Categories
Security

Don’t forget the cyber criminals

Continuing our media push, I wrote a guest post for Forbes.

High-profile news throws a spotlight on how people feel about the privacy of their personal digital data, but for years cybercrime has been stealing and selling that data with very little coordinated public uproar. This malaise must end. The very real threat comes not from big, faceless companies and governments, but from those who seek to hide below the radar and beyond the law. A combined awakening needs to take place: governments, businesses and Internet users must pull together to fight this very current threat to personal data, because at the moment cybercrime is winning.

Check out the post and let me know what you think!

Mysterious case of the broken browser

A friend of mine asked me to take a look at why Google and Bing were inaccessible in Firefox. I dove in and realized that they were also unreachable from Internet Explorer, Chrome, and even a command-line ping. It became apparent that the hosts file had been hijacked. In fact, these entries were the only ones present:

87.229.126.50 www.google.com
87.229.126.51 www.bing.com

I swiftly removed them from the hosts file and both websites loaded fine. But what had put them there? With a working browser, a quick search revealed that those addresses were not legitimate and something had clearly hijacked the machine.
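The quickest way to spot this kind of hijack is to check whether any hosts entry points a public site at a routable address: a normal hosts file only carries loopback, blackhole (0.0.0.0) or private mappings. The script below is an added example written for this post, not the author's own tooling; the hosts file content it parses is constructed to resemble the entries above, and in practice you would read the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) instead.

```python
import ipaddress

# Constructed sample hosts file modelled on the hijacked entries in the post
# (example data, not a capture from the affected machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
87.229.126.50 www.google.com
87.229.126.51 www.bing.com
0.0.0.0 ads.example-tracker.test   # blocklist-style entry, resolves nowhere
"""


def _is_benign_target(addr: str) -> bool:
    """Loopback, unspecified (0.0.0.0 / ::) and private addresses are normal hosts targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_private


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [hostnames]) for each active mapping, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, nothing to map
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str) -> list[tuple[str, str]]:
    """Mappings that send a hostname to a routable public address.

    Anything that redirects a hostname to a remote IP is the redirection pattern
    described in the post and should be reviewed.
    """
    findings = []
    for addr, names in parse_hosts(text):
        if _is_benign_target(addr):
            continue
        for name in names:
            findings.append((name, addr))
    return findings


if __name__ == "__main__":
    for name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {name} -> {addr}")
```

Run against the sample, the two redirected search engines are reported while the loopback and blackhole entries are left alone. Treating only public addresses as suspicious keeps ad-blocking style hosts files from generating noise.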

Knowing my friend to be an avid Malwarebytes Anti-Malware user, I checked the quarantine and found several objects. The main files appeared to be dplayx.dll and dplaysvr.exe and had several registry entries allowing them to start with the computer. I sent the files to Adam Kujawa, a Malware Intelligence Analyst working with me at Malwarebytes. Adam confirmed that this malware was responsible for the hosts file redirection.

However, further analysis revealed a more cynical side. Adam continued by saying that “all binaries analyzed were heavily packed with custom obfuscation methods and employed anti-debugging tricks which made them a pain to get through” and that “the use of the filenames dplayx.dll and dplaysvr.exe is important because the names belong to legitimate applications and are integral parts of DirectX.”

While not new, the use of these particular filenames shows that malware authors are still trying to hide their executables behind legitimate names.
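Because the legitimate dplayx.dll and dplaysvr.exe live in the Windows system directories, a file with one of those names anywhere else (a user profile, a Temp folder, an autorun entry) deserves a second look. The check below is an added example, not code from the original post or from Malwarebytes: it takes a list of file paths and autorun command lines (all constructed here, with svchost.exe added as another commonly borrowed system name) and reports the ones that borrow a system filename outside the system directories.

```python
import ntpath

# Directories where the genuine copies of these components belong.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Filenames of legitimate Windows components that malware borrows for cover.
# dplayx.dll and dplaysvr.exe are the DirectPlay names from the post; svchost.exe
# is another widely abused system name.
KNOWN_SYSTEM_NAMES = {"dplayx.dll", "dplaysvr.exe", "svchost.exe"}

# Constructed sample: file paths as they might appear in a scan log or a Run key.
SAMPLE_ARTIFACTS = [
    r"C:\Windows\System32\dplayx.dll",
    r"C:\Windows\SysWOW64\dplaysvr.exe",
    r"C:\Users\User\AppData\Local\Temp\dplayx.dll",
    r"C:\Users\User\AppData\Roaming\dplaysvr.exe",
    r"C:\Program Files\Skype\Skype.exe",
]


def image_path_from_command(command: str) -> str:
    """Extract the executable path from an autorun command line.

    Handles both quoted paths ("C:\\dir\\x.exe" -arg) and bare paths (C:\\dir\\x.exe -arg).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_masquerading(path: str) -> bool:
    """True when a known system filename sits outside the system directories."""
    name = ntpath.basename(path).lower()
    if name not in KNOWN_SYSTEM_NAMES:
        return False
    directory = ntpath.dirname(path).lower()
    return directory not in SYSTEM_DIRS


def find_masquerading(paths: list[str]) -> list[str]:
    """Return the subset of paths that look like name-borrowing malware."""
    return [p for p in paths if is_masquerading(p)]


if __name__ == "__main__":
    for hit in find_masquerading(SAMPLE_ARTIFACTS):
        print(f"CHECK: {hit}")
    run_value = r'"C:\Users\User\AppData\Roaming\dplaysvr.exe" -s'
    print("autorun target:", image_path_from_command(run_value))
```

The comparison is on the parent directory, so a dplayx.dll under System32 passes while the same name under a user profile is flagged; image_path_from_command lets you feed in the data of Run-key values like the registry entries mentioned above.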

Check if you’re a digital pirate

With all of the SOPA talk this month, I figured an article on piracy was warranted. Pinpointing users of pirated software is becoming easier and more accurate. For example, check out YouHaveDownloaded.com, a website that lists the torrents you may have downloaded in a certain time span. While the website is not perfect, for those who have static IP addresses it can get pretty close and provide you with a list.

In one article on CNET, it was mentioned that “someone in the home of French President Nicolas Sarkozy, a strong proponent of anti-piracy legislation, has been using BitTorrent to download pirated versions of music and movies.”

If the Stop Online Piracy Act passes in the United States, I’m sure technology to track torrents and other illegal downloads will improve. Consequently, imagine the privacy concerns I have for Internet users. This proof-of-concept website is scary enough!

Malware in a barcode

Quick Response codes, also known as QR codes, are two-dimensional barcodes originally invented by the automotive industry to keep track of parts during manufacturing. However, these barcodes can hold any type of information and were quickly adopted across many other industries. Most smartphones now have applications that can read and process QR codes: you simply point your camera at the barcode and take a picture.

The QR code generated above contains a link to this domain. While QR codes themselves do not contain malware, imagine a barcode that takes you to a malicious website, one that uses an exploit in your smartphone to install unauthorized applications. The possibilities are endless, and as this technology becomes more popular there is greater motivation to find ways to exploit it. John Vezina put it best when he said, “I could, if I wished, print out dozens of QR codes and peel and stick them to bus stops, power line poles, or anywhere the things can stick to.”
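The practical defence is a scanner that shows what a code decodes to, and what acting on it would do, before the phone follows it. As an added example (not code from the post or from any QR reader app), the function below takes an already-decoded payload string and classifies it, raising warnings for the cases a reader should surface: plain HTTP, a bare IP address instead of a domain, punycode hosts that can hide look-alike characters, direct links to installable packages, and non-web schemes that trigger actions on the phone. The payloads are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample payloads of the kind a QR reader might decode.
SAMPLE_PAYLOADS = [
    "https://example.com/menu",
    "http://203.0.113.7/update.apk",
    "HTTPS://xn--exmple-cua.com/login",
    "javascript:alert(1)",
    "tel:+15555550100",
    "WIFI:T:WPA;S:cafe;P:secret;;",
    "just some text",
]

INSTALLER_SUFFIXES = (".apk", ".exe", ".ipa", ".msi")


def classify_qr_payload(payload: str) -> tuple[str, list[str]]:
    """Return (kind, warnings) describing what acting on this payload would do.

    kind is one of "url", "action", "wifi" or "text"; warnings is a list of
    reasons a user should look twice before proceeding (empty when nothing stands out).
    """
    warnings: list[str] = []
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""

    if scheme in ("http", "https"):
        parts = urlsplit(payload)
        host = parts.hostname or ""
        if scheme == "http":
            warnings.append("plain HTTP: page content can be altered in transit")
        try:
            ipaddress.ip_address(host)
            warnings.append("bare IP address instead of a domain name")
        except ValueError:
            pass                      # a normal hostname, nothing to flag
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("internationalised (punycode) domain: check for look-alike characters")
        if parts.path.lower().endswith(INSTALLER_SUFFIXES):
            warnings.append("links directly to an installable package")
        return "url", warnings

    if scheme in ("javascript", "data", "file"):
        # These schemes can run script or open local content; never follow them from a code.
        return "url", [f"{scheme}: scheme may execute code or open local content; refuse"]

    if scheme in ("tel", "sms", "mailto"):
        return "action", [f"would start a {scheme} action on the phone"]

    if payload.upper().startswith("WIFI:"):
        return "wifi", ["would configure a Wi-Fi network on the phone"]

    return "text", []


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        kind, notes = classify_qr_payload(p)
        print(f"{kind:6} {p}")
        for note in notes:
            print(f"       - {note}")
```

The scheme is taken from the raw payload rather than from urlsplit alone so that an uppercase HTTPS:// or a javascript: pseudo-URL is classified the same way a browser would treat it.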

Mysterious case of the executable hijack

I got a message from my friend Paul today asking for help with an infection. He was using the latest version of Firefox at the time and was positive he had not clicked on any odd links or downloaded anything malicious. Naturally, I advised him to run Malwarebytes Anti-Malware and had him send me the log. One specific entry popped out at me.

Memory Processes Infected:
c:\Users\Paul\AppData\Local\ojx.exe (Trojan.ExeShell.Gen) -> 3508 -> No action taken.

I picked up the phone and called Bruce Harrison, our VP of Research, and asked for an explanation. The answer shocked me. I was told that this was an executable hijack used by FakeAlert, a Trojan we see almost daily in our research center.

What exactly does that mean? Well, when the infection is able to penetrate your computer, it hijacks all executables to run the malicious file instead of their intended targets. For example, you try to open Skype and the malicious file starts instead.

It does this in two ways. First, it modifies each shortcut itself to point to the malware. Second, it modifies the .exe shell handler in the registry so that, once again, instead of starting the correct executable, it starts the malicious file.
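The registry half of that hijack is easy to audit: the default value of the .exe shell open command should be "%1" %* (run the file that was clicked, passing its arguments). Anything else means another program is being started first. As an added example that is not the author's or Malwarebytes' code, the script below parses a .reg export (a constructed one here, modelled on the log entry above with the user name changed) and reports any exefile or .exe shell\open\command key whose value is not the expected one. It assumes a registry export in the standard "Windows Registry Editor Version 5.00" text format; on a live Windows system you would produce that with reg export, or query the keys directly.

```python
import re

# What the default value of an .exe shell open command should be.
EXPECTED_COMMAND = '"%1" %*'

# Constructed .reg export: the machine-wide handler is intact, but a per-user
# override under HKCU points every .exe launch at the malicious file first.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Users\\User\\AppData\\Local\\ojx.exe\" -a \"%1\" %*"
'''


def parse_reg_export(text: str) -> dict[str, str]:
    """Map each key path in a .reg export to its default (@) string value.

    Only the escapes that matter for command values are undone: \\" and \\\\.
    """
    values: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            continue
        value_match = re.match(r'^@="(.*)"$', line)
        if value_match and current:
            raw = value_match.group(1)
            values[current] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return values


def is_exe_shell_key(key: str) -> bool:
    """True for any ...\\exefile\\shell\\open\\command or ...\\.exe\\shell\\open\\command key."""
    k = key.lower()
    return k.endswith("\\shell\\open\\command") and ("\\exefile\\" in k or "\\.exe\\" in k)


def find_exe_shell_hijacks(reg_text: str) -> list[tuple[str, str]]:
    """Return (key, command) for every .exe shell handler that is not the stock value."""
    findings = []
    for key, command in parse_reg_export(reg_text).items():
        if is_exe_shell_key(key) and command != EXPECTED_COMMAND:
            findings.append((key, command))
    return findings


if __name__ == "__main__":
    for key, command in find_exe_shell_hijacks(SAMPLE_REG_EXPORT):
        print(f"HIJACKED: {key}\n    runs: {command}")
```

Checking the per-user Classes keys as well as HKEY_CLASSES_ROOT matters because a user-level override wins over the machine default, so a machine can look clean under HKCR and still launch the malware on every double-click.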

Luckily, Malwarebytes Anti-Malware was able to patch Paul up, but we both wanted to know how this had happened. Bruce advised us to check the installed Java version. It was in fact outdated by several versions. I advised Paul to update to the latest version and he now has a healthy computer!

Duqu: new zero day malware targets businesses

Since the media has made a huge hype about this, I thought I’d clear up to my readers what Duqu is and how it affects you.

Duqu, also commonly referred to as the ‘son of Stuxnet’, is a Remote Access Trojan that uses a zero-day vulnerability in Microsoft Word to infect a machine. Once dropped on the system, Duqu’s primary task is to stealthily gather data, including logging keystrokes, making it a prime tool for cyberwarfare. However, Duqu is unique in that it was likely developed over several years and its primary method of distribution is through e-mail.

Specifically, Duqu is more likely to be used against higher-profile victims, such as large companies, from which it can steal data. Microsoft said they “see low customer impact at this time,” which makes sense if Duqu was indeed a targeted attack.

Here are a few tips for those who suspect they are vulnerable:

  1. While Microsoft has not issued a full patch just yet, it is important to know that a workaround exists. Simply click on the Suggested Actions menu.
  2. Scan all e-mail attachments you try to open with both anti-virus and anti-malware software. This should automatically be done if you have licensed versions of both products.
  3. The e-mails can be forged to look like they came from somebody else in the company. If you weren’t expecting an e-mail or the attachment looks fishy, err on the side of caution and ask if the attachment is indeed legitimate.

Note that these types of attacks are common and it is good practice to always follow the steps above.

Safe surfing!

How many security researchers does it take to rob a bank?

Thought I’d share something that made me laugh today.

Moran Cerf talks about his work as a hacker who breaks into banks digitally. He reports these exploits to the bank and they pay him. Listen to his story as he attempts to break into a bank physically and everything goes wrong.

With this story, Moran won the 2010 Moth GrandSLAM story-telling competition.

I don’t think you’ll see me robbing banks anytime soon.

Teaching security to the hopeless

One of my Twitter followers suggested that I write about security tips for the technically challenged. Instantly, I thought about my last visit home.

If you’re anything like me, you’ll notice that your friends, your family, and even people you rarely interact with always turn to you with their computer troubles. Sometimes the questions are easy to answer, like recommending anti-virus software. Other times, you get the friend or family member who is technically savvy enough to follow your advice. Unfortunately, most of the time you get to deal with the hopeless, my parents being a prime example. Luckily my mother doesn’t read this blog. If she did, I’d get an earful on my next visit home.

Below are some easy tips you can recommend to those you may be hearing from a bit too much:

  1. Don’t just click next. When installing a piece of software, read each page of the installer. Many software companies now ask you to install a toolbar, and if you don’t opt out you may end up browsing the Internet with it.
  2. Be vigilant while browsing. If you search Google for “car rentals,” make sure you select a search result that looks credible, like Hertz. This sounds obvious, but I can’t tell you how many times I’ve seen someone get infected by clicking the first link or advertisement.
  3. Buy your anti-virus software. Okay, that may be stretching it but make sure your anti-virus is scheduled to update continuously. Most full versions of anti-virus software have automatic updating enabled by default.
  4. You don’t have any friends trying to sell you Viagra, I promise. Don’t open e-mails from senders you don’t recognize. More importantly, don’t open attachments unless you absolutely trust the sender.

With these quick tips, I was able to significantly reduce the number of calls from my parents. Leave a comment to share what’s worked for you!