Digital Security Update - February 2016
Recent Malware & Security Issues
Well, it’s been a few weeks since our last malware and security roundup and there’s been plenty of action in that time.
Before beginning, we should explain a few of the terms used in this post.
Exploit Kit: Software that probes a computer or system to see if it is vulnerable to any of the known or published vulnerabilities in applications or operating system files. Software vulnerabilities are documented in a number of locations, arguably the most complete and up to date is the CVE List (Common Vulnerabilities and Exposures). Hackers trawl this database of security issues to locate serious issues that could allow them to access a machine or inject malicious applications onto a machine. They target the most commonly installed applications, for example Internet Explorer or Flash Player. This technique works well as the hackers know many people don’t keep their software up to date and there will be un-patched machines they can attack. Even those without the skills to write their own exploits can acquire kits from the authors and make use of them in their own malware campaigns. As an example, here’s a link to vulnerabilities for Flash Player https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=flash+player
Drive-by Download: This occurs when someone visits a website that has been compromised and infected with an exploit kit. Once the user loads the webpage, the exploit kit begins scanning for vulnerabilities and if it finds any, will attempt to inject some malicious code to either allow the cyber-criminal access to the machine, install a virus or malware, or turn the machine into a mail zombie. This process can take less than a second.
Spear Phishing: So you are now saying to yourself, I’m not foolish enough to go visiting strange websites that might expose me to these kinds of risks… The perpetrators of these schemes are becoming more sophisticated and instead of generic “Click this link to claim your prize” emails, they use Social Media and other methods to discover information about each targeted victim. Bait emails may contain your name, company names you may have dealt with, possibly even the correct logos and details about recent online transactions (you may have mentioned in Facebook posts/Twitter Tweets etc). So rather than cast a wide net, the phishing is now individualised (aka the spear!).
You can see how these three work together to create an effective infection campaign.
Here’s some recent significant issues…
Jan 2016 – A critical vulnerability that allowed remote code execution (which means the attacker would be able to infect your machine with his own code). This was fixed in a January patch release from Microsoft. If you haven’t updated Silverlight recently, do it now.
Jan 2016 - Cyber-crims have been targeting Facebook users with phishing emails claiming there is an audible message waiting for them. The zip file attached to the email contains an executable file which, when opened, replicates itself onto the C: drive, places an entry in the auto-run and registry startup to spread the malware. The Trojan collects personal information such as usernames, passwords and bank or credit card information and sends them to the criminals.
Xbot Trojan for Android
Feb 2016 - This Trojan can be obtained through 3rd party application sites and attempts to steal financial data by producing fake login pages for various banking apps and also mimicking Google Plays payment page. It can also intercept and steal SMS message contents and contact details. Finally, it’s able to lock and encrypt a user’s files on external SD card storage. The lesson here is to only use the official Google Play app store.
Your Cloud storage isn’t as safe as you think
Feb 2016 – New ransomware known as Locky has been distributed using Word Docs attached to emails. Opening the document executes a Word macro which downloads the Locky ransomware which then proceeds to encrypt your files.
If you use a Cloud storage solution such as OneDrive, Google Drive or any of the multitude that provide autonomous file syncing between your machine and the Cloud, your ‘backup’ copy will not be safe in the event of a ransomware infection. As your local copy of the files is encrypted, the syncing service from these Cloud storage vendors will happily re-sync the new encrypted copy of the files to your Cloud storage account, making that copy as useless as your local copy. If you’ve ‘shared’ files with other users, their machines will also sync with the encrypted copy, leaving you with the option of paying a ransom or abandoning the data. While we are on the subject of ransomware, later generations of this malware are able to encrypt pretty much any file your machine can access, even network shares that don’t have drive letters assigned to them.
The only way to ensure a usable backup of your data is to store it somewhere you can’t access through your computers file system. I.e if you can navigate to it (or a sync-able copy of it) using File Explorer, then it’s not safe. Check our StoreSafe backup solution for as safe option.