DDoS malware for Linux systems comes with sophisticated custom-built rootkit

February 6, 2015 – 7:54 PM

A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that’s custom built for each infection.

The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. However, it has since evolved and new versions were seen in the wild as recently as Jan. 20, according to a new report Thursday from security firm FireEye, which analyzed the threat in detail.

XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks launched primarily from Internet Protocol (IP) addresses registered to a Hong Kong-based company called Hee Thai Limited.

The attacks attempt to guess the password for the root account by using different dictionary-based techniques and password lists from past data breaches. FireEye observed well over 20,000 SSH login attempts per targeted server within a 24-hour period and more than 1 million per server between mid-November and end of January.

When the attackers manage to guess the root password they send a complex SSH remote command — sometimes over 6,000 characters long — that consists of multiple shell commands separated by semicolons. These commands download and execute various scripts as part of a sophisticated infection chain that relies on an on-demand malware building system.
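Brute-force activity of this kind is visible in sshd's authentication log long before the root password falls, and the tell-tale sign of a successful guess is an accepted login from an address that has already failed many times. The Python script below is an added example, not part of the original article or of FireEye's report: it runs over a few constructed auth.log lines (the addresses are RFC 5737 documentation ranges, not the ones FireEye attributes to Hee Thai Limited), counts failures per source address, and flags any accepted login that arrives from an address already over the threshold. The threshold of 3 is chosen only so the constructed sample trips it; against the 20,000-attempts-per-day volume FireEye observed, any production threshold would be far higher.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the FireEye report).
# Source addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 20 03:14:07 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51212 ssh2
Jan 20 03:14:09 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51214 ssh2
Jan 20 03:14:11 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51216 ssh2
Jan 20 03:14:12 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51220 ssh2
Jan 20 03:14:15 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51222 ssh2
Jan 20 03:14:20 web1 sshd[2109]: Accepted password for root from 203.0.113.5 port 51230 ssh2
Jan 20 03:15:01 web1 sshd[2120]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 20 03:16:40 web1 sshd[2130]: Accepted publickey for deploy from 192.0.2.10 port 33002 ssh2
"""

# OpenSSH's default log lines for a rejected and an accepted authentication.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze_auth_log(text, threshold=3):
    """Count failed SSH logins per source IP and flag suspicious successes.

    Returns a dict with:
      bruteforce        {ip: total_failures} for every IP at or above threshold
      root_failures     {ip: failures_against_root} for those same IPs
      suspicious_logins accepted logins from an IP that had already failed
                        at least `threshold` times (a likely guessed password)
    """
    failures = defaultdict(int)
    root_failures = defaultdict(int)
    suspicious = []

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            if m["user"] == "root":
                root_failures[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        # A success from an address that was already guessing is the event to act on.
        if m and failures.get(m["ip"], 0) >= threshold:
            suspicious.append({
                "ip": m["ip"],
                "user": m["user"],
                "method": m["method"],
                "failures_before": failures[m["ip"]],
            })

    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "bruteforce": flagged,
        "root_failures": {ip: root_failures[ip] for ip in flagged},
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["bruteforce"].items():
        print(f"{ip}: {n} failed logins ({report['root_failures'][ip]} against root)")
    for s in report["suspicious_logins"]:
        print(f"ALERT: {s['user']} logged in from {s['ip']} via {s['method']} "
              f"after {s['failures_before']} failures")
```

The "success after brute force" alert is the one worth paging on: a flood of failures is background noise on any Internet-facing SSH port, but an accepted password login for root from the same address means the dictionary worked. Disabling password authentication for root (`PermitRootLogin prohibit-password` or `no` in sshd_config) removes the attack this malware relies on altogether.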

Source:
http://www.csoonline.com/article/2881134/malware-cybercrime/ddos-malware-for-linux-systems-comes-with-sophisticated-custombuilt-rootkit.html#tk.rss_news

US health insurer Anthem suffers massive data breach

February 5, 2015 – 5:20 AM

Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals.

Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company’s CEO Joseph Swedish in a public statement, in which he says they were the victims of a “very sophisticated external cyber attack.”

“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” he shared, and added that, as far as they can tell for now, “no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”

“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” he noted, and promised that they will notify each of the affected customers in writing (via a letter), and provide credit monitoring and identity protection services free of charge.

The breach impacted customers of all their product lines: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. But, the final number of affected individuals is still to be determined.

Source:
http://www.net-security.org/secworld.php?id=17917

Serious bug in fully patched Internet Explorer puts user credentials at risk

February 4, 2015 – 5:46 AM

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users’ browsing sessions. Microsoft officials said they’re working on a fix for the bug; the published exploit works against IE 11 running on both Windows 7 and 8.1.

The vulnerability is a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same-origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how a maliciously crafted page can violate this rule when people visit it with supported versions of Internet Explorer running the latest patches.

To demonstrate the attack, the demo injects the words “Hacked by Deusen” into the website of the Daily Mail. But it could equally have stolen HTML-based data that the news site, or any other website, stores on visitors’ computers. That means it would be trivial for attackers to use it to steal the authentication cookies many websites use to grant access to user accounts once a visitor has entered a user name and password. Once in possession of such a cookie, an attacker could access the same restricted areas normally available only to the victim, including those holding credit card data, browsing histories and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.
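The rule the exploit breaks is simple to state and worth having as code. The Python below is an added example, not from the Ars Technica article or from the Deusen proof of concept: it reduces a URL to the (scheme, host, port) triple that the same-origin policy compares, treating omitted ports and letter case the way browsers do, and classifies pairs of constructed URLs as same- or cross-origin. Nothing here reproduces the IE bug; it shows what a compliant browser is supposed to enforce, so that the demo's cross-site injection can be recognised as the violation it is.

```python
from urllib.parse import urlsplit

# Ports a browser fills in when the URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares.

    Path, query and fragment are deliberately ignored: /login and /account on
    the same host are one origin. Scheme and host compare case-insensitively;
    an omitted port means the scheme's default.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # hostname already strips userinfo and IPv6 brackets
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True if script in a document at url_a may read or modify a document from url_b."""
    return origin(url_a) == origin(url_b)


def classify(pairs):
    """Label each (a, b) pair 'same-origin' or 'cross-origin'."""
    return [(a, b, "same-origin" if same_origin(a, b) else "cross-origin") for a, b in pairs]


# Constructed pairs exercising the edge cases; they involve no real site's content.
EXAMPLES = [
    ("http://example.com/login", "http://example.com:80/account"),   # default port, path ignored
    ("http://example.com/", "https://example.com/"),                 # scheme differs
    ("http://example.com/", "http://www.example.com/"),              # host differs
    ("http://EXAMPLE.com/", "http://example.com/"),                  # host is case-insensitive
    ("https://example.com/", "https://example.com:8443/"),           # explicit non-default port
]

if __name__ == "__main__":
    for a, b, verdict in classify(EXAMPLES):
        print(f"{verdict:12} {a}  vs  {b}")
```

Two practitioner notes. The triple above governs script access to another document's DOM and to `document.cookie`; cookie scope itself follows the looser domain and path rules of RFC 6265, which is why cookies are shared across ports. And a cookie set with the HttpOnly flag is never exposed through `document.cookie`, so it survives script injection of this kind; the injected script can still make requests inside the victim's session, so HttpOnly narrows the damage from a universal XSS rather than removing it.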

Source:
http://arstechnica.com/security/2015/02/serious-bug-in-fully-patched-internet-explorer-puts-user-credentials-at-risk/

Another Unpatched Adobe Flash Zero-Day vulnerability Exploited in the Wild

February 2, 2015 – 12:03 PM

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.

Source:
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

New version of Autoruns integrates with VirusTotal

February 1, 2015 – 5:01 PM

The new version of Microsoft’s Autoruns (version 13 – released last week) integrates the VirusTotal API for quick analysis and verification of unknown and questionable autostart entries. After running the program, just right-click on any entry and select Check VirusTotal.

You will need to accept VirusTotal’s Terms of Service by clicking Yes.

Once you click Yes to the Terms of Service prompt, Autoruns queries the VirusTotal API with the hash of the entry’s image file (the file on disk, not a running process) and returns the result in the VirusTotal column.

If you want Autoruns to check every entry automatically, enable this in Options -> Scan Options by selecting Check VirusTotal.com.
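What Autoruns does behind that column is a hash lookup, and being able to reproduce it outside the GUI is useful when you want to check a file from a script or on a host without Autoruns. The Python below is an added example and not Sysinternals code: it hashes an image file the way Autoruns does before querying, builds the request to VirusTotal's v2 file/report endpoint (the public API at the time of this post; VirusTotal has since added a v3 API, so treat the endpoint as an assumption to verify against current documentation), and reduces a report to the positives/total summary the column shows. The API key and the two responses are constructed placeholders so the script runs offline; a real lookup needs your own key and a network call.

```python
import hashlib
import json
from urllib.parse import urlencode

# VirusTotal's v2 file-report endpoint (the public API in 2015).
VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def sha256_of_image(data):
    """SHA-256 of an autostart entry's image file, the key VirusTotal is queried with.

    `data` is the file's bytes; for a real entry read the file named in the
    Image Path column of Autoruns.
    """
    return hashlib.sha256(data).hexdigest()


def build_report_request(api_key, file_hash):
    """URL for a v2 file/report lookup (a GET with apikey and resource parameters)."""
    return VT_FILE_REPORT_URL + "?" + urlencode({"apikey": api_key, "resource": file_hash})


def summarize_report(report_json):
    """Reduce a v2 file/report response to the 'positives/total' form the column shows.

    response_code 1 means VirusTotal has scanned this file; 0 means the hash is
    unknown to it, which for an autostart entry is the case deserving a closer look.
    """
    report = json.loads(report_json)
    if report.get("response_code") != 1:
        return "Unknown"
    return f"{report['positives']}/{report['total']}"


# Constructed responses in the v2 shape; not real scan results.
KNOWN_RESPONSE = json.dumps({
    "response_code": 1,
    "positives": 3,
    "total": 57,
    "scan_date": "2015-01-30 10:22:41",
})
UNKNOWN_RESPONSE = json.dumps({
    "response_code": 0,
    "verbose_msg": "The requested resource is not among the finished, queued or pending scans",
})


if __name__ == "__main__":
    image = b"MZ\x90\x00" + b"\x00" * 60          # constructed stand-in for an image file's bytes
    digest = sha256_of_image(image)
    print(build_report_request("<your-api-key>", digest))   # placeholder key; nothing is sent
    print("known file  :", summarize_report(KNOWN_RESPONSE))
    print("unknown file:", summarize_report(UNKNOWN_RESPONSE))
```

Sending only the hash, as Autoruns does by default, discloses nothing about the file's contents to a third party; uploading the file itself is a separate, opt-in step, and worth thinking about before doing so for internal or proprietary binaries.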
