When the threat research analysts here at Webroot recently started seeing malware swapping out legitimate components of Windows and replacing them with malware payloads, I couldn’t help but wonder what these malware authors were thinking.
After all, cybercriminals with a lick of sense know very well that messing with system files is dangerous juju. Such an act could, in the right (or should I say wrong) circumstances, render a PC inoperable, or at the very least, bogged down in crashes and instability. And for the authors of phishing malware, it would be incredibly thick-headed to do something to an infected system which might alert the user that something is wrong. After all, when it comes to stealing passwords, flying under the radar is the goal, otherwise the owner of the infected machine might hunt down the problem and remove the Trojan before it has a chance to do its work.
Well, it’s probably a good idea never to underestimate the stupidity of some malware authors. In the past four months, we’ve created new definitions for two phishing Trojans – Trojan-PWS-Mockworthy and Trojan-Phisher-Cassicant — that routinely replace system files with their own malicious payload. Removal is incredibly easy, but generates error messages on the system. That’s just annoying. The best news is, you don’t even need an antivirus product to restore a system file that’s been replaced in this way: A system sweep will remove the malicious components, and a service called Windows File Protection will find the correct system file on your Windows CD and replace it for you. Read on for some step-by-step instructions on just how to do that.
By now, you’ve most likely heard about how an ESPN reporter was victimized, and that a surreptitiously recorded video was distributed online. You may also have read that malware distributors were taking advantage of the high level of interest in this video to rapidly disseminate malware by convincing people to click links to malicious Web sites, including a fake CNN lookalike site, to watch said tawdry video.
Well, that first wave of malware was almost identical to the distribution we saw when Farrah Fawcett died a few weeks ago. Web surfers were urged to click a link to download a picture of the late actress, and instead received an executable file which dropped, then downloaded, additional malware. Graham Cluley, who works for Sophos, pretty much nailed the story on his blog.
In our own research, we found the same things going on that he did: The piece of malware he describes (which we call Trojan-Downloader-Dermo) primarily engages in massive clickfraud, in which affiliates of advertising networks are paid each time someone clicks an advertisement in their browser. The software, in this case, is directed to “click” through hundreds of ads per minute. Occasionally, those “ads” exploit vulnerabilities in the browser to foist more malware onto the victim’s machine.
But the malware distribution didn’t stop there. Seizing on the opportunity, another bunch of creep distributors of rogue antivirus products also began spreading the pain, using terms like “peephole video” to rank themselves high in search results. What we found was a rogue that not only lies about alleged infections on the victim’s computer, and features supposed endorsements from legitimate, respected technology publications — the award logos of PC World (and its UK counterpart PC Advisor), PC Magazine, and C|Net’s Computer Shoppergrace its website — but spreads via a PDF file which exploits a relatively recently-disclosed vulnerability in Adobe’s Acrobat Reader software.
This week it was impossible to escape the “big news” that Twitter got hacked. The French hacker, known as “Hacker Croll,” who made headlines back in May for a similar Twitter breach, was at it again. This time he managed to get his hands on at least 310 sensitive Twitter business documents by gaining access to an employee’s email account, subsequently using information found in that account to then access the employee’s Google Apps account to steal the confidential company documents. The hacker sent the documents to TechCrunch, who then chose to publish them along with an account of the breach.
This highly publicized breach got people talking, and ignited a wave of speculation about two things: first, about the security of passwords and how easy it is to guess the answer to someone’s security question based on publicly available information found on social media sites; and second, about the security of data stored “in the cloud” – in this case, Google Apps.
Oh no, the sky is falling!
Our data isn’t safe in the cloud!
On the second point, let’s not take this too far. This incident has little to do with the security of the cloud apps themselves. It is much more about the first point and the security practices that users of all Web sites and applications – whether they are banking sites, social media sites or cloud applications – should be employing in their day-to-day use.
The key learning end users should take from this incident is that password security is critical, both in terms of the passwords you choose as well as the amount of data you expose publicly through social media sites like Twitter and Facebook.
Twitter spells this out on its blog response and even Hacker Croll himself articulates that his intention is to teach people a lesson about the security holes in secret questions:
“What I would like to say is that even the biggest and the strongest do silly things without realizing it and I hope that my action will help them to realize that nobody is safe on the net. If I did this it’s to educate those people who feel more secure than simple Internet novices. And security starts with simple things like secret questions because many people don’t realise the impact of these question on their life if somebody is able to crack them.”
Webroot recently surveyed more than 300 email and Web security professionals about email management, compliance, archiving, encryption, spam, viruses, Web filtering and Web-based malware attacks. Our research shows that security practices and risk perceptions have evolved over the last year – the top three security concerns are email threat protection, data security/confidentiality and Web threat protection. Other highlights of the survey include:
Security professionals are clearly worried about insufficient resources for Web security– a potential result of the economic downturn.
The large number of organizations that were required to retrieve email for legal or compliance reasons within the last year indicates that email archiving services are becoming increasingly important.
Most companies experienced some type of negative impact due to Web-based threats over the last 12 months, ranging from server outages and disrupted business activities to compromised data or transactions.
23% of survey respondents experienced a data breach – which cost between $10,000 and $1 million:
Just two weeks ago, Heartland Payment Systems disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants in one of the largest breaches on record. This past April, the Virginia Department of Health Professions learned that its Prescription Monitoring Program (PMP) computer system had been accessed by an unauthorized user – who then demanded $10 million to return over 8 million patient records and 35 million prescriptions.
Every once in a while, you hear whispers or rumors about specially-crafted, targeted malware designed to steal a specific piece of data from a particular victim. The data thieves, in these limited cases, tend to be clever, thoughtful, and methodical in both the creation and deployment of their creations.
Rarely do malware researchers encounter these files. But it does happen occasionally, and I thought I had stumbled upon one of these kinds of spies a few weeks ago. It’s a peculiar Trojan horse which has been written not as a standard Windows application, but as an ObjectARX application — an application which can only run if you have AutoCAD, the engineering and design program from AutoDesk, installed on your PC.
Now, why do you suppose a malware author would write a Trojan that can only run on computers with AutoCAD; a Trojan that is so well designed that it prevents antivirus applications from running, and downloads specific, tailored updates for itself, depending on which version of AutoCAD the victim has on his or her PC?
Sounds a lot like a slick tool for corporate espionage, right? Well, not quite. Fark: It’s just another stupid adware client. We’re calling this dumb gimmick Trojan-Pigrig.