You are viewing 'malicious'
Three ways to protect yourself
If you keep up with security news then you have probably heard about atom bombing. Atom bombing is the latest way for attackers to inject malicious code into nearly any Windows operating system and it uses an inherent Windows mechanism known as “atom tables.” The jury is still out on just how dangerous this technique is, but anything that would allow an attacker to run malicious code on your machine should be considered a bad thing.
Atom tables are system-defined tables that store strings and corresponding identifiers. Windows uses these tables for a variety of purposes, everything from Dynamic Data Exchange (DDE) to applications. If you are interested in learning more about atom tables, you can go to https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx for more details.
For the purposes of this blog, I am... read more >
Recently, NTT Security discovered a phishing email containing malware. The email had a Microsoft Word document attached with a malicious embedded macro. Macros are an effective infection vector and have been steadily gaining popularity in the last several years. Microsoft Office macros are a series of instructions run together as a single command. Microsoft extended macro capabilities to include Visual Basic for Applications (VBA) run inside of a Microsoft Office application (Access, Word, Outlook, Excel, and Power Point). The takeaway is that macros could be, and probably are, malicious code when coming from an unknown source.The Document
Below in figure 1 is a screen shot of the document we discovered embedded in the email. As you can see, the document is well formatted, and looks very legitimate. It also gives step-by-step instructions, requesting the user to enable content so the... read more >
A while ago someone referred me to this post on reddit labeled, “The boss has malware, again….” It is an entertaining story from a help desk employee at a large corporation who discovered that an e-cigarette belonging to one of their executives had malware hardcoded into the charger. When the charger was plugged into a systems USB port, it would phone home to a server to download malware on the unsuspecting users system. Stories such as this are more common than you may think. In the past, many consumer devices have been discovered to contain embedded malware directly from the manufacturer. There have been many historical incidents of infected digital picture frames, MP3 players and other devices having been unwittingly sold and distributed by big box stores and small retailers alike. Most recently, a large quantity of... read more >
Black Energy (BE) malware is back in the news as of early January 2016. This time it is being blamed for contributing to a power outage on December 23, 2015 in Ukraine, which left nearly half the populace in the Ivano-Frankivsk region without power for several hours.
Discovered in 2007, BE was originally designed as a distributed-denial-of-service (DDoS) toolkit but has since evolved to its current state, supporting a multitude of plug-ins. The newest features of the BE malware include:
- KillDisk, a destructive data-wiping utility capable of destroying an estimated 4000 file types, including registry files. This function could render the host unbootable, and depending on the infected host, could have dire consequences. Based on the malware’s typical target set of Industrial Control Systems (ICS), an infected host could prove to be disastrous, not to mention expensive.
- Researchers also identified a previously unknown Secure Shell (SSH) backdoor...
Information Leakage (CVE-2016-0777) and Buffer Overflow (CVE-2016-0778)
On January 14, researchers from Qualys published information regarding information leakage (CVE-2016-0777) and buffer overflow (CVE-2016-0778) vulnerabilities in OpenSSH which result from default code in versions 5.4 through 7.1p1.
These vulnerabilities exist because OpenSSH clients support a feature called roaming. This feature allows for connectivity to an SSH server to resume the suspended SSH session if the existing connection breaks unexpectedly. Because of the roaming feature, however, these vulnerabilities exist and could be exploited by a malicious or compromised SSH server.
Information Leakage (CVE-2016-0777)
The information leak is exploitable because the default code in the OpenSSH client allows a malicious SSH server to steal the client's private keys. The client code was enabled by default, and a malicious server could trick that code into leaking client memory to the server, including private client user... read more >