Another Android Flaw Gives Apps Elevated Privileges

Close on the heels of Stagefright, another vulnerability has been found to affect Android devices. A flaw in the OpenSSL X509Certificate class allows apps to elevate privileges, enabling them to snoop on vulnerable devices, install malware, and cause other problems. More than half of Android handsets are believed to be vulnerable.

Google has provided a patch, but as with the patch for Stagefright, most people won’t receive it automatically. Ask your mobile carrier if a patch is available and if not, when you can expect it.

Read the story in the news.


The Simda Botnet

The Simda botnet (a botnet is a network of computers infected with self-propagating malware) has compromised more than 770,000 computers worldwide in the past six months. The botnet was recently taken down by law enforcement agencies and private security companies, which seized 14 command-and-control servers located in various countries, including the US.

Simda malware takes advantage of Windows computers with unpatched software to re-route a user’s Internet traffic to websites under the criminals’ control. The infected computers can also be used to install additional malware, give criminals access to harvest user credentials, or launch other malware attacks.

Read a full report on this threat in the alert released by the DHS and FBI: TA15-105A, which includes the recommended actions users can take:

  • Use and maintain anti-virus software
  • Change your passwords
  • Keep your operating system and software up to date
  • Do a manual check of your system (or ask for assistance to do so) to see if it is infected. Microsoft has developed a free cleaning agent for Simda. If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials or Windows Defender.

Read the story in the news here and here.

Security Tip: Gaming Online

This month’s issue of OUCH! is about online gaming. While gaming is a fun activity, online gaming — where you communicate and connect with others from anywhere in the world — can be risky. (Even security experts aren’t immune. Just last week we spent several hours removing malware from the computer our son uses for online gaming.)

Read about how you can secure yourself, your system and your online accounts. If you are the parent of a gamer, there are tips on teaching your children about the risks.

View the issue here (.pdf)

Malware Identified from Attack on Sony

US-CERT has released an advisory regarding the sophisticated malware that the attackers of Sony Pictures used. According to the advisory, the attackers used a Server Message Block (SMB) Worm Tool to disrupt the company’s infrastructure. The tool is equipped with five components, including a listening plant, a lightweight backdoor, a proxy tool, a destructive hard drive tool and a destructive target cleaning tool.

According to a Securityweek article: “The SMB worm propagates through an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States.”

An organization infected with this malware could experience operational impacts, including loss of intellectual property and disruption of critical systems.

Users and administrators are recommended to take preventative measures, such as using and maintaining anti-virus software, keeping software up to date, reviewing security tips for handling destructive malware and reviewing practices for control systems with defense-in-depth strategies.

Malvertising Campaign Hits PCs and Macs

A malware campaign that began in May 2014 is delivering customized concoctions of spyware, adware, and browser hijacking malware to PC and Mac users. The “malvertising” network (a merging of the words “malware” and “advertising”), which has been dubbed Kyle and Stan, has 700 domains.

Getting a malicious ad into an advertising network’s distribution, even for a short time, can infect many computers, especially if it appears on a popular site like Amazon or YouTube. The combination of malware downloaded to each machine is different, which means the checksum of each download varies, thwarting hash-based detection.
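To make the checksum point concrete, here is an added illustration (not code from the article or from the Kyle and Stan research) using two constructed payload variants: the same functional core wrapped in different junk bytes. A blocklist of known file hashes misses the second variant, while a signature on the shared content still matches both.

```python
import hashlib

# Constructed sample: the functional core shared by every variant.
# The string and its contents are made up for this illustration.
CORE = b"browser_hijack:set_homepage=http://ads.example.invalid;"


def build_variant(seed: int) -> bytes:
    """Wrap CORE in seed-dependent junk bytes, mimicking per-download customization."""
    junk = bytes((seed * 31 + i * 7) % 256 for i in range(64))
    return junk[:32] + CORE + junk[32:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hits(sample: bytes, blocklist: set) -> bool:
    """Hash-based detection: only exact, previously seen files match."""
    return sha256_hex(sample) in blocklist


def content_signature_hits(sample: bytes, signatures) -> bool:
    """Content-based detection: match on bytes the variants have in common."""
    return any(sig in sample for sig in signatures)


def demo() -> dict:
    first = build_variant(1)
    second = build_variant(2)
    # The defender has only ever seen the first sample.
    blocklist = {sha256_hex(first)}
    return {
        "hashes_differ": sha256_hex(first) != sha256_hex(second),
        "hash_catches_first": hash_blocklist_hits(first, blocklist),
        "hash_catches_second": hash_blocklist_hits(second, blocklist),
        "content_catches_second": content_signature_hits(second, [CORE]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```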

Malvertising attacks are not new, and have been around for a few years. Generally, criminals use ads on popular sites or networks, such as Spotify or Facebook, to spread malware. They place an ad with the network, then change the code in the ad to exploit flaws in the browser, which allows them to inject malware onto the user’s computer.

To protect yourself against these attacks, it is recommended to run malware detection software (Sophos is distributed for free to MIT users) and to make sure your browser is up to date with the latest security patches. Another option is to filter sites based on their potential threat level. Browser plug-ins such as AdBlock and Webutation can block ads and warn users if they have accessed a site that is known to host malware. These plug-ins are free and can be run on different types of browsers.

Read the full story in the news.

Home Depot Hit By Malware Similar to Target Breach

Security researcher Brian Krebs published information on his security blog yesterday about the cyber attack on Home Depot. Reportedly, the compromised credit cards were exposed through the same malware that exposed 40 million accounts of Target customers in December 2013. He points to a new variant of the malware strain “BlackPOS,” aimed at retailers, which has the ability to steal credit and debit card information from the physical memory of point-of-sale devices.

If this information is true, then it could mean the same people were responsible for both breaches. Credit card numbers allegedly stolen from Home Depot have appeared on an underground cybercrime shop known as Rescator, which has also been seen selling cards stolen in the Target breach. According to Krebs, the people involved harbor anti-American sentiments.

Read the story in the news.

GameOver Zeus P2P Malware

GameOver Zeus (GOZ), a peer-to-peer variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control.

The malware was used by criminals to infect victims with ransomware such as Cryptolocker. Although the government has taken control of GameOver’s servers, preventing further Cryptolocker infections, many computers, perhaps hundreds of thousands, remain infected.

Systems at risk:

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

The US government recently released this technical advisory on GOZ to provide further information. A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

One of the solutions provided in the advisory is to use and maintain anti-virus software. The software supplied by Information Systems & Technology at MIT, Sophos Anti-Virus, protects against this malware. To clean up a computer already infected, Sophos also offers a separate, free Virus Removal Tool.

Read more at Sophos online.