Weekly Security Brief: May 20 2015


Welcome! When the best offense is a good defense, you’ve come to the right place. Given the ever-changing landscape of technology threats, that couldn’t be more true. Each week, we’ll cover current security threats, patches and issues that affect you and your business. And when something really big happens, we’ll post on Twitter and update this page with all the details you need to stay safe. Read on!


We’ve had some big security issues over the past year. But Venom isn’t going to be one of them, despite the name. Sometimes, it’s easy to get carried away by the hype and hyperbole. If we’re doing our job right, though, rather than scaring you we’re preparing you.
This latest vulnerability, classified as CVE-2015-3456, is a problem in the floppy drive emulation code found on many virtualization platforms. What that means is if an attacker were able to, by considerable effort, escape the Guest OS, they could use the host to launch other network attacks. Essentially, an administrator account would have to be compromised for this to happen. Only certain platforms are impacted and they have patches currently available. Major VMs that are not impacted include:

  • VMware
  • Microsoft Hyper-V
  • Bochs
  • AWS
  • Linode

Rombertik Malware

It’s elusive, evasive, and the next evolution of malware. Newly identified by Cisco researchers, “Rombertik” doesn’t just self-destruct when it finds tools that can detect it. Instead, if tries to destroy the Master Boot Record (MBR) of the machine it’s on, which is destructive because when the machine restarts, it will be inoperable. The MBR is critical to system operation, and is the first sector of a hard drive, where all the initial instructions are at boot up, letting the computer know to load the operating system.

rombertik pic

This is an example of complex malware, hard to detect, and to protect against. Its purpose is to gain access to the target’s browser, read credentials and pilfer other sensitive information which it then collects to send off to a remote server. Rombertik spreads via spam and phishing emails. Here’s how it works:

Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox. In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim’s machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware’s core spying functionality. After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.

The best defence in this situation is a layered defence, because Rombertik won’t be able to evade all the layers.

Macro Malware’s Re-Emergence. Be Aware. Be Very Aware

Remember that saying “Everything old is new again”? That’s a trend in InfoSec. It’s not at all uncommon for threats to re-emerge after seeming cease, because attackers have taken the time to revisit and retool. Think of it as a more damaging version of reduce, reuse, recycle. What happens is that the malware gets onto computers via spam email attachments. When the user opens the document, they are prompted by a bar along the top asking if they wish to enable macros to read the item. Most people click willingly, enabling the macro and the malware. The malware then becomes a portal for even nastier stuff waiting in the wings, like the banking Trojan, Dridex, which hunt down and collect valuable personal and financial information. Once again, the onus is on the end user to be aware of what they open and click, but that isn’t always an easy judgement call as these emails look very convincing. Currently, most attacks are happening within the US and the UK.


WordPress Sites Backdoored

Another week, another WordPress security issue. According to Zscaler, this time multiple WordPress sites are leaking credentials. Compromised sites are implanted with a “Backdoor” code that serves up injected JAVA script when the user enters their credentials on the login page. The end user remains oblivious as they are redirected to a successful logged in session of a WordPress site. Meanwhile, those valuable credentials are encoded and sent to off to the attacker’s command and control server. The recommendation from the ZScaler security research report is what we’ve been saying consistently:

“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,”

PHP Hash Comparison Flaw May Put Many Sites at Risk

About a year ago, a flaw in PHP password hashes was identified involving the equals-equals operator (==). Robert Hansen, vice president of WhiteHat Security, describes the issue as “one that affects any website that uses two specific types of operators for comparing hashes in PHP.” The issue mostly affects authentication, but this could extend to binary checking, cookies, and passwords, among other things.

“The problem is how PHP handles hashed strings when either the double equal (==) or “!=” operators are used to compare them. When either of these two operators is used for comparing hashes, PHP interprets any hashed value beginning with ‘0e’ as having the value 0. So if two different passwords are hashed and both their hashed values begin with ‘0e’ followed by numerals, PHP will interpret both as having the value 0. Even though the hash values for both passwords are completely different, PHP would treat them both as the number zero if both begin with 0e and when either ‘==’ or ‘!=’ are used.”

This gives attackers a way to try and compromise user accounts by entering a string that when hashed gets equated to zero by PHP. If a password in the database is represented the same way, the attacker will get access to the account, Hansen said. Until now, there haven’t been examples of these hash types.

GPU Keylogger and Linux Rootkit attacks

Malware just keeps evolving. This time it’s targeting the GPU over the CPU with 2 new items: Jellyfish Rootkit for Linux and Demon Keylogger. The GPU, graphics processor unit, has its own processor and memory. That allows the malware to operate incognito, attracting no attention since malicious code isn’t modifying processes in the main operating system kernel. The danger becomes that these types of rootkits can snoop on the CPU host memory via the direct memory access (DMA). This allows hardware components to read the main system memory without going thru the CPU so actions are harder to catch.
Some attacker advantages with GPU are:

  • No GPU malware analysis tools are available on the Internet
  • Can snoop on CPU host memory via DMA (direct memory access)
  • GPU can be used for fast/swift mathematical calculations like parsing or XORing
  • Stubs
  • Malicious memory is still inside GPU after device shutdown

For reference purposes, a GPU-based keystroke logger consists of two main components:

  • A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory
  • A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events


Breaking Bad Themed Crypto Ransomware

This latest ransomware, Trojan.Cryptolocker.S, is currently going after computers running Windows based systems in Australia. The attackers leverage social engineering methods to get victims to open a malicious zip archive file, apparently with a major courier firm in the file name. Attackers then can run their own PowerShell script on the computer to run the ransomware. Encryption uses a random AES key, which is then encrypted with an RSA public key. Targetted files for encryption include media files, music, images, .lnk and .rar extensions.


Symantec has a blog post about how to stay protected if you get ransomware here.


And Last but not Least …You know that Flashlight App you have?

Time to shed a little light on a dark matter. The top 10 Android flashlight apps are actually malware designed to steal your data off your mobile device.


Thanks for reading!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s