Tag Archives: Malware

Don’t ‘Enable Macro if Data Encoding is Incorrect’!

30 January 2016

If you open a word document attached to an email and you see the message ‘Enable macro if data encoding is incorrect’ you are well on the way to become the victim of a cyber-attack:

Dridex malware requests to lower macor security

Dridex malware requests to lower macro security

Word blocked the auto-open macro in the document to prevent its execution. In the case of document ‘Fax 49 2232949992120160128232732.doc’ it’s about the trojan ‘W2KM_DRIDEX.BM’. Besides other malicious activities the macro downloads and executes the program g545.exe from a server hosted in the Russian Federation.

So far everything went well. Word was well secured and blocked the auto-open macro from executing the payload. The best way to go ahead is to close word and drop the email and the downloaded attachment.

But if you comply with the request and lower the macro virus settings in word you will be definitely tricked.

As always the first line of defense is a well-trained user who follows the commandments

  • ‘Think twice before you click on whatever links or attachments’,
  • ‘Never lower your security settings upon requests of whatever sources’ and
  • ‘Disable all macros with notification’ in Word Trust Center, section Macro Settings.

In the worst case it may come to a blackout in a country, done in Ukraine 23 December 2015.

Have a good weekend.

Advertisements

TrojanDownloader:Win32/Upatre not detected by 22 of 57 Anti-Malware Programs after 2 days

20 June 2015

In the past days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMWare with Windows 8.1 64bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.

Cyber-attacks follow always the same pattern:

Development of a Cyber Attack

Development of a Cyber Attack

[1] Attract the reader’s attention.

[2] Force the reader to extract and execute the malware disguised as an innocuous pdf or html file.

[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.

[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.

[5] Send the users secrets to the C&C server.

In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately a small part of e-mails, with well camouflaged malware attachments or new variants of malware, are directed to the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware one would expect that the heuristic scanners of the anti-malware systems should be able detect and sanitize the attachments during download from the email to the file system.

I use Trend Micro MaximumSecurity because the program got a 5 star rating in a comprehensive test last November. I run the program in protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.

On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.

I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m, 10 hours after the first upload to virustotal.com. This is a very good result!

On 18 June, 29 of 57 scanners were able to detect the malware, Trend Micro MaximumSecurity was not among them. Defender identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.

Defender Report

Defender Report

Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.

I am really puzzled. I thought, I bought one of the best anti-malware systems, but 6 months later it’s just not capable to detect variants of old Trojans. It’s time to switch back to Defender and to write-off the Trend Micro software. This seems to me an acceptable risk.

By the way, the most effective protection measure here is user training. Never open attachments of nested zip-files. It is very likely that they contain malware which puts your information systems at risk.

And don’t trust Anti-Malware program evaluations in German computer magazines.

Have a good weekend!


Appendix: virustotal.com check results as of 19 June 2015

Antivirus Result Update
ALYac Trojan.GenericKD.2494514 20150619
AVG Generic_s.EUO 20150619
AVware Trojan-Downloader.Win32.Upatre.ic (v) 20150619
Ad-Aware Trojan.GenericKD.2494514 20150619
AhnLab-V3 Trojan/Win32.Upatre 20150619
Arcabit Trojan.Generic.D261032 20150619
Avira TR/Agent.68096.251 20150619
Baidu-International Trojan.Win32.Upatre.bkby 20150619
BitDefender Trojan.GenericKD.2494514 20150619
CAT-QuickHeal TrojanDownloader.Upatre.r3 20150619
Cyren W32/Upatre.AT.gen!Eldorado 20150619
DrWeb Trojan.Upatre.3504 20150619
ESET-NOD32 a variant of Win32/Kryptik.DMJN 20150619
Emsisoft Trojan.GenericKD.2494514 (B) 20150619
F-Prot W32/Upatre.AT.gen!Eldorado 20150619
F-Secure Trojan.GenericKD.2494514 20150619
Fortinet W32/Waski.A!tr 20150619
GData Trojan.GenericKD.2494514 20150619
Ikarus PUA.Bundler 20150619
K7GW Trojan ( 004c5fac1 ) 20150619
Kaspersky Trojan-Downloader.Win32.Upatre.bkby 20150619
Malwarebytes Trojan.Downloader.Upatre 20150619
McAfee Upatre-FACH!9B004AD1DBB5 20150619
McAfee-GW-Edition BehavesLike.Win32.Dropper.km 20150619
MicroWorld-eScan Trojan.GenericKD.2494514 20150619
Microsoft TrojanDownloader:Win32/Upatre 20150619
Panda Trj/Genetic.gen 20150619
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20150619
Rising PE:Trojan.Win32.Generic.18C77685!415725189 20150618
Sophos Troj/Dyreza-FP 20150619
Symantec Downloader.Upatre!gen5 20150619
Tencent Trojan.Win32.Qudamah.Gen.2 20150619
TrendMicro-HouseCall TROJ_GEN.F0D1H0ZFG15 20150619
VIPRE Trojan-Downloader.Win32.Upatre.ic (v) 20150619
nProtect Trojan.GenericKD.2494514 20150619
AegisLab 20150619
Agnitum 20150619
Alibaba 20150619
Antiy-AVL 20150619
Avast 20150619
Bkav 20150619
ByteHero 20150619
CMC 20150618
ClamAV 20150619
Comodo 20150619
Jiangmin 20150618
K7AntiVirus 20150619
Kingsoft 20150619
NANO-Antivirus 20150619
SUPERAntiSpyware 20150619
TheHacker 20150619
TotalDefense 20150619
TrendMicro 20150619
VBA32 20150619
ViRobot 20150619
Zillya 20150619
Zoner 20150619

 

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In article ‘Mitigation strategies for data-wiping malware’ published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect from outside the company network to a server. A trusted admin zone concept will prevent the lateral drift of attackers within the company network once they got access through e.g. a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

Anthem hacked – company says five employee’s credentials phished and used

26 February 2015

In his report ‘Anthem: company says five employee’s credentials phished and used’ posted on IT Security Guru at 12 February 2015, Dan Raywood gives us some background details about how the hack occurred.

The attackers used a phishing attack to steal the credentials of employees. To be honest, I’m relieved to hear that. No rocket science! Phishing is and remains the #1 attack vector.

Awareness training and Two Factor Authentication are the preferred preventive protection measures. Anthem did the right thing. In report ‘Anthem’s IT system had cracks before hack’ we read: ‘Then on Feb. 7 and 8, Anthem reworked all its IT accounts that have privileged access to sensitive information to now require three layers of authentication—a permanent login, a physical token, and a temporary password that changes every few hours.’

If Two Factor Authentication could not be implemented, SmartScreen Filtering in Internet Explorer or the Reported Attack Site Blocker in Firefox could be helpful. The error messages can hardly be ignored:

SmartScreen Warning Phishing Attack

SmartScreen Warning Phishing Attack

Some anti-malware packages, e.g. Trend Micro Maximum security, will also block access to malicious sites. But the above options are of limited use in the case of zero day exploits, although it’s amazing to see how fast the filters are updated.

Have a good day! … And,  don’t forget to activate SmartScreen Filtering as soon as possible.

Free email providers are preferred distribution channels for malware

21 February 2015

Thursday morning I got a very puzzling e-mail. A collection agency informed me of an allegedly not paid invoice and threatened me with defaulted interest and overdue fines.

But, I conduct no business with Pay Bank AG. In addition the mail was sent from a GMX, a Germany based free mail service, address and not from the Pay Bank AG domain.

This was just another spam mail, but, compared to others, well and convincing written. The message was crystal clear: Open the attachment!

In the evening I checked the attachment and found nested zip files. The inner zip file contained a program that appeared to be the data-gathering malware Win32/Zbot.gen!plock (TROJ_DLOADR.JCQ). Fortunately the anti-malware program on my computer removed the malware during download to my hard disk.

Sending malware in nested zip files ensures that the anti-malware systems on the e-mail provider’s mail-in servers become not aware of the malicious attachments. Scanning of archives is very time-consuming because the anti-malware system has to open the archive and to scan all files inside. Therefore nearly all anti-malware systems are configured to ignore nested zip files..

But what amazed me was that apparently no e-mail provider runs an in-depth scan of attachments. From the e-mail header I found that the mail was sent from the attacker’s computer PC14-050 to mail.gmx.com (GMX) and via mailin55.aul.t-online.de (T-Online) to SNT004-MC3F11.hotmail.com (Microsoft).

Since the malicious attachment wasn’t removed on his way to the inbox on my computer, GMX, T-Online and Microsoft use a similar, inadequate anti-malware configuration on their mail-in servers. As always, the last line of defense is the anti-malware system on the end-user’s computer.

In my opinion, this is an enormous waste of resources. Every day millions of malicious attachments clog the internet because of inadequate anti-malware configurations. We could save a lot of bandwidth for really important business, and much hassle, if mail-in servers would just reject any e-mail that has known malicious attachments.

That’s it for today. Please configure the anti-malware program, which is installed on your computer, to perform in-depth scans of attachments. Safety has priority over speed!

Have a good weekend.

Sony-pocalypse is still stuck in my mind

13 December 2014

The more technical details about the Sony attack come to light, the more restless I become. Although the attacker delivered a high sophisticated piece of code, the impact of this attack would not have been such serious without the unintended help of the Sony users and IT groups.

Samuel Gibbs writes in theguardian ‘While security analysts have said that preventing sophisticated and well-funded cyber criminals from breaking into a company is very hard indeed, researchers have criticised Sony Pictures for its poor data security, which allegedly saw login details stored in unencrypted spreadsheets.’

That’s really bad! And particularly critical in the case of functional accounts or global admin accounts.

Another large weak spot, users who work with administrative privileges or accounts, was exploited for the initial attack.

The big question is: How could we make an attackers life more difficult?

Just a few suggestions:

  • Never use an account with administrative rights for daily work. This also applies for members of the IT groups. Administrators should work with standard user accounts, and switch to privileged accounts if required.
  • Never use the same accounts and passwords for administration of services like email or database server systems and workstations. Even if a workstation account is compromised the server will stay safe.
  • Never use the same functional accounts and passwords for workstations and servers. Functional accounts are often used for managing services of third-party vendors, e.g. the anti-malware systems. Unfortunately these accounts must often have administrative privileges. Different accounts and passwords for workstations and servers will prevent the spread of malware to servers if e.g. the workstation account is compromised.
  • Never use the same functional account for multiple services. Mind the isolation principle!
  • Service specific functional accounts should be defined locally, and only on systems where the services are hosted.
  • Use strong passwords with length > 20 chars only. This is in particular for functional accounts no problem because the passwords are not very often used.
  • Decide about implementing Two Factor Authorization.

That’s it for today, and for this year. I will take a Christmas break.

Christmas Trees

A merry Christmas to you all
and the best wishes for health, happiness
and prosperity in the New Year.