Criminals ask: why run a botnet on compromised systems when chat programs are cheaper?

According to PhishMe, botnet controllers no longer need to run their command infrastructure on systems they own or have compromised: they are now running bots on Skype and other cloud-based chat services, an even lower-cost option for attackers.

Speaking about the discovery, Ronnie Tokazowski – Senior Researcher at PhishMe advised, “We all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader. In this day and age, it’s slightly different.”

A PhishMe employee received the following over Skype, in which an unknown “user” made several attempts to call them:

The caller’s Skype username also contained a link to a domain, www.viewror[d]com. Once the link is clicked, a voice instructs the visitor to click a download link and install a “proprietary” video player in order to play the video. Examining the HTML behind the download page, Ronnie established that the download was part of an affiliate program, so the attacker is probably paid on a per-install or per-download basis.

Ronnie continues, “Once the executable is opened, it asks to run as administrator. As any user would do…just push play! The user is presented with a screen to install different aspects of the program. Once we give it the option to start installing, VideoPlayer.exe downloads, installs, and runs many different things. All of these are pieces of adware being installed on the system. One of the final steps is to install “Search Protect”, a very shady application that gives you “protected” searches. The malware does download a “proprietary” media player, called Media Player Classic, but there is nothing proprietary about the media player, which is available for free download online.”

“By looking at the Skype username, there are two fields that are present, the name and description. One of the even cooler things is that you can search by name in Skype. By scrolling through the list of bots, we can gather a list of domains the attackers are using. So how do you attack this long list of bot names being used for badness? You pass it over to the security folks.”

In the case of these attacks, PhishMe worked with the Amazon and Microsoft security teams to disrupt the attackers’ activities and infrastructure; both were very helpful.

Ronnie concludes, “When users are trained to spot suspicious things, the amount of information you can get back increases 100 fold.  And in this case, the user reported a small piece of information, which resulted in the disruption of a large adware campaign, on both the infrastructure and bot side of things.”



Security game launched titled “The Weakest Link”

IT security vendor IS Decisions has launched the first online game designed specifically to educate and raise awareness of user security and insider threat. ‘The Weakest Link: A user security game’ has been developed in response to IS Decisions’ research that found 48% of IT professionals believe training is key to raising awareness of user security, whilst 38% wanted to see more innovative training content and materials.

The game is now public, following an initial private beta period, during which time the contents have been developed with input from security experts and analysts including Bob Tarzey at Quocirca, Independent Advisor Neira Jones, Christophe Veltsos of and Lead Assessor in Information Security at Metropolitan State University, and Paul Drury of Chatback Security. Input has also been sourced via the community on IT social network Spiceworks.

Taking a question-and-answer format in the style of a ‘choose your own adventure’, the game tasks players with getting through their first month at an imaginary new employer without too many security ‘slip-ups’. A different scenario is posed for each working day, with several possible responses. The player loses points for choosing a non-secure option and gains points for making a secure choice. The aim is to survive the month without losing too many points.

François Amigorena, CEO of IS Decisions, said, “User security is obviously a serious issue, but we know that it’s often a struggle to educate users on the issue through a dry security policy document or even a presentation. You have to hold their attention, so we came up with a way to try and do that. The idea is to bring a fun element to user security, sneaking some education into a game you can play in 20 minutes.

“That said, we didn’t want to develop ‘The Weakest Link’ (a play on the fact your users are your weakest link) in isolation. We want it to be a credible independent resource for IT people to use, which is why we’ve developed it with the input of analysts, experts and IT people themselves. It’s completely free to use, and we hope that IT people will share it with their users to play to try and drive awareness of the issues of user security and insider threat.”

‘The Weakest Link: A user security game’ is free to play on, where IS Decisions is still gathering feedback for the continued development of the game.



Stegoloader malware hides its core component in images

Dell SecureWorks’ Counter Threat Unit™ (CTU) has released research on Stegoloader. Apparently active since 2012, this malware uses digital steganography, the art of hiding secret information within a digital image or graphic, to conceal its true nature and avoid detection. Stegoloader’s operators hide a core component of the malware inside a portable network graphic (PNG) hosted on a legitimate site. When Stegoloader executes, it downloads the image and uses steganography to extract the component’s code from it. The core component is never written to the victim’s disk, which makes it very hard to detect with conventional file-scanning tools.
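A worked example of the mechanism just described, added here for this article and not taken from the SecureWorks analysis or from Stegoloader itself. It round-trips a stand-in payload through a PNG: the payload bits are written into the least significant bit of each colour byte, the pixels are wrapped in a well-formed PNG (valid chunks and CRCs, so the file passes as an ordinary image), and the receiving side parses the PNG and rebuilds the payload from the LSBs without ever writing it to disk. The LSB scheme and the random cover image are assumptions; the page does not say which embedding scheme Stegoloader uses. Python standard library only.

```python
"""Round-trip a payload through PNG LSB steganography with a stdlib-only
PNG writer/reader (8-bit RGB, filter type 0 only). Example code added for
this article, not Stegoloader's or SecureWorks' code; the LSB scheme and the
cover image are assumptions."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """length | type | data | CRC32(type+data), as the PNG spec lays it out."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(width: int, height: int, pixels: bytes) -> bytes:
    """Encode raw RGB bytes as a valid PNG; every scanline uses filter type 0."""
    assert len(pixels) == width * height * 3
    rows = (b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def read_png(data: bytes):
    """Parse chunks, verify CRCs, inflate IDAT and return (w, h, rgb_bytes)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height, depth, colour, *_ = struct.unpack(">IIBBBBB", body)
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB handled")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride, pixels = zlib.decompress(idat), width * 3 + 1, bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 handled")
        pixels += row[1:]
    return width, height, bytes(pixels)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Store a 4-byte big-endian length, then the payload, one bit per colour byte."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in msg for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # overwrite only the LSB
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Inverse of embed(): rebuild bytes from the LSBs, honouring the length header."""
    def take(start: int, n: int) -> bytes:
        out = bytearray()
        for k in range(n):
            v = 0
            for i in range(8):
                v = (v << 1) | (pixels[start + k * 8 + i] & 1)
            out.append(v)
        return bytes(out)
    n, = struct.unpack(">I", take(0, 4))
    if 32 + n * 8 > len(pixels):
        raise ValueError("length header exceeds cover")
    return take(32, n)


def demo() -> bool:
    """Constructed cover (random noise) and a stand-in payload; True on round-trip."""
    rng = random.Random(1)
    w = h = 64
    cover = bytes(rng.randrange(256) for _ in range(w * h * 3))
    payload = b"MZ" + b"\x00" * 14 + b"stand-in for a downloaded module"
    png = write_png(w, h, embed(cover, payload))   # what the "legitimate site" hosts
    _, _, pixels = read_png(png)                   # what the loader does after download
    return extract(pixels) == payload
```

Nothing about the resulting file is malformed, which is why scanning the PNG for a file signature or a PE header finds nothing: the module only exists once the loader has reassembled it in memory. The defensive leverage is therefore in process behaviour (an unexpected process fetching an image and then allocating executable memory) and in the network fetch itself.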

Comments from the industry experts are:

Szilard Stange, director, OPSWAT:

“Malware authors are always looking for new distribution mechanisms to make detection harder; however, modern internet security desktop suites contain methods to detect unusual network operations even when the remote site is a well-known site. They are also able to track exactly what the running processes do. It means that detection of malware like Stegoloader can be harder but not impossible. There are many ways to deliver harmful content, including this steganography-based one, but there are other interesting ways to distribute harmful code, like embedding data in DNS queries/responses. Any of them can become mainstream, but it mainly depends on how anti-malware vendors can react to these attacks. To protect an organization against attacks like this one, it is worth considering data sanitization techniques that remove any harmful content from images downloaded from the internet without losing important data.”

Martin Lee, intelligence manager, Alert Logic:

“We are currently in an arms race between malware writers and the security industry. As security researchers become more adept in discovering malware, so malware writers must become more inventive in hiding their malware. In many ways, seeing malware writers deploying inventive strategies to disguise and hide their malware is proof that security solutions are making it difficult for malware to persist and that we are forcing malware writers to innovate. Even if this malware is hiding itself on the end point, the command and control traffic is still visible on the network. Monitoring for traffic to known command and control servers or anomalous traffic remains an excellent technique for identifying the presence of malware, even if identifying and reverse engineering the malware becomes more difficult.”



Expert comment on LastPass hack

DFMag has obtained expert comment on the LastPass hack from Javvad Malik, Security Advocate at AlienVault.

For those not aware, hackers have attacked LastPass, the popular online password management service, and stolen data.  

Javvad comments as follows:

On the hack

“It’s not a matter of if companies get hacked, but when. Even security firms are not immune to being attacked, especially considering how much data can be accessed via them. We should stop being surprised when we hear of a company getting attacked or breached – that is not the measure on which to judge, but rather how they respond speaks volumes.”
On the LastPass response
“LastPass has done a very good job on several fronts. Firstly, it didn’t just rely on preventative controls, but had detection controls in place and were actively monitoring it to identify suspicious activity. Secondly, LastPass has communicated to the public very clearly about what it knows and what has happened via a blog and email. Thirdly, the @LastPasshelp (twitter support account) has been active in this period responding to many customer queries and complaints. They have also provided advice to customers as to what steps they should take and what additional security measures they’ve implemented.”
What companies can take away
“It is only by having adequate detection and response controls in place that companies can be prepared and efficient in times of crisis. This includes not only technical response and recovery capabilities, but also effective communication strategies to keep customers, partners, law enforcement and other stakeholders informed.”
What LastPass (or similar provider) users should do
“LastPass has provided good advice in that users should consider resetting their master passwords and enable two-factor authentication if possible. Some people may choose to move to another password manager on the market, but this won’t change the overall risk of being hacked. For all organisations, it’s not a matter of if, but when they will be hacked.
“Users should bear in mind the complexity and scale of how many passwords are needed and stored by a password manager. Ditching a password manager for manual techniques (such as remembering your passwords) will likely lead to overall weaker passwords. 
“Overall, we should reserve judgement until a post mortem of the incident has been concluded and more details are made available.”



How attackers piece together partial data

Last month, Carefirst confirmed it had suffered a data breach. As details have emerged, the prevailing view is that it isn’t as severe as the Anthem or Premera breaches that preceded it. The thinking is that the victims dodged a bullet, since the attackers only accessed personal information such as member names and email addresses, not more sensitive data like medical records, social security numbers and passwords. However, PhishMe’s CTO and co-founder, Aaron Higbee, warns that attackers can still use this partial information in a variety of ways, and that a partial breach should not be dismissed as trivial.

Aaron said “The first, most obvious way attackers will use this information is to send phishing attacks. There may be a sense of relief that victims at least avoided the risk of identity theft, but even partial information about Carefirst’s members can help enterprising criminals.

“For Carefirst’s attackers (who had been present on the network since June 2014), the key to profiting from this attack is to sell this information. Names and email addresses by themselves are valuable to spammers (one can imagine spam hawking cheap prescription drugs being sent a list of healthcare users), but names and email addresses also hold value. Fresh email addresses are also valuable to people who are building out botnets. Most importantly, there is an entire cottage industry of people who go to great lengths to upgrade partial data to make it more valuable. On the Dark Web, one can easily find postings buying and selling this kind of partial information.”

PhishMe pulled the following, showing a forum post looking to purchase any kind of databases containing private user information:


Aaron continues, “How could attackers use this information? Take, for example, a list containing phone numbers and debit card numbers, but no PINs. A debit card number without a PIN isn’t useful, but an attacker could easily orchestrate a phone scam by posing as the victim’s bank, gain legitimacy by correctly stating the victim’s card number, and ask the victim to verify his/her identity by providing the PIN. Look no further than the recent IRS breach to see how attackers may gain the coveted, sensitive information needed to steal identities by piecing together partial bits of information.” 

Attackers were able to access full tax returns through the IRS’ Get Transcript application, which required attackers to answer personal questions, making it likely that the attackers had some prior knowledge about their targets. The IRS stated as much, saying, ‘These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.’

Aaron concludes, “I’m not trying to draw any connection between the IRS breach and Carefirst. We don’t know how the IRS attackers gathered their intel, it was likely from a number of sources. We also don’t know where Carefirst data has gone either, it’s just important to note that these “less severe” breaches still have consequences.”
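To make concrete what “upgrading” partial data looks like, here is an added example (not PhishMe’s code; it uses three constructed dumps in which every name, e-mail address, phone number, card fragment and security answer is invented). Each dump on its own is roughly as limited as the Carefirst data. Joined on normalised keys (e-mail with the “+tag” stripped, names reordered from “Last, First” and stripped of initials, phone numbers reduced to digits), two of the three people end up with a name, e-mail, phone, card fragment and a security answer, which is exactly the material the phone scam in Aaron’s example needs.

```python
"""Enriching partial breach records by joining dumps on normalised keys.
Example added for this article; the three dumps are constructed and every
name, address and number in them is made up."""
import re
import unicodedata

DUMP_A = [   # insurer-style leak: names and e-mail addresses only
    {"name": "Maria T. Lopez", "email": "Maria.Lopez@Example.org"},
    {"name": "john smith",     "email": "jsmith+promo@example.com"},
    {"name": "Wei Zhang",      "email": "wzhang@example.net"},
]
DUMP_B = [   # retailer-style leak: phone and card fragment, no e-mail
    {"name": "LOPEZ, MARIA",  "phone": "(202) 555-0143", "card_last4": "4421"},
    {"name": "Smith, John Q", "phone": "202-555-0199",   "card_last4": "9902"},
    {"name": "Ana Pereira",   "phone": "202.555.0177",   "card_last4": "1180"},
]
DUMP_C = [   # forum-style leak: e-mail plus a plaintext "security answer"
    {"email": "jsmith@example.com",      "mother_maiden": "Doyle"},
    {"email": "maria.lopez@example.org", "mother_maiden": "Ortiz"},
]


def name_key(name: str) -> str:
    """'LOPEZ, MARIA', 'Maria T. Lopez' and 'maria lopez' all map to 'maria lopez'."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    if "," in s:                              # 'Last, First ...' -> 'First ... Last'
        last, first = s.split(",", 1)
        s = first + " " + last
    tokens = [t for t in re.split(r"[^a-z]+", s.lower()) if len(t) > 1]  # drop initials
    return " ".join(tokens)


def email_key(email: str) -> str:
    """Lower-case and strip a '+tag' from the local part."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def phone_key(phone: str) -> str:
    """Digits only, so '(202) 555-0143' and '202.555.0143' compare equal."""
    return re.sub(r"\D", "", phone)


KEY_FUNCS = {"email": email_key, "name": name_key, "phone": phone_key}


def merge(*dumps):
    """A record joins the first existing profile that shares any normalised key;
    otherwise it starts a new profile. Later dumps fill in missing attributes."""
    profiles, index = [], {}                  # index: (field, key) -> profile
    for dump in dumps:
        for rec in dump:
            keys = {(f, fn(rec[f])) for f, fn in KEY_FUNCS.items() if rec.get(f)}
            prof = next((index[k] for k in keys if k in index), None)
            if prof is None:
                prof = {"keys": set(), "fields": {}}
                profiles.append(prof)
            prof["keys"] |= keys
            index.update({k: prof for k in keys})
            for field, value in rec.items():
                prof["fields"].setdefault(field, value)   # first sighting wins
    return profiles


def field_counts(profiles):
    """(display name, number of distinct attributes) per merged profile."""
    return [(p["fields"].get("name") or p["fields"].get("email"), len(p["fields"]))
            for p in profiles]


if __name__ == "__main__":
    for who, n in field_counts(merge(DUMP_A, DUMP_B, DUMP_C)):
        print(f"{who}: {n} attributes")
```

The weak link in this join is the name key: two different John Smiths collapse into one profile. Attackers tolerate that error rate, since a wrong guess just costs one failed phone call; anyone using the same technique defensively (for example to estimate exposure after a breach) should treat name-only matches as candidates, not facts.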



Recent report detects over 225,000 new malware strains per day in the first quarter of the year

PandaLabs has published its Quarterly Report for Q1 2015, analyzing the IT security events and incidents from January through to March. The global security vendor detected over 225,000 new malware strains per day in the first quarter of the year, with peaks reaching 500,000. This record-breaking figure represents a 40% increase over Q1 2014, and is well above the average for the entire year, which stood at approximately 205,000 new malware samples per day. 

As is usually the case, most of these specimens were variants of known malware conveniently modified by virus writers to evade detection by antivirus laboratories. Trojans continued to be the most common threat type, representing 72.75% of all new malware, and the main source of infections (76.05% of the total).

CryptoLocker remains the biggest threat

The first months of the year were dominated by ransomware attacks, especially CryptoLocker, and it is safe to say that ransomware has become cyber-criminals’ preferred way of extorting money from companies by holding their data hostage.

Panda Security also reported on a campaign it dubbed “Operation Oil Tanker: The Phantom Menace”, in which ten companies in the oil and gas maritime transportation sector were attacked.

“In this particular case, the attackers didn’t use any kind of malware, but legitimate files executed recurrently”, explained Luis Corrons, Technical Director of PandaLabs at Panda Security.

Other popular attack methods over the past quarter included social network scams and mobile malware. One of the most notable scams used a fake $500 Zara gift card giveaway on Facebook to lure users, and it spread like wildfire: in just a few hours more than 5,000 people had joined the event and more than 124,000 invites had been sent out.

Meanwhile, Android was in the firing line for mobile malware more than ever, this time through malicious SMS messages.

China tops list of infections per country

The average number of infected PCs across the globe stands at 36.51%, up more than six percentage points compared to 2014. China once again led this ranking (48.01% of infected PCs), followed by Turkey (43.33%) and Peru (42.18%).

The list of least infected countries is dominated by European countries. Norway has the lowest infection rate (22.07%) and the UK is fifth lowest at 25.11%. Other countries with a malware infection rate below the worldwide average include Denmark (28.18%), Finland (28.59%), Venezuela (33.35%) and the USA (34.03%).

“We must never forget that cyber-criminals’ sole motivation is money and information, and as our lives become more digital, we are more exposed to cyber-threats. This year we can expect to see more ransomware attacks, as well as new scams spreading through social media and mobile applications”, concluded Corrons.

The full report is available here:



Solving the Endpoint Dilemma

Tom Bain, CounterTack

CounterTack is helping organizations solve an extremely difficult security problem for teams who struggle to visualize activity on endpoints across the enterprise. There is a significant lack of intelligence for incident responders and security teams that is actionable, and that provides an awareness of real-time behavior on workstations, laptops, servers and mobile devices. 

The ability to capture behavior takes away the guesswork of how specific threats can impact an organization, starting at endpoints, which are the most susceptible to sophisticated and non-sophisticated attacks, both internally and externally. CounterTack provides the visibility into user-defined behavior as those behaviors are taking place. 

Teams face the reality that there is no silver bullet, nor is there a singular technology that can detect every incoming threat. Teams need a combination of real-time, forensic-level analysis at the point of detection so they can get ahead of that threat, mitigate its proliferation and its intended path to infect additional endpoints. Having operating system visibility across the enterprise and the ability to automatically respond to escalating attacks is the only way teams can counter and resist threats before they inflict more organizational damage. 

What is Sentinel?

Built on top of a Big Data architecture to counter endpoint attacks at scale, Sentinel uses stealth collection technology to capture malicious behavior on workstations and servers. Sentinel dramatically reduces, in real time, both the impact of advanced attacks and the false positives coming from other security tools, giving teams an opportunity to defend the enterprise before incidents escalate.

CounterTack Sentinel is the only EDR (endpoint detection and response) platform that offers teams the flexibility, scale and integration necessary to take back control of security on a global scale and effectively manage unknown threat detection. 

CounterTack’s driverless kernel module provides low-level visibility into malicious behavior from a position of stealth, with no user presence and no impact on endpoint performance or stability. Sentinel not only sees attacker behavior, it captures all events and processes in registry, file, and memory in the network that unfold as part of that attack. This unprecedented visibility provides real-time context as threats escalate so teams can make better security decisions to protect the organization.

CounterTack Sentinel combines real-time OS-level surveillance with Big Data analytics, delivering an improved, automated workflow for incident response and threat detection across the enterprise. Sentinel also ships with an advanced set of indicator profiles that automate the prescriptive analysis and remediation of known and unknown threats. The built-in, and learned intelligence over time, characterizes attack techniques in real-time, like antivirus disabling, firewall modification and evasion, where signature-based tools, whitelisting and preventative solutions are 80% blind.

How It Works and How It’s Used for Maximum Enterprise ROI

Sentinel collects endpoint intelligence from a position of stealth then de-duplicates, compresses and encrypts that data. That behavioral data is then forwarded to the Endpoint Analysis Cluster, featuring collector nodes and data nodes, which helps to characterize and correlate massive quantities of behavioral data in real-time. 

Next, from a threat standpoint, Sentinel tracks each interaction with the target OS, as well as its impact on the system, and offers enterprise-wide correlation to expose the anatomy and origin of attacks while they are still in progress. 

Operators can subscribe to real-time updates as threats escalate that provide the industry’s only “complete attack capture”—meaning continuous monitoring of advanced threats throughout the threat lifecycle—to not only remediate against the threat, but to understand how to resist that threat across massive batches of endpoints. This is where machines start to learn root cause, known good and the known bad, but also start to become immune to behaviors exhibited by unknown attacks.
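As an added example of the kind of behavioural characterisation described above (example code written for this article, not CounterTack’s Sentinel logic or telemetry format), the following runs a few rules for antivirus disabling, firewall modification and encoded PowerShell over constructed process-creation events, then correlates hits per host and raises an alert only when several distinct tampering behaviours occur on one host inside a short window. The event schema, the rule patterns, the window and the threshold are all assumptions.

```python
"""Behavioural 'defence tampering' rules over constructed endpoint events.
Example added for this article; not CounterTack code, and the event schema,
rules, window and threshold are all assumptions."""
import re
from collections import defaultdict

# Constructed process-creation events: t = seconds, cmd = full command line.
EVENTS = [
    {"t": 100, "host": "ws-017", "user": "alice", "image": "outlook.exe",
     "cmd": "outlook.exe"},
    {"t": 101, "host": "ws-017", "user": "alice", "image": "powershell.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"t": 103, "host": "ws-017", "user": "alice", "image": "netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"t": 104, "host": "ws-017", "user": "alice", "image": "reg.exe",
     "cmd": "reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender "
            "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"t": 105, "host": "ws-017", "user": "alice", "image": "sc.exe",
     "cmd": "sc config WinDefend start= disabled"},
    # Benign admin activity on another host: same tools, read-only use.
    {"t": 200, "host": "ws-042", "user": "helpdesk", "image": "netsh.exe",
     "cmd": "netsh advfirewall show allprofiles"},
    {"t": 900, "host": "ws-042", "user": "helpdesk", "image": "sc.exe",
     "cmd": "sc query WinDefend"},
]

# (rule name, pattern over the command line). Each one alone is weak evidence.
RULES = [
    ("firewall_disabled",   re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("defender_policy_off", re.compile(r"DisableAntiSpyware\b.*/d\s+1\b", re.I)),
    ("av_service_disabled", re.compile(r"sc\s+config\s+WinDefend\s+start=\s*disabled", re.I)),
    ("encoded_powershell",  re.compile(r"powershell\b.*\s-(enc|encodedcommand)\b", re.I)),
]


def match_rules(event):
    """Names of every rule whose pattern matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]


def correlate(events, window=60, min_rules=2):
    """Raise one alert per host when >= min_rules distinct tampering rules fire
    within `window` seconds; single hits are kept as context but not alerted."""
    hits = defaultdict(list)                      # host -> [(t, rule, cmd)]
    for ev in sorted(events, key=lambda e: e["t"]):
        for rule in match_rules(ev):
            hits[ev["host"]].append((ev["t"], rule, ev["cmd"]))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, _, _) in enumerate(seq):      # slide the window over the hits
            in_win = [h for h in seq[i:] if h[0] - t0 <= window]
            rules = {h[1] for h in in_win}
            if len(rules) >= min_rules:
                alerts.append({"host": host, "first": t0, "last": in_win[-1][0],
                               "rules": sorted(rules),
                               "evidence": [h[2] for h in in_win]})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["host"], a["first"], a["last"], a["rules"])
```

Every command matched here is a legitimate administration tool, which is why a single hit is weak evidence and the per-host correlation is what turns noise into an alert. A real deployment would also key on parent process and user (an encoded PowerShell child of a mail client is far more suspicious than the same command from a management agent) and tune the window to its own telemetry.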



The importance of universities protecting themselves from DDoS attacks

Further to the recent news that the University of London suffered a DDoS attack, Dave Larson, CTO at Corero, has given the following comment:

“As always colleges and universities are extremely busy this time of year, with students undergoing finals and preparing for the following year or graduation.  It could be a coincidence that lately we’ve been hearing of various higher education institutions having their networks disrupted by DDoS attacks; but these stories highlight the importance for universities to be prepared against the inevitable damage of DDoS, particularly at this time in the academic year. Not only do universities have a large student population, but they also have hundreds, sometimes thousands of employees, including academics, researchers, service personnel, physical plant workers and even police – a large quantity of people whose personal information they have a responsibility to protect.”



Huge cyber breach at federal Office of Personnel Management

A significant breach of computer systems at the Office of Personnel Management (OPM) has just been reported. Although the breach happened sometime in December 2014, officials say it was only discovered in April, as a result of new tools implemented by OPM. Over 4 million current and former federal employees are being notified that their personal data may have been compromised.

Who was behind the attack has still to be confirmed, however the Washington Post is reporting that the attackers might be from China.

Given that OPM holds sensitive data about federal employees, the ramifications of this breach could prove significant.