Information Security News
by Peter Bright
The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source code support for these features to the Chrome browser, making Windows 10 the best version of Windows to use with Google's browser.
Over the last few years, Windows has had a number of flaws that relate to its font handling. The TrueType and PostScript fonts that Windows supports are complex things, and for historic reasons, much of the code used to handle these fonts runs in Windows' kernel mode. This makes it attractive to attackers: if a bug exists in this font-handling code, it can be used to obtain kernel-level privileges.
Compounding this, the code is also quite exposed: a Word document, for example, can contain its own embedded fonts, and opening the document means that those embedded fonts will be loaded into the kernel. If the fonts are malicious, constructed to exploit bugs in the font-handling code, this can compromise your system simply by opening a document.
I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something I've covered previously in ISC diaries [1, 2]. However, the traffic patterns he saw were somewhat different than I've seen, so I figured it's time to revisit this type of malspam.
I found 13 messages with the following subject lines during the past two days:
Attachments names were different for each of the 13 messages:
Each of the attachments was a zip file that contained a .js file.
The script in these .js files is highly obfuscated. However, I prefer to execute the .js files and see where the traffic takes us.
Traffic and malware
Each of the scripts tried to download and execute three malware items.
script.php_wndz1.jpg - 255.5 KB (261,632 bytes) - File type: Windows EXE
script.php_wndz2.jpg - 159.5 KB (163,328 bytes) - File type: Windows EXE
script.php_wndz3.jpg - 84.5 KB (86,528 bytes) - File type: Windows EXE
Based on the callback traffic reported on the first sample, that file appears to be CryptoWall. I haven't had the time to dig into the other two items.
The malspam and malware samples can be found here. My thanks to Chris, who emailed me about this most recent wave of malspam.
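The diary above describes two signals a defender can check automatically: a zip attachment carrying a Windows Script Host file, and downloaded payloads named like images (.jpg) whose bytes are actually Windows executables. The following is an added example, not ISC code or the diary author's tooling; the attachment name, the script body and the file contents are constructed placeholders (only the three "script.php_wndz" names come from the diary), and the triage function and its finding strings are this example's own assumptions.

```python
"""Detect the two malspam patterns described in the diary: zip attachments that
carry a .js script, and downloads with an image extension whose bytes are a PE.
Added example with constructed sample data; not the diary author's code."""
import io
import zipfile

# Leading bytes used for content sniffing (genuine magic values for PE, JPEG, ZIP).
PE_MAGIC = b"MZ"
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions that Windows Script Host executes on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")


def sniff_type(data: bytes) -> str:
    """Return a coarse file type from the leading bytes, ignoring the file name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def classify_download(name: str, data: bytes):
    """Flag a payload whose claimed type (extension) contradicts its real type.
    Returns a finding string, or None when the name and content agree."""
    lower = name.lower()
    kind = sniff_type(data)
    if lower.endswith(IMAGE_EXTENSIONS) and kind == "pe":
        return "pe-disguised-as-image"
    if lower.endswith(IMAGE_EXTENSIONS) and kind == "zip":
        return "zip-disguised-as-image"
    return None


def scripts_in_zip(data: bytes):
    """List members of a zip attachment that are WSH-executable scripts."""
    if sniff_type(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist() if m.lower().endswith(SCRIPT_EXTENSIONS)]


def triage_message(attachments, downloads):
    """attachments: {name: bytes} taken from the mail; downloads: {name: bytes}
    observed afterwards. Returns (name, finding) tuples worth an analyst's time."""
    findings = []
    for name, data in attachments.items():
        for member in scripts_in_zip(data):
            findings.append((name, f"zip contains script {member}"))
    for name, data in downloads.items():
        finding = classify_download(name, data)
        if finding:
            findings.append((name, finding))
    return findings


def build_sample():
    """Constructed sample (not the real malware): a zip holding one .js file, three
    '.jpg' downloads whose bytes start with a PE header, and one benign JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.js", "var x = 1; // placeholder, not the real script")
    attachments = {"invoice_2016.zip": buf.getvalue()}
    fake_pe = PE_MAGIC + b"\x90\x00" * 30  # only the magic matters for this check
    downloads = {f"script.php_wndz{i}.jpg": fake_pe for i in (1, 2, 3)}
    downloads["banner.jpg"] = JPEG_MAGIC + b"\xe0" + b"\x00" * 20  # benign control
    return attachments, downloads


if __name__ == "__main__":
    for name, finding in triage_message(*build_sample()):
        print(f"{name}: {finding}")
```

The check deliberately trusts bytes over names: a gateway that routes on extension alone would pass the "jpg" downloads as images, while the MZ header gives the same verdict regardless of what the script renamed the file to.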
It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users.
In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites. The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.
"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."
Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).
The Installer for the fake Flash update will install various scareware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.
While I wasn't able to capture the exact trigger for the popup advertising the update, I suspect it was injected by one of the many ads on the page:
Once the user clicks on the popup, the following page offers the Flash Player update for download:
Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the Installer appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.
The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov:
I recorded a small video showing what happens when you install the update on a clean OS X 10.11 system:
Startup PatternEx Launches AI Platform for Information Security
"The most frustrating thing in InfoSec is that the data to detect malicious behavior often already exists in enterprise infrastructures today," Veeramachaneni said. "The human analysts can detect it, but analysts are difficult to hire and are not ...
PatternEx Launches Company With First Artificial Intelligent Security Analyst