Tuesday, April 28, 2015

setenforce=1 April 2015 p2

Janicab - the next wave malware

This is exciting. Sorry I said that - I know that's not the kind of language that we should be using when describing malware. But hey, credit where it is due. 
My good friend Jamieson O'reilly introduced me to this new malware recently. It's not the malware that I'm really taken by though. It's the approach. Having said that, the actual code seems to be pretty slick as well. 
These guys ask you to watch an interesting video on YouTube. While you are watching the singing cat, the malware executes in the background. I have a feeling that very soon, doing something like this will end up encrypting your files. 


The URL above needs to be blocked at the gateway. A new variant of Crypto has been hyperactive in Australia since today, and this is the URL it connects back to for command and control. 
Around 150 URLs redirect to this one, so blocking it at the gateway cuts off all of them at once. 
Infection channel: arrives as a link in an email posing as an infringement notice from the AFP (Australian Federal Police), asking the victim to click the link to see the details of the fine. 
Fun fact: the Australian Federal Police has far more important things to deal with than traffic fines!
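Blocking the final URL is the quick win, but the roughly 150 redirectors feeding it are worth a look too, because tomorrow's variant may point them somewhere else. The script below is an added example, not part of the original post: the post does not reproduce its URL, so the C2 host name and the proxy log lines are constructed placeholders, and the log format (client, method, URL, status, Location header) is an assumption. It walks the log, collects every host that 3xx-redirects to the C2, lists the clients that touched it, and emits the gateway block list.

```python
"""Map the redirector URLs that funnel victims to a blocked C2 host.

Added example, not from the original post. BLOCKED_C2_HOST and every log line
below are constructed placeholders. Assumed log format (one request per line):
    <client-ip> <method> <url> <status> <Location-header-or-dash>
"""
import re
from urllib.parse import urlparse

BLOCKED_C2_HOST = "c2.example.invalid"  # hypothetical; substitute the real host

# Constructed sample proxy log: two redirectors, one unrelated redirect, and one
# client that reaches the C2 without being seen passing through a redirector.
SAMPLE_LOG = """\
10.0.0.5 GET http://fine-notice.example.net/view?id=4417 302 http://c2.example.invalid/gate.php
10.0.0.5 GET http://c2.example.invalid/gate.php 200 -
10.0.0.7 GET http://afp-infringement.example.org/notice.html 301 http://C2.EXAMPLE.INVALID/gate.php
10.0.0.9 GET http://www.example.com/index.html 200 -
10.0.0.9 GET http://shortlink.example.com/abc 302 http://legit.example.com/page
10.0.0.11 GET http://c2.example.invalid/gate.php 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def host_of(url):
    """Lower-cased host part of a URL, or None if there is none."""
    return urlparse(url).hostname  # .hostname is already lower-cased


def redirect_chain_report(log_text, c2_host):
    """Return the hosts that 3xx-redirect to c2_host and the clients that touched it."""
    redirectors = set()
    victims = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, _method, url, status, location = m.groups()
        if host_of(url) == c2_host:
            victims.add(client)  # direct contact with the C2
        if 300 <= int(status) < 400 and location != "-" and host_of(location) == c2_host:
            redirectors.add(host_of(url))
            victims.add(client)  # the client follows the redirect next
    return {"redirectors": sorted(redirectors), "victims": sorted(victims)}


def gateway_blocklist(report, c2_host):
    """Hosts to block: the C2 itself plus every redirector feeding it."""
    return sorted({c2_host, *report["redirectors"]})


if __name__ == "__main__":
    rep = redirect_chain_report(SAMPLE_LOG, BLOCKED_C2_HOST)
    print("redirectors:", rep["redirectors"])
    print("clients that reached the C2:", rep["victims"])
    print("block at gateway:", gateway_blocklist(rep, BLOCKED_C2_HOST))
```

Matching on the parsed host rather than the raw string is deliberate: the redirect's Location header may vary in case or path, and the client list is what you hand to the desktop team for clean-up.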

WordPress XSS vulnerability

A major vulnerability has been found in the popular web publishing platform WordPress. It allows anyone who can post a comment to inject JavaScript into the site through the comments feature, so the script runs in the browser of whoever views the page. 
A patch has been released, and WordPress users are strongly advised to update their sites ASAP. 

BARTALEX outbreak

There has been a new outbreak of BARTALEX, predominantly focused on the USA, though not limited to that region. The infection spreads through email and uses a combination of social engineering and code execution. The email appears to come from ACH (the Automated Clearing House) and directs the victim to a Dropbox link that serves a file download. When the victim opens the file, a genuine-looking Microsoft-style message tells the user to enable macros in Word; once they do, the macro runs the malicious code. This malware targets banking sites and software. 
All major AV vendors have signatures for this malware; just make sure your patterns are up to date. 
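Signatures catch the known sample; a gateway rule that holds any Office attachment carrying a macro project catches the next one too. The script below is an added example, not from the original post or from any AV vendor. It decides on file content rather than the attacker-chosen extension: an OOXML document is a ZIP archive whose macro project lives in `word/vbaProject.bin`, and a legacy binary document is an OLE compound file whose directory entry names are stored as UTF-16LE, so a `_VBA_PROJECT` entry only appears when a macro project is present. The OLE check is a byte-search heuristic (a full triage would use a real CFB parser), and the sample documents are constructed stubs built in memory, not real files.

```python
"""Flag Office attachments that carry a VBA macro project before they reach the inbox.

Added example, not from the original post or from any AV vendor. Content-based:
  * OOXML (.docx/.docm) is a ZIP; the macro project is word/vbaProject.bin
    (xl/ or ppt/ for Excel and PowerPoint).
  * Legacy binary (.doc/.xls) is an OLE compound file (magic D0 CF 11 E0 A1 B1
    1A E1) with UTF-16LE directory entry names; "_VBA_PROJECT" exists only
    when a macro project is present. Byte search here, a CFB parser in production.
The sample documents are constructed stubs, not real documents.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_DIR_ENTRY = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_ooxml(data):
    """True if the ZIP-based document contains a VBA project part. Raises BadZipFile on garbage."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def has_vba_ole(data):
    """True if the OLE blob carries a _VBA_PROJECT directory entry (heuristic)."""
    return VBA_DIR_ENTRY in data


def classify_attachment(data):
    """'macro' / 'clean' for Office containers, 'unknown' for anything else or a malformed archive."""
    if data.startswith(ZIP_MAGIC):
        try:
            return "macro" if has_vba_ooxml(data) else "clean"
        except zipfile.BadZipFile:
            return "unknown"  # malformed archive: never call it clean
    if data.startswith(OLE_MAGIC):
        return "macro" if has_vba_ole(data) else "clean"
    return "unknown"


def quarantine_candidates(attachments):
    """Given (filename, bytes) pairs, return the filenames a gateway should hold for review."""
    return [name for name, data in attachments if classify_attachment(data) == "macro"]


# --- constructed stubs, not real documents ---------------------------------
def build_ooxml_stub(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"stub")  # a real one is itself an OLE file
    return buf.getvalue()


def build_ole_stub(with_macro):
    blob = bytearray(OLE_MAGIC) + bytearray(504)  # 512-byte header-sized shell
    if with_macro:
        blob += "Macros".encode("utf-16-le") + VBA_DIR_ENTRY  # mimic directory entry names
    return bytes(blob)


if __name__ == "__main__":
    sample = [
        ("invoice.docx", build_ooxml_stub(False)),
        ("ACH_notice.doc", build_ooxml_stub(True)),  # .doc name, macro-enabled OOXML inside
        ("statement.doc", build_ole_stub(True)),
        ("readme.txt", b"plain text"),
    ]
    print("hold for review:", quarantine_candidates(sample))
```

Note the deliberate asymmetry: a document that is not an Office container at all is "unknown", not "clean", so a broken ZIP or a renamed executable still gets a second look instead of a free pass.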

Monday, April 20, 2015

setenforce=1 April 2015 p1

Here's a quick recap of last week's IT Security highlights:

Microsoft Critical Vulnerability

MS15-034 is a serious one: a specially crafted HTTP request can give an attacker remote code execution in the Windows HTTP stack (HTTP.sys, the kernel-mode driver under IIS). The security update addresses the vulnerability by changing how HTTP.sys handles requests.

Affected OS versions

Windows 7, Windows 8 and 8.1, Windows Server 2008 R2, and Windows Server 2012 and 2012 R2
A workaround has been published on TechNet (disabling IIS kernel caching, at a performance cost); it mitigates the risk but is no substitute for the update. Patch your systems ASAP. 
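Before and after patching, it helps to be able to tell which web servers still carry the bug. The script below is an added example, not from the original post or from Microsoft; it uses the probe that circulated alongside the bulletin: a GET with an oversized Range header. An unpatched HTTP.sys answers "416 Requested Range Not Satisfiable", a patched one rejects the header with "400 Bad Request", and anything else is inconclusive (the affected code path serves kernel-cached static content, so retry against a static file rather than a dynamic page). The target host is a placeholder; probe only systems you are authorised to test.

```python
"""Check whether a Windows web server still carries the MS15-034 HTTP.sys bug.

Added example, not from the original post or from Microsoft. Sends the public
Range-header probe and maps the status code to a verdict:
    416 -> vulnerable (unpatched HTTP.sys accepted the range)
    400 -> patched    (the fixed HTTP.sys rejects the header)
    other -> inconclusive (content not served from the kernel cache; try a static file)
The host in __main__ is a placeholder. Probe only systems you are authorised to test.
"""
import http.client

PROBE_RANGE = "bytes=0-18446744073709551615"  # upper bound is 2**64 - 1


def classify_status(status):
    """Translate the status code returned for the Range probe into a verdict."""
    if status == 416:
        return "vulnerable"
    if status == 400:
        return "patched"
    return "inconclusive"


def probe_ms15_034(host, port=80, path="/", timeout=5.0):
    """Send the Range probe and return the verdict with the raw status for the record."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "Range": PROBE_RANGE})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return {
            "host": host,
            "path": path,
            "status": resp.status,
            "reason": resp.reason,
            "verdict": classify_status(resp.status),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder target and a static file path (kernel-cached content exercises the bug).
    print(probe_ms15_034("iis.example.invalid", path="/iisstart.htm"))
```

Keep the raw status and reason in the record: an "inconclusive" against a load balancer or a dynamic page is a prompt to retry against a static resource on the origin, not evidence that the host is patched.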

Facebook Trojan

And there is new malware attacking unsuspecting netizens (does anyone still say that?!) by posing as a 'hot' video you are likely to want a peek at. The way it breaks in is quite simple: as soon as you hit play it asks you to install Flash, and while you are wondering what happened to the video it conveniently installs the malicious code. The downloaded file is named youtube.scr: a .scr file is a Windows screensaver, which is an ordinary executable, not a video. 

Action Required

Try not to fall for the 'hot' video. If it is something you do not recognise, or it looks a bit dodgy, do not try to play it. If it starts downloading a file, stop it. Flash is not required to watch videos on Facebook. It's not 2004!

McAfee takes down 'beebone' 

McAfee has teamed up with law enforcement agencies to take down a botnet that went by the name of 'Beebone'. It is a great achievement and the team deserves congratulations!

Kaspersky Decrypts CoinVault-encrypted files

Kaspersky has released a tool that decrypts files encrypted by the ransomware known as CoinVault. It is of great help to victims who have been successfully targeted by this malware. 
It is available here: 


Have a nice and secure week! Take care.