Category Archives: Malware

More IoT insecurity: This Blu-ray disc pwns PCs and DVD players

For more than a decade, malicious hackers have used booby-trapped USB sticks to infect would-be victims, in rare cases to spread virulent, self-replicating malware on air-gapped computers inside a uranium enrichment plant. Now, a security researcher says he has found a way to build malicious Blu-ray discs that could do much the same thing—without any outward signs that an attack was underway.

Stephen Tomkinson, a security consultant at NCC Group, said he has devised a proof-of-concept exploit that allows a Blu-ray disc to compromise both a PC running Microsoft Windows and most standalone Blu-ray players. He spoke about the exploit on Friday at the Securi-Tay conference at the Abertay University in Dundee, Scotland, during a keynote titled “Abusing Blu-ray players.”

“By combining different vulnerabilities in Blu-ray players, we have built a single disc which will detect the type of player it’s being played on and launch a platform-specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion,” Tomkinson wrote in an accompanying blog post. “These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.”

Read 4 remaining paragraphs | Comments

How Installing League of Legends and Path of Exile Left Some With a RAT

Official releases for the League of Legends and Path of Exile online games were found laced with a nasty trojan after attackers compromised an Internet platform provider that distributed them to users in Asia.

The compromise of consumer Internet platform Garena allowed the attackers to attach malicious software components to the official installation files for the two games, according to a blog post published Monday by antivirus provider Trend Micro. In addition to the legitimate game launcher, the compromised executable file also included a dropper that installed a remote access tool known as PlugX and a cleaner file that overwrote the infected file after it ran.

According to Trend Micro, the attackers took care to conceal their malware campaign, an effort that may have made it hard for victims to know they were infected. The cleaner file most likely was included to remove evidence that would tip users off to a compromise or the origin of the attack. The cryptographic hash that was included with the tampered game files was valid, so even people who took care to verify the authenticity of the game installer would have no reason to think it was malicious, Trend Micro researchers said. The researchers linked to this December 31 post from Garena. Translated into English, one passage stated: “computers and patch servers were infected with trojans. As a result, all the installation files distributed for the games League of Legends and Path of Exile are infected.”

Read 2 remaining paragraphs | Comments

Shoe Retailer Warned on Data Breach

The Information Commissioner’s Office warns online shoe retailer Office to take better care of customer data, following a breach.

NSA Secretly Hijacked Existing Malware to Spy on N. Korea, Others

A new wave of documents from Edward Snowden’s cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations’ hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea’s networks—which initially leveraged South Korean “implants” on North Korean systems, but eventually consisted of the NSA’s own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out “Tailored Access Operations” on a variety of targets, while also building the capability to do permanent damage to adversaries’ information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the “Five Eyes” intelligence community, which was also included in the dump. The code appears to be from the Five Eyes joint program “Warriorpride,” a set of tools shared by the NSA, the United Kingdom’s GCHQ, the Australian Signals Directorate, Canada’s Communications Security Establishment, and New Zealand’s Government Communications Security Bureau.

Read 8 remaining paragraphs | Comments

Surprise! North Korea’s Official News Site Delivers Malware, Too

A security researcher examining the website of North Korea’s official news service, the Korean Central News Agency, has discovered that the site delivers more than just the latest photo spread of Democratic Peoples’ Republic of Korea leader Kim Jong Un inspecting mushroom farms. There’s a little extra surprise hidden in the site’s code—malware. The news site appears to double as a way for North Korea to deliver a “watering hole” attack against individuals who want to keep tabs on the “activities” of the DPRK’s dear leader.

Ars has independently verified a reference within part of the site’s JavaScript code called from the home page to a download named “FlashPlayer10.zip.” The file, which is set as a JavaScript variable “FlashPlayer” on the site’s main page and on other site pages, contains two files labeled as Windows executable installers containing updates for the long-since obsolete Flash Player 10—one for an alleged ActiveX control, and the other for a browser plug in. Both are identical files, and they contain a well-known Windows malware dropper, based on an analysis through the malware screening site Virustotal.

Read 3 remaining paragraphs | Comments

Sony Got Hacked Hard: What We Know and Don’t Know So Far

A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts. Here’s a look at what we do and don’t know about what’s turning out to be the biggest hack of the year.

The post Sony Got Hacked Hard: What We Know and Don’t Know So Far appeared first on WIRED.

Sony Pictures hack gets uglier; North Korea won’t deny responsibility [Updated]

More evidence has emerged that makes the Sony Pictures hack look similar to a suspected attack on South Korean companies over a year ago. And a spokesperson for the North Korean government, rather than denying his country’s involvement, is playing coy as the damage to Sony appears to be growing daily.

When contacted by the BBC, a spokesperson for North Korea’s mission to the United Nations said, “The hostile forces are relating everything to [North Korea]. I kindly advise you to just wait and see.”

Sony Pictures’ computers were reportedly the victim of wiper malware which erased all the data on infected PCs and the servers they were connected to. As Ars reported yesterday, this is similar to the attack on two South Korean broadcasters and a bank that was launched in 2013. As security reporter Brian Krebs reports, the FBI sent out a “Flash Alert” to law enforcement warning of a cyber attacker using “wiper” malware this week—malicious software that erases the entire contents of the infected machine’s hard drives as well as the contents of the master boot record of the computer. The FBI shared a Snort intrusion detection signature for the malware file, and as Krebs noted, “the language pack referenced by the malicious files is Korean.”

Read 7 remaining paragraphs | Comments

This Artist’s Images Integrate Code From Malware Like Stuxnet and Flame

James Hoff’s art glitches music and images with malware like NSA-created Stuxnet and the ILOVEYOU viruses.

The post This Artist’s Images Integrate Code From Malware Like Stuxnet and Flame appeared first on WIRED.

Bits Blog: Symantec Discovers ‘Regin’ Spy Code Lurking on Computer Networks

The security company indicated that a powerful program that could only have been created by a “nation state” has been finding its way into computer systems for six years.

Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer

Piecing together new information from various researchers, it’s clear the ‘Regin” malware is one of the most sophisticated nation-state spy tools ever found.

The post Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer appeared first on WIRED.

Highly Advanced Backdoor Trojan Cased High-profile Targets for Years

Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research.

Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran’s nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.

To remain stealthy, the malware is organized into five stages, each of which is encrypted except for the first one. Executing the first stage triggers a domino chain in which the second stage is decrypted and executed, and that in turn decrypts the third stage, and so on. Analyzing and understanding the malware requires researchers to acquire all five stages. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer’s mouse, stealing passwords, monitoring network traffic, and recovering deleted files. Other modules appear to be tailored to specific targets. One such payload included code for monitoring the traffic of a Microsoft IIS server. Another sniffed the traffic of mobile telephone base station controllers.

Read 4 remaining paragraphs | Comments

Bits Blog: Malicious Software Said to Spread on Android Phones

Lookout, a security company, says it has been tracking malware that over the last two years has become more sophisticated as it hit millions of devices.

Target to Judge: Banks’ Losses in Our Card Breach Aren’t Our Problem

Target’s massive data breach, in which criminals were able to drop malware onto point-of-sale systems and compromise at least 40 million credit and debit cards, is now the subject of a federal lawsuit by banks who issued those cards. And Target is arguing in court today that those claims should be thrown out, Bloomberg reports—because the company claims it had no obligation to protect the banks from damages.

The suit has been brought by five banks—First Federal Savings, Village Bank, Umpqua Bank, Mutual Bank, and Louisiana’s CSE Federal Credit Union. As a group, the banks are claiming losses because the breach exceeded $5 million. The lawsuit is playing out as representatives from financial organizations, including the US’ two major credit union industry associations, are pressing Congress to take action to hold retailers more accountable for payment data breaches and to bring them under the same privacy standards as financial institutions with regard to financial data.

Major retailer data breaches over the past year, including the ones at Target and Home Depot, have caused banks and credit unions to have to reissue hundreds of millions of payment cards. The Home Depot breach, first reported in September, was revealed last week to have exposed 53 million customer e-mail addresses, as well as 56 million payment cards.

Read 2 remaining paragraphs | Comments

Police Make Computer Hijack Arrests

Fifteen people have been arrested, including four in the UK, in connection with the hijacking of computers.

Warnings on ‘Complex’ Android Virus

Hundreds of thousands of Android phones have been infected with malware that uses handsets to send spam and buy event tickets in bulk.

Chinese Arrests over iOS Malware

Three people believed to have been involved in creating malware that penetrated Apple’s strict controls have been arrested in China.

Only Half of USB Devices Have an Unpatchable Flaw, But No One Knows Which Half

After testing the USB controller chips of all eight major manufacturers, the researcher who first discovered BadUSB has some good news and some bad news.

The post Only Half of USB Devices Have an Unpatchable Flaw, But No One Knows Which Half appeared first on WIRED.

Stuxnet Worm Infected High-Profile Targets before Hitting Iran Nukes

Kaspersky Labs

The Stuxnet computer worm that attacked Iran’s nuclear development program was first seeded to a handful of carefully selected targets before finally taking hold in uranium enrichment facilities, according to a book published Tuesday.

The new account, included in Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Wired reporter Kim Zetter, is at odds with the now-popular narrative that the malware first penetrated Iran’s Natanz enrichment facility and later unexpectedly broke loose to infect hundreds of thousands of other sites across the globe. That earlier account, provided by New York Times journalist David Sanger, characterized the escape outside of Natanz as a programming error that was never intended by engineers in the US and Israel, the two countries Sanger and Zetter said devised and unleashed Stuxnet. According to Zetter, the world’s first known cyber weapon first infected Iranian companies with close ties to Iranian nuclear facilities and only later found its way to Natanz.

“To get their weapon into the plant, the attackers launched an offensive against four companies,” Zetter wrote. “All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.”

Read 6 remaining paragraphs | Comments

DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests

The hotel guest probably never knew what hit him. When he tried to get online using his five-star hotel’s WiFi network, he got a pop-up alerting him to a new Adobe software update. When he clicked to accept the download, he got a malicious executable instead. What he didn’t know was that the sophisticated attackers […]

The post DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests appeared first on WIRED.

This System Will Self Destruct: Crimeware Gets Powerful New Functions

Wikia

Researchers have discovered new capabilities in the BlackEnergy crimeware tool that significantly extend its reach. The ability to run on network devices, steal digital certificates, and render infected computers unbootable are just a few of new-found weapons in its arsenal.

BlackEnergy emerged as a tool for launching denial-of-service attacks. It later morphed into crimeware used to funnel banking credentials and most recently was observed as a refitted piece of software for espionage that targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year. In this last incarnation, BlackEnergy in some cases was installed by exploiting a previously unknown vulnerability in Microsoft Windows systems.

According to a report published Monday by security firm Kaspersky Labs, the breadth of BlackEnergy goes even further. A host of extensions customized for both Windows and Linux systems contain commands for carrying out DoS attacks, stealing passwords, scanning ports, logging IP sources, covertly taking screenshots, gaining persistent access to command and control channels, and destroying hard drives. Researchers Kurt Baumgartner and Maria Garnaeva also acquired a version that works on ARM- and MIPS-based systems and uncovered evidence BlackEnergy has infected networking devices manufactured by Cisco Systems. They are unsure precisely what the purpose is for some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS, motherboard, and processor of infected systems.