DecryptedTech

Thursday, 18 August 2022

Displaying items by tag: Malware

If there is one thing Anonymous has done that has had a measurable positive effect, it is exposing the level of corporate and government ignorance about security. Ignorance is not an admissible excuse in this day and age; it is routinely rejected in court when someone says they did not know they were breaking the law. Since that principle is generally accepted, why is anyone willing to give a pass to companies that show massive amounts of ignorance (which is really just a lack of forethought or cost cutting) when it is discovered that their systems are not secure? We are shocked that this is at all acceptable considering the data breaches going back as far as 2009. Still, we continually hear that this product or that network has suddenly been discovered to be insecure. Exactly how is that possible?

Published in Editorials

There is nothing like a botnet to remind us all that there is truly no such thing as a "secure" operating system. For years Apple presented the Mac as impervious to viruses and malware. They ran commercials stating "Macs do not get viruses" and continued this mythology despite the many Java, Flash and other attacks that existed in the wild. The fact that many of these were centered on pirated software or required user interaction did not dent the myth. Now, with Flashback, things have gotten very real very quickly.

Published in News

Microsoft has scored a fairly important (if somewhat small) victory over some of the real cyber criminals out there. This morning they announced that, through a joint effort with the US Marshals and multiple financial organizations, they were able to bring two Zeus botnets down over the weekend. This was accomplished by seizing the command and control servers for this particular group. The Zeus family of malware has been responsible for millions of dollars in losses through the theft of online banking credentials.

Published in News

FUD (Fear, Uncertainty and Doubt) comes in many forms. The most common is through the news (printed and internet); with hundreds of millions of people consuming content from multiple sources, the seeds of misinformation can be sown with relative ease. Over the past few months we have seen the NSA, the FBI, Fox News, Symantec and others start to paint the Anonymous (and other) online movements as villains. The FBI, CIA and NSA have even begun a campaign to throw them into the same category as terrorists. Most of these efforts have not met with success, as more and more people are beginning to read between the lines of the daily news, but they still have an impact.

Published in News

There is an old saying, buy cheap and sell dear, that came about in the Carnegie days and has been in use by corporations for so long that it is just the way they do things. What this means now is that corporations will always look for the quick and easy way to do things. This is not a big shock; after all, most companies want to minimize costs and maximize profits. Where this hurts the consumer is that, many times, minimizing costs ends up being translated into cuts to security or product quality. A perfect example would be Apple's move to Foxconn: yes, they reduced their operating costs, but realistically the product quality has gone down. Another place where we see cuts is in the security and network protections around user data. A good example of this can be found in Google Wallet.

Published in Editorials

If the name Charlie Miller sounds familiar to you, it should. After all, he is one of the researchers who has consistently found bugs and holes in Apple's vaunted security. He is also a frequent winner of the Pwn2Own competition, where security experts and "hackers" alike compete to find the fastest way of breaking into a computer system. Charlie's love for Apple and all of its devices has kept him in something of a love-hate relationship with the company for years, but recently things took a turn for the worse.

After discovering a flaw in Apple's Mobile Safari that allowed the execution of unsigned code, Miller reported it to Apple. He did this on the 14th of October and never received any word back. To demonstrate the seriousness (and apparent ease) of this new flaw, Miller submitted an app with the malicious code packed inside. The app, disguised as a stock ticker, was approved by Apple and set up for distribution in the walled garden of the iTunes App Store; the app fetched its real payload from Miller's own server only after it was installed, so App Store review never saw it. Miller was then able to use the app to execute his code and take control of core functions of the phone.

For his troubles Miller was unceremoniously dropped from the Apple Developer Program for violating the terms of the agreement (which he really did do). The problem with this type of action from Apple is that it makes them seem like they do not want to admit or address serious security issues inside their operating systems. Miller has sent an email asking for clarification, stating: "I'm mad, I report bugs to them all the time. Being part of the developer program helps me do that. They're hurting themselves, and making my life harder."

Miller feels that this is one of the changes coming after the passing of Steve Jobs and the arrival of new management. "I miss Steve Jobs," he says. "He never kicked me out of anything."

Source Forbes


Published in News

There is a long-standing myth that PCs are susceptible to viruses and malware while Macs and Linux are not. Unfortunately for anyone who believes this myth, there are consequences. One of these is a feeling of invulnerability when browsing. This false sense of security can lead to many things, including having your computer hijacked or being silently rolled into a giant Mac-only botnet... I am sure you get my point. This phenomenon is not limited to Mac owners; PC owners that have "full" virus and malware protection get the same false sense of security.

Now, the interesting thing is that while there are literally thousands of viruses and malware samples for Windows-based systems in the wild, OS X has no shortage of security holes of its own that can be exploited by something as simple as a drive-by or other malformed code on a web page. One that caught our attention is Adobe Flash based (yes, I know Steve Jobs wanted to ban Adobe). This little exploit loads a .swf file in a hidden iFrame. The .swf in question is the Flash Player settings panel, the one that authorizes turning on the end user's webcam and microphone; the attacker's page is laid out so that the victim's clicks land on its "Allow" button, after which the camera feed can be broadcast to the attacker's server.

Now this is nothing new (it is classic clickjacking) and I have witnessed this kind of thing done at different security conventions. The thing that is really concerning is that this is being run on a version of Flash that is supposed to have code (called frame busting) to prevent it. What happened is that Adobe only patched part of the hole. They covered the settings page being loaded in an iFrame, but forgot to prevent the .swf itself from being loaded into that same space. This little exploit was found by a computer science student at Stanford University named Feross Aboukhadjeh.

Now I know you are wondering what my rant at the beginning of this article about Macs has to do with this exploit... Well, the kicker is that Aboukhadjeh has only been able to get this exploit to work on Macs running either Firefox or Safari. The reason he has been so successful there is that with these browsers on OS X it is easier to make the iFrame transparent to the end user. Aboukhadjeh says that he does believe this will work on other operating systems, but that it will take significantly more effort and would require layering the frame to avoid detection.
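The lesson of the half-patch above is that framing protection is per response: a page that refuses to be framed does nothing for an embeddable object served next to it. The following is an added example, not code from the article, from Adobe or from Aboukhadjeh. It models, in Node.js, how a browser decides whether a response may sit inside a frame using the header-based defences (Content-Security-Policy frame-ancestors, with X-Frame-Options as fallback) that replaced script-based frame busting, and runs it over a constructed two-resource site: a settings page that carries a header and the object it hosts, which carries none. The hostnames settings.example and evil.example, the header set and the source-matching rules (a simplified subset of CSP's host-source matching) are all assumptions made for the demonstration.

```javascript
// Added example: per-response framing checks, showing why protecting the
// HTML page alone leaves the embedded object clickjackable.
// Hostnames, headers and the simplified matching rules are constructed here.

// Pull the frame-ancestors source list out of a CSP header value.
// Returns null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Does one ancestor origin match one source expression? Handles 'none',
// 'self', '*', scheme-source (https:) and host-source with an optional
// leading wildcard label and optional port (simplified CSP3 rules).
function ancestorMatches(expr, ancestor, self) {
  const a = new URL(ancestor);
  const s = new URL(self);
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return a.origin === s.origin;
  if (expr.startsWith("'")) return false;           // other keywords never match
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return a.protocol === expr;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (a.protocol !== scheme + ':') return false;
  } else if (a.protocol !== s.protocol && !(s.protocol === 'http:' && a.protocol === 'https:')) {
    return false;                                    // no scheme given: inherit the resource's, http may upgrade
  }
  if (wildcard ? !a.hostname.endsWith('.' + host) : a.hostname !== host) return false;
  if (port === '*') return true;
  if (port) return (a.port || (a.protocol === 'https:' ? '443' : '80')) === port;
  return a.port === '';                              // no port given: ancestor must use the default port
}

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

// May this response be rendered inside the given chain of ancestor origins?
// Every ancestor must be allowed. frame-ancestors wins when present;
// otherwise X-Frame-Options applies; with neither header anyone may frame it.
function mayBeFramed(headers, ancestors, self) {
  const h = lowerKeys(headers);
  const sources = parseFrameAncestors(h['content-security-policy']);
  if (sources) {
    return ancestors.every(anc => sources.some(src => ancestorMatches(src, anc, self)));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') {
    const origin = new URL(self).origin;
    return ancestors.every(anc => new URL(anc).origin === origin);
  }
  return true;
}

// Constructed sample site: the settings page refuses foreign framing, but the
// object it embeds is served with no framing header at all.
const SITE = 'https://settings.example';
const RESPONSES = {
  '/settings.html': { 'Content-Security-Policy': "frame-ancestors 'self'" },
  '/settings.swf': {},
};

function framableBy(path, attackerOrigin) {
  return mayBeFramed(RESPONSES[path], [attackerOrigin], SITE + path);
}

// Stand-alone run: the page is protected, the object is not.
console.log('settings.html framable by evil.example:', framableBy('/settings.html', 'https://evil.example'));
console.log('settings.swf  framable by evil.example:', framableBy('/settings.swf', 'https://evil.example'));

module.exports = { parseFrameAncestors, ancestorMatches, mayBeFramed, framableBy, RESPONSES, SITE };
```

The check to take away is the last pair of calls: the same policy must be attached to every response that a browser will render in a frame, object or embed element, not only to the page a developer thinks of as "the" settings page.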

Adobe has been notified of the exploit.

Source The Inquirer


Published in News
Tuesday, 18 October 2011 21:14

New Malware Found with Stuxnet Similarities

Just in case all of the warnings we gave you before about SCADA (Supervisory Control and Data Acquisition) devices, and how insecure most of them are, were not enough, we now find a new piece of malware that appears to be intended to spy on industrial networks as a precursor to a future attack like the Stuxnet malware that hit last year. Dubbed Duqu because of the "~DQ" prefix attached to the files it creates, this new bit of code is very concerning to security experts.

The code was found on several Windows-based systems across multiple companies in Europe. These companies were not directly identified, but all appear to have connections to industries that directly interact with basic infrastructure services. As of right now Duqu appears content to just gather information and report back to its command and control servers (including via an internal key logger). Duqu also appears to be sending JPG files back and forth between the server and the infected system. As many have found out to their dismay, you can embed quite a bit of information in a JPG file, so these could be used to carry control instructions and responses, or could be nothing more than test files right now.

So far researchers are at a loss as to what Duqu is collecting and why. They do know that the attacks have been going on since at least December 2010 and that the first variant identified used a stolen code-signing certificate, much like the original Stuxnet did. Researchers at Symantec and McAfee also feel that the creators of this code had access to the Stuxnet source code, as the two pieces of malware are very similar in the way they operate and in the code used. Both McAfee and Symantec have also stated that Duqu does not self-replicate and that it does not appear to use any known exploits. This would indicate that the malware is delivered through tactics like drive-by downloads or social engineering, which rely on a human to open the email attachment or web link that installs the malicious code on the system.

We personally wonder if this is related to some of the rumors about Anonymous stepping up their attacks on governments and large corporations. After all, with what they can gather using some fairly simple techniques (and a nice bit of coding) they can put some rather devastating plans into action very quickly. If this is the case (and this is all just speculation) then we might be looking at an attack that no one is really prepared for. Then again, this could all be nothing more than a reconnaissance mission, especially considering that the code uninstalls itself after 30 days...

Source Symantec and McAfee

Published in News
Monday, 03 October 2011 07:23

Chrome Accidentally Identified as Malware

Sometimes old news is funny news, and this one falls into that category. On Friday the 30th of September a new malware definition database for Microsoft's free Security Essentials anti-malware package began mistakenly (?) identifying Google's Chrome web browser as a form of malware known as Win32/Zbot. As a result it either blocked or removed Chrome from the "infected" system.

Now Win32/Zbot (Microsoft's name for the Zeus family) is a nasty little piece of malware that is known to steal passwords and other personal information. According to information about Zbot on the internet, it is capable of grabbing FTP passwords and e-mail passwords, lowering security settings in IE, Firefox and other browsers, and other malicious activities. Microsoft quickly released an updated signature database that corrects the false positive, but it is also worth mentioning that Google released an updated version of Chrome as well.

My question is this: if Chrome was not exhibiting any "unwanted" behaviors, then why change it? After all, Microsoft released an updated engine to prevent it from being removed unintentionally. Perhaps it has something to do with the way that Chrome scavenges user data and stores browsing history (even if the user tells it not to). Since its release there have been concerns over the way Chrome caches browsing history, passwords and other sensitive user information. In fact, in the early releases we tracked the software writing to the System Volume Information folder and then sending this data back to Google servers. We have heard that this behavior is no longer happening but have not tested the latest versions.

Unless I have completely missed the mark, I have a feeling that there is a little bit of truth to the accidental identification of Chrome as malware and that Google had to respond to prevent other malware prevention software from finding the same thing. Meanwhile many IT departments still prohibit the use of Chrome for security reasons... you be the judge on this one.


Published in News

So it appears that Google thinks people should use its Chrome browser even if they work at a company that restricts things of this nature (often with very good reason). Although you will not hear much about this, it has been a well-documented fact that Chrome caches web pages (even in private mode) and also keeps certain components running after Chrome is closed. These components read and write data to the System Volume Information folder and do a few other things that are suspicious at best. This (among other things) has caused more than a few companies to ban the browser from use inside the corporate network.

However, Google still thinks it has the right to let people by-pass these restrictions and install software that is not authorized. They have done this with a plug-in called Chrome Frame. Chrome Frame is a plug-in for Internet Explorer that allows a web page to be rendered using Chrome's engine inside the currently running browser. I guess this is for people that do not want to use multiple browsers, and it is fine as long as it is something they want to install and (in the case of someone at their place of employment) it is authorized to be installed. This was not good enough for Google though; they have written a version of the plug-in that installs into the user's own profile without administrator rights, by-passing the restrictions that are in place to prevent unapproved software from being installed.

Now, I know there are some that will not understand why this is bad. They will say that people should be able to view the internet and that companies still on IE6 or 7 (which are no longer supported by Gmail and other Google sites) are hindering their employees. However, most companies have fairly strict policies on browsing. This is mostly to prevent malware but also to help increase productivity. I know at more than one company I have worked for we provided internet systems in the break room and lunch room, but prevented all browsing on the users' workstations. We were also never hit with a virus on any user desktop, but had them on the employee internet systems. So it is not unusual to place these restrictions on browsing. It is entirely wrong (not to mention arrogant) of Google to create something that by-passes these restrictions. It also opens up a vector for attack: a per-user install sits outside the IT department's patching and inventory, and someone will find a way to usurp the plug-in and execute code through a rendering engine that was never approved. It is nothing short of malware all on its own.


Published in News