Displaying items by tag: Malware

In addition to seeing more than a few products and ideas during Black Hat and DEF CON we also had the chance to see something really cool from the team at Trustwave. This was not a product, but a chance to see the back end of the command and control servers for a new and improved version of the RIG exploit kit. To say that what they showed was impressive is an understatement.

The one common thing that I keep hearing everyone talk about at Black Hat and even DEF CON is how to protect your data. It is pretty much a given that if someone wants to get into your network they are going to get in. The number of flaws, vulnerabilities and compromises that are out there are simply too many to protect against. So there needs to be some other method to make sure that any sensitive data that you have is keep out of the hands of the “bad guys”. There are many suggestions about this, but most of them still try to do the same things stop the barbarians at the gate.

Last year during DEF CON 22 we saw a demonstration of a UEFI root kit that was extremely worrying. This root kit was installed using a multipart systems to infect the UEFI BIOS in such a way as to grant the same level of access to an attacker as the CPU has (Ring 0). It was an almost unprecedented style of attack. When we reported on this many seemed to feel that it was not an issue. Now researchers are finding evidence of this same type of attack in the data lifted from the Hacking Team.

Although it will not come as a surprise, there seems to be yet another bug in Adobe’s flash player that allows for an attacker to potentially take control of a system by forcing a crash of the application. According to TrendMicro, CVE 2015-5123 is a critical bug in the latest version of Flash player for Linux, Windows, and OSX operating systems. Adobe has already released a customer advisory stating they are already aware of this flaw being exploited in the wild.

The Italian Security firm Hacking Team is now admitting that their spying software is potentially in the hands of bad guys. After a hack that saw roughly 400GB of company information liberated from their systems they have been monitoring what is being released online. They have now concluded that there is sufficient source code for their monitoring applications to allow someone to mount the same style surveillance that they were providing to their clients.

On March 2 2015 CVE-2015-1187 was released. This alert indicated that a simple cross-site request forgery allowed someone (the “bad” guys) to hijack DNS settings on a wide range of routers. By doing this they were able to point people to their own DNS server and in turn direct them to malicious sites. These sites could be anything they wanted them to be from phishing sites to sites with malware intended to compromise the target system. The exploit is a pretty smart one especially when you take into account the fact that the bad guys do not need to remotely manage the target router to get this going.

The idea of GPU accelerated applications is one that has caught the attention of many developers over the years since we first heard about it. It is a great advancement in technology that allows you to use the parallel processing and faster memory of a GPU to perform complex tasks much faster than most CPUs can. This is great for software that needs that extra boost like AI, video or photo editing and… Malware. Yes it is also possible to develop malware that uses OpenCL and Cuda (NVIDIA’s flavor of GPU programing language.

There is a common belief that Linux and BSD operating systems are, by their nature, much more secure than anything Microsoft has ever released. The problem with this belief is that it is simply not true. Linux, BSD and Windows can all be made more secure than they are by default, but there is work involved and there is a tradeoff of ease of use when you start locking things down. Many web hosts running Linux or BSD do not really have the time or available man power to really lock their host systems down which leaves them vulnerable to a number of attacks.

Over the weekend there was a lot of talk about how Windows in particular is vulnerable to a flaw that is linked to SMB. This flaw could allow someone to grab user information by forcing a redirect to a malicious server using the SMB protocol. The way it works is pretty simple; if you give someone a URL that begins with the work “file” then Windows (and some other systems) will think that you want to use SMB to connect to a file share. If the server that the link (URL) points to uses even basic authentication then you can try and tempt a user to put in their own credentials and grab them during the exchange.

It is no secret that malware is often spread through sites that offer pirated content. No matter the type of content there is a chance that someone has put up a file that is little more than malware. This type of behavior is common and plays into human nature in many ways. It also replies on the fact that many anti-malware applications already see cracked files and key generators are malware. This makes people ignore warnings from the systems designed to protect them and end up installing more than just the game they wanted to get out of playing.