New crypto-ransomware “quarantines” files, downloads info-stealer

April 7, 2015 – 8:46 AM

Trend Micro researchers have found and analyzed a new piece of crypto-ransomware: CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for ransom and, finally, downloads info-stealer malware.

It arrives on target computers after the user has been tricked into downloading and running a malicious attachment – a JavaScript file – that downloads four files: the ransomware itself, SDelete (a Microsoft Sysinternals tool that will be used to delete files), GnuPG (a legitimate open source encryption tool), and a GnuPG library file.

The ransomware uses GnuPG to create an RSA-1024 public and private key pair that is used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.

“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos explains.


New router DNS attack delivers porn and game ads on mainstream websites

March 26, 2015 – 6:32 PM

Of all the various malware attack vectors, hacking a person’s router is one of the most effective. A new report from Ara Labs highlights how router attacks have evolved in recent years, and details a new method of serving unwanted advertising via intercepted Google Analytics information.

When evil routers attack

The reason routers are tempting targets for botnet builders and NSA agents alike is because they typically function as the gateway to an entire local network. Consumers tend to forget that the router is, itself, vulnerable. It’s not at all unusual for a router to serve its entire operating lifetime running default firmware and using the stock admin/admin name and password.

Once an attacker has gained access to a local router, they can tamper with its configuration. The most common type of attack is known as DNS spoofing or cache poisoning.


Detect DLL Hijacks on Windows

March 26, 2015 – 6:30 PM

DLL hijacking is an attack that makes applications load malicious dynamic link libraries instead of the intended — clean and legit — library on a Windows system.

Programs that don’t specify full paths to their libraries are vulnerable to DLL hijacking, because in that case Windows uses a priority-based search order to locate the library to load.

If attackers manage to place a malicious library in a location with a higher priority than the legitimate one, the application will load it instead.

Users cannot really do anything about this as it is not clear if paths are set properly or not in applications that they run on the system. It is up to programmers to make sure paths are set properly in the programs before they are released to the public.

As an end user, you can use a program like Dll Hijack Detect to scan the computer system for potential hijacks.

The program identifies all DLLs loaded by running processes on the system. It inspects every library location where malicious files could be placed, checks whether a loaded library appears more than once in the search order, determines which copy is currently loaded, and warns you if a hijack is possible.
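The duplicate-copy check described above, as an added offline example (not the Dll Hijack Detect tool’s own code): it walks the documented default Windows DLL search order for each loaded DLL and reports names that exist in more than one search location, noting which copy is the loaded one. All paths and the on-disk inventory are constructed samples.

```python
"""Offline model of a DLL search-order duplicate check (added example).
Every path below is a constructed sample, not data from a real host."""
import ntpath

def search_order(app_dir, cwd, path_dirs, windir=r"C:\Windows"):
    """Default order with SafeDllSearchMode enabled: application directory,
    System32, 16-bit System directory, Windows directory, current
    directory, then each PATH entry."""
    return [app_dir, ntpath.join(windir, "System32"),
            ntpath.join(windir, "System"), windir, cwd, *path_dirs]

def find_duplicates(loaded, order, existing):
    """loaded: full paths of DLLs mapped into one process.
    order: search directories, highest priority first.
    existing: set of full paths present on disk (compared case-insensitively).
    Returns one finding per DLL name that appears in more than one search
    location; 'rank' is the position of the loaded copy in that order."""
    on_disk = {p.lower() for p in existing}
    findings = []
    for full in loaded:
        name = ntpath.basename(full)
        copies = [d for d in order if ntpath.join(d, name).lower() in on_disk]
        if len(copies) < 2:
            continue  # a single copy cannot be shadowed by another
        loaded_dir = ntpath.dirname(full)
        rank = next((i for i, d in enumerate(copies)
                     if d.lower() == loaded_dir.lower()), None)
        findings.append({"dll": name, "loaded_from": loaded_dir,
                         "copies": copies, "rank": rank})
    return findings

def demo():
    """Constructed inventory: an editor shipping its own version.dll next
    to the system copy, and a stray dwmapi.dll left in the user's cwd."""
    app, cwd = r"C:\Apps\Editor", r"C:\Users\alice\Downloads"
    order = search_order(app, cwd, [r"C:\Tools"])
    existing = {r"C:\Apps\Editor\version.dll", r"C:\Windows\System32\version.dll",
                r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\dwmapi.dll",
                r"C:\Users\alice\Downloads\dwmapi.dll", r"C:\Tools\libssl.dll"}
    loaded = [r"C:\Windows\System32\kernel32.dll", r"C:\Apps\Editor\version.dll",
              r"C:\Windows\System32\dwmapi.dll", r"C:\Tools\libssl.dll"]
    return find_duplicates(loaded, order, existing)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['dll']}: loaded from {f['loaded_from']} "
              f"(priority {f['rank']} of {len(f['copies'])} copies)")
```

On a live system the `loaded` list would come from the process’s module list and `existing` from the file system; each finding is a candidate to review, not proof of a hijack, since vendors legitimately ship private copies of system DLLs.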


Secure your wireless router

March 24, 2015 – 5:35 AM

There is no such thing as perfect security. Given enough knowledge, resources, and time, any system can be compromised. The best you can do is to make it as difficult for an attacker as possible. That said, there are steps you can take to harden your network against the vast majority of attacks.

The default configurations for what I call consumer-grade routers offer fairly basic security. To be honest, it doesn’t take much to compromise them. When I install a new router (or reset an existing one), I rarely use the ‘setup wizards’. I go through and configure everything exactly how I want it. Unless there is a good reason, I usually don’t leave it as default.

I cannot tell you the exact settings you need to change. Every router’s admin page is different, even for routers from the same manufacturer. Depending on the specific router, there may be settings you can’t change. For many of these settings, you will need to access the advanced configuration section of the admin page.


Noobs can pwn world’s most popular BIOSes in two minutes

March 20, 2015 – 7:16 PM

Millions of flawed BIOSes can be infected using simple two-minute attacks that require no technical skills, only access to the PC.

Basic Input/Output Systems (BIOS) have been the target of much hacking research in recent years since low-level p0wnage can grant attackers the highest privileges, persistence and stealth.

LegbaCore researchers Xeno Kopvah and Corey Kallenberg revealed the threat to El Reg ahead of their presentation, “How Many Million BIOSes Would You Like to Infect?”, at CanSecWest tomorrow.

“Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected,” Kopvah says.

“The high amount of code reuse across UEFI BIOSes means that BIOS infection can be automatic and reliable.

“The point is less about how vendors don’t fix the problems, and more how the vendors’ fixes are going un-applied by users, corporations, and governments.”

Kopvah and Kallenberg’s talk aims to both highlight the dangers and capabilities of BIOS attacks and the need for system administrators to apply vendor patches, something which they say is not being done.