This new malware goes straight to your RAM, no installation required

Subject: General Tech | March 19, 2012 - 08:58 AM |
Tagged: Virus, Trojan-Spy.Win32.Lurk, ram virus, Kaspersky Labs, javaw.exe, fud

A lovely little electronic beastie was spotted by Kaspersky Labs on Russian ad servers recently which uses a Java exploit (long since patched) to corrupt javaw.exe while it is running in system memory, infecting machines without any installation required whatsoever.  While this sounds quite bad, the fact is that in memory it can infect running programs but cannot move out of memory without triggering an installation process, and it will not survive a system reboot.  That is why as soon as this malware finds itself in a system's RAM it immediately tries to install the Lurk Trojan, which is when your problems would start and when your anti-virus/anti-malware protection should notice something amiss.

By itself the new virus poses little direct risk, but it represents a new attack vector for drive-by infections, which could get into protected space and be able to launch an attack from within the system's memory, a much faster and more intimate way of attacking than coming over the network.  With home systems sporting more than 4GB of RAM, there is a lot more space for this type of virus to work with than there was just a few years ago.  Read on at The Register, if you dare.


"The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process."

Here is some more Tech News from around the web:

Tech Talk


Source: The Register

You might want to rethink enabling RDP unless you have NLA set up

Subject: General Tech | March 14, 2012 - 09:36 AM |
Tagged: remote desktop protocol, patch tuesday, fud, rdp, security

Remote Desktop Protocol is a very handy tool; as the name suggests, it allows you to take remote control of a desktop and is commonly used for everything from logging into a remote server to change settings, to helping a long-distance friend get their printer installed, to logging onto your home machine to start a Steam download and install so your game will be ready for you when you get home from work.  Unfortunately it does open up a way into your PC for attackers, though thanks to the Network Level Authentication feature which was added in Vista and later versions of Windows, PCs on an authenticated network are much safer than they would be without it.  Unfortunately NLA will not exist on home workgroups, nor is it supported by versions of Windows prior to Vista.  That is why The Register warns of an RDP vulnerability that Microsoft will be patching next Patch Tuesday, as older machines as well as home machines could be at risk if someone launches an attack before the patch is released and installed.  In the meantime you might want to disable RDP unless you actually use it regularly.


"The critical flaw covers all versions of Windows and is found in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely behind the firewall, although Vista users and above can activate the Remote Desktop’s Network Level Authentication (NLA) to trigger an authentication request. RDP is disabled by default, but is often activated."


Source: The Register

Frankenmalware, an antiviral boss fight

Subject: General Tech | January 26, 2012 - 09:47 AM |
Tagged: fud, Malware, Virus, Worm

Back in the ancient days of gaming, and repeated in Skyrim's Draugr, your enemies started out simple, a simple zombie or leever becoming an Infected Death Lord Zombie of Fiery Devastation.  Another way to look at it is a supervillain origin story, where exposure to something that should have killed them instead grants them powers beyond mere mortals.  There may have also been a dozen decent SciFi novels written about the topic (well, probably more like a gross) ... however you look at it, computer worms are mutating!

It seems that systems infected with a worm are being hit by certain viruses which inadvertently infect the worm, creating malware with twice the command and control servers, twice the backdoors and twice the methods to spread itself.  The Register cites a specific example of the Rimecud worm, which steals passwords, becoming infected by Virtob, which creates a backdoor on a system.  At this moment BitDefender has found that 0.4% of the infected systems they detected had an infected worm present, a number you can expect to grow.

Be careful out there!


"Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties.

The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers.

A study by antivirus outfit BitDefender found 40,000 such "Frankenmalware samples" in a study of 10 million infected files in early January, or 0.4 per cent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the Romanian antivirus firm warns."


Source: The Register

Symantec users beware

Subject: General Tech | January 18, 2012 - 09:56 AM |
Tagged: symantec, norton antivirus, fud, PCanywhere

It took 5 years and a threat by a hacker group for Symantec to admit that they were successfully hacked and that source code to some of their software was stolen.  As the threat was never delivered upon, it is possible that the hacker group may have had nothing to do with the original hack but were more interested in having Symantec admit to the breach.  Current Norton Antivirus Corporate Edition, Norton Internet Security or Norton Systemworks users should not worry; the source code is so old that possessing it will not give you the ability to affect current software.  PC Anywhere users, on the other hand, might be at increased risk if they left the installation on default settings; according to The Inquirer, Symantec will be contacting PC Anywhere customers to ensure they know about the attack and how to change their settings to minimize any risks.


"SECURITY VENDOR Symantec has admitted that its servers were successfully hacked and Norton antivirus and other software source code was stolen.

At the beginning of this month the firm acknowledged that some of its source code was obtained from a third party but said that would not affect Norton antivirus users. However, it now admits that an attack in 2006 obtained source code for other software, which could put its customers at risk."


Source: The Inquirer

Java JRE, Adobe Acrobat and Flash; the triumvirate of malware evil

Subject: General Tech | October 5, 2011 - 09:19 AM |
Tagged: fud, security, microsoft, windows

An interesting study that Slashdot has linked to today breaks down three months of infection data and crunches the numbers to see how the infections made it onto systems and which systems are the most vulnerable.  Fully two thirds of the infections happened to users browsing with Internet Explorer, but you must keep in mind IE's market share.  At this time last year half of all users browsed the internet with some version of IE, and while that has fallen to around 40% this year it is still the most commonly used browser and will therefore have a greater representation in the sample of PCs tested.  As long as you keep that in mind, you can then move on to disparaging the average IE user ... especially if it is still IE6.

As well, you can see that Vista has something to be proud of.  Even with the lack of PCs using the OS, it has almost as many infections as WinXP machines.  As to the programs most likely to be used as an attack vector ... Java JRE sits at 37% with Acrobat just behind at 32%, leaving the much maligned Flash responsible for only 16%.


"Since up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates."


Source: Slashdot

Still hope for SSL, the web ain't dead yet

Subject: General Tech | September 26, 2011 - 10:20 AM |
Tagged: fud, security, SSL

SSL and secure data transfer are wounded, but not dying quite yet if you use an elderly encryption protocol called RC4 or ARC4.  Current AES is suggested as the preferred way of encrypting data transfers, but the BEAST (Browser Exploit Against SSL/TLS) attack is capable of defeating AES encryption.  Unfortunately there are attack methods which are able to defeat RC4, specifically as it is implemented for WPA and WEP in wireless networks.  Google informed The Register that they have been using RC4, although clients that attempt to connect which don't support that encryption method are offered the vulnerable AES method.  Google also pointed out that the latest developer version of Chrome protects against the BEAST attack, but didn't mention when the main version of Chrome will protect users.


"The recommendations published Friday by two-factor authentication service PhoneFactor, suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings “for years.”"


Source: The Register

Sort of secure socket layer

Subject: General Tech | September 20, 2011 - 09:02 AM |
Tagged: fud, SSL, tls, security

The good news about the discovery that the encryption procedure behind Secure Sockets Layer and Transport Layer Security has been compromised is that the newest versions of both SSL and TLS are still safe, and they have been available for a while now.  The bad news is that only a tiny handful of websites utilize TLS 1.1/1.2 and SSL 3.0, and most browsers don't even support the updated protocols.  Oddly, Internet Explorer and Internet Information Services both support the newer protocols, though they are not enabled by default; the only browser that does have TLS 1.2 enabled by default is Opera.

You don't have to immediately switch browsers; in order for your secure connection to be compromised the attacker first has to compromise your browser or machine in order to get JavaScript code to run in your browser before they can start the decryption process.  It is not the quickest piece of programming either ... yet.  In the proof of concept that The Register references, a 1000-2000 character cookie will take about a half hour to crack, which is most likely longer than the average connection to your PayPal account will last (PayPal being the site they used as an example).  Of course if you throw a dozen Tesla cards at it, it will probably decrypt the packets at a much quicker pace.


"Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting."


Source: The Register

Oh joy the BIOS level trojan is finally here

Subject: General Tech | September 13, 2011 - 10:00 AM |
Tagged: security, fud, bios, trojan, bmw

You do not want BMW; it is a Trojan that uses your master boot record and your BIOS to ensure that it remains on your system, so even after a format and reinstall of Windows it will still be infecting you.  It originally infects winlogon.exe on Windows XP and Server 2003, and wininit.exe on Windows 7 and Vista, but once it is on it installs and uses HOOK.ROM at the BIOS level to check whether it has been uninstalled and, if so, reinstalls itself.  The Register points out that in this case the enormous variety of BIOS setups is a good thing, as it ensures that any BIOS-level virus will always be limited in scope, since a given vulnerability is typically confined to a single BIOS type.


"SECURITY RESEARCHERS at Chinese antivirus firm 360 have identified a piece of malware that installs rogue code into the BIOS of targeted computers.

Dubbed BMW by 360 and Mebromi by other security vendors, the threat has separate components for the operating system, the master boot record (MBR) and the system BIOS."


Source: The Inquirer

Nothing new to see here but Firesheep may be news to some

Subject: General Tech | September 12, 2011 - 08:56 AM |
Tagged: firesheep, security, fud, https

About a year ago you may have read about Firesheep, a Firefox add-on which takes advantage of the unencrypted nature of many packets being sent to social networks to allow others to access your accounts.  It is specifically used on wireless connections, in what is called a man-in-the-middle attack: as you surf using an unencrypted connection, the laptop running Firesheep captures your data before it even hits your account.  That extension is still around and causing havoc, making the news recently with the revelation that packets sent via Google have a unique session ID sent in plain text which can be used to identify a Google account and then access the search history of the account.  Check out The Register for more on this topic and consider HTTPS Everywhere for your laptop.


"Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you've already visited."


Source: The Register

So you think nobody knows what you've been watching on the net?

Subject: General Tech | August 17, 2011 - 11:03 AM |
Tagged: security, fud, tracking cookie, super cookie, ETag value

KISSmetrics is a small company which is able to track your movements across sites like Hulu and Spotify, using what some call a super cookie but which is more accurately an ETag value.  That ETag value is a unique identifier stored in both a browser's cache and metadata folders which can be sent to KISSmetrics via JavaScript along with a header, so that any time you visit a site partnered with KISSmetrics they will know it is you.

Of course, very soon after the technical documentation of the trick was released to the net, KISSmetrics claimed that they were completely innocent and that it was all a misunderstanding.  According to the CEO of KISSmetrics, the company has never tracked anyone nor shared the information with a third party, so either the company never plans to ever make any money or he is being very specific in his definitions of what "is is".  Even better, they claim not to use ETag values at all, only first-party cookies.  As well, they claim support for the Do Not Track header and a "consumer-level opt-out" for their tracking.  That is disingenuous in that there is no sign of how to start the opt-out process on their site, nor is there any clear way that they could identify you in order to let you opt out without a cookie or ETag placed on your machine in the first place.

The Do Not Track header is a good idea, but in addition you should consider browser add-ins such as BetterPrivacy, NoScript and Ghostery as essential, and perhaps even get used to running Chrome in Incognito mode, if you do not want to be tracked.  Don't use them to disable the ads which fund your favourite websites; they should be used to identify and possibly block violations of your privacy only.  You can follow the link at The Register if you would like to see the technical research that has led to these questions about KISSmetrics.
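As an added illustration of the ETag mechanism described above (this is not code from the page, from KISSmetrics, or from the researchers), the following Python simulates a tracking-pixel server and a bare-bones browser cache; the hostname and the server's behaviour are constructed stand-ins. It shows why clearing cookies leaves the identifier in place while clearing the cache removes it, and includes a simple check for per-visitor ETags.

```python
# Added illustration of ETag ("supercookie") tracking, written for this
# summary; not KISSmetrics code. The server and browser are in-memory
# stand-ins for HTTP and the hostname is a placeholder.
import hashlib
import secrets

URL = "https://tracker.example/pixel.gif"   # placeholder tracking pixel


class PixelServer:
    """Honest mode derives the ETag from content, so everyone gets the same
    validator; tracking mode mints a per-visitor ETag and reads it back."""

    def __init__(self, tracking):
        self.tracking = tracking
        self.content_etag = '"%s"' % hashlib.sha256(b"GIF89a").hexdigest()[:16]
        self.visits = {}                        # etag -> visit count

    def handle(self, headers):
        sent = headers.get("If-None-Match")     # cached validator, if any
        if not self.tracking:
            etag = self.content_etag
        elif sent in self.visits:
            etag = sent                         # returning visitor recognised
        else:
            etag = '"%s"' % secrets.token_hex(8)    # fresh visitor id
        self.visits[etag] = self.visits.get(etag, 0) + 1
        return {"status": 304 if sent == etag else 200, "ETag": etag}


class Browser:
    """Keeps only what matters here: a cookie jar and cached validators."""
    def __init__(self):
        self.cookies, self.cache = {}, {}       # cache: url -> ETag

    def fetch(self, server, url):
        headers = {"If-None-Match": self.cache[url]} if url in self.cache else {}
        resp = server.handle(headers)
        self.cache[url] = resp["ETag"]          # browser stores the validator
        return resp["ETag"]


def survives_clearing(server):
    """(identifier survives cookie clearing, survives cache clearing)."""
    b = Browser()
    first = b.fetch(server, URL)
    b.cookies.clear()                           # what "block/clear cookies" does
    after_cookies = b.fetch(server, URL)
    b.cache.clear()                             # the mitigation that actually works
    after_cache = b.fetch(server, URL)
    return first == after_cookies, first == after_cache


def looks_like_tracking_etag(server):
    """Detection check: two fresh browsers should get the same ETag for the
    same resource; per-visitor ETags are the tracking signature."""
    return Browser().fetch(server, URL) != Browser().fetch(server, URL)
```

Running the same check against a real site means fetching the suspect resource from two clean profiles and diffing the ETag headers; identical values are normal cache validation, differing ones deserve a closer look.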


"A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode."


Source: The Register