New, improved Macro malware hitting Microsoft Office

December 16, 2015 – 4:40 PM

The comeback was 16 years in the making, but macro malware is once again on security professionals’ radar in a big way, impacting at least 100,000 people since it began its resurgence earlier this year, according to Intel Security.

The malware, which uses the macros found in Windows Office products like Word and Excel, had its heyday in 1999, when it was first observed in the form of the Melissa virus. Some good work by Microsoft at the time, which included adding a permissions step for Office document users, helped curtail the issue, but now it is again on the rise.

“Certainly over the last 12 months we have witnessed a spike. In underground forums there are multitudes of tools that allow people to create malicious macro malware attachments, which has also fed the spike,” Raj Samani, vice president and CTO of Intel Security, said in an email Wednesday.

Fellow Intel Security executive Vincent Weafer, senior vice president, wrote in an Intel Security Perspectives blog post that the number of macro malware incidents is up fourfold this year, adding that, just as in 1999, Office documents are still the preferred targets. The latest incarnation includes several new twists to spread the malware, including socially engineered phishing campaigns that target corporate workers, where Office is most often used. Previously, the email attack was much less sophisticated.


You Can Break Into a Linux System by Pressing Backspace 28 Times

December 16, 2015 – 4:37 PM

Hitting a key over and over again actually works for once. Two security researchers in Spain recently uncovered a strange bug that will let you into most Linux machines just by hitting the backspace key 28 times. Here’s how to fix it and keep your data protected.

The researchers, Hector Marco and Ismael Ripoll from the Cybersecurity Group at Polytechnic University of Valencia, found that it’s possible to bypass all security of a locked-down Linux machine by exploiting a bug in the Grub2 bootloader. Essentially, hitting backspace 28 times when the machine asks for your username drops you into the “Grub rescue shell,” and once there, you can access the computer’s data or install malware. Fortunately, Marco and Ripoll have released an emergency patch to fix the Grub2 vulnerability. Ubuntu, Red Hat, and Debian have all issued patches to fix it as well.

Linux is often thought of as a super secure operating system, but this is a good reminder to take physical security just as seriously as network security (if not more). Take extra care when your machine is around people you don’t know, especially if your system has sensitive data on it.


Updated Cryptowall Encrypts File Names, Mocks Victims

November 5, 2015 – 4:13 PM

Cryptowall has gotten a minor, but important facelift that might make it more difficult for researchers to tear apart and for victims to recover their encrypted data without paying a ransom.

Spotted two days ago, the latest update to the ransomware has begun encrypting not only the data on victims’ machines but also the file names, a first, according to independent researcher Nathan Scott, who examined the code along with researchers from Bleeping Computer.

“I’m surprised more don’t do it; this makes it significantly harder to recover files except by paying the ransom,” Scott said. “If you try to do a forensic data recovery, the files show up with these weird names and the user doesn’t know what file is what. No one knows any structure in files any more.

“The only way to regain your data is a complete backup,” Scott said. “If you don’t backup, the only way to get the data back is to pay the ransom.”

The attackers behind Cryptowall have also updated the ransom note that victims are presented with. The note contains new mocking language, congratulating the victim on becoming part of the Cryptowall community, and the attackers have also assigned themselves a hashtag, #CryptowallProject. Scott speculates that the hashtag is there so that victims will use it to commiserate on social media; if there is any kind of volume, it may push them toward paying the ransom that much quicker.


New type of auto-rooting Android adware is nearly impossible to remove

November 4, 2015 – 4:25 PM

Researchers have uncovered a new type of Android adware that’s virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.

The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play. From the end user’s perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits—found in three app families known as Shedun, Shuanet, and ShiftyBug—allow the trojanized apps to install themselves as system applications, a highly privileged status that’s usually reserved only for operating system-level processes.

“For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone,” researchers from mobile security firm Lookout wrote in a blog post published Wednesday. “Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.”

The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Under a model known as sandboxing, for instance, Android apps aren’t permitted to access passwords or most other data available to other apps. System applications with root, by contrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps can read or modify data and resources that would be off limits to normal apps.


Zero-Day Attack Compromises a Half-Million Web Forum Accounts

November 4, 2015 – 4:14 PM

Forum software-makers vBulletin and Foxit Software may have been breached by a hacker claiming to have made off with personal data belonging to some 479,895 users between the two.

“Coldzer0” said in a post co-authored with @Cyber_War_News that he exploited the same zero-day vulnerability for both domains, and was able to access user IDs, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords for hundreds of thousands of users.

For its part, vBulletin has confirmed that an attack happened: “Very recently, our security team discovered a sophisticated attack on our network,” the company said in a post. “Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.”

The issue affects vBulletin versions 5.1.4 to 5.1.9, the company said. It has issued a patch, presumably for the zero-day, and has also forced a password reset for all of its users.

Tod Beardsley, principal security research manager at Rapid7, said in an email that it looks like the vBulletin attack was due to an SQL injection bug in vBulletin’s forum software.