Malware Identified from Attack on Sony

US-CERT has released an advisory regarding the sophisticated malware that the attackers of Sony Pictures used. According to the advisory, the attackers used a Server Message Block (SMB) Worm Tool to disrupt the company's infrastructure. The tool is equipped with five components: a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool and a destructive target cleaning tool.

According to a Securityweek article: "The SMB worm propagates through an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States."
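Brute-force propagation over SMB leaves a recognisable trail: one source address generating bursts of failed network logons (Windows event 4625, logon type 3) against many hosts and many account names, sometimes followed by a success. The following detector is an added example, not code from US-CERT or Securityweek; the log lines are constructed for illustration in a generic key=value export format (not a real SIEM schema), and the thresholds `min_failures` and `min_hosts` are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled loosely on Windows security events
# 4625 (failed logon) and 4624 (successful logon) with logon_type=3 (network,
# which is what SMB authentication produces). Not real logs.
SAMPLE_LOGS = """\
2014-11-24T03:12:01Z host=FS01 event=4625 logon_type=3 src=10.0.5.23 user=admin
2014-11-24T03:12:02Z host=FS01 event=4625 logon_type=3 src=10.0.5.23 user=administrator
2014-11-24T03:12:02Z host=FS01 event=4625 logon_type=3 src=10.0.5.23 user=backup
2014-11-24T03:12:03Z host=FS02 event=4625 logon_type=3 src=10.0.5.23 user=admin
2014-11-24T03:12:03Z host=FS02 event=4625 logon_type=3 src=10.0.5.23 user=administrator
2014-11-24T03:12:04Z host=WS17 event=4625 logon_type=3 src=10.0.5.23 user=admin
2014-11-24T03:12:05Z host=WS17 event=4625 logon_type=3 src=10.0.5.23 user=root
2014-11-24T03:12:09Z host=WS17 event=4624 logon_type=3 src=10.0.5.23 user=admin
2014-11-24T03:15:00Z host=FS01 event=4625 logon_type=3 src=10.0.7.8 user=jsmith
2014-11-24T03:15:30Z host=FS01 event=4624 logon_type=3 src=10.0.7.8 user=jsmith
2014-11-24T03:20:00Z host=FS01 event=4625 logon_type=2 src=- user=jdoe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<ltype>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(text):
    """Parse the key=value lines above into dicts; skip anything malformed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_spraying_sources(events, min_failures=5, min_hosts=2):
    """Flag source addresses whose failed network logons fan out across
    several hosts, which is the signature of worm-style SMB brute forcing.
    Events are assumed to be in time order, so a 4624 from a source that
    already has failures is recorded as a success after failures."""
    fails = defaultdict(lambda: {"hosts": set(), "users": set(), "count": 0})
    success_after_failures = defaultdict(set)
    for e in events:
        # Only network logons matter here; interactive (type 2) ones are noise.
        if e["ltype"] != "3" or e["src"] == "-":
            continue
        if e["event"] == "4625":
            s = fails[e["src"]]
            s["hosts"].add(e["host"])
            s["users"].add(e["user"])
            s["count"] += 1
        elif e["event"] == "4624" and e["src"] in fails:
            success_after_failures[e["src"]].add((e["host"], e["user"]))

    findings = {}
    for src, s in fails.items():
        if s["count"] >= min_failures and len(s["hosts"]) >= min_hosts:
            findings[src] = {
                "failures": s["count"],
                "hosts": sorted(s["hosts"]),
                "users": sorted(s["users"]),
                "success_after_failures": sorted(success_after_failures.get(src, set())),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_spraying_sources(parse(SAMPLE_LOGS)).items():
        print(src, info)
```

A single user mistyping a password (10.0.7.8 above) never crosses the host threshold, while the spraying source is reported together with the host and account it finally got into, which is where containment should start.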

An organization infected with this malware could experience operational impacts, including loss of intellectual property and disruption of critical systems.

Users and administrators are advised to take preventative measures, such as using and maintaining anti-virus software, keeping software up to date, reviewing security tips for handling destructive malware and reviewing practices for control systems with defense-in-depth strategies.

Malvertising Campaign Hits PCs and Macs

A malware campaign that began in May 2014 is delivering customized concoctions of spyware, adware and browser-hijacking malware to PC and Mac users. The "malvertising" network (a merging of the words "malware" and "advertising"), which has been dubbed Kyle and Stan, spans some 700 domains.

Getting a malicious ad into an advertising network's rotation, even for a short time, can infect many computers, especially if it is served on a popular site such as Amazon or YouTube. The bundle of malware dropped on each machine is assembled differently, so the file checksums vary and simple hash- or signature-based detection fails to match it.

Malvertising attacks are not new and have been around for a few years. Generally, criminals use ads on popular sites or networks, such as Spotify or Facebook, to spread malware. They place an ad with the network, then change the code in the ad so that it exploits flaws in the browser, which lets them inject malware onto the user's computer.

To protect yourself against these attacks, it is recommended to run malware detection software (Sophos is distributed free to MIT users) and to make sure your browser is up to date with the latest security patches. Another option is to filter sites based on their potential threat level. Browser plug-ins such as AdBlock and Webutation can block ads and warn users when they visit a site known to host malware. These plug-ins are free and run on several browsers.

Read the full story in the news.

Home Depot Hit By Malware Similar to Target Breach

Security researcher Brian Krebs published information on his security blog yesterday about the cyber attack on Home Depot. Reportedly, the compromised credit cards were exposed through the same malware that exposed 40 million card accounts of Target customers in December 2013. He points to a new variant of the "BlackPOS" malware family, aimed at retailers, which can steal credit and debit card data from the physical memory (RAM) of point-of-sale devices.
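A RAM scraper works because card data passes through a point-of-sale process in clear text for a moment, in the magnetic-stripe track layout, before it is encrypted for the payment processor. The scraper reads process memory, looks for the Track 2 pattern (a PAN, `=`, expiry and service code) and keeps only hits that pass the Luhn check, which weeds out random digit runs. The block below is an added example, not BlackPOS code or anything from Krebs's post: it applies that same pattern check to a constructed memory buffer, the way a forensic analyst would scan a memory dump of a POS host. The card numbers are public test numbers, and the buffer contents are made up.

```python
import re

# Track 2 as it sits in reader output and POS memory:
#   ;<PAN 13-19 digits>=<YYMM expiry><3-digit service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed "memory" contents: spooler noise, one Luhn-valid Visa test PAN,
# a decoy digit run that fits the layout but fails Luhn, and a Mastercard test PAN.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"PRINTER SPOOL 0x3f ITEM 2 TOTAL 19.99\x00"
    + b";4111111111111111=15121011000012345678?"
    + b"\x00" * 8
    + b";1234567890123456=1601101?"
    + b"\x00" * 4
    + b";5500000000000004=1703101?"
    + b"\x00" * 32
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so an analyst can attribute the hit without
    copying full card numbers into a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes):
    """Return every Luhn-valid Track 2 record found in buf, with its offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # layout matched but the digits are not a real PAN
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Running this over a real memory image of a POS terminal is a quick way to confirm whether track data was ever exposed in clear text, regardless of which malware family did the scraping; the decoy record shows why the Luhn filter matters, since a layout-only match would flood a report with false positives.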

If this information is true, it could mean the same group was responsible for both breaches. Credit card numbers allegedly stolen from Home Depot have appeared on an underground cybercrime shop known as Rescator, which has also been seen selling cards stolen in the Target breach. According to Krebs, the people involved harbor anti-American sentiments.

Read the story in the news.

GameOver Zeus P2P Malware

GameOver Zeus (GOZ), a peer-to-peer variant of the Zeus family of bank credential-stealing malware first identified in September 2011, uses a decentralized network of compromised personal computers and web servers for command and control.

Criminals used the malware to infect victims with ransomware such as Cryptolocker. Although the government has taken control of GameOver's servers, preventing further Cryptolocker infections, many computers, perhaps hundreds of thousands, remain infected.

Systems at risk:

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

The US government recently released this technical advisory on GOZ to provide further information. A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

One of the solutions provided in the advisory is to use and maintain anti-virus software. The software supplied by Information Systems & Technology at MIT, Sophos Anti-Virus, protects against this malware. To clean up a computer already infected, Sophos also offers a separate, free Virus Removal Tool.

Read more at Sophos online.

Hackers Lurk in the Strangest Places

When hackers were unable to gain access to Target's records through its main systems, they got in by way of the contractor that maintained its heating and cooling system. In other cases, hackers have used printers, thermostats, video-conferencing equipment and a Chinese takeout menu.

A Chinese takeout menu? Yes, when hackers couldn't breach the computer network at a big oil company, they planted malware in the online menu of a Chinese restaurant that was popular with the oil company's employees. When workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business's network.

Companies that are doing everything possible to seal up their systems now have to look in the unlikeliest places for vulnerabilities. The situation has grown increasingly complex and urgent. Network access is granted to all kinds of other computerized systems and services, including heating, ventilation and air-conditioning controls, billing and expense systems, health insurance providers and even vending machines.

While companies often employ security researchers to find such weak points, doing so is becoming as difficult as finding a needle in a haystack.

Read the full story online.

The Story Behind the Breach at Target

An in-depth article and accompanying video explain how Target stores were breached and their systems infected with malware, leading to one of the biggest data thefts in retail history. According to the investigation conducted after the theft was discovered, Target employees failed to respond to several alerts raised by their security system, supplied by FireEye. Had Target security staff responded appropriately to the alarms, they could have prevented the transmission of the stolen credit card data.

Even without human intervention, the breach could have been stopped, according to the article. "The system has an option to automatically delete malware as it's detected. But according to two people who audited FireEye's performance after the breach, Target's security team turned that function off." Disabling that option is not unusual, but it puts pressure on a team to find and neutralize the infected computers quickly.

It was clear, according to the article, that Target was getting warnings of a serious compromise; even the company's Symantec antivirus system identified suspicious behavior over several days around Thanksgiving, pointing to the same server that FireEye had flagged.

Read the full story on

OUCH! Newsletter: What is Malware?

This month's issue of OUCH!, the monthly security awareness newsletter for computer users from SANS, explains what malware is, who develops it and why, and how to protect yourself against it.

You can download or view a copy online here:
