This week has been one of the most hectic weeks in a very long time; I've been working day and night to finish everything for the Kaspersky Security Analyst Summit. I was not in the mood for new work because of the very late and hectic nights. I am on my way out the door to drop off the kids and my wife at her parents' place when suddenly the phone rings. It's Magnus Lindkvist, who was the Security Evangelist at Microsoft in Sweden. It is always nice to talk to Magnus, but this time he had a different tone in his voice; he was not really up for any chit-chat, and just asked me if I was close to a computer. The mood for something exciting suddenly came back to me! I was in the game again! :)
As a security researcher, I always have at least one computer running 24/7. He tells me that the largest website in Sweden, Aftonbladet, is spreading malware. I quickly boot up my virtual machine, launch Chrome and open the website. Nothing happens... what did I miss? Was Magnus joking? Then on the other side of the phone I hear Magnus say: "You need to use Internet Explorer".
During the last few days, several high-profile domains have been defaced, including domains belonging to two prominent security companies. In addition to these, high-profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis it does not seem that the actual webserver has been compromised; the most likely attack vector is that the DNS has been hijacked.
When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did, or what kind of information they were able to obtain. When analyzing previous compromises and defacements it seems that there is a "new" trend among hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.
As a security analyst we often get asked the question: “What threats and vulnerabilities do you expect us to see in the future?” This is a very interesting question but also an indication that the way we think about and discuss IT-security is fundamentally wrong. Do we really need to invest time and resources to focus on future threats when we are still vulnerable to attacks that have been discussed for over 20 years?
If you take a look at some of the major breaches we have seen in the past, the attackers did not use zero-day vulnerabilities. Also, if you look at exploit kits, only very few are actually equipped with exploits taking advantage of zero-day vulnerabilities. To analyze this in depth, Kaspersky researcher David Jacoby joined forces with Outpost24’s CSO Martin Jartelius, gaining access to unique statistics on technical risk exposure from the vulnerability management vendor, and performed several security audits which included both social engineering tests and penetration tests. However, everything was performed without exploiting any vulnerabilities.
We started to analyze the statistics that we obtained, and it did not take very long until our theories were proved correct. We looked into the frequency of old vulnerabilities, meaning which vulnerabilities we are actually still exposed to. We chose to include statistics for Sweden and Benelux in this report.
The statistics show that we are quite good at protecting ourselves against vulnerabilities which are new, but strangely enough we have a tendency to forget about older vulnerabilities. Some systems are still exposed to vulnerabilities older than 10 years.
Another interesting question is: ‘what systems do we actually try to secure?’ It’s a very hot topic to talk about critical infrastructure, but what other kind of “public resources” are out there which might be critical? What about for example hotels? Or hospitals? Or radio stations for example?
When doing research it’s always important to get real facts, and one of the ways to do this is to get your hands dirty. During our research we also wanted to perform a practical challenge for a few companies from different industries. The idea was to go out and visit the companies and perform a security audit with a pre-defined checklist based on the results from the research. Our goal was to check whether they had any systems vulnerable to old threats, and also to review their security routines and run a lot of additional tests. However, only a handful of companies actually wanted to participate in this challenge. We both think that this is absolutely one of today’s key problems: we spend more time on new, exciting vulnerabilities and threats than on actually taking care of the real problems. We decided to perform the challenge anyway, and the results were pretty interesting.
Read the full research paper here.
When I think about Iceland I do not immediately think of a place where top IT-security researchers from all over the world meet once a year to present and discuss some of the most recent and relevant security topics, but this is actually the case. It is the second year that the Nordic Security Conference has taken place here in Iceland. It is quite funny, because when I’m in Las Vegas for DEFCON and BLACKHAT I always complain about the insane heat, and during the Nordic Security Conference the weather is terrible. When can someone arrange a conference at a location where it’s not insanely warm or cold?
I’ve had the great opportunity to present at both events. This year I gave a presentation about one of the weakest links in IT-security: the human factor. For over 6 months I have done several research projects, some of them on my own and some together with other security researchers such as Martin Jartelius from Outpost24. We tried to answer the question “How easy is it to hack a country?” by performing various social engineering experiments, with great success.
The title of this blog reminds me of the old zombie horror movies from the 80s, but what I'm going to write here is more like a comedy. Some of you have probably read my blog post about the time when I tricked them into accessing websites under my control, which led to me collecting a lot of information about the callers.
After that blog post I didn’t receive any calls... until today. I was sitting in my home office, drinking my daily smoothie and writing my paper for the Virus Bulletin magazine, when suddenly I heard the phone ringing. I don’t care about that anymore, because I hear that my wife answers the phone, but after a few minutes she enters my room and tells me that "they" are calling again.
As always, I booted up my VMware image with a totally FRESH installation of Windows XP and started talking to the scammers. For those of you who are not familiar with the scam, please read my other blog post, which can be found below, because I won’t cover it in this post. http://www.securelist.com/en/blog/208193750/Trying_to_unmask_the_fake_Microsoft_support_scammers
This time the scammers were using some different methods to try to convince me that my computer was infected with malware. They even gave it the name "Frozen Trojan", and went to Google and tried to look it up for me. But they only ended up on results about bird flu and other biological viruses, which I thought was quite entertaining.
I had the impression that lately the number of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both contained a very similar message.
Two days ago I received the first message, and when I tried to verify whether it was a link spreading malware or a phishing site, the URL was already inactive. Now that I have received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.
Virus Bulletin 2012 is now over, and the final chapter from this year’s conference needs to be written. Almost all of the participants have packed their bags and gone home. This event was three action-packed days containing everything from discussions about cyber war and interesting meetings with fellow researchers to presentations about Indian phone scammers. I am now sitting here writing the last blog post about the Virus Bulletin 2012 conference in Dallas.
This is my second Virus Bulletin, and just like last time it gave me the opportunity to network with fellow researchers, but this time I also presented my own research. Vicente Diaz wrote about the second day at VB, and he included some pictures from my presentation on Malware against Linux and the Attackers Automated Tools - check out the pictures here. During my presentation I also had a 30-minute live demo where four people from the audience helped me identify vulnerabilities and exploit them using the same techniques the bad guys use. The demonstration also contained automated scripts for backdooring and bypassing security mechanisms within the Linux operating system.
The Nordic Security Conference in Iceland is now over, and I must say that it was an amazing conference with several top-notch presentations from both local and international researchers. The line-up for a conference that was running for the first time was very impressive, and I am pretty sure that history in the Nordic IT-security industry was written this weekend.
I was asked by the organizers to do the keynote and open the conference with the presentation A Diary From A Security Geek, which I felt very honored to do. The presentation was the same one I gave in South Africa at the IDC Security Roadshow just a few days ago. From what I understood from the conversations during the breaks and after the conference, it seems that the keynote was very well received, and the majority of the other speakers also made some nice references to it in their talks.
The Nordic Security Conference was located in Reykjavik, Iceland. Even though the excursion was cancelled due to the bad weather (a storm), I must say that Iceland is a very beautiful country. Even before you land, sitting in the plane looking out over Iceland, you can see the amazing nature that country has: everything from glaciers and volcanoes to hot geysers.
Greetings from the IDC Security Roadshow in Johannesburg, South Africa! I am sitting here in the hotel lobby looking out at the Nelson Mandela Square listening to the explosive track from DJ Fresh - The Feeling (Ft. RaVaughn) (Metrik Remix), reflecting on the last couple of days and the discussions I’ve had with various people.
I have been giving a few interviews and I was also presenting at the IDC security conference; my presentation is called “The Diary of a Security Geek” and it includes material from a one-year-long research project of mine. It basically contains observations made during these conferences and some really interesting facts on how security managers see IT security, how they prioritize, and some interesting false perceptions about IT security and risks. I know that some of you might be interested in this research, so don’t worry - I will publish my research at a later date, and I will also be giving the same presentation at quite a few conferences around the world this year.
Yesterday was a dark day for many companies in Europe, but especially in the Netherlands. A piece of malware known as Worm.Win32.Dorifel infected over 3000 machines globally, and 90% of infected users were from public and business sector organizations based in the Netherlands. We have seen government departments and hospitals among the victims. Other countries with a large number of infections were Denmark, the Philippines, Germany, the United States and Spain. All users running Kaspersky Lab’s products are protected from this threat.
The malware is initially distributed to victims via email. It uses a “Right To Left” vulnerability to hide its original file extension. The malware then downloads another piece of malware which encrypts documents and executes them on the infected computer. Dorifel also attempts to encrypt files found on network shares.
When I was sitting down and investigating the Dorifel malware I noticed that the servers hosting it were not configured properly and allowed, for example, directory listing in certain directories. This prompted me to search for more interesting directories, which I did, and to my surprise I noticed that the server was hosting a lot more malicious “components” and not just the Dorifel malware. It is very difficult to say whether this scam is complex and advanced, since it uses many different components of differing complexity. Some of the interesting things I found include: