Week in review 17 October 2014
Another data breach hit the headlines this week, this time involving Kmart in the USA. Actually, malware was the theme of the week: Kmart’s breach was due to POS malware, a promise of a salacious video on Facebook led to malware being downloaded, Sandworm malware was announced (in conjunction with Microsoft’s Patch Tuesday), and malicious ads were discovered on some YouTube videos leading to – you guessed it – malware downloads. To round off, we looked in more detail at some of the more insidious new features of the Dyre banking Trojan.

Sears Holdings are the US owners of Kmart. This week Sears put a statement on the Kmart website that read (in part) that the “IT team detected that our Kmart store payment data system had been breached”. The statement went on to say that “data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus).” Credit and debit card numbers were compromised, however; PINs and other information remained secure. Still, the information was enough to be able to produce fake cards, as Brian Krebs pointed out. Once again, POS malware had infected a system, leading to a data breach.

A favourite vehicle for scammers is the lure of videos promising more if the user clicks on a link. Unfortunately, clicking on the link often leads the user to fake sites and may download malware to the user’s computer. Celebrities (in particular) are becoming a favourite subject to entice victims; this week it was Emma Watson. Facebook links promising that the user could view a video of Emma Watson by clicking on a link led to a fake message telling the user that they needed to upgrade their software. In this case, however, the malware (once installed) can repost the video on your timeline (without your knowledge) and like other monetized pages (again without your knowledge). Best policy if you get a message such as the Emma Watson one: ignore it.

Frank Herbert’s classic science fiction novel Dune was a contributor to a news story this week. The Sandworm malware (named after a species of animals native to the planet Dune) was revealed in conjunction with Microsoft’s Patch Tuesday; one of the patches Microsoft released closed a hole that the Sandworm malware was able to exploit. Microsoft helpfully released details on workarounds, if system administrators couldn’t immediately apply the patch. The Sandworm virus was first uncovered in September 2014 by iSight, who reported it to Microsoft. Disclosure of the malware was delayed until Microsoft could release a patch. The malware takes advantage of a vulnerability in the OLE package manager of Windows. Ironically, Windows XP is not affected. The method used by the attackers to spread the malware was a phishing campaign.

Speaking of patching, unpatched versions of Internet Explorer were found to be at risk from a malvertising campaign using YouTube videos. The campaign was able to modify DNS lookups for a Polish government website to direct victims to the malicious site. As yet, it is not known how the attackers were able to change the DNS lookups, as the Polish sites themselves were not hacked. The campaign has hit US users most, with 95.84% of those affected located in the US. Significantly, the exploit used a vulnerability in Internet Explorer that was patched by Microsoft in May 2013: a salient lesson in keeping systems up to date with the latest patches.

Dyre is one of the more disturbing pieces of malware detected in 2014. Dyre uses a technique known as “browser hooking” to steal user login credentials. This technique is a way of capturing information that a user enters into a login session after they have finished typing/clicking, but before they submit. Once a user submits login credentials, the information is encrypted. What Dyre can do is monitor and subsequently capture the credentials before they are encrypted. Dyre malware is spread via phishing campaigns. A new version of Dyre has been detected that can capture extra information relating to a user’s PC. The attackers can then compile information on what software an organisation uses, and craft future attacks to take advantage of known (and unknown) vulnerabilities in that software.

As can be seen from looking back over this week, many of the dangers that lurk in today’s connected world are first spread via phishing. Phishing is a low-tech method, but a highly effective means for attackers to gain access to an organisation and launch attacks.