Computer Security Updates Week 2 of May 2013

Refer to Computer Security Updates Week 5 of Apr 2013, in which the biggest news was Reuters' report that the LivingSocial cyber attack affected millions of customers.

For this week (and last week), here are the biggest news items:
  • Symantec: spammers continue to exploit Mother's Day.
  • Symantec analyzes new Internet Explorer 8 Zero-Day used in Watering Hole Attack.
  • McAfee to acquire Stonesoft.
  • Reuters reported that the Pentagon cleared Samsung and BlackBerry devices, moving toward a multi-vendor environment.
  • ESET Blog analyzes Win32/Rootkit.Avatar family.
  • Bit9 blog summarizes the 2013 Verizon Data Breach Investigations Report (DBIR).

Symantec, May 6, 2013 - Spammers Continue to Exploit Mother’s Day

According to Symantec's latest Internet Security Threat Report, global spam volume in 2012 was estimated at 30 billion spam emails per day. Spammers are improving the quality and targeting of their spam messages in an effort to bypass filters and trick victims into revealing personal information, passwords, credit card details, and bank credentials. Ironically, even web pages meant for the guidance and protection of customers were mimicked by phishers intent on tricking people into handing over personal information. The latest theme being used by spammers is Mother's Day.

Symantec has observed an increase in spam messages around Mother's Day. These messages encourage users to take advantage of product offers, fake surveys, e-cards, personalized gifts and replica watches, as well as clearance sales of cars and trucks. Clicking the URL in the email redirects the user to a website containing bogus offers, where the user is asked a few questions related to Mother's Day. Upon completion of the survey, the web page redirects again and asks users to enter their personal information in order to receive the gifts they selected.

Some of the subject lines observed for these spam attacks:
  • Subject: Don't Forget Mother's Day - $19.99 Chocolate, Dipped Strawberries
  • Subject: Stunning Personalized Gifts for Mother's Day
  • Subject: Top Personalized Mother's Day Gifts
  • Subject: Make Mother's Day Special With A Personalized Gift
  • Subject: Mother's Day Car Deal (Half Off Every Make And Model)
  • Subject: Regarding Mothers Day
  • Subject: Celebrate Mom with a $19.99 bouquet.
  • Subject: Mother'sDay Replica's Women's Accessories
  • Subject: Mother's Day Secret Formula.

Internet users should exercise caution while handling unsolicited or unexpected emails.
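The post describes how these lures are built: a seasonal theme plus a price, discount, "personalized gift" or replica hook, with punctuation varied ("Mothers Day", "Mother'sDay") to slip past exact-match filters. The following is an added illustration, not Symantec's filter or any code from the original post: a small weighted scorer that gates lure indicators on the seasonal theme and adds a point when the theme is spelled in an evasive way. The subject lines are the ones reported above; the two benign subjects and the pattern weights are constructed for the example.

```python
import re

# Constructed sample input: the Mother's Day subject lines reported in the post,
# plus two benign subjects added here so the scorer has something it should NOT flag.
SAMPLE_SUBJECTS = [
    "Don't Forget Mother's Day - $19.99 Chocolate, Dipped Strawberries",
    "Stunning Personalized Gifts for Mother's Day",
    "Top Personalized Mother's Day Gifts",
    "Make Mother's Day Special With A Personalized Gift",
    "Mother's Day Car Deal (Half Off Every Make And Model)",
    "Regarding Mothers Day",
    "Celebrate Mom with a $19.99 bouquet.",
    "Mother'sDay Replica's Women's Accessories",
    "Mother's Day Secret Formula.",
    "Minutes from Monday's project meeting",   # constructed, benign
    "Lunch with mom on Sunday?",                # constructed, benign
]

# Seasonal theme: tolerate a missing apostrophe or a missing space ("Mothers Day", "Mother'sDay").
THEME_RE = re.compile(r"\bmother'?s\s*day\b|\bmom\b", re.IGNORECASE)
# Canonical spelling; anything that matches THEME_RE but not this is treated as evasive.
CANONICAL_THEME_RE = re.compile(r"\bmother's day\b", re.IGNORECASE)

# Lure indicators taken from the reported subjects. Weights are an assumption for the example.
LURE_PATTERNS = [
    ("price",        re.compile(r"\$\s?\d+(?:\.\d{2})?"), 2),
    ("discount",     re.compile(r"\bhalf off\b|\bclearance\b|\bdeal\b", re.IGNORECASE), 2),
    ("personalized", re.compile(r"\bpersonali[sz]ed\b", re.IGNORECASE), 1),
    ("replica",      re.compile(r"\breplica'?s?\b", re.IGNORECASE), 3),
    ("vague_hook",   re.compile(r"\bsecret\b|\bregarding\b", re.IGNORECASE), 1),
    ("urgency",      re.compile(r"\bdon'?t forget\b|\bcelebrate\b", re.IGNORECASE), 1),
    ("gift",         re.compile(r"\bgifts?\b|\bbouquet\b", re.IGNORECASE), 1),
]

THRESHOLD = 2  # assumed cut-off: at or above this the subject is flagged for closer inspection


def score_subject(subject):
    """Return (score, reasons) for one subject line.

    Lure indicators only count when the seasonal theme is present, so an ordinary
    "$19.99" in an unrelated mail does not score. A non-canonical spelling of the
    theme adds a point, because varying punctuation is a filter-evasion tactic."""
    reasons = []
    if not THEME_RE.search(subject):
        return 0, reasons
    score = 0
    for name, pattern, weight in LURE_PATTERNS:
        if pattern.search(subject):
            score += weight
            reasons.append(name)
    if re.search(r"mother'?s\s*day", subject, re.IGNORECASE) and not CANONICAL_THEME_RE.search(subject):
        score += 1
        reasons.append("obfuscated_theme")
    return score, reasons


def triage(subjects):
    """Score a batch of subjects; returns a list of (subject, score, flagged)."""
    out = []
    for subject in subjects:
        score, _ = score_subject(subject)
        out.append((subject, score, score >= THRESHOLD))
    return out


if __name__ == "__main__":
    for subject, score, flagged in triage(SAMPLE_SUBJECTS):
        print(f"{'FLAG' if flagged else '    '} {score:2d}  {subject}")
```

With the assumed threshold, eight of the nine reported subjects are flagged and both benign subjects score zero; "Mother's Day Secret Formula." scores only one and slips through, which is the practical lesson: a subject line alone carries little signal, and a real filter would score the sender, the body and the URL the message points to as well.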

Get more details.

Symantec, May 5, 2013 - New Internet Explorer 8 Zero-Day Used in Watering Hole Attack.

Microsoft has identified a zero-day vulnerability in Internet Explorer 8.

Symantec discovered that, upon visiting the adversary's site, a vulnerable victim would be redirected to download a back door as the payload. Symantec products detect the exploit code on the site as Trojan.Malscript and the back door as Backdoor.Darkmoon.

Get more details.

SANTA CLARA, Calif., May 5, 2013 - McAfee to Acquire Stonesoft

McAfee today announced the execution of a definitive agreement to initiate a conditional tender offer for the acquisition of Stonesoft Oyj, a leading innovator in next-generation network firewall products, for an aggregate equity value of approximately $389 million in cash.

Stonesoft delivers software-based, dynamic, customer-driven, cyber security solutions to secure information flow and simplify security management. Stonesoft’s product portfolio of next-generation firewalls, evasion prevention systems, and SSL VPN solutions addresses businesses of all sizes. Through the pending acquisition of Stonesoft, McAfee expects to extend its leadership position in network security.
The rationale for the proposed acquisition is as follows:

  • Network security is a vital component of a comprehensive security solution. Next-generation firewalls solve critical customer needs and represent one of the fastest growing market segments in network security.
  • Stonesoft is a leading innovator in the next-generation firewall segment. Gartner positioned the company as “visionary” in the 2013 Network Security Firewall Magic Quadrant. Stonesoft achieved “Recommend” status in NSS Labs’ latest 2013 firewall tests.
  • With Stonesoft, McAfee expects to grow its network security business by delivering the industry’s most complete network security solution with three leading platforms: McAfee’s IPS Network Security Platform, McAfee’s Firewall Enterprise for the high assurance market segment, and Stonesoft’s next-generation firewall.

Get more details.

Reuters, May 2, 2013 - Samsung, BlackBerry devices cleared for use on U.S. defense networks

Reuters reported that the Pentagon on Thursday cleared BlackBerry and Samsung mobile devices for use on Defense Department networks, a step toward opening up the military to a wide variety of technology equipment makers while still ensuring communications security.

The move is meant to prevent vendor lock-in.

To ensure security, mobile devices and operating systems go through a security review process approved by the Defense Information Systems Agency. Once their Security Technical Implementation Guide (STIG) is reviewed and approved, the devices can be used on the network.

Get more details.

ESET Blog, May 1, 2013 - Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication.

Win32/Rootkit.Avatar was first discovered by ESET in February 2013.

It is driven by a command-and-control (C&C) infrastructure. In March 2013, two different compilations of the dropper were detected.

It only works on 32-bit systems.

Win32/Rootkit.Avatar uses a driver infection technique twice: first in the dropper, to bypass detection by HIPS, and second in the rootkit driver, to survive a system reboot.

In computer security, a dropper complements a payload. A dropper is a program (a malware component) designed to "install" some sort of malware (virus, backdoor, etc.) on a target system.

The payload carries out the malicious actions.

In this case, the dropper is designed so that the malicious code is eventually loaded by a modified system driver, thereby bypassing security software.

After the Avatar rootkit driver is loaded successfully, Avatar runs an algorithm for infecting system drivers so as to survive a reboot. To perform the infection, Avatar randomly chooses a driver and checks its name against a blacklist that varies for each Windows version.

After that, the Win32/Rootkit.Avatar payload is loaded.

The payload's core function is facilitating communications. One of its abilities is to receive encrypted messages and instructions from Yahoo Groups. Once this channel is established, the rootkit's goal is achieved.

Win32/Rootkit.Avatar is an interesting rootkit family that uses many techniques for bypassing detection by security software.

For cleaning, it is necessary first to deactivate the Avatar rootkit driver and the user-mode payload; only then is it possible to clean or restore the infected system driver.
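Because Avatar keeps the name of the system driver it infects and only replaces its contents, the defender's question is "which driver no longer matches what it was?" The following is an added example, not ESET's tooling or code from the original post: a file-integrity baseline that hashes a driver folder when the system is known clean and later reports modified, added and missing files. The folder, the driver file names and the "infection" are constructed in a temporary directory; `avatar_hypothetical.sys` is a made-up name used only to show a dropped file.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large driver images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(driver_dir):
    """Record size and SHA-256 of every file under driver_dir, keyed by relative path.
    driver_dir stands in for a known-clean driver folder (an assumption of the example)."""
    root = Path(driver_dir)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[str(path.relative_to(root))] = {
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
            }
    return baseline


def compare_to_baseline(driver_dir, baseline):
    """Return {'modified': [...], 'added': [...], 'missing': [...]} versus the baseline.
    'modified' is the signature of an Avatar-style infection: the file name survives,
    the content does not, so the hash changes while the directory listing looks normal."""
    current = build_baseline(driver_dir)
    modified = sorted(
        name for name in baseline
        if name in current and current[name]["sha256"] != baseline[name]["sha256"]
    )
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: three fake driver files are baselined, then one is
    overwritten in place (the rootkit's random-driver infection), one extra file is
    dropped, and one is removed. The baseline is round-tripped through JSON because in
    practice it would be stored off-host, where a compromised kernel cannot edit it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        for name in ("acpi.sys", "ndis.sys", "disk.sys"):  # constructed stand-ins
            (folder / name).write_bytes(b"clean driver image for " + name.encode())
        baseline_json = json.dumps(build_baseline(folder))

        # Same name, different bytes: what a patched system driver looks like on disk.
        (folder / "ndis.sys").write_bytes(b"clean driver image for ndis.sys" + b"\x90" * 64)
        # A dropped component that was never in the baseline.
        (folder / "avatar_hypothetical.sys").write_bytes(b"not in baseline")
        # A driver that disappeared.
        (folder / "disk.sys").unlink()

        return compare_to_baseline(folder, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow directly from the post's cleaning advice. A running rootkit driver can intercept file reads and return the clean image, so the comparison is only trustworthy when taken from a clean boot or rescue media, after the Avatar driver has been deactivated. And on Windows the same check is better done with Authenticode signature verification of the driver files, which catches a modified image without needing a stored baseline at all; the hash baseline above is the portable, tool-agnostic form of the idea.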

Get more details.

Bit9 Blog, Apr 30, 2013 - Cyberespionage’s Increasing Role in 2013 Verizon DBIR

Bit9's blog presents a summary of the 2013 Verizon Data Breach Investigations Report (DBIR). Some trends were observed, though nothing particularly new. They are:
  • A large number of espionage-motivated attacks was observed.
  • The majority of attacks originated from China.
  • Carefully planned attacks took longer to detect, and vice versa.
  • Many victims still fell prey to relatively simple and well-known threats.
  • The vast majority of attacks were motivated either by gathering information (espionage, corporate or state sponsored) or by stealing money.
  • The kill-chain approach is an effective way for enterprises to deal with APTs.

Get more details.

