Super-Sophisticated Spyware Spotted After 5-Year Run

2016.08.18 03

Symantec and Kaspersky Lab last week separately announced the discovery of a highly sophisticated advanced persistent threat that had eluded security researchers for at least five years.

A previously unknown group called “Strider” has been using Remsec, an advanced tool that seems to be designed primarily for spying. Its code contains a reference to Sauron, the main villain in The Lord of the Rings, according to Symantec.

The APT spyware is called “ProjectSauron” or “Strider” in Kaspersky’s report.

The malware has been active since at least October 2011, Symantec said. It obtained a sample after its behavioral engine detected it on a customer’s systems.

Kaspersky found out about ProjectSauron when its software caught an executable library registered as a Windows password filter loaded in the memory of a Windows domain controller. The library had access to sensitive data in cleartext.
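The load point described above is the LSA "Notification Packages" list: every DLL named there is loaded into lsass.exe and receives each password change in cleartext, which is why a rogue password filter on a domain controller is so valuable to an intruder. The following PowerShell audit is an added example, not code from the article or from either vendor's report. It assumes it is run elevated on the host being checked, and the baseline list of expected package names (`scecli`, `rassfm`) is an assumed starting point that should be replaced with the names from your own known-good build.

```powershell
# Added example (not from the article): audit LSA password-filter registrations.
# Windows loads each DLL named in "Notification Packages" into lsass.exe and
# passes it every plaintext password change, the hook abused on the domain
# controller described in the article.
# Assumptions: run elevated; $Baseline is an example allow-list, not a Microsoft
# reference, and should be taken from your own golden image.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli', 'rassfm')   # assumed baseline; verify against a known-good host

$packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($name in $packages) {
    # Package names are registered without an extension and resolved from System32.
    $dll = Join-Path $env:SystemRoot "System32\$name.dll"
    $sig = if (Test-Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

    [pscustomobject]@{
        Package    = $name
        Path       = $dll
        Exists     = [bool]$sig
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned/missing)' }
        SigStatus  = if ($sig) { $sig.Status } else { 'Missing' }
        InBaseline = $Baseline -contains $name.ToLower()
    }
}

$report | Format-Table -AutoSize

# Anything off-baseline, unsigned, or not signed by Microsoft deserves a closer look.
$suspect = $report | Where-Object {
    -not $_.InBaseline -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
if ($suspect) {
    Write-Warning "Unexpected LSA notification package(s): $($suspect.Package -join ', ')"
}
```

The same LSA key also carries a "Security Packages" value (authentication packages, also loaded into lsass.exe); it is worth auditing in the same way, and both values are good candidates for registry-change alerting on domain controllers, since legitimate additions there are rare and should be change-controlled.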

“Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful,” said Sándor Bálint, security lead for applied data science at Balabit.

“Installing antivirus software and running a personal firewall provide only a bare minimum of protection,” he told TechNewsWorld.

Antimalware systems “stop 99.999 percent of known attacks,” claimed Balabit CEO Zoltán Györkő.

However, the Strider APT mimicked a password filter module, which “is yet another clear sign that passwords are dead and behavior is the new authentication,” he told TechNewsWorld. “The only way to catch these attacks is to spot changes in the behavior of users at the end points.”

Civil Rights Office Issues Ransomware Guidance

2016.07.25 03

Ransomware infections are on the rise, and healthcare organizations are ripe targets, which may be why the federal government addressed the subject last week.

Ransomware attacks have risen from about 1,000 a day last year to 4,000 a day this year, Symantec has reported.

Many of those attacks are for small change, but some of the larger ones have been directed at healthcare providers. For example, Hollywood Presbyterian Medical Center earlier this year paid hackers US$17,000 to get its systems back online. Also, Medstar Health this spring coughed up $19,000 to return to normal operations.

HummingBad Mucks Up Android’s Works

2016.07.11 02

More than 85 million Android devices worldwide have been taken over by the Yingmob, a group of China-based cybercriminals who created the HummingBad malware, according to a Check Point report released last week.

HummingBad establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.

If it fails to establish a rootkit, it effectively carpet bombs the target devices with poisoned apps.

HummingBad has been generating revenue of US$300,000 a month, according to Check Point.

The malware runs along with legitimate ad campaigns that Yingmob has produced for its legitimate ad analytics business.

You Can Only Disable Defender In Windows 10 Home By Installing Another Antivirus

2016.06.17 01

Windows Defender isn’t the best antivirus software (even Microsoft admits its first-party solutions aren’t ideal), but it’s enabled by default on Windows 10 Home. In fact, the only way to disable it is to install something else.

In a strange turn of events, Microsoft has made its Windows Defender feature a permanent fixture of Windows 10. You can temporarily disable it, as you see in the screenshot above, but you can’t turn it off permanently. If it stays off for too long, Windows will turn it back on.

The one caveat to this rule, as pointed out by tips site MakeUseOf, is to install third-party antivirus software.
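A quick way to see whether Defender is actually protecting a machine, and whether a third-party product has registered itself as the reason Defender stepped aside, is to compare Defender's own status with what the Windows Security Center reports. The script below is an added example, not code from the article or from Microsoft. It assumes Windows 10 (the `root/SecurityCenter2` namespace) and uses the community interpretation of the undocumented `productState` field, which is an assumption rather than a documented contract.

```powershell
# Added example (not from the article): is Defender on, and if not, is a
# third-party antivirus registered as the reason?
# Assumptions: Windows 10 Security Center namespace root/SecurityCenter2; the
# productState decoding below is the commonly used community reading of an
# undocumented field, not a Microsoft-documented format.

$status = Get-MpComputerStatus
$defenderActive = $status.AMServiceEnabled -and $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled

# Products registered with Security Center, decoded from productState (assumed layout:
# 6 hex digits; middle pair 10/11 = enabled, last pair 00 = signatures up to date).
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $hex = '{0:x6}' -f $_.productState
        [pscustomobject]@{
            Product  = $_.displayName
            Enabled  = $hex.Substring(2, 2) -in @('10', '11')   # assumed decoding
            UpToDate = $hex.Substring(4, 2) -eq '00'            # assumed decoding
            Exe      = $_.pathToSignedProductExe
        }
    }

$products | Format-Table -AutoSize

# A third-party product is one whose registered executable is not Defender's own.
$thirdParty = $products | Where-Object { $_.Enabled -and $_.Exe -notmatch 'Windows Defender|MsMpEng' }

if ($defenderActive) {
    Write-Host "Defender is active (real-time protection on)."
} elseif ($thirdParty) {
    Write-Host "Defender is off because an enabled third-party product is registered: $($thirdParty.Product -join ', ')"
} else {
    # Defender off with nothing else registered is the state the article says
    # Windows does not allow to persist; worth investigating if it does.
    Write-Warning "Defender is not active and no enabled third-party antivirus is registered."
}
```

The last branch is the interesting one for a defender: on Windows 10 Home the article's point is that this state should be temporary, so a host that stays in it is either misconfigured or has had protection tampered with.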

New Attack Technique Hides Spread of RATs in Asia

2016.04.27 01

SentinelOne last week announced that it has detected a technique, used in Asia to infect systems with remote access Trojans, that keeps the payload in memory throughout its execution so that it never touches the victim's disk in an unencrypted state.

Attackers remain hidden from antivirus technologies and next-generation technologies that focus only on file-based threats, according to SentinelOne.

The samples analyzed also can detect the presence of a virtual machine, preventing them from being analyzed in a network sandbox.

Remote access Trojans, or RATs, aren’t new but the technique is, said Joseph Landry, senior security researcher at SentinelOne.

“We expect to see an increase in fileless-based attacks that execute in memory to avoid detection,” he told TechNewsWorld.