A large share of the malware in circulation consists of RAT (Remote Administration Tool) samples. This is software created by people who specialise in it: people who develop, improve and sell their tools. It gives the attacker the capability to spy on victims through actions such as screen capturing, keylogging, password stealing, command execution and remote access and control. Clients of these services usually pay to gain access to the tools and to additional services such as support and zero or low antivirus detection. Below is a description of one such service that AlienVault has been observing: clients pay for the service and then gain access to a web portal where they can generate personalised Trojans, manage the infected victims from the web browser and host the malware on the provider's “cloud”. The creators promote it as a service for remotely controlling computers and “recovering passwords”. This means that clients hardly have to deal with any technical issues, and they need no special skills or knowledge. The providers supply the tools, the hosting and the Command and Control server. When clients log in to their personal account they see the main menu, tutorials and shortcuts.
An unpatched critical security vulnerability in Microsoft’s software, which means that users’ computers can become infected simply by visiting a website with Internet Explorer, is being actively exploited by cybercriminals. Alongside last week’s regular Patch Tuesday announcement (which included a remote code execution vulnerability that is being exploited by attackers in the wild), Microsoft also issued an out-of-band security advisory about an as-yet unpatched security hole (known as CVE-2012-1889).
The Flame cyber-attack that targeted computers across the Middle East has been linked to the Stuxnet worm, which is believed to have been orchestrated by the US and Israel to attack Iranian nuclear centres.
Speaking at the Reuters Global Media and Technology Summit on 11 June, Eugene Kaspersky, chief executive of the Russian security firm that bears his name and which discovered the Flame virus in May, said his team of researchers have found that Flame shares an almost identical piece of code with a 2009 version of Stuxnet.
Symantec, which has also been analysing Flame, seconded Kaspersky Lab’s assertion regarding the malware’s similarities to Stuxnet. A Symantec research manager confirmed that the two cyber weapons were built using shared source code.
“[T]here were two different teams working in collaboration,” Kaspersky said, suggesting that the engineers who developed both viruses had access to the same code.
Exploits for a recently revealed MySQL authentication bypass flaw are now in the wild, partly because the flaw is remarkably simple to exploit in order to gain root access to the database. The only mitigating factor appears to be that it depends on the C library that the MySQL database was built with. The bypass, assigned the vulnerability ID CVE-2012-2122, allows an attacker to gain root access by repeatedly trying to log in with an incorrect password. Each attempt has a 1 in 256 chance of being granted access. Most of the exploits are variations on a loop that connects to MySQL with a bad password around 300 to 512 times.
The vulnerability, which was detailed in a posting by MariaDB security coordinator Sergei Golubchik, is due to a casting error when checking the result of comparing (with the memcmp function) the password given and the expected password: the int that memcmp returns is narrowed to a one-byte boolean, so any nonzero result that happens to be a multiple of 256 is read as zero, i.e. as a match. “Basically account password protection is as good as nonexistent”, says Golubchik, adding “Any client will do, there’s no need for a special libmysqlclient library”. Vulnerable versions of MySQL and MariaDB are those compiled with libraries whose memcmp returns integers outside the -128 to 127 range. According to Golubchik, the gcc built-in memcmp and the BSD libc memcmp are safe, but the Linux glibc SSE-optimised memcmp is not.
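To make the casting error concrete, here is an added C example modelled on the defect class described above; it is not MySQL's or MariaDB's own code. The `wide_memcmp` stand-in is constructed so that its nonzero results are spread beyond -128..127 (the page's point about optimised memcmp implementations), and the expected scramble bytes are constructed sample data. The vulnerable check returns the int result through a one-byte `my_bool`, the fixed check reduces it to 0/1 while it is still an int, and the counting routine shows how many wrong first bytes each version wrongly accepts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One-byte boolean, as used in older MySQL headers. */
typedef char my_bool;

/* Constructed memcmp stand-in. A conforming memcmp may return any int with
 * the right sign; this one returns the byte difference of the first
 * mismatch multiplied by 64, so it regularly produces values far outside
 * -128..127 (and multiples of 256 whenever the difference is a multiple
 * of 4). The scale factor is chosen for illustration only. */
static int wide_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *p = a, *q = b;
    for (size_t i = 0; i < n; i++)
        if (p[i] != q[i])
            return ((int)p[i] - (int)q[i]) * 64;
    return 0;
}

/* Vulnerable pattern: the int is implicitly narrowed to my_bool (char).
 * Any nonzero result that is a multiple of 256 becomes 0, which the
 * caller reads as "scramble matches". Return value 0 means success. */
static my_bool check_scramble_vulnerable(const unsigned char *got,
                                         const unsigned char *expected,
                                         size_t n) {
    return wide_memcmp(got, expected, n);
}

/* Fixed pattern: collapse to 0/1 before the value can be truncated. */
static my_bool check_scramble_fixed(const unsigned char *got,
                                    const unsigned char *expected,
                                    size_t n) {
    return wide_memcmp(got, expected, n) != 0;
}

/* Try every value of the first scramble byte against a constructed
 * expected scramble and count wrong values that are accepted (check
 * returns 0). Returns the count for the vulnerable check; *fixed_out
 * receives the count for the fixed check. */
static int count_false_accepts(int *fixed_out) {
    const unsigned char expected[8] = {0x80, 0x11, 0x22, 0x33,
                                       0x44, 0x55, 0x66, 0x77};
    unsigned char got[8];
    int vuln = 0, fixed = 0;

    memcpy(got, expected, sizeof got);
    for (int b = 0; b < 256; b++) {
        if (b == expected[0])
            continue;               /* that would be the right password */
        got[0] = (unsigned char)b;
        if (check_scramble_vulnerable(got, expected, sizeof got) == 0)
            vuln++;
        if (check_scramble_fixed(got, expected, sizeof got) == 0)
            fixed++;
    }
    if (fixed_out)
        *fixed_out = fixed;
    return vuln;
}

int main(void) {
    int fixed = 0;
    int vuln = count_false_accepts(&fixed);
    printf("wrong first bytes accepted: vulnerable=%d fixed=%d (of 255)\n",
           vuln, fixed);
    return 0;
}
```

With this constructed memcmp the vulnerable check accepts 63 of the 255 wrong first bytes (every difference that is a multiple of 4), while the fixed check accepts none; with a real SSE-optimised memcmp the accepted fraction depends on the library's return values, which is why the page describes the odds per attempt as about 1 in 256. The lesson for review is the same either way: never let an int comparison result flow into a narrower boolean type without first reducing it to 0 or 1.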
Here is a great analysis of the MD5 collision in Flame by Alex Sotirov.