Subject: Tech: Info on Malware for All.
From: JohnInKansas
Date: 21 Aug 12 - 11:01 AM

Although the "news" is about a month old, it's still something of which ALL kinds of users should be aware:

Web-based malware determines your OS, then strikes

F-Secure

New malware that is spread via the Web, and is operating system-agnostic, has been discovered by researchers at F-Secure. The malware uses social engineering by showing this "warning" (top version shown here is for Windows, the bottom is for Mac) when a user visits the tainted page and gets the "warning." [images at the link]

It doesn't matter which operating system you're using, says F-Secure; the file first "checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform."

The payload? "Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware, with the intention of opening a backdoor that will give hackers remote access to your computer," writes Sophos Security's Graham Cluley on that company's blog.

Topher Kessler of CNET's Blog Network notes that if "at any point you see a program, applet, or other resource attempt to use a self-signed certificate, then be sure you personally trust the source before using it (i.e., it is from a server you own or manage)." Legitimate vendors will "use certificates signed by an authority like VeriSign, which authenticates to the root certificates in your system to ensure applets and other transactions with the service are legitimate and secure," he writes.

Cluley notes that this "isn't, of course, the first cross-platform malware that we have seen. For instance, in 2010 we saw the Boonana malware which similarly used a malicious Java applet to deliver a cross-platform attack that attempts to download further malware on Windows, Unix and Mac OS X."

With more malware attacks on Apple's OS in the past year, and ongoing strikes against Windows-based systems, "although the amount of malware written for different operating systems can vary, it's becoming increasingly hard to argue on any OS that it's safe to surf the Web without anti-virus protection," Cluley wrote. And it's hard to argue with that.

[end quote]

Note that this is the second fairly recent exploit that attacks ALL OPERATING SYSTEMS, and that has been in wide enough circulation to merit serious concern. While the malware probably has to include separate payload versions for each OS, the ability to determine what OS you're running is pretty simple, and Java (and some other "new" stuff people are experimenting with) probably makes it simpler for even the "script kiddies" to come up with this kind of attack. Expect more of the same.

Safe browsing habits are important for all, and are the "first line of defense." For those

A different malware form has also been reported recently that "steals all your information and then deletes everything" that is particularly malicious; but at present it's been found almost exclusively in "Arab countries" and hasn't been considered much of a threat in western regions. Since most malware takes extreme measures to avoid detection, the purpose of this one - that makes it rather obvious when an attack has occurred - is still mostly unknown. The biggest hazard with it is that it only needs to get on a few machines that "talk to" machines in other places in order to spread everywhere, so watching for further reports is probably a good idea.

John
Subject: RE: Tech: Info on Malware for All.
From: Ole Juul
Date: 21 Aug 12 - 04:03 PM

> . . . it's becoming increasingly hard to argue on any OS that it's safe to surf the Web without anti-virus protection," Cluley wrote. And it's hard to argue with that.

No, it is not hard to argue with that. He is selling something. It is indeed possible to write viruses for *nix systems, but when people like him talk about exploits, they neglect to say that it only works if you have physical access to the machine or know the root password - in which case the OS is not the problem. I am well aware of the value of the "never say never" meme, but Cluley is just another one of the Windows apologists / salesmen.
Subject: RE: Tech: Info on Malware for All.
From: GUEST,leeneia
Date: 22 Aug 12 - 09:14 AM

I consider that article kind of strange. Surely a well-known virus has been assigned a name. (Preferably an unromantic set of numbers and letters.) Given the name, I can obtain software to scan for it and remove it. So far, all that F-Secure has done is scare me without offering any suggestions on how to improve my situation.

What's my situation? My computer has slowed down, it doesn't respond well to the mouse, and nobody can find a reason.
Subject: RE: Tech: Info on Malware for All.
From: GUEST,Charles Macfarlane
Date: 22 Aug 12 - 09:37 AM

Need to know more specifics to help you - what type of computer, what operating system, what type of mouse, and how connected, what hardware checks have you done such as trying a different mouse, did the problem begin with some identifiable occurrence, such as visiting a particular website or installing a particular program?
Subject: RE: Tech: Info on Malware for All.
From: GUEST,leeneia
Date: 22 Aug 12 - 11:23 AM

Thanks for your kindness, Charles, but I've done a lot of stuff, including buying a new mouse, malware scans and system restore. All I'd like now is the name of the malware described in the article.

My backup plan is that a friend who is a computer professional has offered to come over and have a look at my machine. But if I can solve this without imposing on her, it would be nice.

Meanwhile, just watch. I'm supposed to have a fast system, but I'll click Submit and it will take ten seconds for this message to go.
Subject: RE: Tech: Info on Malware for All.
From: GUEST,Charles Macfarlane
Date: 22 Aug 12 - 12:50 PM

> From: GUEST,leeneia
>
> Meanwhile, just watch. I'm supposed to have a fast system, but I'll click Submit and it will take ten seconds for this message to go.

For me, that's about normal for loading any page from Mudcat. I suspect it's the advertisement blocking I have in place.
Subject: RE: Tech: Info on Malware for All.
From: Ole Juul
Date: 22 Aug 12 - 02:04 PM

Lots of things can cause a machine to be slow. I don't know much about MS-Windows, but I've noticed that people sometimes have pending upgrades and "call home" type things that take control (and bandwidth) away from the user.

Also, I note that Mudcat has been very slow the last couple of days and I too have seen up to ten seconds response time. It seems pretty good now though.
Subject: RE: Tech: Info on Malware for All.
From: GUEST,mg
Date: 22 Aug 12 - 10:49 PM

My mouse is acting odd too and I have something called Babylon that takes over web browsing. I have free support through my host and they were supposed to have cleaned it but it still seems to be on.
Subject: RE: Tech: Info on Malware for All.
From: Ole Juul
Date: 22 Aug 12 - 11:16 PM

You can do a net search on the term "how to remove babylon" and do it yourself. You will find hundreds of sets of directions, including numerous videos. Good luck. :)
Subject: RE: Tech: Info on Malware for All.
From: JohnInKansas
Date: 23 Aug 12 - 09:56 AM

Mudcat has been a little slow for me recently, but other sites respond normally. That could be because of something at mudcat, or with a relay server that it uses often, but since it's just mudcat I can be pretty sure it's not on my computer. You can get similar assurance by checking whether it's just one site that's doing something unusual, or if it's all of them. If everything is slow, you probably have a problem with your own machine.

Malware removers often just delete or quarantine the file that contains a particular bit of code that the remover recognizes, but the malware may also have added other files that are not in themselves capable of doing anything much. Checking for instructions for removing the malware, as already suggested, may let you get rid of a lot more of the junk associated with the malware. Occasionally the malware may modify an existing file that your computer needs to use, and quarantine or deletion of the infected file can muck things up. The complete removal instructions you'll find should tell you if you need to replace a file "damaged" by the particular malware. Your service is unlikely to do this for you.

Your mouse and keyboard most likely are connected via USB, even if they're "wireless" ones. USB sometimes gets confused. A procedure that sometimes helps is to:

1. shut down the computer.
2. disconnect all USB devices.
3. restart the computer.
4. plug in ONE device at a time and let the computer's PNP recognize it and connect it up before you plug in the next thing.

This works better if you get into Control Panel and delete all the existing USB connections before the shutdown, but that can cause problems you likely will want on-site help with from someone more experienced. (Like how do you shut down properly if you've deleted both mouse and keyboard connections, and how do you log back on with no keyboard connected?)

John
Subject: RE: Tech: Info on Malware for All.
From: GUEST,leeneia
Date: 23 Aug 12 - 10:06 AM

Thanks for the info about Babylon and USBs.
Subject: RE: Tech: Info on Malware for All.
From: JohnInKansas
Date: 23 Aug 12 - 10:16 AM

> Surely a well-known virus has been assigned a name.

The reason for no name is that the news report describes a usage of a "normal process" that can be used to try to get any kind of malware on your computer, but isn't itself a real malware form. Any site you connect to can tell what browser you're using, and with very little more effort can tell what OS you use. That's a normal function. In the past, few malware designers have used the method to "tailor" their payload of junk. Some of them are doing it now, and that's what the report wants you to know.

As to the immunity of 'nix systems, the operator sitting at the keyboard has direct access to the computer and must have some privileges in order to be able to do much of anything. IF THE PERSON AT THE KEYBOARD does something stupid, the computer must follow instructions, and it doesn't much matter what OS is being used.

Much of the malware currently in circulation attempts to get ONE PERSON to compromise personal information, so that they can steal from that person. They DON'T WANT SMART PEOPLE since their success depends on the operator being induced to make additional mistakes. As long as there's one fool (or careless/distracted genius) left in the world, any system can be compromised.

For most currently active malware, they don't care about getting into the entire system. They only want the keyboard where the "vulnerable person" sits.

John
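To illustrate John's point that any web server can tell a visitor's browser and OS from a perfectly normal request, here is an added example (not from the post or from any of the articles it quotes) that parses web server access-log lines and tallies visitors by OS family using the User-Agent header. The log lines, the combined-log regex and the OS rule table are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample traffic in Apache/nginx "combined" log format; not real visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1"
198.51.100.7 - - [21/Aug/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"
192.0.2.9 - - [21/Aug/2012:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1"
192.0.2.10 - - [21/Aug/2012:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.26.0"
"""

# Combined log format: the User-Agent is the last quoted field of each line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered (pattern, family) rules. Order matters: an iPhone UA also says
# "like Mac OS X", and an Android UA also says "Linux", so the more specific
# platform is tested first.
OS_RULES = [
    (re.compile(r"Windows"), "Windows"),
    (re.compile(r"iPhone|iPad|iPod"), "iOS"),
    (re.compile(r"Mac OS X|Macintosh"), "macOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Linux|X11"), "Linux"),
]


def os_family(user_agent: str) -> str:
    """Return the OS family advertised by a User-Agent string, or 'unknown'."""
    for pattern, family in OS_RULES:
        if pattern.search(user_agent):
            return family
    return "unknown"


def parse_line(line: str):
    """Split one combined-format log line into named fields; None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def tally_by_os(log_text: str) -> Counter:
    """Count requests per OS family, skipping lines that do not parse."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        counts[os_family(record["ua"])] += 1
    return counts


if __name__ == "__main__":
    for family, n in tally_by_os(SAMPLE_LOG).most_common():
        print(f"{family:8} {n}")
```

The same header is what a server reads to decide which download to offer, so from the server's side there is nothing special to detect; what a defender can look for is the unexpected pairing of a plain page visit with an OS-specific executable download.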
Subject: RE: Tech: Info on Malware for All.
From: JohnInKansas
Date: 23 Aug 12 - 12:56 PM

Not an immediate hazard, but on the subject, as above, of the use of normal processes for malicious purposes, a couple of researchers have produced a demonstration that an "innocent script" (containing no identifiable malware) could be used to assemble bits and pieces from the perfectly good (and otherwise safe) programs on your computer, to produce something that performs malicious actions. This is (for now) a "concept" only, and there's been no known use of the idea; but it may give an idea of what could come along eventually. (Eventually could be fairly soon, of course.)

'Frankenstein' virus could assemble itself from app snippets

[quote]

Many malware and viruses can be identified by detection software because of known bits of malicious code. But what if there was a virus compiled from little bits of programs you already had installed? That's just what two security researchers are looking into.

Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas are interested in how malware disguises itself in order to propagate more widely. After all, with virus detectors and operating systems getting frequent updates, any positively identified virus will be destroyed on sight around the world soon after.

Malware authors and security experts have tried different ways to camouflage malicious code, like encrypting it or adding garbage data to confuse the scanners. But Mohan and Hamlen take it a step further: their virus builds itself out of pieces your computer knows to be safe — bits of applications like your word processor, image editor or Web browser. Appropriately enough, they call it Frankenstein, and although right now it's still just a proof of concept, it's an indication of one avenue hackers might take in the future.

Why bother sending out a whole application stuffed full of code that could be identified as bad news when you can just send a "blueprint" of what it needs, and let it assemble itself on-site, as it were?

Their Frankenstein is a "toy" version, which means it does not propagate itself onto other computers, but it can make variants of itself by stealing different code from different programs. That means that every "mutant" version it creates of itself will be significantly different, but still check out when looked at piece by piece for suspicious functions.

And there's no shortage of the snippets of code, which they call "gadgets." As they remark in the paper describing their work:

> The results show that even with the limited capacity of our prototype, 2–3 binaries are sufficient to bring the number of gadgets above 100,000. On average we discovered about 46 gadgets per KB of code, finding approximately 2338 gadgets per second.

In other words, just a few basic applications rendered thousands of pieces to use. That many spare parts could keep the virus scanners busy for quite some time, though there is always the risk that they could be trained to look for the "blueprint" instead of the resultant patched-together virus. But that too could be made to look legitimate.

Mohan and Hamlen hope that being aware of camouflaging systems like this will make virus detection stronger and better; after all, if they didn't invent it, some less well-meaning person might have instead, and it would be at large instead of in a paper.

The research was supported by Air Force and National Science Foundation grants. The paper, "Frankenstein: Stitching Malware from Benign Binaries," is available for free download here, as well as the slides from Mohan and Hamlen's presentation at the USENIX security workshop.

[end quote]

There's a nice picture of Frankie at the link, and links to where you can download the full report if that's of interest to anyone. (Happy browsing.)

John
Subject: RE: Tech: Info on Malware for All.
From: Stilly River Sage
Date: 30 Aug 19 - 10:38 AM

Nice to participate in an old "John in Kansas" thread. I was looking for a place to park this: The threats these days aren't just to computers, they're also for phones.

Google finds malicious sites pushing iOS exploits for years

Google finds exploits for 14 iOS vulnerabilities, grouped in five exploit chains, deployed in the wild since September 2016.

The attacks weren't aimed at particular iOS users, as most iOS exploits tend to be used, but were aimed at any user accessing these sites via an iPhone.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," said Ian Beer, a member of Google Project Zero, Google's elite security team.

The exploits also didn't require any user interaction to trigger. Google said the first website to host any of the exploits went live on September 13, 2016. The websites appeared to have been hacked, and the exploits planted by a third-party, rather than the site owner.

"We estimate that these sites receive thousands of visitors per week," Beer said.

14 EXPLOITS, FIVE EXPLOIT CHAINS, AT LEAST ONE ZERO-DAY

This nefarious and secretive hacking operation was discovered earlier this year when Google's Threat Analysis Group (TAG) came across the hacked sites.

Follow the link for the rest.
Subject: RE: Tech: Info on Malware for All.
From: Stilly River Sage
Date: 30 Jul 21 - 12:12 PM

I know there are a lot of Linux users in Mudcatland, so I hope this is helpful. There are lots of linked spots in the text on the actual web page, so this is FYI but to follow the connections, go to the page itself. This is the bit that particularly caught my eye: the lengths they go to stay on a network put them in a different light than just a nuisance.

> It could be well worth security teams' time to review Microsoft's tips towards the end of its analysis for hunting down LemonDuck threats and tools on a network because once LemonDuck is aboard, it really doesn't want to leave.

Microsoft: This Windows and Linux malware does everything it can to stay on your network

LemonDuck coin-mining malware has been crafted by some very determined, financially motivated cybercriminals.

Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments. It makes a strong case for why it is worth removing it from your network.
Subject: RE: Tech: Info on Malware for All.
From: robomatic
Date: 30 Jul 21 - 01:48 PM

Have the usual anti-malware and anti-virus software been updated to detect and/or dispose of this innovation?
Subject: RE: Tech: Info on Malware for All.
From: DaveRo
Date: 30 Jul 21 - 04:24 PM

It affects enterprise computers, as it says in the first sentence. Microsoft's main concern is Windows Server, running databases such as MS SQL or Exchange Server, not ordinary Windows desktops. I don't know whether infections involve ordinary Windows PCs, and therefore whether AV programs detect them. But desktops are not the target.

Linux servers are also affected, e.g. running Hadoop (don't ask!). Linux is not immune from malware, but only 2% of desktop computers run Linux so it's not a popular target. So I and most Linux users do not run AV programs. By contrast, 90% of enterprise servers run Linux.
Subject: RE: Tech: Info on Malware for All.
From: Stilly River Sage
Date: 28 Feb 22 - 03:56 PM

Here's an interesting bit about malware that has managed to distribute itself through the Google Play Store (shame on Google for not vetting the vendor):

Xenomorph banking Trojan downloaded over 50,000 times from Play Store

Besides the name of the creature that "stars" in the Alien movies by 20th Century Fox, Xenomorph is also the name given to an Android banking Trojan. Researchers found this banking Trojan to be distributed on the official Google Play Store, with more than 50,000 installations.

There's more to the article at the link. It looks like it is mostly in Europe, intended to hit various countries' banking apps, but I'm sure it can jump the pond with the touch of a screen button.