Week in review 10 October 2014
Once again, Shellshock was in the news this week. It was almost inevitable, given the penetration of Linux and UNIX systems on the web. There were other interesting news items however. The impact of spam was the subject of several news articles, whilst a new malware devised to infect ATM PCs came to light. Shellshock was first publicly announced on September 24. Since then, a flurry of patching, more vulnerability disclosures, and more patching has taken place. Virtually every Linux distribution has a bash install, and most UNIX flavours too.
Furthermore, at least half of all web servers run either Linux or UNIX, meaning that the potential impact is very widespread. Fortunately, patches for bash were released quickly. Patches though are only good as the urgency of organisations to patch. And considering the number of servers to patch, no one could blame system administrators for taking time to patch. Unfortunately, many servers are still exposed, leading to a number of exploits being developed and deployed. One such exploit is a version of the Mayhem malware. The Mayhem malware was first detailed in July this year. A new version that specifically targets the Shellshock vulnerability has recently been detected, and has infected at least 30+ machines worldwide (at the time of writing).
However, there are likely to be many more. The Mayhem malware utilises the Shellshock vulnerability to download an installer script written in Perl. The way it does this is to inject a command into a web server running a vulnerable version of bash. The details of the exploit are on the Malware Must Die website. The other big news items revolved around spam. An article on The Register website talked about the history of spam, as well as the latest measures designed to capture spam. Of more interest however was a report released by GFI software this week. The report was the findings of a survey of 200 IT administrators in the US. One area of interest was the number of hours of lost productivity due to a user clicking on a spam email and causing an incident. 48% of responders reported that up to three hours of productivity were lost; 9% reported losing up to 9 hours. Other interesting findings were that 27% reported malware being downloaded to a user’s machine and/or a server due to a user clicking on an email link. 22% reported network disruptions caused by a user responding to a malicious email.
The full report is well worth a read. ATM crime moved onto another level this week, with the release by Kaspersky Lab of information relating to ATM malware that has been installed on at least 50 ATMs in Europe. The malware (called Tyupkin) can be installed on less than secure PCs that run an ATM. A unique code can then be used by an operator to access the malware. Once the malware is running, the operator can select a cassette. The ATM will then dispense 40 bank notes. It is not known how widespread this malware is, but we do know that a financial institution originally contacted Kaspersky Lab in early 2014. The institution was mystified as to how cash was disappearing from its ATMs. Investigation by Kaspersky Lab uncovered the malware. The Tyupkin malware represents a new level of sophistication for ATM thieves, but it can be counteracted by use of better physical security on the ATM PC.