Malware Could Be Using Legitimate Signature Certificates

When it comes to installing software on your computer, we often have to take it on faith that the software is safe to use. One safeguard is code signing: a publisher signs its software with a certificate issued by a certificate authority, and the resulting digital signature tells your computer that a named, vetted company produced the file. A group known for creating malware appears to have found a way around this system, as some of their malicious programs carry signatures made with legitimate certificates.

Because the certificates are legitimate, your computer trusts the software and installs it without further hassle; the problem is that the software is anything but safe and is, in fact, malware. According to Symantec, the group known as Suckfly has used no fewer than nine different signing certificates belonging to nine different companies since 2014.

Grouping the malware it found by purpose, Symantec identified 11 of the tools as backdoors that give the attackers remote access to an infected system. Others log and collect information from the machine, and some include port-scanning functionality that examines the surrounding network for further systems that could be reached.

With stolen certificates now being used to sign malware, and the practice becoming common among malware creators, a valid signature on its own no longer proves that software is legitimate: it shows only that whoever held the signing key signed the file. The question is whether we need other ways of checking software, or at least of tracking which signers can still be trusted once a certificate is known to have been stolen.
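The point above is that a cryptographically valid signature only proves who held the key. The following is an added example written for this page, not Symantec's code or anything Suckfly used, modelling in Python the policy a verifier such as Windows Authenticode applies once the signature maths checks out. In particular it shows why a stolen certificate has to be revoked with an effective date at or before the theft: timestamped signatures made before the revocation date stay valid, so revoking "as of today" leaves the attacker's earlier signatures trusted. The cryptographic verification itself is assumed done elsewhere (the `verifies` flag), and every thumbprint, company name and date is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Verdict(Enum):
    TRUSTED = "trusted"
    REJECT_UNSIGNED = "unsigned or signature does not verify"
    REJECT_OUT_OF_VALIDITY = "signed outside the certificate's validity window"
    REJECT_REVOKED = "signed on or after the certificate's revocation date"
    REJECT_BLOCKLISTED = "signer thumbprint is explicitly distrusted"


@dataclass(frozen=True)
class SignerCert:
    thumbprint: str                          # hash of the DER certificate (constructed value below)
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_from: Optional[datetime] = None  # effective date carried by the CRL/OCSP entry, if revoked


@dataclass(frozen=True)
class Signature:
    verifies: bool                         # hash matches and chain builds to a trusted root (checked elsewhere)
    signer: SignerCert
    timestamp: Optional[datetime] = None   # countersignature time from a timestamp authority, if present


def evaluate(sig: Signature, blocklist: frozenset, now: datetime) -> Verdict:
    """Policy layer only; assumes the cryptographic result is already in sig.verifies."""
    if not sig.verifies:
        return Verdict.REJECT_UNSIGNED
    cert = sig.signer
    # A local blocklist by thumbprint works whatever the CA did or did not do.
    if cert.thumbprint in blocklist:
        return Verdict.REJECT_BLOCKLISTED
    # A trusted countersignature pins the signing time; without one the verifier can only
    # reason about "now", so un-timestamped signatures die with the certificate.
    signing_time = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= signing_time <= cert.not_after):
        return Verdict.REJECT_OUT_OF_VALIDITY
    # Revocation only bites signatures made at or after the revocation's effective date.
    if cert.revoked_from is not None and signing_time >= cert.revoked_from:
        return Verdict.REJECT_REVOKED
    return Verdict.TRUSTED


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def scenario() -> dict:
    """Constructed timeline: a vendor's key is stolen in late 2014 and used to sign malware
    in 2015; the theft is only discovered in March 2016."""
    now = _utc(2016, 3, 20)
    theft_date = _utc(2014, 12, 1)
    thumb = "aa11" * 10  # constructed thumbprint

    # Revoked "as of today": what happens if nobody tells the CA when the key leaked.
    revoked_today = SignerCert(thumb, "CN=Example Vendor Ltd",
                               _utc(2014, 1, 1), _utc(2017, 1, 1), revoked_from=now)
    # Revoked as of the theft date: the right response to a compromised key.
    revoked_at_theft = SignerCert(thumb, "CN=Example Vendor Ltd",
                                  _utc(2014, 1, 1), _utc(2017, 1, 1), revoked_from=theft_date)

    malware_ts = _utc(2015, 3, 1)   # attacker signed and timestamped after the theft
    legit_ts = _utc(2014, 6, 15)    # vendor's own release, before the theft

    return {
        # Revocation dated today does nothing against the timestamped malware signature.
        "malware_revoked_today": evaluate(Signature(True, revoked_today, malware_ts), frozenset(), now),
        # Backdating the revocation to the theft date kills it...
        "malware_revoked_at_theft": evaluate(Signature(True, revoked_at_theft, malware_ts), frozenset(), now),
        # ...while the vendor's genuine pre-theft releases keep working.
        "legit_revoked_at_theft": evaluate(Signature(True, revoked_at_theft, legit_ts), frozenset(), now),
        # A defender can distrust the thumbprint locally without waiting for the CA.
        "malware_blocklisted": evaluate(Signature(True, revoked_today, malware_ts), frozenset({thumb}), now),
        # An un-timestamped signature is judged at "now" and fails once the cert expires.
        "untimestamped_after_expiry": evaluate(Signature(True, revoked_today, None), frozenset(), _utc(2018, 1, 1)),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28s} {verdict.value}")
```

The practical consequence for a defender is the `malware_revoked_today` case: after a theft like the ones described above, check the revocation's effective date rather than assuming "revoked" means "blocked", and keep a local blocklist of the stolen thumbprints in the meantime.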


Shape-Shifting ‘Beebone’ Malware Taken Down by Europol and the FBI

It looks like a shape-shifting piece of malware, able to change its identity up to 19 times a day to avoid detection, has been put to rest by Europol's European Cybercrime Centre and the FBI.

The malware, dubbed ‘Beebone’, is said to have controlled 100,000 computers at its peak back in September 2014 and was used to download other programs onto infected computers. It is estimated to have 12,000 victims, who are now being asked to clean up their PCs using up-to-date anti-malware and anti-virus programs.

Beebone is said to have downloaded password stealers, ransomware, rootkits and programs designed to take down legitimate websites onto the affected computers.

“Beebone is highly sophisticated. It regularly changes its unique identifier, downloading a new version of itself, and can detect when it is being isolated, studied, or attacked,” Raj Samani, Intel Security Chief Technology Officer, stated. “It can successfully block attempts to kill it.”

Almost 100 .net, .com and .org domains have been ‘sinkholed’ by the Joint Cybercrime Action Taskforce: their DNS entries now point at servers under the investigators' control, so the infected machines' requests for further instructions go to the taskforce instead of to the attackers.

The FBI also assisted in redirecting the traffic for most of the domains, since most of them were operated from the United States.
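What the investigators do with a sinkhole is also something a network owner can do with their own resolver logs: once the command domains are known, any host that still asks for them is an infected machine that needs cleaning. The following is an added example, not part of the BBC report or the taskforce's tooling, in Python. It scans constructed BIND-style query-log lines for lookups of a constructed list of sinkholed domains (the article does not name the real ones) and builds the kind of per-host victim list the taskforce handed to ISPs. The domain names, client addresses and log lines are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins for the sinkholed command domains; the real list is not public here.
SINKHOLED_DOMAINS = {"c2-updates.example.com", "beacon.example.net", "tasks.example.org"}

# Constructed resolver log lines in BIND querylog style (one internal resolver, several clients).
QUERY_LOG = """\
09-Apr-2015 08:12:01.104 client 10.20.1.15#51234 (www.bbc.co.uk): query: www.bbc.co.uk IN A + (10.20.0.53)
09-Apr-2015 08:12:03.771 client 10.20.1.15#51240 (c2-updates.example.com): query: c2-updates.example.com IN A + (10.20.0.53)
09-Apr-2015 08:15:44.002 client 10.20.3.77#40011 (x7.beacon.example.net): query: x7.beacon.example.net IN A + (10.20.0.53)
09-Apr-2015 09:01:10.550 client 10.20.1.15#51301 (tasks.example.org): query: tasks.example.org IN TXT + (10.20.0.53)
09-Apr-2015 09:30:00.000 client 10.20.9.9#33333 (example.org): query: example.org IN A + (10.20.0.53)
09-Apr-2015 09:31:00.000 client 10.20.3.77#40012 (beacon.example.net): query: beacon.example.net IN A + (10.20.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_sinkholed(qname: str, sinkholed: set) -> bool:
    """True for the sinkholed name itself or any host beneath it; a parent domain
    that merely shares a suffix (example.org vs tasks.example.org) does not match."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def find_suspected_victims(log_text: str, sinkholed: set) -> dict:
    """Return {client_ip: {"first_seen": datetime, "queries": int, "domains": [..]}}
    for every client that looked up a sinkholed domain."""
    victims = defaultdict(lambda: {"first_seen": None, "queries": 0, "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_sinkholed(m["qname"], sinkholed):
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        entry = victims[m["client"]]
        entry["queries"] += 1
        entry["domains"].add(m["qname"].rstrip(".").lower())
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    # Freeze the sets into sorted lists so the report is stable and easy to diff.
    return {ip: {**v, "domains": sorted(v["domains"])} for ip, v in victims.items()}


def format_report(victims: dict) -> str:
    """One line per suspected victim, the shape an ISP or helpdesk would act on."""
    lines = []
    for ip in sorted(victims):
        v = victims[ip]
        lines.append(f"{ip}\tfirst seen {v['first_seen']:%Y-%m-%d %H:%M:%S}\t"
                     f"{v['queries']} lookups\t{', '.join(v['domains'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_suspected_victims(QUERY_LOG, SINKHOLED_DOMAINS)))
```

The subdomain match in `is_sinkholed` matters for a family like Beebone that keeps changing: the hostnames under a command domain vary, but they all resolve through the same registered domain, which is what gets sinkholed.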

However, sinkholing is not a permanent solution. This is why Paul Gillen, head of operations at the European Cybercrime Centre, urges the agencies involved to find those responsible and bring them to justice.

“We can’t sinkhole these domains forever. We need those infected to clean up their computers as soon as possible.” Paul Gillen told the BBC.

Even if the attackers were in custody, the malware would still be out there on unsuspecting victims’ PCs. This is where Raj Samani comes in, stating that those who have the malware “will be notified by their internet service provider”.

ISPs in each affected country will be handed a list of suspected victims to contact by the task force. Free removal tools have also been issued by security software firms including F-Secure, Trend Micro, Symantec and Intel Security.

Thank you BBC for providing us with this information

Symantec Uncovers Tricky ‘Regin’ Malware

Anti-virus company Symantec has identified a serious piece of malware named ‘Regin’. According to PC World, this nasty piece of work was most likely developed by a nation state and has been used to spy on governments, infrastructure operators, businesses, researchers and private individuals as far back as 2008.

Symantec released a statement on Sunday alongside a technical paper about the malware. Infections are said to span 10 countries, including Russia, Saudi Arabia, Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan, and Symantec had the following to say: “Regin displays a degree of technical competence rarely seen”. It’s interesting to note that the UK, Australia and the USA are not on this list.

Worried for your own safety? You probably shouldn’t be. Up until this news was uncovered and spread across the globe, you hadn’t been affected by it personally, so why would you be now? We’re not trying to partake in any ‘big news’ fear mongering, don’t worry. However, if you’re the president of one of the countries listed above, then maybe you should take a knee and listen. A very select target audience, I know.

It’s reported that the first version of Regin was used to spy on multiple organisations from 2008 to 2011, after which it was withdrawn; a reworked version resurfaced in 2013. Symantec also claims that nearly half of the systems found infected with Regin belong to private individuals and small businesses.

Symantec describes Regin as a back-door Trojan that is “customizable with an extensive range of capabilities depending on the target” and says that “it provides its controllers with a powerful framework for mass surveillance”, adding that “its authors have gone to great lengths to cover its tracks.”

We’ll continue to report as the story develops.

Image courtesy of Techtimes

More Than One Thousand Power Plants Found Compromised by Unknown Cyberattack

With secret-service cyber conspiracies and cyberattacks being the major topics nowadays, the latest news points to another cyberattack, this one aimed at more than one thousand power plants worldwide.

Symantec, a company specialising in security software, has uncovered a malware campaign run by a group called Dragonfly that gave the attackers remote access to computer systems at various power plants. Symantec stated that the group has so far used the malware only to spy on its victims, although serious damage could have been done as well.

Some 1,018 organisations across 84 countries are stated to have been infected, spanning grid operators to gas pipelines. Dragonfly’s command servers were later found to be based in Eastern Europe, leading to the conclusion that the group is of Russian origin. They reportedly used techniques ranging from watering-hole attacks to campaigns targeting component manufacturers, whose software downloads were compromised so that infections took hold in any downstream system that installed them.

Comparison of the infected systems with earlier attacks on industrial control systems has drawn parallels with Stuxnet, the sophisticated worm widely attributed to the US that damaged Iran’s uranium enrichment centrifuges back in 2010. Up to this point, the real purpose of this major cyberattack remains unclear.

Thank you The Verge for providing us with this information
Image courtesy of Picture-Newsletter

Microsoft Is Leading PC Anti-Virus Vendor According To Report

New research figures from software and IT solutions company OPSWAT suggest that Microsoft dominates the desktop and laptop anti-virus markets with its free Microsoft Security Essentials offering. Microsoft holds an impressive 25.4% of the market with all its products combined, though this is mainly made up of MSE and Windows Defender. Microsoft is followed closely by Avast, who rack up an impressive 23.6%, mainly through their free anti-virus offering. AVG, Symantec, ESET, Avira and Kaspersky also made the list, with market shares between 6.5% and 8.3%.

In terms of individual programs, Avast leads the way with its free antivirus, followed closely by MSE. Windows Defender, Avira and AVG come in third, fourth and fifth respectively, meaning the entire top five is made up of free anti-virus products, which is hardly surprising. The leading paid anti-virus solutions are produced by ESET, Kaspersky, Norton, Avast and AVG, in that order.

For more details and in depth graphs on the current state of the PC anti-virus market, see here.

Image courtesy of OPSWAT

New Report Says Google Glass Is Vulnerable To WiFi Hijacking

According to Symantec there is a major flaw in Google Glass, and we all know that a flaw in glass means something is going to shatter sooner or later. Symantec found a potentially dangerous and simple way of attacking a Glass device, and it’s much the same technique that was earlier found capable of wiping an Android-based smartphone: QR codes.

Simply by photographing a QR code, something many of us do without a second thought, the device could be made to silently connect to a malicious WiFi access point encoded in that QR code, which from that point on leaves you with a compromised device, and it’s all potentially downhill from there.

Once you are on the attacker’s access point, they can monitor your traffic (and read anything not sent over an encrypted connection), redirect you to malicious websites, or worse. So what is being done about this? Everything, actually: Google has already fixed the problem, but it goes to show that, as popular as the device is becoming, it’s far from perfect and there will be people out there looking for new ways to manipulate it.
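As an added example, not code from Symantec, Google or the original article, the Python below parses the `WIFI:` payload convention that Android-style QR scanners use for network configuration (assumed here to be the form Glass accepted; the field names `S`, `T`, `P`, `H` and the backslash escaping are that convention's) and applies a join policy that never silently connects. Open and WEP networks are refused, a QR code that changes the password of an already-saved SSID is refused as an evil-twin pattern, and anything else is shown to the user before joining. The SSIDs and passwords are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WifiConfig:
    ssid: str
    auth: str                  # "WPA", "WEP" or "NOPASS"
    password: Optional[str]
    hidden: bool


def _split_fields(body: str) -> List[Tuple[str, str]]:
    """Split 'K:v;K:v;;' into (key, value) pairs, honouring backslash escapes
    so an SSID such as 'Caf;e' cannot break out of its field."""
    fields, key, buf, i, terminated = [], None, [], 0, False
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped reserved character
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == ":" and key is None:           # first ':' ends the key
            key, buf = "".join(buf), []
        elif ch == ";":
            if key is None and not buf:         # the terminating ';;'
                terminated = True
                break
            fields.append((key or "", "".join(buf)))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if not terminated:
        raise ValueError("payload is not terminated with ';;'")
    return fields


def parse_wifi_qr(payload: str) -> WifiConfig:
    """Parse the text decoded from a QR code; raises ValueError on anything malformed."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: configuration payload")
    kv: Dict[str, str] = dict(_split_fields(payload[len("WIFI:"):]))
    ssid = kv.get("S", "")
    if not ssid:
        raise ValueError("missing SSID")
    auth = (kv.get("T") or "nopass").upper()
    if auth not in ("WPA", "WEP", "NOPASS"):
        raise ValueError(f"unknown auth type {auth!r}")
    password = kv.get("P") or None
    if auth != "NOPASS" and password is None:
        raise ValueError("secured network without a password")
    return WifiConfig(ssid, auth, None if auth == "NOPASS" else password,
                      kv.get("H", "").lower() == "true")


def join_policy(cfg: WifiConfig, saved: Dict[str, str]) -> Tuple[str, str]:
    """Decide what a device should do with a network scanned from a QR code.
    `saved` maps SSIDs the user already configured to their passwords.
    Returns (action, reason) with action in {'refuse', 'prompt', 'join'}."""
    if cfg.auth == "NOPASS":
        return "refuse", "open network: any nearby AP with this name can read your traffic"
    if cfg.auth == "WEP":
        return "refuse", "WEP offers no real protection; treated as open"
    if cfg.ssid in saved:
        if saved[cfg.ssid] == cfg.password:
            return "join", "already-saved network with unchanged credentials"
        return "refuse", "QR code tries to change the password of a saved network (evil-twin pattern)"
    return "prompt", "new network: display the SSID and require confirmation before joining"


def scan_and_decide(payload: str, saved: Dict[str, str]) -> Tuple[str, str]:
    """The whole path from decoded QR text to decision; malformed payloads are refused."""
    try:
        cfg = parse_wifi_qr(payload)
    except ValueError as exc:
        return "refuse", f"malformed payload: {exc}"
    return join_policy(cfg, saved)


if __name__ == "__main__":
    saved_networks = {"HomeNet": "hunter2"}  # constructed
    for qr in ("WIFI:T:nopass;S:FreeAirportWiFi;;",
               "WIFI:T:WPA;S:HomeNet;P:hunter2;;",
               "WIFI:T:WPA;S:HomeNet;P:attacker;;",
               "WIFI:T:WPA;S:CoffeeShop;P:latte;;"):
        print(qr, "->", scan_and_decide(qr, saved_networks))
```

The "saved SSID, different password" case is the one worth noting: a QR code that reuses a network name the user trusts, paired with the attacker's own password, would otherwise hand the device straight to a look-alike access point.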

There is still a risk of this kind of attack, unfortunately, but that is true of any WiFi-capable device you own: fake networks, unmonitored open networks and other rogue access points are out there to lure you in, so a little care is needed, though in some cases it’s impossible to know whether a network is safe.

Thankfully Google is taking steps to secure the Glass device, and it’s great to see development continuing to push forward, but online security, especially on public WiFi, will always be a dice roll for many end users.

Thank you Xbitlabs for providing us with this information.