Tag Archives: computer security

MBRFilter — Open Source Tool to Protect Against 'Master Boot Record' Malware

The ransomware threat has grown so much that ransomware authors have started abusing the MBR in their attacks to lock down your entire computer, instead of just encrypting the important files on your hard drive.

Talos team at Cisco Systems has released a free, open-source tool that protects the master boot record (MBR) sector of computers from modification by bootkits, ransomware, and

VeraCrypt Audit Reveals Critical Security Flaws — Update Now

After TrueCrypt mysteriously discontinued its service, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, as well as privacy conscious people.

First of all, there is no such thing as perfect, bug-free software.

Even the most rigorously tested software, like the ones that operate SCADA Systems, medical devices, and aviation software, have

Tales from Ransomwhere

Last week, PandaLabs received a question about a specific family of ransomware that was using PowerShell, a Microsoft tool included in Windows 10 that has been abused by cybercriminals for some time. We get these questions every now and then, and we find them amusing, as we consider ourselves the best at stopping ransomware attacks. But to be honest I must admit we do not write about it as much as we should, and we don’t share all our findings with the community, which is why we have decided to do so on a regular basis from now on in this “Tales of Ransomwhere” series.

The specific ransomware we were asked about sounded like old news to us; in fact, our colleagues from Carbon Black wrote about it back in March. The attack flow is easy to follow: it comes via a phishing email with a Word document attached. Once the document is opened, a macro in it runs cmd.exe to execute PowerShell, first to download a script from the Internet, and then runs PowerShell again with that downloaded script as input to perform the ransomware tasks.

This Powerware, as Carbon Black named it, is yet another ransomware among the thousands we see. We were blocking it even before we were aware of this particular family (as in 99.99% of cases; did I already mention we are the best in the world at stopping ransomware attacks?), although I have to admit that for some security companies this particular family is a bigger challenge than the rest. Why is that? Well, a number of these “Next Generation AVs”, or whatever they call themselves, rely heavily on signatures (wait, weren’t they the ones claiming they do not use signatures?!?!), and at the same time their presence is stronger at the perimeter than at the endpoint. As you can imagine, blocking Word documents at the perimeter is not really convenient. Once they have infected some customers they can add signatures and protect the rest (for example by blocking the IPs the script is downloaded from), although the lack of a malware executable being downloaded from the Internet is a nightmare for them.

At the end of the day ransomware is a hell of a business for cybercriminals, and as such they invest a lot of resources into finding new ways to stay undetected by all kinds of security solutions, this Powerware being just one example. The general behavior doesn’t change, but there are always subtle changes, at least every week. These changes can apply to the ransomware itself (how it performs its actions) or to the delivery (using new exploits, changing known exploits, changing the payload of the exploits, etc.).

A good example of a new delivery method is one we have seen recently: after exploiting Internet Explorer, CMD is executed and its “echo” feature is used to create a script. Then a number of Windows files are executed in order to perform all the actions while avoiding detection of suspicious behavior by security solutions. The script is run by wscript and downloads a DLL; it then uses CMD to run regsvr32, which will execute the DLL (using rundll32). In most cases that DLL is ransomware; so far we have blocked more than 500 infection attempts using this new trick.

We haven’t looked at the exploit used (we really don’t care a lot as long as we are blocking it), but given the timeframe in which these infection attempts have shown up (first on June 27th), it happened when Angler EK had already disappeared, so probably attackers are using either Neutrino or Magnitude.

Every time we see something new like this, someone ends up publishing information about it a month later, so I am afraid we may have screwed up someone’s research, or at least it won’t look that new. To make up for it I have listed all the MD5s of the DLLs we have captured in the wild in those 500+ infection attempts:

The post Tales from Ransomwhere appeared first on Panda Security Mediacenter.

“Android-specific ransomware and mobile banking Trojans are issued around the world”- Paul Chung

If there is something that stands out from my 17+ years in the security field, it is the bright people I’ve met from all over the globe who protect users from the cyber-attacks threatening us every day. In this new section, I am going to interview people from different parts of the world, who will tell us about their experiences and perspectives on the security landscape.

For my first interview, I’d like to introduce you to Paul Chung. Paul is from South Korea and his Korean name is 정택준. He works at AhnLab as a Security Evangelist in the Next Tech & Strategy Division.

1.- How did you get involved in security?

Actually, I was trying to get out of the computer science field when I was at school. I was confused at the time and I decided to join the Navy for a change. I was assigned to the CERT in the Central Computing Center, where I managed network and security systems. I’ve been fascinated with security since then.

2.- Tell us a bit about your career at AhnLab.

When I was in the Navy, I learned about network threats, but I was always curious about file-based threats. That is why I joined ASEC (AhnLab Security Emergency Response Center) at AhnLab. I worked as a malware researcher for eight years and now I’m working on preparing our company for the future. I am learning about new technologies which we could adopt and what kind of new infrastructure we need.

3.- South Korea is the country with the highest Internet speed in the world, and among other things it is known for its gamer community. Do you have specific threats targeting gamers in your country?

Korea has a multi-billion dollar game industry, which is fifth in the world, and over 80% of its games are online games. Because of the geographical location and the ‘Korean Wave’ in Asia, a lot of Korean games are distributed to nearby countries. I think that this is tempting for attackers: not only can they target Korean gamers, but everyone who has played that particular game. That is why we see a lot of malware related to online game hacks. Most of this malware tries to steal the gamer’s credentials, and some of the ransomware encrypts game-related files and demands money to decrypt them.

4.- South Korea is also the country in the world with the highest smartphone ownership. Are there cyber-crime gangs specifically targeting South Korean smartphone users, or do you get the same kind of threats as the rest of the world?

According to one research organization (the Pew Research Center), in 2015 88% of Korea’s population owned a smartphone. From my point of view, Android-specific ransomware and mobile banking Trojans are issued around the world. In Korea, Smishing (SMS phishing) attacks are very popular and mobile banking Trojans are on the rise.

5.- As a highly developed and technological country, South Korea has already suffered cyberattacks coming from other nations. Some countries have already created commands that focus on the cyber-defense of the country’s critical assets, such as the United States Cyber Command. Are there similar initiatives in South Korea?

We do have an Armed Forces Cyber Command, which is subordinate to the Ministry of Defense. Also, we have a National Cyber Security Center, which is run by the National Intelligence Service. Both of them have grown large to defend against cyber-attacks from the Strategy Cyber Command created by Kim Jong-un in the North.

But when it comes to security, one or two organizations are not enough. As a security company we also work with our government to defend against such attacks.

6.- Currently, what is the most desirable sector for cyber-delinquents? How do you think security in this sector has evolved?

I think what they are most interested in is money. So a lot of the malware you see these days is related to ransomware or online banking. I think they are also interested in SCADA and ICS systems. We will see more of these attacks too.

A lot of industries are preparing for the attacks which we have seen already. But there are more to come. I think we need to cooperate with each other more than ever: not just security companies, but also the government and other related industries. There is a lot of data out there which we are missing. If we could gather meaningful data and share it, I think we will have a good chance to secure the net.

7.- What do you foresee in the next 5 years? What threats will we have to face? What is the security industry going to be like in the next decade?

This is a hard question for me, because who knows what will happen in the future? Though I might have a few things to forecast.

I think we will see more threats on IoT devices and connected cars. IoT devices are very vulnerable when it comes to security, as everybody knows. Also, cars are evolving fast. According to the Gartner report, in 2020, 250 million cars will be connected to the network. And according to BI Intelligence, the market will grow into a 123 billion dollar industry by that time.

As the environment changes, threats will change too. As a security company, we need to carefully look at where the changes are being made and research how we could defend against them. But it won’t be done by one man or one company; we all need to work together to figure it out.

Now that we understand how important cybersecurity is for our everyday lives, don’t hesitate any longer! Boost your business with advanced cybersecurity solutions that allow you to manage, control and protect your business’s entire IT park.

The post “Android-specific ransomware and mobile banking Trojans are issued around the world”- Paul Chung appeared first on Panda Security Mediacenter.

Antivirus firm Avast to Buy its rival AVG for $1.3 Billion

Breaking News for Today:

Antivirus company Avast Software is planning to acquire Dutch rival AVG Technologies for $1.3 Billion in cash.

Avast announced today that it would buy Amsterdam-based AVG Technologies for $25 per share in an all-cash transaction valued at $1.3 Billion, with the aim of expanding its presence in the emerging markets.

With more than 230 Million users worldwide, Avast provides

Researcher releases Free Ransomware Detection Tool for Mac OS X Users

In Brief:
Introducing RansomWhere, a free generic ransomware detection tool for Mac OS X users that can identify ransomware-like behavior by continually monitoring the file-system for the creation of encrypted files by suspicious processes.

This ransomware detection tool helps to block the suspicious processes and waits for the user to decide whether to allow or stop the process.

MIT builds Artificial Intelligence system that can detect 85% of Cyber Attacks

In Brief
What if we could predict when a cyber attack is going to occur before it actually happens, and prevent it? Isn’t that a revolutionary idea for Internet security?

Security researchers at MIT have developed a new Artificial Intelligence-based cyber security platform, called ‘AI2,’ which has the ability to predict, detect, and stop 85% of Cyber Attacks with high accuracy.

Password Security — Who's to Blame for Weak Passwords? Users, Really?

The majority of Internet users are vulnerable to cyber threats because of their own weakness in choosing strong passwords. But are end users completely responsible for choosing weak passwords?

Give it a thought.

Recently we wrote an article revealing the list of Worst Passwords of 2015 that proved most of us are still using bad passwords, like ‘123456’ or ‘password,’ to secure our

Microsoft WARNING — 'Use Windows 7 at Your Own Risk'

Someone is threatening Windows 7 users with a misleading warning.

Guess who? Microsoft itself…

Microsoft has just issued a clear warning saying Windows 7 users should remain on the aging operating system “at your own risk, at your own peril.”

But why particularly Windows 7 Users?

Since Windows 7 runs on 55 percent of all the computers on the planet, Microsoft is worried that its