Week in review 28 November 2014
A pretty varied list of items appeared in this week’s news. First there was CryptoPHP, which ultimately aims to use Black Hat SEO to artificially boost search engine rankings. Regin was revealed to be one of the stealthiest pieces of malware ever to infect PCs. A bane of many a security person is users ignoring browser warnings; a recently published paper gave some indications as to why. Threat detection software was shown up just a little this week with the release of a report, and finally DroidJack made an appearance.
CryptoPHP has a sting in the tail
Legitimate-looking sites are being used to trick webmasters into downloading infected WordPress plugins containing CryptoPHP. CryptoPHP installs a backdoor on the web server and uses encryption to communicate with its command and control server, which makes it difficult to detect using network scanning. The purpose of CryptoPHP is to use Black Hat SEO techniques to artificially boost search engine rankings. This type of campaign is usually used to set up scam pages.
Stealthy Regin stealing sensitive information
Regin was disclosed this week, and looks like one of the most complex and stealthy pieces of malware ever written. First identified in 2003, it has been through several iterations. Regin tries to infect a network on many levels, ideally starting with the highest level. It is unclear how Regin is spread, though one theory suggests a man-in-the-middle attack utilising browser zero-day attacks. Communications with its command and control server are done in such a way as to ensure Regin is difficult to detect: it uses other compromised machines effectively as routers, so communications pass through these machines on the way to the command and control server. Regin steals sensitive information and data. The big news was that Regin was found to have been able to access a Base Station Controller in a GSM cell network. This happened for a short time in 2008, but during that time the attackers would have been able to access a large amount of user data, including calls made and received. Another surprise was that Fiji and Kiribati, two small island nation states in the South Pacific, were amongst the countries reporting Regin infections.
Ignore browser warnings at your peril
How do users end up getting fooled by phishing sites? A new study by researchers at Brigham Young University showed that part of the problem is that people aren’t always as aware of internet threats as they believe they are. In the experiment, subjects were first given an online quiz, and then asked to use their own laptop in a subsequent lab test. The lab tasks required the subjects to classify images shown as photos or animation, with ten seconds to decide and a penalty applied for incorrect answers. At various points, a warning screen very similar to the Chrome warning screen would pop up. Eventually, if users clicked the “yes” button too many times, a message saying that they had been hacked would appear, along with a warning that the user’s files would disappear. The message was false; however, the researchers noted that users who saw the hacked message were far more cautious about clicking through in later tasks.
Malware slips by threat detection software
Threat detection software might be giving users a false sense of security, according to one report released this week. In the report, the authors state that a piece of malware managed to slip past all five commercially available threat detection products tested. The study involved four samples of malware that were created by the researchers to resemble known malware, ranging from very simple to very complex. The five threat detection products were not named in the study. The results were stunning: the two least complex malware samples were detected by the threat detection software, but only low-level alarms were raised. A third malware sample managed to slip by three of the products. The fourth malware sample evaded all five products. As the report notes, threat detection software is not a “silver bullet” that can protect users; it should be considered one part of a defence-in-depth strategy that includes email filtering.
DroidJack poses as a legitimate app
Failed entrepreneurs are believed to be behind the creation of DroidJack, a RAT with around 50 features. These include being able to listen in on calls, read messages, record or view in real time using the inbuilt camera, and access GPS data. With all these features, it is somewhat disingenuous of the creators to post a disclaimer notice on the DroidJack website, effectively absolving themselves of blame if the product is used for illegal activities.