Wednesday, May 27, 2015

Exploit kit attacks DNS settings of over 50 different router models

Internet users who have not secured their wireless router may be in for trouble. A French researcher has discovered an exploit kit that targets many well-known router models from reputable manufacturers and rewrites their DNS settings.


Photo by ShoutMeTech.com, Flickr




In recent times, home and small office (SOHO) routers have become a primary target for attackers seeking to redirect web traffic to malicious websites. In this campaign, the attackers use an exploit kit that issues cross-site request forgery (CSRF) requests from the victim's browser to the router's administration interface in order to change its DNS settings.


The French researcher known as Kafeine discovered the exploit kit and published his research on Friday. According to Kafeine, traffic to the campaign peaked at approximately a million hits on May 9, after a month-long series of modifications by the attackers that included JavaScript obfuscation.


Traffic redirection results from hijacked router DNS settings


Notably, most of the traffic the attackers drive to the kit comes from Chrome users. Rewriting a router's DNS settings is a pharming attack, and it is dangerous because every name lookup from every device that uses the router as its resolver is then answered by the attacker, which puts online banking and other sensitive transactions and communications at risk.


Kafeine stated:


“This kind of attack is really old, but this is the first time that I’ve seen something with obfuscation, rotating domains and landing going after DNS.”



Home and office routers are attacked in this campaign via drive-by downloads and malvertising. The attackers concentrate on Chrome and Chromium-based browsers, possibly because these browsers let a web page discover the visitor's local and public IP addresses through the WebRTC API (the technique demonstrated by the webrtc-ips proof of concept). WebRTC is built into popular browsers such as Chrome and Firefox so that browsers and mobile apps can communicate in real time through JavaScript APIs; here it serves to locate the victim's router on the local network.


CSRF attacks make a victim's browser submit requests chosen by the attacker, typically to a site or device on which the victim is already authenticated. Here the target is the router's web interface, which accepts the DNS change because the browser attaches the router's session cookie or cached credentials automatically. Kafeine noted that the original exploit code was written in the clear, but within a month it had gained obfuscation and many other improvements. The list of routers vulnerable to this type of attack is long and includes models from D-Link, Belkin, Netgear, Asus and others.


Kafeine wrote:



“In the attack, the DNS address was changed to 185[.]82[.]216[.]86; it has since been changed to 217[.]12[.]202[.]93, and always uses Google’s DNS as a failover should the first IP fail.”
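To make the mechanism concrete, here is an added example in Python (not code from Kafeine's write-up or from any router vendor) that models a router's "change DNS" endpoint two ways: as the campaign finds it, where any POST carrying the router's session cookie is honoured, and hardened with the two checks that defeat a cross-site request forgery. The endpoint path /dns.cgi, the form field names, the 192.168.1.1 address, the session cookie value and the token scheme are all assumptions made for the illustration; the resolver addresses are the ones quoted above.

```python
"""
Router DNS-change endpoint modelled two ways: as the campaign finds it (any request
carrying the router's session cookie is honoured, so a cross-site form post succeeds)
and hardened with an Origin/Referer check plus a per-session CSRF token.
Added illustration, not Kafeine's code or any vendor's firmware: /dns.cgi, the form
field names, 192.168.1.1, the cookie value and the token scheme are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Resolver addresses quoted in the write-up above (IOCs), used to judge the outcome.
MALICIOUS_DNS = {"185.82.216.86", "217.12.202.93"}


@dataclass
class Request:
    method: str
    path: str
    form: dict
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Router:
    host: str = "192.168.1.1"           # assumed LAN address of the admin interface
    session_cookie: str = "sid-abc123"  # assumed: the victim logged in earlier
    dns: list = field(default_factory=lambda: ["192.168.1.1"])
    csrf_tokens: dict = field(default_factory=dict)

    def logged_in(self, req):
        return hmac.compare_digest(req.cookies.get("session", ""), self.session_cookie)

    def set_dns_vulnerable(self, req):
        """Cookie-only authorisation: the browser attaches the cookie to a POST from any origin."""
        if req.method != "POST" or req.path != "/dns.cgi" or not self.logged_in(req):
            return False
        self.dns = [req.form["dns1"], req.form["dns2"]]
        return True

    def issue_csrf_token(self):
        """Called when the admin page is rendered; the token is embedded in the real form."""
        token = secrets.token_hex(16)
        self.csrf_tokens[self.session_cookie] = token
        return token

    def set_dns_hardened(self, req):
        if req.method != "POST" or req.path != "/dns.cgi" or not self.logged_in(req):
            return False
        # 1. Origin (or Referer as fallback) must name the router itself. Browsers set
        #    these headers on cross-site form posts; page script cannot override them.
        origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
        if not origin.startswith(f"http://{self.host}/") and origin != f"http://{self.host}":
            return False
        # 2. Per-session token: a page on another origin cannot read it (same-origin policy).
        expected = self.csrf_tokens.get(self.session_cookie, "")
        if not expected or not hmac.compare_digest(req.form.get("csrf", ""), expected):
            return False
        self.dns = [req.form["dns1"], req.form["dns2"]]
        return True


def forged_request(router):
    """What an auto-submitting form on a malvertising landing page yields at the router:
    the browser adds the router's cookie, Origin names the attacker's page, no token."""
    return Request(
        "POST", "/dns.cgi",
        {"dns1": "185.82.216.86", "dns2": "8.8.8.8"},   # primary IOC, Google as failover
        headers={"Origin": "http://malvertising.example"},
        cookies={"session": router.session_cookie},
    )


def dns_hijacked(router):
    return any(ip in MALICIOUS_DNS for ip in router.dns)


def demo():
    """Returns (hijacked_vulnerable, hijacked_hardened) after the same forged POST hits each."""
    vulnerable = Router()
    vulnerable.set_dns_vulnerable(forged_request(vulnerable))
    hardened = Router()
    hardened.issue_csrf_token()
    hardened.set_dns_hardened(forged_request(hardened))
    return dns_hijacked(vulnerable), dns_hijacked(hardened)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The forged request is exactly what an auto-submitting form on a malvertising page produces: the browser adds the router's cookie on its own, but it also sets Origin to the page that sent the form and has no way to read the token from the router's own page. The Origin check compares against `http://192.168.1.1/` with the trailing slash, so a host such as `192.168.1.1.evil.example` does not pass. On a real router, these two checks in the firmware, plus a non-default administration password, are what stop this class of attack.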


Update your router firmware


Users are at risk of financial loss, click fraud, man-in-the-middle attacks and phishing. Everyone should update their router's firmware, set a strong administration password, and check that the DNS servers configured on the router are the ones they expect rather than the addresses quoted above.


Have a great (CSRF-free) day!




Related Posts:


  • Firmware Vulnerabilities Discovered on Linksys and ASUS…

  • NetUSB hack puts Millions of home users at risk

  • Hacker group LizardSquad used home routers to attack Xbox…

  • Caphaw Trojan Found in Youtube Ads






Malware masquerades as AdBlock Plus application

The merciless onslaught of advertisements in some parts of the web has forced people to use applications like AdBlock to get a cleaner, less cluttered browsing experience. But using AdBlock is safe, right? Only if you are using the right one. A recent Malwarebytes post describes a malicious LSP hijacker that disguises itself as the legitimate application AdBlock Plus. Talk about irony!


Disguised application contains rootkit elements


It turns out that the malware pretending to be AdBlock is fairly advanced. It detects virtual machines and withholds most of its payload there in order to evade analysis. On a real system, however, it acts as an LSP hijacker and installs rootkit components that are difficult to get rid of. Some of the hidden services it installs even run in Safe Mode, which makes removal a problematic procedure.


Rootkit elements of the fake AdBlock (Source: https://blog.malwarebytes.org)



“A Layered Service Provider is a file (.dll) using the Winsock API to insert itself into the TCP/IP stack.”



By registering itself as a Layered Service Provider, the malware sits in the Winsock chain that every application using Winsock on the infected system passes through, so it can inspect and modify all of that traffic. In this case the access is used to inject more ads, which is exactly what you wanted from your new ad “blocker”.
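If you need to check a machine for this kind of hijack, the Winsock catalog is the place to look. The following added example in Python (not Malwarebytes' code) parses the text of `netsh winsock show catalog`, which you would run on the suspect host and save to a file, and flags provider entries whose DLL sits outside the Windows system directory or is not one of the stock Microsoft providers. The sample catalog text in the block is constructed for the demo: the field layout follows netsh output, but the fake provider's description, GUID and DLL path are invented, and the allow-list of provider DLLs is an assumption you should extend for legitimate third-party LSPs.

```python
"""
Triage helper for the LSP hijack described above: parse the text of
`netsh winsock show catalog` (run on the suspect Windows host, saved to a file) and
flag provider entries whose DLL lives outside the Windows system directory or is not
one of the stock Microsoft providers. Added illustration, not Malwarebytes' code.
SAMPLE_CATALOG is constructed for the demo: the field layout follows netsh output, but
the fake provider's description, GUID and DLL path are invented.
"""
import re

# Stock Winsock provider DLLs on a clean install (lower-case file names). Assumption for
# the demo: extend the allow-list with third-party LSPs you know to be legitimate.
KNOWN_PROVIDER_DLLS = {
    "mswsock.dll", "napinsp.dll", "pnrpnsp.dll", "nlaapi.dll", "wshbth.dll", "winrnr.dll",
}
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        AdBlock Plus Filter
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\\ProgramData\\AdBlockPlus\\abplsp.dll
Catalog Entry ID:                   1042
Version:                            2
Protocol Chain Length:              0
"""

ENTRY_SPLIT = re.compile(r"Winsock Catalog Provider Entry\s*\n-+")
FIELD = re.compile(r"^([A-Za-z ]+?):\s+(\S.*?)\s*$")


def parse_catalog(text):
    """Split netsh output into entries, each a dict of 'Field name' -> value."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def suspicious_providers(entries):
    """Entries whose DLL is outside System32 or not a stock provider: (entry id, type, path)."""
    hits = []
    for e in entries:
        path = e["Provider Path"].lower()
        dll = path.rsplit("\\", 1)[-1]
        in_system_dir = path.startswith(SYSTEM_DIRS)
        if not in_system_dir or dll not in KNOWN_PROVIDER_DLLS:
            hits.append((e.get("Catalog Entry ID"), e.get("Entry Type"), e["Provider Path"]))
    return hits


if __name__ == "__main__":
    for entry_id, entry_type, path in suspicious_providers(parse_catalog(SAMPLE_CATALOG)):
        print(f"[{entry_id}] {entry_type}: {path}")
```

Run `netsh winsock show catalog > catalog.txt` on the host and feed the file to `parse_catalog`. If a hostile entry is confirmed, `netsh winsock reset` followed by a reboot rebuilds the catalog without any LSPs, legitimate ones included, which is why security or VPN software sometimes needs reinstalling afterwards.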


Although the application looks like AdBlock, it blocks no ads and performs none of the functions of the legitimate program. This fake ad blocker, named “Bylekh”, also tries to avoid suspicion by using a fake installation date: the date it records (as shown in Add or Remove Programs in the Control Panel) is much older than the actual date, so the entry does not stand out when programs are sorted by installation date.


Fake AdBlock using an incorrect installation date (Source: https://blog.malwarebytes.org)



Programs like these blur the line between PUPs and malware, almost making the two categories equivalent. As adware continues to grow, users must accept that no program can be trusted on its name alone. As this case shows, a program that promises to block ads may end up doing the very opposite.


Have a nice (malware-free) day!



Related Posts:


  • Emsisoft Malware Library

  • How downloading one program can give you six (!) PUPs

  • How to use the new behavior blocker panel to quickly spot…

  • SMS Trojan Podec bypasses CAPTCHA on Android phones

  • Installer hijack vulnerability threatens almost half of all…





Sunday, May 24, 2015

NitlovePOS: New Point of Sale malware that steals payment card information

In recent times we have seen the rise of POS, or point-of-sale, malware (remember PoSeidon?) designed to extract and transmit payment card data. According to this post by FireEye, a new member of this malware family has emerged, capable of stealing Track 1 and Track 2 payment card data. The malware, NitlovePOS, scans the memory of processes on a compromised system and, after finding payment card data, sends it to its control web server over SSL. NitlovePOS is spread mainly through malicious macro documents attached to spam emails.


Victims infected through malicious macro files found in spam emails


Rather than selecting their victims, the cybercriminals send out bulk spam from spoofed Yahoo! Mail accounts with generic subjects such as “Any jobs?”, “Internships?” or “My Resume”. This indiscriminate campaign began on Wednesday, May 20, 2015 with the obvious goal of infecting as many users as possible with the attached malware.


Each spam email carried an attached document named CV_[4 numbers].doc or My_Resume_[4 numbers].doc containing a malicious macro. To convince the user to enable the macro, the documents even claim to be “Protected”.


Source: FireEye



Once enabled, the macro downloads one of several malicious files hosted under the URL 80.242.123.155/exe/, for example 80.242.123.155/exe/dro.exe. It turns out that several of the files there are named “pos.exe”, which suggests that point-of-sale machines are the intended target.


After infecting the system, the malware ensures its survival by creating a registry key that starts it automatically after a reboot. It also sets up communication with one of three hard-coded C2 servers:


  • systeminfou48[.]ru

  • infofinaciale8h[.]ru

  • helpdesk7r[.]ru

Then the memory scraping begins. After searching process memory for data matching the payment card track format, the malware sends its findings back to its operators over an SSL channel, which makes detection at the network level more difficult.
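The “data resembling the payment card format” is not vague: magnetic-stripe Track 1 and Track 2 records have a fixed layout (ISO/IEC 7813), and a PAN carries a Luhn check digit. The added Python example below (not NitlovePOS code or anything from the FireEye post) shows the pattern a memory scraper uses to find such records, which is also what an incident responder runs over a process dump to confirm what a scraper could have taken. The memory excerpt is constructed for the demo around the well-known test PAN 4111111111111111, which is Luhn-valid but belongs to no real account.

```python
"""
Pattern a memory scraper (and, turned around, an incident responder scanning a process
dump) uses to find magnetic-stripe data. Added illustration, not NitlovePOS code or
anything from the FireEye post. Track 1 and Track 2 layouts follow ISO/IEC 7813; the
SAMPLE_MEMORY buffer is constructed for the demo around the well-known test PAN
4111111111111111, which passes the Luhn check but belongs to no real account.
"""
import re

# Track 2:  ;PAN=YYMM SSS discretionary?    Track 1:  %B PAN ^ SURNAME/NAME ^ YYMM SSS discretionary?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,30})\?")
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan):
    """Luhn checksum over a PAN (bytes or str); cuts false positives from random digit runs."""
    if isinstance(pan, bytes):
        pan = pan.decode("ascii", "replace")
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def scan_buffer(buf):
    """Return (track, PAN, expiry YYMM, service code) for every Luhn-valid record in buf."""
    hits = []
    for m in TRACK1.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(("track1", m.group(1).decode(), m.group(3).decode(), m.group(4).decode()))
    for m in TRACK2.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(("track2", m.group(1).decode(), m.group(2).decode(), m.group(3).decode()))
    return hits


def mask(pan):
    """First six and last four digits only, the usual form for a report or ticket."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed process-memory excerpt: one Track 1/Track 2 pair between junk bytes, plus a
# decoy Track 2 record whose PAN fails Luhn and must not be reported.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00\x90\x90"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\xff\xfe"
    b";4111111111111111=25121011000000000000?"
    b"\x00junk;4111111111111112=25121010000000000?\x00"
)


def demo():
    """Masked view of what the scanner finds in SAMPLE_MEMORY."""
    return [(track, mask(pan), exp, svc) for track, pan, exp, svc in scan_buffer(SAMPLE_MEMORY)]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Because the malware ships the data over SSL, network inspection will not see the card numbers; a scan like this over dumps of the POS application's processes, and DNS or proxy logs checked for the three C2 domains above, are the more reliable places to look.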


The cybercriminals may even have a control panel to orchestrate their operation. New variants of POS malware keep emerging as existing ones are detected and blocked; the cybercriminals are clearly not going to give up easily.


Have a nice (malware-free) day!



Related Posts:


  • Half a million computers infected as Macro Malware makes a…

  • Spam email delivers Microsoft Office macro trojan malware

  • Sophisticated new breed of Point-of-Sale malware discovered

  • Michaels Arts & Crafts Confirms Data Breach

  • Un demi-million d’ordinateurs infectés par des…





Saturday, May 23, 2015

Logjam attack, similar to the FREAK vulnerability, breaks TLS security

Not so long ago, a major vulnerability in SSL/TLS forced browsers to use weak encryption under certain circumstances, allowing attackers to spy on otherwise secure data. It was dubbed FREAK because it involved RSA export keys. Now a similar issue has emerged concerning Diffie-Hellman key exchange in TLS. All servers that support export-grade 512-bit Diffie-Hellman groups are affected.


Use of weak encryption leads to man in the middle scenario


At the heart of the problem is a ’90s US government policy that restricted export of strong encryption keys.


In the Logjam attack, a man in the middle downgrades a connection to a vulnerable server to 512-bit export-grade Diffie-Hellman; the client accepts the weak parameters because the TLS handshake gives it no way to tell that a downgrade occurred. The attacker then breaks the 512-bit key exchange with their own computing resources, after which they can read or modify anything passing over the connection, so sensitive data between server and client is exposed. Since the attack requires breaking a key, it is mostly within reach of well-resourced attackers, which makes state-level organisations and intelligence agencies the prime candidates. In fact, the researchers also note that NSA documents leaked by Edward Snowden suggest the agency may have done the precomputation needed to break the commonly used 1024-bit Diffie-Hellman primes.


Logjam was discovered through a joint study conducted by CNRS, Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research, Johns Hopkins University, University of Michigan, and the University of Pennsylvania. Their findings are detailed in this post.


According to the post, all TLS-dependent services that support DHE_EXPORT ciphers are at risk:


  • HTTPS (Top 1 million domains) – 8.4% vulnerable

  • HTTPS (Browser Trusted Sites) – 3.4% vulnerable

  • SMTP+StartTLS (IPv4 Address Space) – 14.8% vulnerable

  • POP3S (IPv4 Address Space) – 8.9% vulnerable

  • IMAPS (IPv4 Address Space) – 8.4% vulnerable

The researchers also stated:


“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.”
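The point in that quote is easier to see at toy scale. The added Python example below (not from the Logjam paper or weakdh.org) uses baby-step giant-step rather than the number field sieve, but it has the same shape: a precomputation that depends only on the group (p, g), after which each individual key exchange in that group falls with a small amount of extra work. The group here is the 31-bit prime 2^31 - 1 with generator 7, chosen so the demo runs in well under a second; the real attack does the same against the 512-bit export groups, and with nation-state resources against common 1024-bit ones.

```python
"""
Toy illustration of "precompute once per prime, then break each connection quickly".
Added example, not from the Logjam paper or weakdh.org. Baby-step giant-step stands in
for the number field sieve: the baby-step table depends only on (p, g) and is reused
against every Diffie-Hellman exchange in that group. Group chosen for speed: the
Mersenne prime 2^31 - 1 with generator 7 (7 is a primitive root; 7^5 = 16807 is the
classic MINSTD multiplier).
"""
from math import isqrt
import secrets

P = 2**31 - 1
G = 7


class GroupPrecomputation:
    """One-time work for a group (p, g): the baby-step table g^j -> j for j < ceil(sqrt(p))."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = isqrt(p - 2) + 1            # ceil(sqrt(p - 1)); m^2 covers every exponent
        self.table = {}
        x = 1
        for j in range(self.m):
            self.table[x] = j
            x = x * g % p
        # g^(-m) mod p via Fermat's little theorem (p is prime); multiplier for giant steps
        self.giant = pow(pow(g, self.m, p), p - 2, p)

    def dlog(self, h):
        """Return a with g^a = h (mod p). Per-exchange cost: at most m multiplications."""
        gamma = h % self.p
        for i in range(self.m):
            j = self.table.get(gamma)
            if j is not None:
                return i * self.m + j
            gamma = gamma * self.giant % self.p
        raise ValueError("h is not in the group generated by g")


def dh_keypair(p, g):
    """An honest party's Diffie-Hellman secret and public value."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def break_exchange(pre, pub_a, pub_b):
    """Passive attacker with the precomputation: recover Alice's secret, derive the shared key."""
    a = pre.dlog(pub_a)
    return pow(pub_b, a, pre.p)


def demo():
    """True if the attacker's derived key equals the one the honest parties computed."""
    pre = GroupPrecomputation(P, G)      # paid once for this prime
    a, pub_a = dh_keypair(P, G)
    b, pub_b = dh_keypair(P, G)
    honest_shared = pow(pub_b, a, P)
    return break_exchange(pre, pub_a, pub_b) == honest_shared


if __name__ == "__main__":
    print(demo())  # True
```

This is also why the advice is to generate your own 2048-bit group rather than reuse a well-known one: an attacker who has paid the precomputation for a shared prime gets every server that uses it for free.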



Server administrators are advised to disable support for export cipher suites and to generate a unique 2048-bit Diffie-Hellman group. Internet Explorer has already been updated to address the vulnerability, and patches for other browsers are in progress. Almost every online transaction relies on secure client-server communication, which is why any vulnerability that breaks encryption is a major concern.


Have a nice (secure) day!



Related Posts:


  • Security flaw “FREAK” haunts millions of Android

  • The end of FREAK: Massive SSL vulnerability finally patched

  • Teleoperated surgery robots are vulnerable to malicious…

  • Protecting Yourself from Heartbleed

  • Urgent! Update your Windows to patch several critical…





Thursday, May 21, 2015

How to use the new behavior blocker panel to quickly spot potential threats

One of the biggest improvements in Emsisoft Anti-Malware and Emsisoft Internet Security version 10 is the new behavior blocker panel, which gives you full control over your running programs. If your PC seems to run slowly or behaves erratically, it is time to review which programs are running on your system and take action accordingly. Here is how.


What is the purpose of a behavior blocker?


The best way to understand what a behavior blocker does is to imagine a layer that sits between your operating system and the programs on your computer. This layer checks the actions of programs for known malicious behavior patterns and raises an alert as soon as something suspicious occurs. For example, if an unsigned program starts without a visible window, creates an auto-run entry in the registry and sends data over the internet, the chances are high that it is a piece of spyware.


No matter how encrypted or complex a malware program is, it cannot hide its behavior. Because there is a limited number of ways malware can behave (a virus, for example, will always infect files), the behavior blocker can detect almost any type of malware.


The Emsisoft behavior blocker.



However, many legitimate programs behave quite similarly to malware; software updaters, for example, also run in the background and send data over the internet. That is where the Emsisoft Anti-Malware Network comes in: when the behavior blocker notices a program exhibiting questionable behavior, it performs a live cloud verification against our public malware database. If the Emsisoft Anti-Malware Network has a clear indication that a program is good or bad, the alert is skipped and the program is automatically allowed or blocked, drastically reducing the number of false positives. The Emsisoft Anti-Malware Network knows over 163 million malware threats, and more than 200,000 are added daily!


The behavior blocker settings


The behavior blocker panel has several key settings:


Activate or deactivate the behavior blocker


You can activate or deactivate the behavior blocker with the “Activate Behavior Blocker” option. We do not recommend disabling it, as this lowers your overall protection against malware. If you ever must disable it, simply uncheck this box.


Show or hide fully trusted programs


You can choose your preferred view of running processes by using the “Hide fully trusted applications” option. To view all running processes, uncheck the box and all processes that have good, bad, or unknown reputations will become visible. Checking the box will only show bad or unknown processes and hide the ones that are known to be safe.


View details about active running processes


You can view several details about each running program in the revamped behavior blocker panel. The most important columns are “Company” and “Reputation”. A company name is shown in green if the file is digitally signed and the certificate is valid. This matters because any file property can be faked by malware authors, so a “Microsoft Corporation” shown in black does not guarantee that the file is from Microsoft. Always check the reputation rating (good, bad or unknown) in the last column, as it is essential for telling the good from the bad.


How to use the process list to spot potential threats


Now that you know where to find the key settings in the panel, you are ready to utilize the process list to find and remove potentially malicious applications running on your PC. If the behavior blocker indicates that a program’s reputation is unknown or bad, you can right-click on the program to perform several actions: create rule, lookup online, end process, quarantine process, open file location, and view file properties.


Right-click on any process to perform various tasks to find out more about it.



The quarantine and end process options are only available for new or bad processes, to prevent you from harming your system by mistakenly applying them to a harmless or critical Windows process. Each action lets you learn specific details about the program:


Create rule


Creating application rules for active running processes is simple: Right click on any individual process and select the “create rule” option from the context menu. You can then configure application rules and set your preferences on how you want the behavior blocker to behave, which is described in more detail in the next paragraph.


Lookup online


Use this feature to check a file in the Emsisoft Anti-Malware Network. After selecting the desired process, you’ll be directed to a page in which you can view several file properties and details about the executable process that you can use to make an informed decision about the safety of a file.


The process list “lookup online” feature using the Emsisoft Anti-Malware Network.



If a process is known to have a bad or unknown reputation, you are presented with options to either quarantine or end the process. If a file is classified as new or unknown, use caution. If a file status is classified as bad, we recommend you remove the file entirely.


Quarantine program


You can use the quarantine program option to move an unknown or malicious process or program safely into Emsisoft’s quarantine. Once there, it can no longer be accessed or run, because it is placed in an encrypted container that keeps it locked. If you quarantine a harmless file by mistake, you can restore it from the quarantine at any time.


End process


You can use the end process option to end an unknown or actively malicious process. The threat can no longer harm your PC because it is no longer running. Ending the process may be a safer alternative to quarantine when you are unsure whether a process is malicious but still do not trust it, or notice that it is exhibiting suspicious behavior.


Open the file location


Navigate to a file location to get insight about where exactly a file is located. For example, if a supposed system process is typically located in the System32 directory but is now present in your Documents folder, it is most likely malware. Experienced users may wish to manually remove threats using this option.


View the file properties


File properties are traits of the file such as its size and type. They help in judging whether a file is malicious because they include the MD5 hash, which can be compared with the authentic hash published by the vendor or found in a trusted database. An MD5 hash is a 32-character hexadecimal string that identifies a file and reveals whether it has been modified: if the hash differs from the authentic one, there is a high probability that the file is malicious. Note that MD5 is no longer collision-resistant, so compare a SHA-256 hash as well wherever one is available. The dates a file was first and last seen also matter: a file that is relatively new and not yet classified should, in principle, not be trusted.
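The three manual checks described above (is the file where it should be, does its hash match a known-good value, and is the claimed company backed by a verified signature) can be scripted. The added Python example below is not Emsisoft's code: the process entries and the allow-list hash are constructed for the demo, real known-good hashes come from the vendor or a trusted database, and the `signed` flag is taken as an input because verifying an Authenticode signature needs a Windows API (sigcheck or PowerShell's Get-AuthenticodeSignature will report it).

```python
"""
Manual triage checks from the section above (expected location, known-good hash,
claimed vs. verified signer) as a small routine over a process listing. Added
illustration, not Emsisoft's code. The process entries and the allow-list hash are
constructed for the demo; real known-good hashes come from the vendor or a trusted
database, and 'signed' is an input because verifying an Authenticode signature needs
a Windows API (sigcheck or Get-AuthenticodeSignature).
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Proc:
    name: str
    path: str
    company: str   # what the file's version information claims
    signed: bool   # True only if the signature verified (the "green" company name)
    sha256: str


def hash_file(path, chunk=1 << 20):
    """MD5 and SHA-256 of a file in one pass, read in chunks so large binaries fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


# Constructed allow-list: where a system image must live and what it must hash to.
# The hash is of a placeholder string, standing in for the vendor-published value.
KNOWN_GOOD = {
    "svchost.exe": {
        "dir": r"c:\windows\system32",
        "sha256": hashlib.sha256(b"placeholder for the real svchost.exe").hexdigest(),
    },
}


def triage(proc):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    directory = proc.path.lower().rsplit("\\", 1)[0]
    expected = KNOWN_GOOD.get(proc.name.lower())
    if expected:
        if directory != expected["dir"]:
            findings.append(f"{proc.name} runs from {proc.path}; expected {expected['dir']}")
        if proc.sha256.lower() != expected["sha256"]:
            findings.append(f"{proc.name} hash differs from the known-good value")
    if proc.company.lower().startswith("microsoft") and not proc.signed:
        findings.append(f"{proc.name} claims '{proc.company}' but its signature did not verify")
    return findings


def demo():
    """Findings for a genuine svchost.exe and for an impostor in a user's Documents folder."""
    genuine = Proc("svchost.exe", r"C:\Windows\System32\svchost.exe",
                   "Microsoft Corporation", True, KNOWN_GOOD["svchost.exe"]["sha256"])
    impostor = Proc("svchost.exe", r"C:\Users\alice\Documents\svchost.exe",
                    "Microsoft Corporation", False, hashlib.sha256(b"something else").hexdigest())
    return triage(genuine), triage(impostor)


if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```

`hash_file` computes both digests in one pass so you can compare whichever the reference source publishes; prefer SHA-256 where both are available.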


What to do when a malicious process is found


If a process is found to be malicious, it will most likely be blocked in real time by the Emsisoft behavior blocker. Alternatively, use the process list to quarantine or end the malicious program. If a program is classified as malicious, we recommend quarantining it.


If the program is unknown, ending the process may be a safer option at the time as the program could potentially be harmless. At this point, running a scan with your security product may be a wise choice to ensure that your PC is free of other potential malware infections. Alternatively, feel free to consult with our malware removal experts on our support forum if you are unsure of which action to take.


How to configure application rules


You can configure application rules in order to define your own preferences on how you want the Emsisoft behavior blocker to react to specific programs. If you notice there is already a rule available for that program, then double click on the process to open an “edit rule box” instead of creating a new rule. You can configure application rules under the protection tab or by right-clicking on an individual program in the process list. You have the following options:


Configure an “all allowed” application rule.



All allowed should be used when the application is undoubtedly safe and is a common everyday application with favorable reputation status among many users.


Configure a “custom monitoring” application rule.



Monitor this application, but allow/block specific activities should be used when a safe or unknown application is not necessarily malicious but sometimes exhibits suspicious behavior that triggers frequent behavior blocker prompts.


Configure an “always block this application” rule.



Always block this application should be used if you are certain a program is behaving in a malicious manner. An example of such a scenario is if an unknown application is attempting to capture your keystrokes or injecting code into another process.


Conclusion


The revamped behavior blocker panel offers new ways to spot potential threats. You can use the new process list to weed out suspected threats and learn several details about the programs running on your PC. When a malicious process is found, simply use the end or quarantine option to remove the threat from memory. In addition, you can create application rules to control how the behavior blocker handles specific applications and activities. Use the new panel to get the most out of your Emsisoft protection.


Please share your feedback about the new behavior blocker panel, we always like to hear your thoughts!


Have a great (malware-free) day!



Related Posts:


  • Efficient protection against new malware: Emsisoft’s…

  • Stable update: Emsisoft Anti-Malware and Internet Security…

  • Emsisoft Anti-Malware & Emsisoft Internet Security…

  • Is this file safe? Re-launch of the Emsisoft Anti-Malware…

  • Emsisoft Malware Spotlight: Blackbeard and Pigeon




How to use the new behavior blocker panel to quickly spot potential threats

How to use the new behavior blocker panel to quickly spot potential threats

One of the biggest improvements of Emsisoft Anti-Malware and Emsisoft Internet Security version 10 is the new behavior blocker panel, which gives you full control over your running programs. If your PC seems to run slower or behaves erratically, it’s time to view which and what programs are running on your system and take action accordingly. Here’s how you can do so.


What is the purpose of a behavior blocker?


The best way to understand what a behavior blocker does is to imagine a layer that sits between your operating system and the programs on your computer. This layer checks for certain malicious behavior patterns in the actions of the programs and raises an alert as soon as something suspicious occurs. For example, if a program is not digitally signed, starts without a visible window, creates an auto-run entry in registry or sends data over the internet then chances are high this is a piece of spyware.


No matter how encrypted or complex a malware program is, it’s can’t hide its behavior. Because there are a limited amount of ways a malware can behave (e.g. a virus will always infect files), the behavior blocker can detect almost any type of malware.


151205_EmsisoftProcessList5

The Emsisoft behavior blocker.



However, many legitimate programs behave quite similar to malware, such as software updaters that may also run in the background and send data over the internet. That’s where the Emsisoft Anti-Malware Network comes in: the behavior blocker uses our public malware database to perform a live cloud verification when it notices a program is exhibiting questionable behavior. If the Emsisoft Anti-Malware Network has a clear indication that a program is good or bad, the alert can be skipped and will automatically be allowed or blocked, drastically reducing the amount of false positives. The Emsisoft Anti-Malware Network knows over 163 million malware threats, and more than 200,000 threats are added daily!


The behavior blocker settings


The behavior blocker panel has several key settings:


Activate or deactivate the behavior blocker


You can activate or reactivate the behavior blocker by checking the “Activate Behavior Blocker” option. We don’t recommended to disable the behavior blocker as this will lower your overall protection against malware. If the need ever arises that you must disable the behavior blocker, simply uncheck this box.


Show or hide fully trusted programs


You can choose your preferred view of running processes by using the “Hide fully trusted applications” option. To view all running processes, uncheck the box and all processes that have good, bad, or unknown reputations will become visible. Checking the box will only show bad or unknown processes and hide the ones that are known to be safe.


View details about active running processes


You can view several details about each actively running program in the revamped behavior blocker panel. The most important columns in the panel to look at are the “Company” column and the “Reputation” column. A company name is marked in green if the file is digitally signed and the certificate is valid. This is important because any file property information can potentially be faked by malware authors. Therefore, if you only see a black color coded “Microsoft Corporation”, that does not guarantee that the file is from Microsoft. You should always pay attention to the reputation rating for each program in the last column (good, bad or unknown) as this is essential in distinguishing the good from the bad.


How to use the process list to spot potential threats


Now that you know where to find the key settings in the panel, you are ready to utilize the process list to find and remove potentially malicious applications running on your PC. If the behavior blocker indicates that a program’s reputation is unknown or bad, you can right-click on the program to perform several actions: create rule, lookup online, end process, quarantine process, open file location, and view file properties.


ContextMenuBB_151805

Right-click on any process to perform various tasks to find out more about it.



The quarantine and end process options are only available for new or bad processes in order to prevent you from harming your system by mistakenly performing one of these actions on a harmless or critical windows process. Each action will allow you to learn specific details about the program:


Create rule


Creating application rules for active running processes is simple: Right click on any individual process and select the “create rule” option from the context menu. You can then configure application rules and set your preferences on how you want the behavior blocker to behave, which is described in more detail in the next paragraph.


Lookup online


Use this feature to check a file in the Emsisoft Anti-Malware Network. After selecting the desired process, you’ll be directed to a page in which you can view several file properties and details about the executable process that you can use to make an informed decision about the safety of a file.


IsThisFileSafe_151605

The process list “lookup online” feature using the Emsisoft Anti-Malware Network.



If a process is known to have a bad or unknown reputation, you are presented with options to either quarantine or end the process. If a file is classified as new or unknown, use caution. If a file status is classified as bad, we recommend you remove the file entirely.


Quarantine program


You can use the quarantine program option to move an unknown or malicious process or program safely to Emsisoft’s quarantine. Once you move a program or process to quarantine it can no longer be accessed or run because it is placed in an encrypted container that will keep it locked. In the event that you mistakenly quarantine a harmless file, you can restore the file from the quarantine at at any given time.


End process


You can use the end process option to end an unknown or active malicious process. This means that the the threat cannot harm your PC anymore since it is no longer running. The end process option may be a safer alternative than the quarantine option in the event you are unsure if a process is malicious, but still do not trust it or notice that it is potentially exhibiting suspicious behavior.


Open the file location


Navigate to a file location to get insight about where exactly a file is located. For example, if a supposed system process is typically located in the System32 directory but is now present in your Documents folder, it is most likely malware. Experienced users may wish to manually remove threats using this option.


View the file properties


File properties are traits of the file such as the size or type. Viewing file properties is helpful in determining whether a file is malicious because users can view the MD5 hash of any given file which can be compared to the authentic hash that can quickly be found online. The MD5 hash of a file is a sequence of 32 characters which help identify each file uniquely and comes in handy to see if a file as been manipulated or changed. If the hash is different, there is a high probability that the file is malicious. The date a file was first and last seen is a factor to take into consideration because if a file is relatively new and not classified yet, it in theory should not be trusted.


What to do when a malicious process is found


ProcessList_151605If a process is found to be malicious, it will most likely be blocked in realtime by the Emsisoft behavior blocker. Alternatively, use the process list to quarantine or end the active malicious program. If a program is classified as malicious, it is recommended that you quarantine the threat.


If the program is unknown, ending the process may be a safer option at the time as the program could potentially be harmless. At this point, running a scan with your security product may be a wise choice to ensure that your PC is free of other potential malware infections. Alternatively, feel free to consult with our malware removal experts on our support forum if you are unsure of which action to take.


How to configure application rules


You can configure application rules in order to define your own preferences on how you want the Emsisoft behavior blocker to react to specific programs. If you notice there is already a rule available for that program, then double click on the process to open an “edit rule box” instead of creating a new rule. You can configure application rules under the protection tab or by right-clicking on an individual program in the process list. You have the following options:


ApplicationRule2_151605

Configure an “all allowed” application rule.



All allowed should be used when the application is undoubtedly safe and is a common everyday application with favorable reputation status among many users.


ApplicationRule3_151605

Configure  a “custom monitoring” application rule.



Monitor this application but allow/block specific activities should be used when a safe or unknown application is not necessarily malicious but at times exhibits suspicious behavior that causes the behavior blocker to prompt you frequently.



Configure an “always block this application” rule.



Always block this application should be used if you are certain a program is behaving maliciously. Examples of such a scenario are an unknown application attempting to capture your keystrokes or injecting code into another process.


Conclusion


The revamped behavior blocker panel offers new ways to spot potential threats. You can use the new process list to weed out suspected threats and learn several details about the programs running on your PC. When a malicious process is found, simply use the end or quarantine option to remove the threat from memory. In addition, you can create application rules to control how the behavior blocker handles certain applications and activities. Use the new panel to your advantage to get the most out of your Emsisoft protection.


Please share your feedback about the new behavior blocker panel, we always like to hear your thoughts!


Have a great (malware-free) day!




Wednesday, May 20, 2015

Malvertising makes use of the Magnitude exploit kit to deliver ransomware

Online advertisements can be annoying. But what if they spread malware too? The excessive greed of a few has led to the rise of malvertising: advertisements that redirect or lead to malware. A recent Zscaler study revealed that several compromised websites contained ads that led to ransomware.


Compromised websites lead to drive-by-download attacks serving ransomware


In these attacks, the malicious payload is delivered to vulnerable systems using a popular technique known as drive-by download. Essentially, compromised websites host the Magnitude exploit kit, the community name chosen for an exploit kit previously referred to as “Popads”, which drops malware onto the system using vulnerabilities found in the browser.


The following websites were found to redirect to malicious content:


  • hymedoraw[dot]com/search[dot]php

  • awerdeall[dot]com/search[dot]php

  • index-html[dot]com/

  • joomla-green[dot]com/

  • bestcool-search[dot]com/

  • joyo-search[dot]com/

  • megas-search[dot]com/

  • speeds-search[dot]com/

  • sample-data[dot]com/

  • lazy-summer[dot]com/

  • tundra-search[dot]com/

  • death-tostock[dot]com/

  • adoncorst[dot]com/search[dot]php

  • demo-content[dot]com/

  • enable-bootstrap[dot]com/

  • rospecoey[dot]com/search[dot]php

  • aranfleds[dot]com

  • malpithia[dot]com/search[dot]php

  • noutademn[dot]com/search[dot]php

The malvertising networks lead to redirector domains using “302 cushioning”, i.e. bouncing the visitor through a chain of HTTP 302 redirections, in order to avoid detection.
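A defender can spot this redirect cushioning in proxy or web-gateway logs. The following is an added example, not code from the original post or from Zscaler: it stitches together 302 responses whose Location header is the next URL the same client requested and flags chains that hop through several hosts before landing. The log lines are constructed for the demo (all hosts under example), and the six-column format and the thresholds are assumptions to adapt to your own gateway's log layout.

```python
from urllib.parse import urlsplit

# Constructed proxy log: timestamp client method url status location ("-" if none).
SAMPLE_LOG = """\
2015-05-20T10:00:01Z 10.0.0.5 GET http://news.example/article 200 -
2015-05-20T10:00:02Z 10.0.0.5 GET http://ads.example/show?id=77 302 http://redir1.example/r
2015-05-20T10:00:02Z 10.0.0.5 GET http://redir1.example/r 302 http://redir2.example/go
2015-05-20T10:00:03Z 10.0.0.5 GET http://redir2.example/go 302 http://landing.example/index.php
2015-05-20T10:00:03Z 10.0.0.5 GET http://landing.example/index.php 200 -
2015-05-20T10:00:09Z 10.0.0.7 GET http://shop.example/cart 302 http://shop.example/login
2015-05-20T10:00:09Z 10.0.0.7 GET http://shop.example/login 200 -
"""


def parse_log(text):
    """Parse the constructed six-column log into a list of dicts (assumed layout)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, location = line.split(maxsplit=5)
        entries.append({
            "ts": ts,
            "client": client,
            "method": method,
            "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return entries


def redirect_chains(entries):
    """Per client, follow each 302 whose Location equals the next requested URL.

    Returns (client, [url0, url1, ...]) tuples for every chain of length > 1.
    Requests that were not part of a redirect chain are ignored.
    """
    by_client = {}
    for e in entries:
        by_client.setdefault(e["client"], []).append(e)

    chains = []
    for client, seq in by_client.items():
        i = 0
        while i < len(seq):
            chain = [seq[i]["url"]]
            j = i
            while (seq[j]["status"] == 302 and seq[j]["location"]
                   and j + 1 < len(seq) and seq[j + 1]["url"] == seq[j]["location"]):
                j += 1
                chain.append(seq[j]["url"])
            if len(chain) > 1:
                chains.append((client, chain))
            i = j + 1
    return chains


def chain_hosts(chain):
    return [urlsplit(u).hostname for u in chain]


def suspicious_chains(entries, min_hops=2):
    """Flag chains with at least min_hops redirects that cross more than one host.

    A single same-site redirect (cart -> login) is normal web behaviour and is
    left alone; an ad click bouncing through several unrelated hosts is the
    cushioning pattern worth alerting on.
    """
    findings = []
    for client, chain in redirect_chains(entries):
        hops = len(chain) - 1
        hosts = chain_hosts(chain)
        if hops >= min_hops and len(set(hosts)) > 1:
            findings.append({
                "client": client,
                "hops": hops,
                "hosts": hosts,
                "landing": chain[-1],
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_chains(parse_log(SAMPLE_LOG)):
        print("%s: %d hops via %s -> %s" % (f["client"], f["hops"],
                                            " > ".join(f["hosts"]), f["landing"]))
```

The landing URL at the end of a flagged chain is what you would then check against threat intelligence or the kind of redirector list given above; the intermediate hosts are typically short-lived and change often, so alerting on the chain shape rather than on specific domains ages better.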


The “magnitude” of damage


Magnitude delivers a Flash and (highly obfuscated) JavaScript payload, exploiting the MS13-009 integer overflow vulnerability. After compromising the system, shellcode is dropped which fetches a list of URLs embedded within it, leading to ransomware. In this case, the first link led to CryptoWall 3.0, an updated version of a notorious ransomware family that has made headlines several times.


As stated by Zscaler:


“This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor Anonymizer to monetize the attack. Threat actors utilize this method of collection because it can’t be reliably traced back to them. Victims are especially vulnerable to this type of extortion since very few people seem to back up their critical files such as documents and pictures.”



As with any ransomware attack, backups are a lifesaver here. We strongly recommend making regular backups of your data and running up-to-date malware protection to keep malvertising strikes at bay.


Have a nice (malware-free) day!


