Internet threat news

Kovter is a Trojan specifically designed to exploit advertising campaigns. Often referred to as click or advertising fraud, the Trojan is used to hijack Web browser sessions in order to simulate a victim’s machine clicking on advertisements to generate advertising revenue for the hackers behind the malware campaign. A well-known malware security researcher who calls himself Kafeine first discovered the latest version of this threat. Kafeine specializes in tracking and studying drive-by download attacks that rely on exploit kits to find vulnerabilities in popular Web browser plug-ins including Adobe Flash Player, Adobe Reader, Microsoft Silverlight, and Java. According to Kafeine, the latest version of Kovter is being distributed using multiple exploit kits that are designed to capitalize on zero day vulnerabilities found within the browser plug-ins mentioned above.

Back in June, security researchers discovered that the source code for both the building tool and control panel of ZeusVM had been leaked to the public. This leak means that anyone can build a Zeus-powered botnet without any programming knowledge. Initially, the leak was kept secret as security researchers from Malware Must Die (MMD) worked to keep these files from becoming widely available. Unfortunately, the leaked source code spread faster than the researchers could have imagined and as a result, MMD made information about the leak publicly available in an effort to alert security professionals around the world about this concerning threat. ZeusVM, sometimes also known as KINS, is a banking Trojan that works by hijacking the Web browser process. Once this process has been hijacked, the Trojan can modify and/or steal information being exchanged between the infected client machine and the server hosting the secure session.

Hackers often rely on compromised websites as a way to host and distribute malicious software via drive-by download attacks. A drive-by download uses an exploit kit to exploit known vulnerabilities in popular Web browser plugins including Java, Silverlight, and Adobe Flash. Recently, security researchers discovered a group of cybercriminals that have chosen to take a different path. By exploiting vulnerable wireless routers, these criminals have found a way to distribute the notorious Dyre malware strain without the need for compromised websites to deliver the payload. Dyre, which is also known as Dyreza and Battdil, is typically installed by a payload-carrying Trojan that modern antivirus software detects as “Upatre.”

As PC users become increasingly vigilant when it comes to protecting themselves from a constant onslaught of malware threats, hackers keep coming up with clever new ways to sneak past antivirus solutions and install malware on PCs around the world. In addition to creating new ways of distributing malware, hackers have also become increasingly adept at preventing security researchers from reverse engineering many new strains of malware by using a series of basic checks on an infected system to ensure it isn’t a sandbox analysis environment. A new form of malware, known as Stegoloader, combines a new way to deliver its malicious payload with anti-detection tools that have made it difficult for security researchers to figure out exactly how it works.

A powerful computer worm known as Duqu 2.0 has been recently discovered in the networks of three hotels used to host the P5+1 negotiations. These negotiations included representatives from the US, UK, France, Germany, China, and Russia and were created to discuss Iranian nuclear capabilities over the last year and a half. Although the official Kaspersky report does not name the hotels in question, it is believed that this worm was deployed by a state-sponsored Israeli campaign in an attempt to gather sensitive intelligence as it relates to the nuclear talks and anything else of relevance that the worm was able to gather in the process. Although a direct link to an Israeli sponsored campaign cannot be proven at the time of this writing, it’s worth pointing out that just this past March, the US Government accused Israel of spying on the negotiations and using the intelligence gathered to persuade Congress to undermine the talks.

The venerable Zeus banking Trojan has been killed off many times; disappearing from the global Internet time and time again only to reappear with new modifications designed to improve the powerful malware’s features while avoiding modern detection software. Zeus has been used by cybercriminals around the world to orchestrate massive malware campaigns that have been responsible for millions of dollars in stolen funds over the last several years.

Ransomware was a big threat to PC users around the world in 2014 and although a few ransomware variants have made headlines this year, there could be a massive increase in the number of ransomware campaigns during the next several months thanks to a new, free tool available for anyone to download. This program, known as Tox, was created and released by a hacker who has yet to be identified. Essentially, Tox is a ransomware-as-a-service kit. While similar kits have been made available to wannabe hackers in the past, most of these kits cost money to get started. Tox, on the other hand, does not charge users for its service - at least not up front. Rather than charge an upfront fee for ransomware creation, the creator of Tox opted to offer the service for free; choosing instead to charge a 20% fee on any success ransom attempts created using Tox.

According to Microsoft, the User Account Control (UAC) security feature built into all modern Windows OS release is designed to help defend your PC against both hackers and malicious software. Whenever a program attempts to make a change to the PC, UAC notifies the user and asks for permission. When this occurs, users can allow the changes, decline the changes, or click a button that displays additional details about the program attempting to make the change and what specific changes the program is attempting to make. Unfortunately, many people simply choose ‘Yes’ without clicking the ‘Show details’ button first and this is exactly how a new proof-of-concept malware known as ShameOnUAC deceives victims. In most cases, UAC works very well. It often stops potential malware threats by not allowing installed malware to make any significant changes to the PC without the consent of the user. Of course, like most other PC security considerations, effectively using UAC means that the user must know when to allow changes via the privilege escalation prompt and when to decline these changes (i.e. when an unknown program attempts to make changes via the UAC prompt).

Over the last several months, there has been a flood of exploits targeting commonly used encryption standards. These standards, which were designed to secure server-client sessions from man-in-the-middle attacks, are used by websites around the world. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic security measures that were created to protect sensitive data transmissions across computer networks. The Heartbleed bug, which affected millions of websites using the OpenSSL protocol, was the first major cryptographic vulnerability to make headlines. Then it was POODLE. Then came FREAK. All of these vulnerabilities allowed hackers to hijack secure Web sessions – providing these hackers with the opportunity to steal sensitive personal information (often without the victim knowing anything was wrong until it was too late).

Perhaps the most dangerous banking Trojan to emerge since the takedown of the Gameover Zeus botnet last summer, the Dyre banking Trojan has been credited with millions of dollars in losses around the world. Although most modern antivirus suites detect the original version of Dyre as of this writing, hackers have been working to update the banking Trojan in an effort to squeeze additional financial gain out of this powerful malware variant. Security researchers from Seculert recently discovered a new version of Dyre in the wild that is capable of avoiding sandbox detection tools. While this may seem like a complicated programming trick, the mechanics behind this evasion technique are really quite simple. Once installed on a PC, this new version of Dyre checks to see how many processor cores the infected machine is running.

A security researcher from Web security firm Sucuri recently discovered a cross-site scripting (XSS) vulnerability present in every default installation of WordPress, a popular content management system (CMS) used by millions of websites around the world. The vulnerability, which is part of the default WordPress Twenty Fifteen theme, is a DOM-based (Document Object Model) flaw. DOM is responsible for the rendering of images, text, links, and headers within a Web browser. The vulnerability is the result of an insecure file within the 'Genericons' package that allows the DOM environment of the victim's browser to be modified by hackers.

Security researchers recently discovered a new strain of malware that uses unique – and somewhat extraordinary – measures to avoid detection and analysis. Known as Rombertik, this malware strain is unique even among other forms of self-destructing malware due to its unusual evasion techniques. Once Rombertik detects any analysis tool on the infected machine, it immediately attempts to delete the PCs Master Boot Record (MBR) and all home directories. This puts the machine in a constant reboot loop – essentially making the computer unusable. This complex piece of malware collects data about everything a user does online in an attempt to obtain login credentials and other sensitive information.

In a report issued by security firm FireEye last October, a group of hackers known as APT28 has been secretly targeting government organizations around the world in an attempt to gather as yet unknown information in a campaign with its roots in Russia. Specifically, FireEye was able to determine that APT28 has an apparent government sponsor located in Moscow. Unlike many of the China-based threats that have made recent headlines, the hackers of APT28 do not appear to be seeking financial gain from the intellectual property stolen during a breach.

Last week, this blog reported on a dangerous strain of malware, known as PoSeidon that is targeting the POS systems of small retailers including bars and restaurants. A recent report issued by security firm Trustwave indicates that yet another malware variant specifically targeting POS systems has been spotted in the wild. This malware, known as Punkey, appears to have evolved from the recently discovered “NewPOSthings” family of malware first discovered by researchers from Arbor Networks. While the discovery of Punkey is the topic of this article, it’s worth pointing out that TrendMicro recently detailed the discovery of multiple malware strains based on the NewPOSthings source code.