Viruses and Worms

Microsoft Patches .NET Zero Day Vulnerability in September Update

VirusList.com - 12 September 2017 - 21:59
Microsoft fixes 25 critical vulnerabilities including one zero day under attack and one tied to the high-profile BlueBorne attack vector.
Category: Viruses and Worms

D-Link router riddled with 0-day flaws

The Register - Anti-Virus - 12 September 2017 - 21:34
'Basically, everything was pwned, from the Lan to the Wan'

Updated A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first.…

Category: Viruses and Worms

Adobe Fixes Eight Vulnerabilities in Flash, RoboHelp, ColdFusion

VirusList.com - 12 September 2017 - 21:27
Adobe fixed eight vulnerabilities across three products, Flash Player, RoboHelp for Windows, and ColdFusion, as part of its September Patch Tuesday updates.
Category: Viruses and Worms

FreeXL Library Fixes Two Remote Code Execution Vulnerabilities

VirusList.com - 12 September 2017 - 17:54
Researchers warned Monday of two remote code execution vulnerabilities in FreeXL that could let an attacker execute code with local user privileges.
Category: Viruses and Worms

News in brief: lawyerbot offers Equifax help; Facebook faces privacy fine; gang hacks India ID scheme

Sophos Naked Security - 12 September 2017 - 17:47
Your daily round-up of some of the other stories in the news

New iOS 11 features create fresh headaches for law enforcement

Sophos Naked Security - 12 September 2017 - 16:56
The latest version of the iPhone and iPad platform requires a six-digit passcode before it will sync with a new laptop - and revealing a passcode does have Fifth Amendment protection

Beware the Kedi RAT pretending to be a Citrix file that Gmails home

Sophos Naked Security - 12 September 2017 - 15:41
The Kedi Remote Access Trojan has some sneaky tricks up its sleeve - don't get caught out by it

Wireless ‘BlueBorne’ Attacks Target Billions of Bluetooth Devices

VirusList.com - 12 September 2017 - 15:00
Bluetooth attack vector, dubbed ‘BlueBorne’, leaves billions of smart Bluetooth devices open to attack including Android and Apple phones and millions more Linux-based smart devices.
Category: Viruses and Worms

Why are redditors ripping images from Instagram? Because they can

Sophos Naked Security - 12 September 2017 - 14:48
If you'd rather a bunch of random people on the internet didn't 'archive' your photos, you're not alone - Instagram is trying to stop them

Researcher reveals D-Link router holes that might never be patched

Sophos Naked Security - 12 September 2017 - 12:31
If you've got a D-Link DIR-850L AC1200 router, it's time to think about replacing it - the holes in the firmware might never be fixed

VB2017: WHOIS and EICAR Small Talks added

Virus Bulletin News - 12 September 2017 - 11:59
Today, we announce two more 'Small Talks' for the VB2017 programme. In one of them, Neil Schwarzman will discuss the consequences of the GDPR for WHOIS and abuse research, while the other will be hosted by three members of EICAR, who will discuss its work on a trustworthiness strategy and minimum standard.

Category: Viruses and Worms

Miners on the Rise

Kaspersky Securelist - 12 September 2017 - 11:00

Miners are a class of malware whose popularity has grown substantially this year. The actual process of cryptocurrency mining is perfectly legal, though there are groups of people who hoodwink unwitting users into installing mining software on their computers, or exploit software vulnerabilities to install it themselves. This results in threat actors receiving cryptocurrency, while their victims’ computer systems experience a dramatic slowdown. Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially.

In general, the number of users that have encountered cryptocurrency miners has increased dramatically in recent years. For example, in 2013 our products protected around 205,000 users globally when they were targeted by this type of threat. In 2014 the number increased to 701,000, and the number of attacked users in the first eight months of 2017 reached 1.65 million.

Number of users Kaspersky Lab protected from malicious cryptocurrency miners from 2011 to 2017

Propagation methods

The main method for installing miners makes use of adware installers that are spread using social engineering. There are also more sophisticated propagation methods – one is exploiting vulnerabilities such as EternalBlue. In that case, the victim is a server, which is especially advantageous for the threat actors because they end up with a more powerful asset.

The following types of ads can be found in the Telegram messaging service:

Advert for a mining builder in a Telegram channel advertising opportunities to earn money online

By following the advertised link, the user can download a trial version of a builder which assembles a dropper for a miner with some extra features, including suspension of the software whenever the user launches a popular game.

The miner’s builder

To receive the full version, the user is prompted to contact the administrators of a group on the VKontakte social media site.

Main principles of operation

Concealed miners are very difficult to detect due to their specific nature and operating principles. Any user can independently install this kind of software on their computer and legally use it for mining a cryptocurrency.

Often, a crypto miner comes with extra services to maintain its presence within the system, automatic launch every time the computer is switched on, and concealed operation.

These services can, for example:

  • Try to turn off security software;
  • Track all application launches, and suspend their own activities if a program is started that monitors system activities or running processes;
  • Ensure a copy of the mining software is always present on the hard drive, and restore it if it is deleted.

The miner searches for system monitoring tools

We recently detected a network containing an estimated 5,000+ computers on which Minergate, a legal console miner, was installed without the users’ knowledge or consent. The software was distributed via an adware installer, and was installed as a service on the victim computer in the following way:

Minergate installation

  • The user downloads an installer from a file hosting service under the guise of a freeware program or keys to activate licensed products;
  • When launched, the installer downloads the miner’s dropper (exe) to the victim computer;
  • The dropper writes Minergate and the tool exe to the hard drive, using srvany.exe when the system boots to launch the miner as a service named windows driver.exe;
  • The dropper creates an additional service named exe which ensures the continuous operation of Minergate; if Minergate is deleted, the dropper restores it on the hard drive.

The dropper stores the miner configuration info in a registry record.

MinerGate’s configuration data
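As an added defensive check that is not part of the Kaspersky write-up, the PowerShell below lists services on a Windows host that match the installation pattern described above: a service wrapped with srvany.exe (showing the program srvany is configured to launch), a service name that imitates a system component, or a service binary in a user-writable directory. It assumes an elevated PowerShell session on the host being examined; the name pattern and directory list are the editor's assumptions, not values from the article.

```powershell
# Added example (not Kaspersky's code): review services for the srvany.exe-wrapped
# miner pattern described in the article. Read-only: nothing on the host is changed.
# Assumes an elevated session so service and registry data are readable.

$services = Get-CimInstance -ClassName Win32_Service

$findings = foreach ($svc in $services) {
    $path = [string]$svc.PathName
    $reasons = @()

    # srvany.exe is a Resource Kit wrapper that runs any program as a service.
    # Legitimate uses exist, but it is rare enough on workstations to deserve review.
    if ($path -match 'srvany\.exe') {
        $reasons += 'binary path is srvany.exe'
        # srvany reads the program it launches from the service's Parameters\Application value
        $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.Application) {
            $path = "$path -> $($params.Application)"
        }
    }

    # Names that imitate system components (assumed pattern, based on the article's 'windows driver' service)
    if ($svc.Name -match '^windows ?driver' -or $svc.DisplayName -match '^windows ?driver') {
        $reasons += 'name imitates a system component'
    }

    # Service binaries living outside Program Files / System32 (assumed list of user-writable locations)
    if ($path -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') {
        $reasons += 'binary lives in a user-writable directory'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Path      = $path
            Reasons   = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize
```

Each hit is a lead for an analyst, not a verdict: confirm the launched binary's origin and hash before acting, since the same wrapper is used by some legitimate software.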

Moneymaking scheme

The two currencies most often used in concealed mining are monero (XMR) and zcash. These two ensure the anonymity of transactions, which comes in very handy for threat actors.

According to the most conservative estimates, the mining network can generate anything up to $30,000 a month to its owners.

The wallet of a mining botnet

The above screenshot shows a wallet coded into the miner’s configuration data. At the time of writing, a total of 2,289 XMR had been transferred from this wallet, which at the current exchange rate is equivalent to $208,299.

Assuming a regular desktop computer yields a hash rate of 30-100 H/sec, this botnet may contain in the region of 4,000 computers.

Hash rates of the mining botnet plotted against time

Conclusion

As we see, threat actors will grasp any opportunity to make illegal money, and the methods to make money online are continuously evolving. The development of the cryptocurrency market has led to an explosive growth in cases where miners are installed without users’ knowledge or consent. This can be explained by the fact that when a new cryptocurrency is emerging, it is much easier to mine and make money from it. Threat actors are on the lookout for ways to use the resources of somebody else’s hardware, and often it is regular users who fall victim.

Kaspersky Lab’s solutions detect all the threats described in this article under the verdicts:

  • Win32.BitCoinMiner.hxao
  • PDM:Trojan.Win32.Generic

IOCs:

185b23c602e64dc6bcd2a2776095653e
33e46f76bc9bf1ff8380406f111f56af
26f42df21371bd4afe86a643ac0a6b44
25451e6fe30b54b432854bde5b9abb74

Another reason to hate Excel: its Macros can help pivot attacks

The Register - Anti-Virus - 12 September 2017 - 08:01
From Excel.Application to remote code execution. Lovely

A white-hat has taken a good look at whether you can pivot an attack from one machine to others using Microsoft Excel, and you probably won't like what he found.…

Category: Viruses and Worms

Equifax backtracks arbitrate-don't-litigate plan for punters

The Register - Anti-Virus - 12 September 2017 - 04:17
It's also bought a random number generator for PINs

Equifax has decided it will no longer try to impose arbitration on any of the millions of Americans who try to find out if they've been stung in its massive data leak.…

Category: Viruses and Worms

Google to kill Symantec certs in Chrome 66, due in early 2018

The Register - Anti-Virus - 12 September 2017 - 02:56
This is how trust ends, not with a bang but with a whimper

Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.…

Category: Viruses and Worms

Crackas With Attitude troll gets five years in prison for harassment

The Register - Anti-Virus - 11 September 2017 - 23:33
Embarrassing law enforcement comes at a heavy price

A member of the short-lived Crackas With Attitude hacking troupe has received five years in prison, despite the fact that he hadn't actually hacked any accounts himself and had accepted a plea deal.…

Category: Viruses and Worms

Apache Foundation Refutes Involvement in Equifax Breach

VirusList.com - 11 September 2017 - 21:02
The Vice President of the Apache Struts PMC says the attackers likely used an unknown Struts zero day or an earlier announced vulnerability.
Category: Viruses and Worms

Popular D-Link Router Riddled with Vulnerabilities

VirusList.com - 11 September 2017 - 20:09
D-Link router model 850L has 10 vulnerabilities that could allow a hacker to gain remote access to and control of the device, according to a researcher.
Category: Viruses and Worms

FireEye pulls Equifax boasts as it tries to handle hack fallout

The Register - Anti-Virus - 11 September 2017 - 19:50
Now credit freezes may not even be secure

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.…

Category: Viruses and Worms