Malware RSS Feed
Microsoft presented a preview of their newest "experience", Windows 10, over a live stream this morning. The release is expected later this year. This isn't envisioned as just an OS for desktops, but it brings support as a truly broad computing platform. They claim to have built Windows 10 with "more personal computing" in mind, and it's an ambitious push into seamlessly bringing together desktop computing, holographic computing (awesome!!!), mobile devices, gaming and IoT, a move to the "Store", productivity applications, big data services and sharing, new hardware partner technologies, and cloud computing for a "mobility of experience". They skimmed over "Trust" only in light of data privacy issues. From what I have seen, pushing aside security is a somewhat disappointing theme for all of the vendors at their previews, not just Microsoft. There is, however, a very long list of enhanced security features developed into this new codebase along with a massive amount of new attack surface introduced with this new platform.
Microsoft is attempting to better tighten down the new version of Windows the operating system by disallowing untrusted applications from installing and verifying their trustworthiness with their digital signature. This trusted signing model is an improvement, however, this active handling is not perfect. APT like Winnti's attacks on major development shops and their multiple, other significant ongoing attack projects demonstrate that digital certificates are readily stolen and re-used in attacks. Not just their core group's winnti attacks, but the certificates are distributed throughout multiple APT actors, sharing these highly valued assets, breaking the trust model itself to further their espionage efforts.
With seamless integration of all these data sharing services across computing resources, authentication and their underlying credentials and tokens cannot be leaked across services, applications, and devices. Pass-the-hash attack techniques frequently used by targeted attackers haunted corporate organizations using Windows for almost a decade. These types of credential theft techniques will have to be better protected against. And Flame introduced a whole new level of credential attack, so we may see Hyper-V and the newest container model for Windows 10 attacked to gain access to and abuse these tokens for lateral movement and data access. Defensive efforts haven't been terribly successful in their responsiveness in the past, and Active Directory continues to see new attacks on organization-wide authentication with "skeleton keys". So, their implementation of credential provisioning and access token handling will deserve security researchers' attention - Hyper-V technologies and components' attack surface will come under a new focus for years to come. And the DLP implementation for sharing corporate data securely is encouraging as well, but how strong can it be across energy constrained mobile hardware?
Considering that 2014 brought with it over 200 patch-worthy vulnerabilities for the various versions of Internet Explorer, a minimalist refresh of this code with the "Project Spartan" browser would be welcome. Simply put, the IE web browser was hammered in 2014 across all Windows platforms, including their latest. Our AEP and other technologies have been protecting against exploitation of these vulnerabilities in high volume this past year. Not only has its model implementing ActiveX components and its design been under heavy review, but the slew of newer code and functionality enabling "use-after-free" vulnerabilities led to critical remote code execution. The new Spartan browser brings with it large amounts of new code for communications and data sharing, which brings with it Microsoft's track record of introducing hundreds of patch-worthy vulnerabilities annually into their browser code. Hopefully their team won't bring that baggage with them, but the load seems pretty heavy with the new functionality. I didn't see any new security features, development practices, or sandboxes described for it and will wait to see what is in store here.
An unusually large amount of time was set aside to present their "intelligent assistant" Cortana, which started with a somewhat disconnected and bizarre conversation between the presenter and the actual Cortana assistant instance onstage. The devil is in the details when implementing security support for access to data across fairly unpredictable services like this one.
Of course, our products will be ready to go. Kaspersky Lab consumer products will support Windows 10 after its official launch. There will be no need for customers to reinstall Kaspersky Lab solutions for migration onto the new platform. All these products will be patched accordingly and will provide the same exceptional level of protection on the new Windows OS.
Microsoft's security team begins 2015 with a minimal set of Security Bulletins, MS15-001 through MS15-008. The set included one critical vulnerability in a service that probably shouldn't be shipped any longer (telnet), and seven bulletins rated "Important" patches for elevation of privilege, DoS, and security bypass issues.
The critical Bulletin effects the telnet service. The telnet service is an ancient piece of software that provides shell access to a system. Only it's over unencrypted, plain text communications, and should not be used. Luckily, this service is not enabled by default on supported windows systems (but it is installed by default on Windows Server 2003). So, this patch effects very few customers. A quick search in shodan shows a pretty reduced set of users, and its presence in our Ksn data is very limited. When installed and enabled, Microsoft's telnet server runs as "Tlntsess.exe" on all Windows systems since Windows Server 2003.
But, if someone didn't install an alternative like OpenSSH, uses the PowerShell facility, WinSCP, or other facilities, and oddly installed this service, they may be running a server vulnerable to remote malformed packet delivery leading to remote code execution. Meaning it's a severe issue that really >shouldn't< effect many users. And it appears to not be exploited on our user base. On a somewhat related note, Ksn shows infected Tlntsess.exe files on systems that need upgrades and cleanup:
It's always surprising to still see the viral stuff, but it's certainly more prevalent than telnet service exploitation at this point.
The other Security Bulletins are rated "Important", and the escalation of privilege issues are somewhat interesting and the kind of thing businesses should be aware of - they are frequently used as a part of target attack activity.
One of these EoP vulnerabilities was reported privately and exposed publicly by Google's Project Zero. The project maintains a database of exploitable vulnerabilities, each of which has a deadline of 90 days from reporting before the bug goes public: "Deadline exceeded - automatically derestricting". This EoP was fixed and the fix released by Microsoft as MS015-003 two days after Google's bug issue was exposed publicly. It's strange that Google would do such a thing, it's not as if Microsoft doesn't commit to reasonable time frames for fixes and proper testing anymore. Microsoft responded with a lengthy writeup on responsible disclosure and cooperation within the industry, and mentioned Google's approach in particular.
The flawed code has yet to be seen as abused in the wild, but it will likely happen. You can find a set of executive summaries for the Bulletins here.
And one last note, the Advanced Notification Service is coming to an end. Microsoft ended their practice of broadcasting advance notice of security updates to all customers, and offers it only to paying Premiere-level customers. For the most part, it seems that this works out just fine and possibly frustrates people less with security maintenance. However, I think that it would be useful for Microsoft to pre-release forecasted download file sizes and reboot requirements for the updates, along with their ratings of critical or not, etc. For example, knowing that I will have to download over 200mb of critical software updates requiring system reboots would be helpful. That information would be useful to their customers both large and small. Time will tell if they bring it back, but likely, they will not need to.
The new year has started rather badly for the Bitcoin world. On January 4th, a cyber-attack against Bitstamp, one of the biggest bitcoin exchanges in the world, resulted in the loss of almost 19,000 BTC - the equivalent of more than $5 million.
While very little is known at the moment about how the attackers managed to pull off this latest bitcoin heist, Bitstamp is assuring their customers that all of their bitcoins remain safe. The company states that "this breach represents a small fraction of Bitstamp's total bitcoin reserves", so hopefully covering the losses shouldn't be a problem for them.
Because of the irreversible nature of bitcoin transactions, the only thing Bitcoin enthusiasts can do right now is to sit and watch how the attackers are emptying the address used to collect the stolen bitcoins.
You can follow the thieves' transactions by yourself here: https://blockchain.info/address/1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf
Right now, the attackers are most likely trying to move those bitcoins around through as many addresses as possible, and then will proceed to launder the stolen coins by using so-called "mixing" services
Bitstamp seems to have been much better prepared for such an incident compared to Mt. Gox, so while the price of Bitcoin was of course impacted, the impact was not that big. Part of the reason is that bitcoins are currently trading at prices that haven't been seen since the autumn of 2013 anyway, between $250 and $300 for 1 BTC.
Bitcoin price in 2014 - source: ZeroBlock
Taking into account these cyber attacks, we conclude that in 2015 security will continue to remain the most important thing for Bitcoin exchanges and enthusiasts.
Our advice is to diversify and try and minimize the time in which your bitcoins are hosted by anyone else except yourself. Bitcoin exchanges and third party wallet providers seem to act as a magnet for attackers, so it's better to take the security of your bitcoins in your own hands.
Make sure to check out our tips on How to Keep Your Bitcoins Safe.
CODE BLUE＠TOKYO, a cutting-edge IT security conference, was held from 18th -19th December. It was the second round, following its first occurrence in February 2014.
More than 400 people came together from all around the world, including one remotely participating in the conference via a drone. Heated discussions took place among researchers and engineers during intervals, lunchtime and coffee breaks - some were too enthusiastic they almost missed the next presentation (I admit I was one of them).
The concept of the meeting is "an international conference where the world's top class information security specialists gather to give cutting edge talks, and is a place for all participants to exchange information and interact beyond borders and languages." As this states, all the presentations were of high-quality technical research selected from topics submitted from researchers around the world. The security topics include: embedded technologies, penetration testing, vulnerabilities, malware, programming and more. It would be perfect if I could cover all the presentations, but to save my time and yours, I would like to pick up five of them.
- A security assessment study and trial of Tricore-powered automotive ECU
Dennis Kengo Oka (ETAS) and Takahiro Matsuki (FFRI) analyzed the behavior of ECU software running on TriCore, to attempt to verify the possibilities of attacks against it. Although they were not able to obtain the actual software itself for their testing, they created a test program on their own to show that the control system of TriCore was at risk of attack. There was a return address in a certain part of memory, and it was possible to transfer processing of the program to an arbitrary address if this was successfully overwritten. They proved the vulnerability by means of four demos, using an evaluation board. They said that they would need to obtain the ECU software actually used by TriCore in order to investigate whether or not the vulnerability could be a real threat.
- Physical [In]Security: It's not ALL about Cyber
Inbar Raz (Check Point) presented risks in cinema-ticketing machines, PoS machines and TVs in hospitals. Such devices have USB/LAN ports; and inserting USB keyboards or flash drives with LiveOS into those ports and booting them makes it possible to extract data stored on these devices. Since these devices often store credit card information or private keys for communications, this may pose risks. Through the presentation, Raz pointed out that special devices commonly used in public often lack protection against inappropriate access and could give away confidential data to malicious third parties.
- The story of IDA Pro
The keynote for Day 2, by Ilfak Guilfanov, was about the history of IDA from ver. 0.1 to IDA Pro. He outlined how IDA was created; which functionalities had been implemented; what issues have been resolved; and the existence of a pirated version of IDA Pro. Besides the future landscape of IDA Pro, the identity of the icon-lady was also revealed.
IDA Pro is widely used among engineers and malware researchers in their analysis of programs; I am not an exception.
- Drone attack by malware and network hacking
Dongcheol Hong (SEWORKS) pointed out the inadequate security settings of a drone system and showed that it was easy to hijack a drone. In his video he demonstrated experiments of malware infection via a smartphone app and an attack from an infected drone to a clean drone. At the end of the presentation, he warned that drones could possibly pose threats to other systems, since it may be possible to conduct a remote attack through PC, AP, or smart devices.
- Embedded Security in The Land of the Rising Sun
Ben Schmidt (Narf Industries) and Paul Makowski (Narf Industries) focused on routers commonly used in Japan, outlined which part of their code was vulnerable and demonstrated an attack on a router. According to them, there are a lot of home routers worldwide, which allow access to HTTP and UPnP ports from a WAN – Japan was number four on their worldwide list. They further pointed out that at the time of their presentation there were ~200,000 vulnerable routers which allowed HTTP and UPnP access from a WAN in Japan. Schmidt and Makowski sent me some additional comments after their presentation. They said: "Japanese embedded devices are attractive targets because Japanese Internet links are high bandwidth and low latency." They also emphasized the importance of quick patching of embedded devices.
David Jacoby from Kaspersky Lab GReAT was also a speaker at CODE BLUE. His presentation, entitled "How I Hacked My Home" ,was about the results of him hacking his own devices at home. His blog post is available in Securelist.
Kaspersky Lab Japan was Emerald Sponsor of CODE BLUE, as it had been for the first round.