Written by Karolis Liucveikis on
Within this obfuscated code is a downloader that contacts multiple domains as a way to install Kovter or Miuref, both notorious click-fraud malware variants. To make these spam emails look legitimate and to propagate a feeling of urgency, most of these messages are about bogus court appearances, toll charges, and delivery notices. Kovter is a Trojan specifically designed to exploit advertising campaigns.
Often referred to as click or advertising fraud, the Trojan is used to hijack Web browser sessions in order to simulate a victim’s machine clicking on advertisements to generate advertising revenue for the hackers behind the malware campaign.
Miuref is similar to Kovter in that it is also specifically designed to create advertising revenue for the hackers behind the campaign by creating fake ad clicks that are generated from the victim’s PC. Once installed via a spam email attachment, Miuref downloads and installs additional components including the encrypted payload of the Trojan. This file can be identified because it has a specific file extension ending in one of the following: “.dat”, “.lck”, “.idx”, and “.txt”. Miuref modifies the Windows registry to ensure that the Trojan runs every time the victim logs onto the infected PC. If either Firefox or Chrome are installed on the machine, Miuref also covertly installs an extension to one or both of the browsers.
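The persistence behaviour described above (a registry change so the Trojan runs at every logon, with the encrypted payload stored in a file ending in “.dat”, “.lck”, “.idx” or “.txt”) can be hunted for in a registry export. The script below is an added example, not code from the article or from any vendor: it parses the text of a Windows `.reg` export of the Run keys and flags autorun values whose command line references a file with one of those payload extensions. The export text, value names and paths are constructed for illustration; on a real machine the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`.

```python
"""Hunt Run-key entries that launch a non-executable payload file.

Added example (not from the original article). The registry export below is
CONSTRUCTED: every key, value name and path in it is invented for illustration.
"""
import re
from typing import Dict, List

# Extensions the article associates with Miuref's dropped payload file.
PAYLOAD_EXTENSIONS = ("dat", "lck", "idx", "txt")

# Constructed sample .reg export covering the HKCU and HKLM Run keys.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"wuapp"="regsvr32.exe /s \"C:\\Users\\alice\\AppData\\Roaming\\wuapp\\e7c1.dat\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchost32"="rundll32.exe C:\\ProgramData\\svc\\cfg.lck,Start"
'''

# A "[key]" header line in a .reg file.
_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# A string value: "name"="data", where data may contain \" and \\ escapes.
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# A drive- or %VAR%-rooted path ending in one of the payload extensions.
_PAYLOAD_PATH_RE = re.compile(
    r'(?:[A-Za-z]:|%[^%\s]+%)\\[^"<>|,]*?\.(?:' + "|".join(PAYLOAD_EXTENSIONS) + r')\b',
    re.IGNORECASE,
)


def _unescape_reg_string(value: str) -> str:
    """Undo .reg escaping: \\" -> " and \\\\ -> \\ (processed left to right)."""
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return every string value in the export as {key, name, command}."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match and current_key:
            entries.append({
                "key": current_key,
                "name": _unescape_reg_string(value_match.group(1)),
                "command": _unescape_reg_string(value_match.group(2)),
            })
    return entries


def find_suspicious_autoruns(text: str) -> List[Dict[str, str]]:
    """Flag Run/RunOnce values whose command references a payload-style file."""
    findings: List[Dict[str, str]] = []
    for entry in parse_reg_export(text):
        # Only autorun locations matter here (covers Run and RunOnce).
        if "\\currentversion\\run" not in entry["key"].lower():
            continue
        path_match = _PAYLOAD_PATH_RE.search(entry["command"])
        if path_match:
            findings.append({**entry, "payload_path": path_match.group(0)})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{hit['key']}] {hit['name']}: {hit['command']}\n"
              f"    -> launches payload file {hit['payload_path']}")
```

On the constructed sample, the two legitimate entries pass and the two values that launch a `.dat` or `.lck` file through `regsvr32.exe` or `rundll32.exe` are reported; a match is a triage lead, not a verdict, so the flagged file should be hashed and checked before removal.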
The Rowhammer vulnerability is a serious hardware-level threat that can be used to gain kernel privileges on multiple systems. The exploit relies on a physical property of certain dynamic random access memory (DRAM) chips.
Basically, when DRAM cells are packed closely together to increase capacity while shrinking size, an attacker can force electrical interactions between neighbouring cells and cause unwanted bit flips. The vulnerability gets its name because repeatedly accessing the same memory location (known as hammering a row of cells) can flip bits in adjacent rows, which can be turned into targeted privilege escalation. Rowhammer was first discovered in March by a team of Google researchers, but at the time the attack was considered a minor threat because it required native code, physical access to the target, and special instructions – all requirements that even the most adept attackers would have a hard time meeting in order to carry out this attack.
While many PC manufacturers have already started to release BIOS updates that defend against these attacks, full defense against Rowhammer is still months, if not years, away, and that does not even take into consideration the fact that this exploit can also be used against victims through common Web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer.
These threats, especially Rowhammer, are nothing to scoff at, although protecting your PC from either of them is relatively simple. First, never open emails or attachments from unsolicited sources, even if the emails seem legitimate at first glance. As always, ensure the OS and all third-party applications are regularly updated. Disable any Web browser plug-ins that are not absolutely necessary and keep antivirus software updated with the latest virus definitions. Both of these attacks rely on known exploits within the Windows OS and Web browser plug-ins, making them easy to defend against with basic PC maintenance and security.