Cryptolocker Infects 250K Systems
DELL’s security research team has revealed that a new form of ransomware, dubbed “Cryptolocker” has managed to infect up to 250,000 devices, stealing almost a million dollars in Bitcoins.
“Based on the presented evidence, researchers estimate that 200,000 to 250,000 systems were infected globally in the first 100 days of the CryptoLocker threat,” Dell announced in a Secureworks post.
The firm worked out that if the Cryptolocker ransomware threat actors had sold its 1,216 total Bitcoins (BTC) that they collected from September this year, immediately upon receiving them, they would have earned nearly $380,000.
“If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication based on the current weighted price of $804/BTC,” Dell said.
Cryptolocker is unique when compared against your average ransomware. Instead of using a custom cryptographic implementation like many other malware families, Cryptolocker uses third-party certified cryptography offered by Microsoft’s CryptoAPI.
“By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent,” Dell said.
Conventionally, ransomware prevents victims from using their computers normally and uses social engineering to convince them that failing to follow the malware authors’ instructions will lead to real-world consequences. These consequences, such as owing a fine or facing arrest and prosecution, are presented as being the result of a fabricated indiscretion such as pirating music or downloading illegal pornography.
“Victims of traditional forms of ransomware could ignore the demands and use security software to unlock the system and remove the offending malware,” Dell explained. “Cryptolocker changes this dynamic by aggressively encrypting files on the victim’s system and returning control of the files to the victim only after the ransom is paid.”
Dell said that the earliest samples of Cryptolocker appear to have been released on 5 September this year. However, details about its initial distribution phase are unclear.
“It appears the samples were downloaded from a compromised website located in the United States, either by a version of Cryptolocker that has not been analysed as of this publication, or by a custom downloader created by the same authors,” Dell added.
Dell seems to think that early versions of Cryptolocker were distributed through spam emails targeting business professionals as opposed to home internet users, with the lure often being a ‘consumer complaint’ against the email recipient or their organisation.
Attached to these emails would be a ZIP archive with a random alphabetical filename containing 13 to 17 characters, containing a single executable with the same filename as the ZIP archive but with an EXE extension, so keep your eye out for emails that fit this description.
Adobe Reader Security Issue Found
McAfee has discovered a vulnerability in Adobe’s Reader program that allows people to track the usage of a PDF file.
“Recently, we detected some unusual PDF samples,” McAfee’s Haifei Li said in a blog post. “After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader.”
The affected versions of Adobe Reader also include the latest “sandboxed” Reader XI (11.0.2).
McAfee said that the issue is not a “serious problem” because it doesn’t enable code execution, however it does permit the sender to see when and where a PDF file has been opened.
This vulnerability could only be dangerous if hackers exploited it to collect sensitive information such as IP address, internet service provider (ISP), or even the victim’s computing routine to eventually launch an advanced persistent threat (APT).
McAfee said that it is unsure who is exploiting this issue or why, but have found the PDFs to be delivered by an “email tracking service” provider.
The vulnerability works when a specific PDF JavaScript API is called with the first parameter having a UNC-located resource.
“Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog,” Li said. “The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog.
“However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.”
McAfee said that it has reported the issue to Adobe and is waiting for their confirmation and a future patch. Adobe wasn’t immediately available for comment at the time of writing.
“In addition, our analysis suggests that more information could be collected by calling various PDF Javascript APIs. For example, the document’s location on the system could be obtained by calling the Javascript “this.path” value,” Li added.
Yahoo Messenger Flaw Exposed
December 10, 2011 by admin
Filed under Around The Net
Comments Off on Yahoo Messenger Flaw Exposed
An unpatched Yahoo Messenger vulnerability that allows hackers to change people’s status messages and possibly perform other unauthorized functons can be exploited to spam malicious links to a large number of users.
The flaw was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer’s report about unusual Yahoo Messenger behavior.
The flaw appears to be located in the application’s file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.
“An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the attacker,” said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender.
“Status changing appears to be only one of the things the attacker can abuse. We’re currently investigating what other things they may achieve,” he added.
Victims are unlikely to realize that their status messages have changed and if they use version 11.5 of Yahoo Messenger, which supports tabbed conversations, they might not even spot the rogue requests, Botezatu said.
This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites or to spam malicious links that point to drive-by download pages.
80% Of Browsers Found To Be At Risk Of Attack
Comments Off on 80% Of Browsers Found To Be At Risk Of Attack
About eight out of every ten internet browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said today.
The poor state of browser patching stunned Wolfgang Kandek, CTO of security risk and compliance management provider Qualys, which presented data from the company’s free BrowserCheck service Wednesday at the RSA Conference in San Francisco.
“I really thought it would be lower,” said Kandek of the nearly 80% of browsers that lacked one or more patches.
BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, including Adobe’s Flash and Reader, Oracle’s Java and Microsoft’s Silverlight and Windows Media Player.
When browsers and their plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component, depending on the month. In January 2011, about 80% of the machines were vulnerable. Read more….