Tag Archives: malware

Highlights of Cisco 2014 Annual Security Report

(Figure: cybercrime hierarchy)

  • Report focuses on exploiting trust as the thematic attack vector
  • Botnets are maturing in capability and targeting significant Internet resources such as web hosting servers and DNS servers
  • Attacks on electronics manufacturing, agriculture, and mining are occurring at 6 times the rate of other industries
  • Spam trends downward, though malicious spam remains constant
  • Java is at the heart of over 90% of web exploits
  • Watering hole attacks continue to target specific industries
  • 99% of all mobile malware targeted Android devices
  • Brute-force login attempts were up 300% in early 2013
  • The DDoS threat is on the rise again, now including DDoS combined with other criminal activity such as wire fraud
  • A shortage of security talent contributes to the problem
  • Security organizations need data analysis capacity

Top themes for spam messages:

  1. Bank deposit/payment notifications
  2. Online product purchase
  3. Attached photo
  4. Shipping notices
  5. Online dating
  6. Taxes
  7. Facebook
  8. Gift card/voucher
  9. PayPal

Cisco 2014 Annual Security Report

The roof the roof the roof is on fire

Reminiscent of the delicate lyrics of Rock Master Scott and the Dynamic Three, there’s a lot of press right now about a number of different attacks on individuals, SMBs, and large enterprises: CryptoLocker ransomware, a Microsoft attack via images, and the oldie-but-goodie of continued Java vulnerabilities. It seems that the attacks are coming from all sides. And I believe they are.

The CryptoLocker attack seemed interesting and fairly novel a few weeks ago, but I figured it would fade away pretty quickly as new anti-virus signatures or other patches caught up with it. However, it appears to be on the rise. CryptoLocker is a form of malware known as ransomware: the attacker encrypts your files and then demands a ransom for the key to unlock them. There have been reports of successful file unlocks after paying the ransom, of no file unlock after paying the ransom, and also of the ransomware actor extending the due date. US-CERT has issued an alert regarding the rise in infections.

And then Microsoft has issued a security advisory regarding vulnerabilities in its graphics component and malicious TIFF files. Apparently, malicious code hidden in an image can execute and do arbitrary things. So we’ve got that going for us. Affected systems include Office 2003, 2007, 2010, Server 2008, and Lync. Microsoft offers a Fix it/workaround here.

Finally, rounding out the happy news is the update from a Kaspersky report that there were over 14 million attacks with Java exploits between 9/2012 and 8/2013, with more than 8 million of those in the second half of that period. While chasing down some Java issues across several hundred machines myself last week, I counted over 200 Java fixes in the past year, and that’s not counting new ‘features’.

It’s been said before, but the good guys are not winning this battle. The general consensus is that it’s getting worse, not better. What to do? While no panacea, the basics apply: current anti-virus with daily updates, auto-update on operating systems, and good Internet hygiene (don’t open unknown mail, don’t download unknown things, keep a watchful eye out for phishing attacks, use good passwords and don’t share them). I think this will be our best, and only, approach for some time to come.

PHP.net site is down

I was just getting ready to write a post about the malware on PHP.net’s servers in the past week. I went to the site to dig up some additional information and learned that it is down right now. I also got this result from isitdownrightnow.com (left).

Per DarkReading, PHP.net says that the site served JavaScript malware to some users between Oct 22 and Oct 24, 2013. There is also the possibility that the PHP.net SSL certificate private key was accessed; the certificate has since been revoked. uk.php.net appears to be up.

Update, 10:00 pm PST: PHP.net is back up. Downtime appears to have been a little over an hour and a half.


Meet the New Boss … Reincarnated malware returns to SMBs

Same as the old boss …

A popular form of malware called ZeuS/Zbot has made a comeback, and SMBs are particularly at risk. Initially identified in 2007, the malware typically steals user credentials for banking activity. SMBs have higher risk exposure because they typically don’t have the resources for risk and security programs. One SMB, a Maine construction company, was robbed of almost $600,000 in 2009.

ZeuS/Zbot source code is known to be readily available on informal underground networks and, apparently, is even offered for sale.

Back because it works

Once thought to be largely eradicated, ZeuS/Zbot is back because of market analysis and software upgrades. SMBs are typically a richer target (bigger accounts) than individuals and are also generally less protected than larger businesses. Facebook is also providing a new and effective ‘attack vector’ for getting the malware onto user computers to steal data.

How does it work?

ZeuS/Zbot uses a ‘Man-in-the-Browser’ (MITB) attack. Once a machine is infected, Zbot is able to monitor web activity and watch for particular banking sites. User credentials are copied to a database maintained by the attacker. With this information, attackers or their proxies (‘mules’) can log in and transfer money wherever they’d like. The list of banking sites can be updated by downloading a configuration file established by the attacker.

Prevention/due care activity for SMBs includes:

  • Move banking activity to dedicated machines used for no other purpose than banking
  • Educate employees on threats, risks, and behavior
  • Review high-risk accounts (e.g., big balances) and access/authorization to them
  • Keep antivirus/antimalware software current
  • Implement a simple information risk management plan (Shocking!)

What percentage of your computers have current antivirus scanning? How do you know?
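One way to actually answer that question is to pull the signature date and real-time scanning status from whatever your antivirus console or inventory tool exports, and score each machine against a maximum signature age. The script below is an added example, not code from the original post or from any antivirus vendor; the inventory rows are constructed sample data, and the two-day maximum signature age and the field names (`host`, `sig_date`, `realtime`) are assumptions you would adapt to your own export.

```python
from datetime import date, timedelta

# Constructed sample inventory (hostnames and dates are made up): the last
# signature update date reported by each agent and whether real-time
# scanning was enabled. A host with no agent check-in has sig_date None.
SAMPLE_INVENTORY = [
    {"host": "acct-01", "sig_date": "2013-11-12", "realtime": True},
    {"host": "acct-02", "sig_date": "2013-11-11", "realtime": True},
    {"host": "front-01", "sig_date": "2013-10-03", "realtime": True},   # stale signatures
    {"host": "shop-01", "sig_date": "2013-11-12", "realtime": False},   # scanning turned off
    {"host": "laptop-07", "sig_date": None, "realtime": False},         # no agent reported
]

# Assumed policy: signatures older than this are not "current".
MAX_SIGNATURE_AGE = timedelta(days=2)


def classify_host(entry, today, max_age=MAX_SIGNATURE_AGE):
    """Return 'current' or a short reason why the host does not count."""
    if entry["sig_date"] is None:
        return "no agent reported"
    if not entry["realtime"]:
        return "real-time scanning disabled"
    age = today - date.fromisoformat(entry["sig_date"])
    if age > max_age:
        return f"signatures {age.days} days old"
    return "current"


def coverage_report(inventory, today, max_age=MAX_SIGNATURE_AGE):
    """Return (percent of hosts current, {host: status}) for the inventory."""
    findings = {e["host"]: classify_host(e, today, max_age) for e in inventory}
    current = sum(1 for status in findings.values() if status == "current")
    pct = 100.0 * current / len(inventory) if inventory else 0.0
    return pct, findings


if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible.
    pct, findings = coverage_report(SAMPLE_INVENTORY, date(2013, 11, 12))
    print(f"{pct:.0f}% of {len(findings)} hosts have current antivirus scanning")
    for host, status in findings.items():
        if status != "current":
            print(f"  {host}: {status}")
```

The point of separating "no agent reported" from "scanning disabled" and "stale signatures" is that each has a different owner: the first is an inventory gap, the second is usually a user or support action, and the third is an update pipeline problem. A single percentage hides that.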