Every 4 Seconds New Malware Is Born


New research data out today shows that the rate of new malware variants released by malicious attackers continues to break records. According to the G DATA SecurityLabs Malware Report, new malware types were discovered less than every four seconds and 4.1 million new strains were found in the second half of 2014, an increase of close to 125 percent over the first half. Over the course of the entire year, nearly 6 million new malware strains were discovered. This is a 77 percent increase over 2013.
The data shows that in the second half of 2014, Trojans still remained atop the categories tracked by G DATA researchers, but could be on pace to be supplanted by adware. Adware showed the highest rate of growth among all of the malware categories, at a rate of 31.4 percent. While the number of new downloaders was on the rise during the second half, adware's growth rate outpaced that rise to take over the number two spot on the malware category chart. Meanwhile, spyware increased in prevalence while backdoors decreased, putting them in the number four and five spot, respectively.
Interestingly, while rootkits ranked ninth in the categories list, the second half of the year saw a huge spike in their prevalence. The report showed that there were 18 times more new variants than in the first half of 2014.
Specifically within the Trojan market, researchers reported that the second half of the year was novel in that there were no significant innovations compared to previous years.
"In the past, more and more new Trojans have been appearing very quickly in this sector over the years, with new groups in the background using new attack methods. However, in recent months there have been few changes to report," the study said, explaining that in spite of this the volume of attacks is still rising. According to G DATA, the number of banking Trojan attacks rose by 44.5 percent.
The authors speculated that the banking Trojan market seems to have consolidated due to a number of reasons.
"Improved security measures by banks are making it more and more difficult for online bank robbers to get money from bank customers," explains Ralf Benzmüller, head of G DATA SecurityLabs.
Some of the factors at play include an increase of criminal prosecutions against attackers, improved two-factor authentication measures and greater dependence by banks on anomaly detection to reduce fraud. As researchers explained, there's an increased risk for criminals and fraud takes more effort for lower yield. There's also a higher barrier to entry as attacks take "a certain amount of expertise and infrastructure" to carry out.


High-level, state-sponsored Naikon hackers exposed

The activities of yet another long-running apparently state-sponsored hacking crew have finally been exposed.

The Naikon cyber-espionage group has been targeting government, military and civil organisations around the South China Sea for at least five years, according to researchers at Kaspersky Lab.
The Naikon attackers appear to be Chinese-speaking and chiefly interested in top-level government agencies and civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.
The group relies on standard cyber-spy tactics: custom malware and spear phishing featuring emails carrying attachments designed to be of interest to the potential victim. This attachment might look like a Word document, but is in fact an executable file with a double extension.
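The double-extension lure described above (an executable named so that it looks like a Word document) is something a mail gateway or triage script can flag before the attachment reaches a user. The following is an added example, not Kaspersky's code or anything from the Naikon report; the extension lists are constructed for illustration and would be tuned to local policy. It also handles the variant where whitespace is padded around the final dot to push the real extension out of view, which the article does not mention but which the same check catches.

```python
import os

# Extensions that make a file look harmless to the recipient (constructed list).
DOCUMENT_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "jpg", "png",
}
# Extensions Windows will execute when the file is opened (constructed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta",
}


def split_extensions(filename):
    """Return the lower-cased extension chain of a filename.

    'Budget 2015.doc .exe' -> ['doc', 'exe'].  Path components are dropped and
    whitespace around each dot is stripped, so padding does not hide the
    final extension from the check.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = [p.strip().lower() for p in base.split(".")]
    # parts[0] is the stem; empty components (e.g. from 'a..b') are ignored.
    return [p for p in parts[1:] if p]


def is_double_extension_lure(filename):
    """True when a document-looking extension is followed by an executable one."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and any(
        e in DOCUMENT_EXTENSIONS for e in exts[:-1]
    )


def triage_attachments(names):
    """Return the subset of attachment names that match the lure pattern."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample attachment names, as a mail gateway might log them.
SAMPLE_ATTACHMENTS = [
    "Budget 2015.doc.exe",
    "Minutes.pdf                .scr",
    "C:\\mail\\inbound\\Agenda.DOCX.EXE",
    "report.docx",
    "backup.tar.gz",
    "readme.exe.txt",
]

if __name__ == "__main__":
    for name in triage_attachments(SAMPLE_ATTACHMENTS):
        print("suspicious attachment:", name)
```

The check deliberately ignores a bare `.exe` attachment (no document extension in front of it); that case belongs to a separate, simpler rule, and mixing the two would hide which lure was used when the alert is reviewed.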

Naikon has developed platform-independent code and the ability to intercept the entire network traffic, marking them out as more capable than the norm.
The remote access trojan routinely used by the crew comes with 48 commands, including instructions for downloading and uploading data, installing add-on modules or working with the command line.

Each target country has a designated human operator, whose job it is to take advantage of cultural aspects of the country, such as a tendency to use personal email accounts for work.
As well as this social engineering to fine-tune targeting, the group also routinely places its hacking command and control infrastructure (a proxy server) within the country’s borders to facilitate real-time connections and data exfiltration.

The tactic means that suspicious traffic is not travelling outside a target's country and is therefore less likely to be flagged as potentially dodgy and subjected to further scrutiny.
"The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunnelling from victim systems to the command centre," explained Kurt Baumgartner, principal security researcher at Kaspersky Lab. 
"If the attackers then decide to hunt down another target in another country, they could simply set up a new connection. Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group."
The Naikon crew recently locked horns with Hellsing, another cyberspy group. The incident prompted Kaspersky Lab researchers, who were already looking into Hellsing, to cast their attention towards Naikon.

A full write-up of Kaspersky's findings on the Naikon cyberspies can be found in a blog post here.

The biggest problem with self-driving cars

Hacker 3D prints device that can crack a combo lock in 30 seconds

A California hacker who has become an expert in cracking locks has invented a 3D-printed machine that can crack a rotary combination lock in around 30 seconds – and he's released the plans, 3D models, and code as open source.

A few weeks ago, Samy Kamkar told the world about a manufacturing flaw in Master Lock combination locks that reveals the combination by measuring how the dial interacts with the shackle. It's a moderately tricky thing to do, requiring some software, so now he's mechanized the process with the Combo Breaker device.
The Combo Breaker uses a stepper motor to rotate the Master Lock combination dial, a servo motor to try and open the mechanism, an Arduino chip to run the software, and 3D printed parts to house the lock and ensure a firm fit with the dial controller.
If you merely slip a Master Lock into the device and set it running, the Combo Breaker will take about five minutes to find the combination – which is worrying, but not very useful if you're trying to, for example, break into someone's high school or gym locker.
But if you use Kamkar's earlier method to "prime" the device by finding the first digit of the combination by hand – something that's relatively easy to do – then the Combo Breaker can do the job in 30 seconds or less. That's quick enough to be a serious problem in the right circumstances (and the wrong hands).
Before you start panicking, Kamkar tested the device on a cheaper version of the Master Lock combination dial mechanism. The company makes tougher rotary combo locks and the Combo Breaker isn't guaranteed to work on all of them.
This isn't the first time Kamkar has caused a ruckus; he's been a major disruptive force in the tech industry for a while now. At 18, he co-founded Fonality, a multimillion-dollar communications company, but then got seriously into hacking.
When he was 20, Kamkar created the Samy worm and released it onto MySpace, forcing the site to shut down temporarily. The worm was one of the fastest-spreading in history, and although it didn't carry a malicious payload, it still earned him a visit from US law enforcement and a felony charge of computer hacking.
Since then he's demonstrated critical weaknesses in near-field communications and RFID chips, discovered a major flaw in PHP, and learned how to hijack drones in mid-flight. He's a regular at the hacking conference circuit and is now an independent security consultant.


DDoS Botnet Leverages Thousands of Insecure SOHO Routers


Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials.

A new report suggests that hackers are using a large botnet of tens of thousands of insecure home and office routers to launch Distributed Denial-of-Service (DDoS) attacks.

Security researchers from DDoS protection firm Incapsula uncovered a still largely active router-based botnet while investigating a series of DDoS attacks against its customers that have been underway since at least December 2014.

Over the past four months, the researchers recorded malicious traffic targeting 60 of the firm's clients, coming from some 40,269 IP addresses belonging to 1,600 ISPs around the world.

Almost all of the infected routers that were part of the botnet appear to be ARM-based models from Ubiquiti Networks, a California-based networking company whose devices are sold across the world.

This led researchers to believe that the cyber criminals were exploiting a firmware vulnerability in the routers.

What was revealed on closer inspection?

However, this assumption proved wrong on closer inspection, which revealed that:
  • All of the compromised routers were remotely accessible on the default ports (via HTTP and SSH)
  • Almost all of those accounts were still using vendor-provided login credentials

This opens the door for an attacker to mount man-in-the-middle (MitM) attacks, eavesdrop on all communication, hijack cookies, and gain access to other local network devices such as CCTV cameras.

Router makers design their devices so that they can be connected easily, and therefore they give every unit the same administrator credentials, without any warning to change the defaults. Moreover, instead of letting users turn on remote administration when they need it, the manufacturers enable it by default.

"Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators," researchers wrote. "Even as we conducted our research, the Incapsula security team documented numerous new malware types being added—each compounding the threat posed by the existence of these botnet devices."

A variety of DDoS malware involvement

The security firm also discovered a variety of DDoS malware programs, including MrBlack, Dofloo, and Mayday, installed on the insecure devices; such compromised devices can also be used for other malicious tasks such as:
  • Redirect victims to malicious websites
  • Intercept victims’ online banking sessions
  • Inject rogue and malicious advertisements into the victim's Web traffic
  • Steal login credentials for various online accounts
  • Perform other illegal activities

The question remains — Who is behind this botnet?

Researchers found some indirect evidence correlating the router-based botnet to a notorious hackers group called Lizard Squad, a group that has used compromised routers to launch DDoS attacks against Sony's PlayStation and Microsoft's Xbox networks.

Back in January, Lizard Squad set up a DDoS-for-hire service called Lizard Stresser that was using hacked home routers. However, Incapsula believes that it’s not Lizard Stresser because it is powered by different malware programs.

The botnet comprises devices in 109 countries, with Thailand (64 percent), Brazil, and the United States being the top three most-affected nations. The firm also identified 60 command and control servers used by the criminals to control the botnet, most of them located in China and the U.S.

The bottom line

Users should keep their devices safe by making sure that they:
  • Disable all remote access to the devices unless it is specifically needed
  • Change the default login credentials on their routers to prevent unauthorized access
  • Keep router firmware up to date

Compromised routers are not at all new. Devices from several manufacturers, including Linksys, Asus, D-Link, Micronet, Tenda, and TP-Link, have been known to be vulnerable. Incapsula has informed the specific router manufacturers and the relevant ISPs about the insecurity of the routers they market.

When a piece of software does not come alone