Feed aggregator

Cridex Malware Takes Lesson From GameOver Zeus

Threatpost for B2B - Fri, 08/15/2014 - 10:05
Researchers have now identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Google Fixes 12 Vulnerabilities in Chrome 36

Threatpost for B2B - Fri, 08/15/2014 - 09:23
Google patched its Chrome browser this week, fixing 12 vulnerabilities, including a serious information disclosure bug and a use-after-free vulnerability that could let an attacker obtain potentially sensitive information and execute arbitrary code.

Gameover Zeus Botnet Rebuilds

Threatpost for B2B - Thu, 08/14/2014 - 16:58
Research from Arbor Networks points to a rejuvenated GameOver Zeus botnet that has grown more than 1,800 percent, confirming it has been rebuilt from scratch.

Easy Pickings at DEF CON Router Hacking Contest

Threatpost for B2B - Thu, 08/14/2014 - 14:10
Fifteen zero day vulnerabilities were exploited during the SOHOpelessly Broken router hacking contest at DEF CON.

Google Adds Warnings About Deceptive Software to Safe Browsing Service

Threatpost for B2B - Thu, 08/14/2014 - 13:18
The Google Safe Browsing service has become an integral part of most of the major browsers, integrating malware alerts, warnings about malicious Web sites and suspicious content. The company has been expanding the capabilities of the service steadily over the last few years, and now Google is adding warnings about deceptive software to the service. […]

Apple Patches Series of WebKit Flaws in Safari

Threatpost for B2B - Thu, 08/14/2014 - 10:02
Apple has released a new version of Safari that fixes seven security vulnerabilities, all of which are related to the WebKit framework in the browser. The advisory from Apple is typically bare-bones, with almost no information about the vulnerabilities fixed in Safari 6.1.6 and 7.0.6. Apple said that all of the vulnerabilities in WebKit are […]

Study Confirms Uyghur Remain in Crosshairs of Targeted Attacks

Threatpost for B2B - Wed, 08/13/2014 - 15:18
A research paper to be delivered next week at USENIX takes a deep look into the reconnaissance nation-states undertake in order to craft email-based attacks against non-governmental organizations.

Disqus Patches CSRF, Other Flaws in Plugin

Threatpost for B2B - Wed, 08/13/2014 - 13:35
Disqus, the maker of the popular community commenting plugin, has patched a handful of security flaws, including a CSRF bug.

Google Tweaks Gmail to Help Limit Spam

Threatpost for B2B - Wed, 08/13/2014 - 10:23
Google is making a small, but potentially important, change to the way that Gmail handles some special characters in messages as a way to defeat a common tactic used by spammers to confuse recipients and trick them into opening emails.

ZeuS GameOver, Brazilian Trojans and Boletos: an explosive combination

Secure List feed for B2B - Wed, 08/13/2014 - 10:00

I'm sure you've read or heard about the malware attacking boletos – the popular Brazilian payment system – and how lots of malicious code is able to modify it, redirecting the amount paid to an account owned by criminals. Despite the fact that some numbers were overestimated by some companies and media outlets, these attacks are of particular interest and the Brazilian bad guys are quickly developing and adopting new techniques. Trust me: everything you read about boleto malware was only the tip of the iceberg; our complete research into this topic will be presented at the next Virus Bulletin conference.

The boleto malware campaigns combine several new tricks to infect and steal from more users. One of the most recent is the use of non-executable, encrypted malware payloads, XORed with a 32-bit key and compressed with ZLIB. It's no coincidence that a very similar technique was used by ZeuS GameOver some months ago, but this time the files use extensions such as .BCK and .JMP instead of .ENC.

We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such as the one affecting boleto payments in Brazil.

A typical Brazilian boleto: using web-injection to change the numbers in the ID field is enough to redirect the payment

In February, security expert Gary Warner wrote about a new ZeuS campaign that downloads strange, non-executable .ENC files to the infected machine. Our colleagues at CrySyS did a very detailed analysis showing how this is an effective technique for passing through your firewall, web filters, network intrusion detection systems and many other defenses you may have in place: a tiny Trojan downloads these encrypted (.ENC) files and decrypts them to complete the infection.

Brazilian cybercriminals decided to use the .JMP extension for files encrypted in the same way, downloaded by several small Trojans used in the boleto and Trojan banker campaigns. This is what the beginning of an encrypted file looks like:

After removing the encryption we can see it as a normal PE executable:

The criminals tend to encrypt the big payload files using this technique, as well as some removal tools such as Partizan and the big Delphi Trojan bankers that include images of Internet banking pages. The aim is always to encrypt the payload so that it is not recognized as a portable executable and therefore goes undetected.
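As an added example (not code from the Securelist post, and not the actual .ENC/.JMP format as documented by CrySyS), here is a Python model of the wrapping described above, showing both sides of it. The encoder mimics the dropper under the assumption that the payload is zlib-compressed first and then XORed with a repeating 32-bit key; the exact layering and key handling of the real files are not described on this page and are assumptions here. The decoder shows the analyst's side: recovering an unknown key from a captured blob by using the two fixed zlib header bytes as known plaintext and brute-forcing the remaining two key bytes, with a successful inflate (which includes zlib's Adler-32 trailer check) plus the MZ magic as the success test. The sample payload and key are constructed.

```python
"""Model of a zlib-then-XOR wrapped payload and a key-recovery routine.

Added example, not Kaspersky's or CrySyS's code. Assumption: the wrapped file
is zlib.compress(payload) XORed with a 4-byte key repeated over the stream.
"""
import zlib
from itertools import product
from typing import Optional

# Constructed stand-in for a dropped PE payload (not a real sample): an MZ
# header, padding, a PE signature and a spread of byte values to compress.
SAMPLE_PE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"This program cannot be run in DOS mode." + bytes(range(256)) * 2
)

# zlib header: CMF is 0x78 for deflate with a 32K window; FLG must satisfy
# (CMF << 8 | FLG) % 31 == 0, leaving these four values. Ordered with the
# default-level value (0x9C) first, since that is what zlib.compress emits.
ZLIB_CMF = 0x78
ZLIB_FLG_CANDIDATES = (0x9C, 0xDA, 0x5E, 0x01)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated; done on big ints so brute force stays fast."""
    n = len(data)
    stream = (key * (n // len(key) + 1))[:n]
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")).to_bytes(n, "big")


def wrap_payload(pe: bytes, key: int) -> bytes:
    """Dropper side (assumed layering): zlib compress, then XOR with the
    little-endian 32-bit key. The result has neither an MZ nor a zlib header."""
    return xor_repeat(zlib.compress(pe), key.to_bytes(4, "little"))


def recover_key(blob: bytes) -> Optional[int]:
    """Analyst side: recover the 32-bit key from a wrapped blob.

    Plaintext bytes 0 and 1 are the zlib header, so key bytes 0 and 1 follow
    directly from the ciphertext. Key bytes 2 and 3 are brute forced (65536
    candidates per FLG value); a candidate is accepted only if the whole blob
    inflates cleanly (zlib verifies the Adler-32 trailer) to data starting
    with the PE 'MZ' magic.
    """
    k0 = blob[0] ^ ZLIB_CMF
    for flg in ZLIB_FLG_CANDIDATES:
        k1 = blob[1] ^ flg
        for k2, k3 in product(range(256), repeat=2):
            key = bytes((k0, k1, k2, k3))
            try:
                plain = zlib.decompress(xor_repeat(blob, key))
            except zlib.error:
                continue
            if plain.startswith(b"MZ"):
                return int.from_bytes(key, "little")
    return None


def unwrap_payload(blob: bytes) -> Optional[bytes]:
    """Recover the key and return the original PE bytes, or None on failure."""
    key = recover_key(blob)
    if key is None:
        return None
    return zlib.decompress(xor_repeat(blob, key.to_bytes(4, "little")))


if __name__ == "__main__":
    blob = wrap_payload(SAMPLE_PE, 0xDEADBEEF)
    print("wrapped head:", blob[:8].hex())
    print("recovered key: 0x%08X" % recover_key(blob))
    print("unwrapped matches sample:", unwrap_payload(blob) == SAMPLE_PE)
```

The recovery step is why this wrapping only buys evasion at the network and file-scanning layer: with a two-byte known plaintext the 32-bit key space collapses to 65536 guesses per header variant, which finishes in about a second on a laptop. Detection engines that unpack these blobs, as the post says the vendor's do, work on the same principle.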

Other files of interest are those with the .BCK extension; they are packed with an as yet unidentified application that appears to be a commercial backup tool. Just checking the header of the encrypted file is enough to see what's inside; in this case it is a malicious CPL file used in the boleto campaigns:

"refazboleto" is Portuguese for "rebuild boleto". It points to a CPL file

Our antivirus engines are prepared to unpack and detect .JMP and .BCK files like these. These facts show how Brazilian cybercriminals are adopting new techniques as a result of the collaboration with their European counterparts.

Thanks to my colleague Alexander Liskin for help with the analysis.

Microsoft Keeps Focus on IE Security With Patch Tuesday Updates

Threatpost for B2B - Tue, 08/12/2014 - 15:09
Microsoft released nine security bulletins today, including a critical Internet Explorer update, as part of its monthly Patch Tuesday release.

August Update Tuesday - OneNote's First RCE, IE Memory Corruption

Secure List feed for B2B - Tue, 08/12/2014 - 14:34

The second Tuesday of the month is here along with Microsoft's August security updates, and with it brings interesting updates of OneNote and Internet Explorer. The full list is nine security bulletins long.

OneNote has been a part of Microsoft's drive into mobile and cloud technologies, away from traditional Wintel computing, providing Office-integrated, multi-user collaborative note-taking across tablets and mobile devices. I noticed a bunch of Black Hat attendees using this software. While the vulnerability is limited to Microsoft OneNote 2007, and there have been a couple of releases since, I believe that this vulnerability is the first RCE enabled by a component exclusively delivered with the OneNote software. In this case, it is the file parser that reads OneNote (.ONE) files that enables remote code execution attacks. This software package is now available for Windows, Mac, Windows RT, Windows Phone, iOS, Android and Symbian, but the vulnerable OneNote code appears to be available only for Tablet PCs and the Windows platform. CVE-2014-2815 was privately reported to Microsoft.

Another big bulletin pushed today for Internet Explorer addresses 25 critical RCE vulnerabilities(!) across IE 6 through 11 on Windows clients from Vista through 8.1, all of them memory corruption issues. The same browsers on the related server installs are rated moderate. Some of these vulnerabilities have been actively exploited in the wild, so this is an urgent update.

And Adobe released its own patch, separately from the Microsoft update process, to fix an extraordinary sandbox vulnerability abused by an APT actor that we reported a while back. Be sure to check out those details. It affects fairly recent versions of the Reader sandbox.

Black Hat and DEF CON Wrap Up

Threatpost for B2B - Tue, 08/12/2014 - 14:01
Dennis Fisher and Mike Mimoso look back on the news from the last week in Las Vegas at Black Hat and DEF CON, including the Blackphone rooting, the Computrace research and the more upbeat mood at the conferences this year.

Adobe Patches Reader Zero Day Used in Targeted Attacks

Threatpost for B2B - Tue, 08/12/2014 - 12:44
Adobe released security updates for Reader, Acrobat and Flash Player. The Reader and Acrobat patches address a zero-day vulnerability being exploited in limited targeted attacks.

Authentication Bypass Bug Fixed in BlackBerry Z10

Threatpost for B2B - Tue, 08/12/2014 - 11:15
There's a remotely exploitable authentication bypass vulnerability in the BlackBerry Z10 phone that affects the service that lets users share files with machines on a wireless network. The bug could allow an attacker to steal users' personal data or hit them with targeted malware.

CVE-2014-0546 used in targeted attacks - Adobe Reader Update

Secure List feed for B2B - Tue, 08/12/2014 - 11:09

Today Adobe released the security bulletin APSB14-19, crediting Kaspersky Lab for reporting CVE-2014-0546.

This out of band patch fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.

At the moment, we are not providing any details on these attacks as the investigation is still ongoing. Although these attacks are very rare, to stay on the safe side we recommend that everyone get the update from the Adobe site as soon as possible.

You can grab the Adobe Reader updates here.

Fog Lifts on Rooted Blackphone Merry-Go-Round

Threatpost for B2B - Tue, 08/12/2014 - 09:40
Vulnerabilities in the secure Blackphone reported during DEF CON require unusual circumstances to exploit.