnerability likely to remain unpatched until October 2012

UPDATE: Oracle releases a fix ahead of schedule.

A recently-discovered security flaw in Java is going to make web browsing more dangerous than usual over the coming weeks.

The new vulnerability has already been exploited to develop a working attack that can affect Windows, Linux and MacOS computers to varying degrees. The exploit code is available as part of the controversial Metasploit and Blackhole hacking toolkits. That means we can expect real, web-based attacks to start appearing almost immediately.

Anyone wanting to compromise vulnerable systems need only place the attack code on a web site and wait for those systems to visit the site. In this case, vulnerable systems include just about any Windows or Linux system running a web browser with Java enabled.

Java is typically installed both as a stand-alone runtime environment and as a plugin for web browsers. Both environments are vulnerable to this attack. Java is widely used for a variety of applications, including open source tools like Freemind and Eclipse. Some web sites use Java to provide functionality beyond what’s normally possible with web browsers.

Unfortunately, unless Java’s developer decides to issue an out-of-cycle patch for this vulnerability, it won’t be fixed until the next update cycle, which is scheduled for October 2012.

Recommendations

Standalone, locally-hosted Java applications you’re already using should be safe. Until the vulnerability is patched, we don’t recommend new installations of any Java-based software.

If you don’t use Java, or can live without it until a fix is made available, you can disable it completely in your operating system. However, this is overkill.

Attacks exploiting this vulnerability are much more likely to appear on compromised and nefarious web sites. Navigating your web browser to such a site will almost certainly infect your computer with some kind of malware. Savvy web users already know that care should be exercised when web browsing at any time, but until this security hole is fixed, blindly clicking on web links and browsing to unknown web sites is going to be like playing Russian Roulette. Because of this, many security experts are recommending disabling Java in web browsers, until the flaw is patched.

Here are some more technical details from CERT.

Additional related articles

Don’t be fooled by fake FBI warnings

The FBI has issued an alert about Reveton, drive-by ransomware that first appeared in early 2012.

The term “drive-by” is typically applied to malware that affects users when they visit an infected web site. To put it another way: your computer can become infected by this malware if you visit an infected web site, even if you don’t click anything on that web site or view anything other than the home page. This is why even web searches have become somewhat dangerous.

“Ransomware” refers to malware that presents a warning to the user, in some cases pretending to be from a government agency, that they have violated some law or regulation. The solution presented is to pay a ‘fine’; any money paid goes to the malware’s perpetrator. Surprisingly, this fools enough people to make it a worthwhile scam.

PCWorld has additional information.

Beware Olympic email

High profile events like celebrity deaths are seen as opportunities by malicious hackers and other nefarious persons on the Internet. Recent malicious email campaigns focus on the Olympics, trying to lure unsuspecting recipients into clicking web links or opening attachments, both resulting in the installation of backdoor/trojan software.

Please be extremely wary of all Olympic-themed email you receive during the Olympics.

The Sourcefire Vulnerability Research Team has more information on Olympic malmail.