Posts Tagged ‘Malware’
Flaws in Shamoon Malware Reinforce Theory It’s Not A Wiper Variant
Last Updated on Thursday, 23 August 2012 10:15 Written by Celframe Security Team Friday, 16 November 2012 12:35
Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.
A prime error appears in the main executable, the dropper, which on some systems is launched as a service to create a scheduled task. That logic works incorrectly because the date August 15, 2012 is hard-coded into the malware as a checkpoint: if the current year is 2013 or later but the month is earlier than August, the malware treats the date as falling before the August 2012 checkpoint value.
“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post. “Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”
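The date-comparison failure described above, as an added example that is not part of the original article and not Shamoon's code: the article gives only the observed behaviour, so the component-wise check below is a hypothetical reconstruction of that bug class, placed beside a whole-date comparison for contrast. The function names, the integer (year, month, day) signature and the misjudged-day counter are assumptions of this example. As written, the component-wise pattern also misjudges the first fourteen days of months after August in later years, which goes beyond the month-only case the article mentions.

```python
from datetime import date, timedelta

# Checkpoint from the analysis: 15 August 2012, hard-coded into the dropper.
CHECK_YEAR, CHECK_MONTH, CHECK_DAY = 2012, 8, 15


def after_checkpoint_flawed(year: int, month: int, day: int) -> bool:
    """Component-wise comparison (hypothetical reconstruction of the bug class
    the article describes, not Shamoon's actual routine).  Each field is
    compared on its own, so 2013-01-10 is judged to be *before* 2012-08-15
    because January < August, even though the year is later."""
    return year >= CHECK_YEAR and month >= CHECK_MONTH and day >= CHECK_DAY


def after_checkpoint_correct(year: int, month: int, day: int) -> bool:
    """Compare the date as a whole.  date objects order chronologically, so a
    later year dominates a smaller month or day, as it should."""
    return date(year, month, day) >= date(CHECK_YEAR, CHECK_MONTH, CHECK_DAY)


def misjudged_days(year: int) -> int:
    """Count the calendar days in `year` on which the two checks disagree,
    i.e. the days the component-wise check gets wrong."""
    d = date(year, 1, 1)
    count = 0
    while d.year == year:
        flawed = after_checkpoint_flawed(d.year, d.month, d.day)
        correct = after_checkpoint_correct(d.year, d.month, d.day)
        if flawed != correct:
            count += 1
        d += timedelta(days=1)
    return count


if __name__ == "__main__":
    # Constructed sample dates around the checkpoint.
    for y, m, d in [(2012, 8, 15), (2012, 9, 1), (2013, 1, 10), (2013, 8, 20)]:
        print(f"{y}-{m:02d}-{d:02d}: flawed={after_checkpoint_flawed(y, m, d)} "
              f"correct={after_checkpoint_correct(y, m, d)}")
    for y in (2012, 2013, 2014):
        print(f"{y}: {misjudged_days(y)} days misjudged by the component-wise check")
```

The counter is the useful part for an analyst: it shows that the flawed routine is wrong on 282 days of 2013 (all of January through July plus the 1st to 14th of each later month), which is exactly the kind of systematic date drift that a careful developer would catch in a unit test.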
“Wiper” was the name researchers gave to malware that was discovered earlier this summer on some networks in Iran erasing data from infected machines. Like that malware, Shamoon steals data from infected computers before overwriting the master boot record, rendering compromised machines unbootable. But upon further analysis, researchers realized the two pieces of malware differed.
In an earlier post by another Kaspersky Lab expert, Shamoon was considered an imitation of the earlier malware tied to energy systems. “It is more likely that this is a copycat, the work of script kiddies inspired by the story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”
Tarakanov outlined evidence for such a conclusion by examining how the program runs on a typical 32-bit operating system. For instance, the program expects arguments that work like a list of IP addresses of computers targeted for infection. When the program runs without such arguments, it must rely on a service it installs locally, called a distributed link tracking server, to ensure the malware is restarted and workstation configurations are changed whenever the operating system loads.
“There is an easier way to force the OS to run a service at startup – just set up the appropriate option of a particular service,” Tarakanov wrote. “Moreover, ‘TrkSvr’ gets created by malware with that option adjusted to start automatically. Why the author followed this method, with dependencies, is difficult to understand.”
Fake Flash Player, Laden with Malware, Making Rounds
Last Updated on Thursday, 23 August 2012 10:14 Written by Celframe Security Team Wednesday, 14 November 2012 04:55
Scammers have already begun to take advantage of Adobe’s recent decision to remove its Flash Player from Android’s Google Play marketplace. Last week’s removal has prompted scammers to start promoting fake versions of the software to unsuspecting smartphone owners. While researching the scamware, security firm GFI Labs uncovered a separate fake version of the Flash Player that’s not only bogus but an SMS Trojan that comes bundled with adware.
According to a post on the company’s blog, the app named ‘adobeflashinstaller.apk’ comes replete with adware from the mobile ad network AirPush. Once installed, the app tricks users into following a series of steps to root their phone before downloading another .APK file. This file, hosted on an XDA-Developers forum post, is a hacked version of Adobe’s Flash Player app. While the app isn’t necessarily malicious, it’s not authorized by the company, meaning it’s possible the app could grant or install permissions without the users’ knowledge further down the line.
Meanwhile, the app’s adware leads to the installation of advertisements on the phone. If the user tries to delete them, the adware will simply add more of them. The adware also changes the users’ home page, sends pop-up ads to the phone’s status bar every fifteen minutes, and even reads and sends the users’ phonebook contacts to advertisers.
Adobe ceased development on Flash Player for Android on August 15 after announcing it was shifting its focus to AIR, a runtime environment that allows apps that utilize Flash to run on devices natively. Adobe added that the current version of Flash Player as it stands may exhibit “unpredictable behavior” when the next version of Android, Jelly Bean, is further rolled out.
Software Update Site For Hospital Respirators Found Riddled With Malware
Last Updated on Saturday, 14 July 2012 05:47 Written by Celframe Security Team Thursday, 8 November 2012 08:05
UPDATE: A Web site used to distribute software updates for a wide range of medical equipment, including ventilators, has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise, Threatpost has learned.
The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google’s Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company’s AVEA brand ventilators, were found to be infected and pushing malicious software to visitors’ systems.
The software downloaded from Viasyshealthcare.com included 48 separate Trojan horse programs and two scripting exploits, according to a review of the Google Safe Browsing report by Threatpost. Another domain, sensormedics.com, which supports CareFusion’s VELA brand ventilators, was also found to be serving “content that resulted in malicious software being downloaded and installed without user consent,” according to a June 13 scan by Google’s Safe Browsing crawler.
CareFusion did not initially respond to a request for comment. A spokeswoman later said the company is “looking into the matter” and has removed the software updates from its website in the meantime.
The company makes a range of hospital equipment including the Alaris-brand infusion pumps and AVEA, AirLife and LTV series ventilation and respiratory products. CareFusion employs 14,000 people worldwide and reported revenue of $2.63 billion for the first nine months of its fiscal year.
After being contacted by Threatpost on Thursday, CareFusion removed links to the infected Web sites hosting software updates for the respirators from its Product Support page. However, the company still offered links for parts and supplies for CareFusion’s 3100A High Frequency Oscillatory Ventilator (HFOV) and LTV series ventilators that were likewise infected, according to Google.
The infections first caught the attention of Kevin Fu, a professor and security researcher at the University of Massachusetts, Amherst, who is a recognized expert in the security of medical devices. Fu discovered the infections when trying to download an update for the AVEA ventilators. Fu said the infections pose a major risk for hospitals that use CareFusion products.
“Vendors routinely install software updates for medical devices from the Internet or USB keys. I’ve seen medical sales engineers download pacemaker-related software from the Internet,” he wrote on his blog, Medical Device Security Center.
Fu notes that CareFusion advises customers to simply “click run” when the “file download security warning” dialog box appears, potentially tragic advice on a Web site that is serving up malicious programs such as Trojan horses.
Fu said an e-mail sent to the address “email@example.com” bounced back. He reported the incident to the U.S. Federal Food and Drug Administration (FDA) but said that the agency lacks a way to track and respond to cyber security reports for medical devices. “The reports get mixed in with general adverse event reports, and incidents with known injuries or deaths usually receive more swift attention,” Fu wrote.
Little is known about the source of the infections at CareFusion. However, an analysis by the Department of Homeland Security found that some of CareFusion’s Web sites were relying on six-year-old versions of ASP.NET and Microsoft Internet Information Services (IIS) version 6.0, which was released with Windows Server 2003. Both platforms are highly susceptible to compromise. DHS is continuing to investigate the incident and may refer it to its ICS-CERT division, which focuses on threats to critical infrastructure.
It is also unclear whether the attackers knew that the compromised sites hosted software for running life-saving medical devices. Attacks that leverage legitimate Web sites are common online. Recent months have brought reports of prominent Web sites and hosting firms that were hacked and reconfigured to serve up malicious programs. In April, Google warned 20,000 Webmasters about sites that may be compromised and redirecting visitors to malicious Web sites.
Fu said the warnings from Google should give CareFusion’s many customers pause before downloading updates from the company’s Web sites.
“I find it difficult to establish trust in the safety of software affiliated with reports of ‘malicious software being downloaded and installed without user consent.’”