Recently, I read an article in SANS News Bytes about the Stegano malvertising campaign that was discovered by ESET Research. Instead of discussing this campaign in great detail, which ESET has already done, I am going to focus this blog on what you can do when information about a new malicious campaign becomes public.
One of the SANS News Bytes editors, Gal Shpantzer, recommended looking for the attack’s domain names in DNS logs. Most organizations do not retain their DNS traffic, but those logs can be a valuable source of information. In a corporate environment, having a historical record of the traffic that traversed your network can aid in threat hunting, especially as new intelligence is made public. A SIEM is a...
ImageGate allows Ransomware Infection
With so many users accessing Facebook within corporate networks, it is imperative that your security team be up to date on current threats involving social media. A well-known piece of malware, Locky Ransomware, is spreading via Facebook Messenger by pretending to be a harmless image file. Since many companies allow employees to access Facebook, this presents a potentially massive hole in security programs.
The initial reports on this piece of ransomware show a common infection vector and approach used by the attackers. First, the user receives an instant message containing only an image file, or what appears to be an image file. It is usually titled generically and carries a .svg extension. An .svg (Scalable Vector Graphics) file is an XML-based vector image format for two-dimensional graphics, with support for animation and interactivity. These image files can be created and edited with any text...
Three ways to protect yourself
If you keep up with security news then you have probably heard about atom bombing. Atom bombing is the latest way for attackers to inject malicious code into nearly any Windows operating system and it uses an inherent Windows mechanism known as “atom tables.” The jury is still out on just how dangerous this technique is, but anything that would allow an attacker to run malicious code on your machine should be considered a bad thing.
Atom tables are system-defined tables that store strings and corresponding identifiers. Windows uses these tables for a variety of purposes, everything from Dynamic Data Exchange (DDE) to applications. If you are interested in learning more about atom tables, you can go to https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx for more details.
For the purposes of this blog, I am...
Recently, NTT Security discovered a phishing email containing malware. The email had a Microsoft Word document attached with a malicious embedded macro. Macros are an effective infection vector and have been steadily gaining popularity in the last several years. Microsoft Office macros are a series of instructions run together as a single command. Microsoft extended macro capabilities to include Visual Basic for Applications (VBA) code run inside a Microsoft Office application (Access, Word, Outlook, Excel, and PowerPoint). The takeaway is that macros could be, and probably are, malicious code when they come from an unknown source.
The Document
Below in figure 1 is a screenshot of the document we discovered embedded in the email. As you can see, the document is well formatted and looks very legitimate. It also gives step-by-step instructions, requesting that the user enable content so the...
A while ago someone referred me to this post on reddit labeled, “The boss has malware, again….” It is an entertaining story from a help desk employee at a large corporation who discovered that an e-cigarette belonging to one of their executives had malware hardcoded into the charger. When the charger was plugged into a system’s USB port, it would phone home to a server to download malware onto the unsuspecting user’s system. Stories such as this are more common than you may think. In the past, many consumer devices have been discovered to contain embedded malware directly from the manufacturer. There have been many historical incidents of infected digital picture frames, MP3 players, and other devices having been unwittingly sold and distributed by big-box stores and small retailers alike. Most recently, a large quantity of...